Home Compliance StandardsFactor analysis of information risk (FAIR) Assessment What Is a FAIR Lending Risk Assessment? 
Factor analysis of information risk (FAIR) Assessment

What Is a FAIR Lending Risk Assessment? 

by RSI Security
written by RSI Security
Incident

Risk is a key consideration in every element of a financial institution’s business model. Actuarial scientists develop financial risk models that shape banks’ products and services, from savings accounts to loans. And then, of course, security risks shape the ways in which banks safeguard their physical and digital assets and resources. Finally, on a slightly less obvious front, FAIR lending risk assessments also play a vital role in ensuring a financial institution’s long-term health.

 

What’s a FAIR Lending Risk Assessment?

Banks and other types of lenders are compelled to make equitable efforts to lend to any and all potential borrowers. These days, many businesses rely on technology to help them fulfil that mandate.

Believe it or not, fairness depends on cybersecurity practices nearly as much as it does upon attitude. Laxed IT practices can lead to “digital redlining” and other potentially harmful lending practices.

So, if you want to make sure you’re not running afoul of any key fairness rules, you’ll need to keep your cyberdefenses optimized. To that effect, this blog will break down everything you need to know on the subject into two main areas:

  • What fair lending means for financial institutions
  • How FAIR risk analysis can facilitate compliance

Below, we’ll switch between “fair” and “FAIR” to talk about legal requirements and cybersecurity best practices, respectively. Ultimately, the goal is to help you see what’s FAIR is fair, so to speak.

 

Fair Lending: What it is and Why it Matters

Fair lending is an essential practice for financial institutions. It requires that lenders issue credit in an equal way to all borrowers, no matter what their background is. Specifically, the term “fair lending” refers to a body of regulations, at all levels of government, ensuring banks follow basic principles of equity.

Per Chase’s breakdown of Fair Lending at their bank, applicable laws and acts include:

  • The Civil Rights Act of 1866 – Ensuring all US-born citizens have certain rights, including purchasing real estate, regardless of their race or ethnic background.
  • The Fair Housing Act (FHA) – Protecting against discrimination with respect to the buying, selling, and financing of real estate, on the basis of:
    • Race, color, ethnicity, and religion
    • Sex, gender, orientation,and family status
    • Visible or invisible disabilities or handicaps
  • Home Mortgage Disclosure Act (HMDA) – Ensuring that financial institutions report on all real-estate based financing they facilitate, including demographic details of clients.
  • The Equal Credit Opportunity Act (ECOA) – Ensuring access to financial services for all clients, as well as prohibiting advice or discouragement, based on:
    • All the protected identity categories of the FHA
    • Income level and receipt of public assistance
  • The Americans With Disabilities Act (ADA) – Further protecting disabled individuals (whether mentally or physically), ensuring their access to financial products and services is the same as anyone else’s.

Fair lending exists to do exactly what its name implies — ensure that financial institutions treat all (potential) customers equitably. 

 

Request a Consultation

 

What Are Fair Lending Risks?

With respect to fair lending, “risk” has to do with the ways in which the kinds of discrimination codified across these previously mentioned laws may occur. Crucially, discrimination doesn’t always have to come from a malicious lender acting in a conspicuously prejudiced way.

According to a foundational FDIC presentation on Fair Lending Risk Assessments, the key to understanding fair lending risk comes down to three vectors of discrimination:

  • Overt discrimination in lender practices or policies
  • Unnecessary application of policy that leads to indirect discrimination
  • Lapses in discretion that lead to discriminatory lending terms or denial thereof

Fair lending means identifying all potential sources of discrimination, no matter how overt or incidental, and rooting them out. Failure to do so can result not only in immediate harm to those discriminated against, but also consequences for the lender.

Per Chase’s guide to fair lending, the institutions who enforce these regulations include:

  • The Consumer Financial Protection Bureau (CFPB)
  • The Department of Housing and Urban Development (HUD)
  • The Federal Deposit Insurance Corporation (FDIC)
  • The Office of the Controller of Currency (OCC)
  • The Federal Trade Commission (FTC)
  • The Federal Reserve Board (FRB)
  • The Department of Justice (DOJ)

The best way to ensure that your business is free from overt, indirect, or discretionary risk with respect to fair lending is to engage in rigorous (ideally quantifiable) risk analysis.

That’s where the FAIR part comes into play.

 ADA

How FAIR Institute Principles Can Help

What we’ve been referring to as “FAIR” thus far is actually the cybersecurity protocol “Factor Analysis of Information Risk.” FAIR is shepherded by the FAIR Institute, a US-based nonprofit, and later adopted by the Open Group as a global standard for risk management.

At its core, FAIR is a robust risk management system based on the principle that accurately quantifying risks is the most effective way to understand and mitigate them. FAIR is an explicit model of risk management, which enables a proactive risk posture more effectively than implicit, compliance-based models — like NIST CSF — which rely on a reactive risk posture.

The foundation of FAIR’s effective risk management comprises five elements:

  1. Accurate risk models – Complex quantitative values enable true quantitative analysis.
  2. Meaningful risk measurements – Actual scales, not simplified ordinal (1-5) categories.
  3. Effective risk comparisons – Direct mathematical comparison in uniform terms.
  4. Risk-informed decisions – Analytically backed decisions, minimizing variables.
  5. Cost-effective management – Efficient analysis, eliminating redundancies and costs.

These elements feed into one another. Together, they create a fundamental cybersecurity architecture that’s adaptable to any company at scale. But these practices don’t only ward off hackers and cybercrime; they also lay the groundwork for analysis of fair lending risks, as detailed above.

 

FAIR Lending Risk Assessment 101

The entirety of FAIR’s risk management relies upon the accuracy of its models. To that effect, the most important element of FAIR is the quantification of risk, also known as “risk assessment.” FAIR defines “risk” in terms of probability of future loss.

Before applying definition to fair lending risk, let’s take a look at how it works from a high-level. Per the FAIR flowchart, risk breaks down into two major categories:

  • Loss event frequency – How often a loss may occur within a given timeframe.
  • Loss magnitude – The various dollar-amount costs stemming from a loss event.

The first of these, loss event frequency, then breaks down into two subcategories:

  • Threat event frequency – The amount of times “threat agents” are likely to engage in an activity that might trigger a loss event, including these factors:
    • Contact frequency, or how regularly threat agents come into contact with catalysts that might enable them to cause a threat event.
    • Probability of action, or the behaviors a threat agent is likely to take, which (upon contact with a threat vector) might result in a loss. 
  • Vulnerability – The relative probability that any given threat will become a loss, including the following factors:
    • Threat capability, or the relative force or strength of a given threat.
    • Resistance strength, or the difficulty involved in a threat becoming a loss.

The second major category, loss magnitude, breaks down into the following:

  • Primary loss – The immediate and long-term costs stemming from risks, including:
    • Productivity, response, and replacement costs.
    • Competitive advantage and reputational costs.
    • Fines, settlements, and other legal consequences.
  • Secondary risk – Ancillary risks associated with the original threat, which receive their own treatment, starting again with loss frequency and magnitude.

At each category level, numerical values are assigned to variables like “risk” and “threat.” All of which are integrated into a uniform system enabling complex mathematical manipulation.

With respect to fair lending risk, “overt” instances of discrimination map onto threat events. Less tangible factors, like employees’ awareness (or lack thereof) of discrimination issues can map onto threats, with such employees themselves being designated as threat agents. Vulnerability can be calculated based on a matrix of publicly available probabilities and your own internal data.

FAIR is designed to take “intangibility” out of the equation, as much as possible. By quantifying your exposure to risk, you can get in front of discriminiation before it happens, preventing both the harm it causes to borrowers and any related blowback to your company.

 

How to Stay FAIR, Compliant, and Protected

Here at RSI Security, we take a similar approach to risk and cyberdefense as the FAIR Institute. While we’re happy to help your company meet any and all compliance regulations it needs to follow, we also know that just complying is far from the end of cybersecurity.

In fact, compliance is just the start of how to stay fair — and safe.

That’s why our talented team of experts has supplied cybersecurity solutions to companies of all sizes for over a decade. Whether you need a quick fix for your firewall, a tune up for cloud security, or even an overhaul of your entire architecture, we have you covered.

To get your FAIR lending risk assessment underway, or get the ball rolling on any cyber protections you may need to patch, contact RSI Security today!

 

Schedule a free Consultation

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

What’s a Factor Analysis of Information Risk Assessment?

June 25, 2020

Conducting a Quantitative Risk Analysis Assessment

January 8, 2021

How is Risk Exposure Calculated in FAIR?

December 21, 2020

Who Needs a Factor Analysis of Information Risk...

August 3, 2020

Exploring Open FAIR Risk Analysis Tools

March 3, 2021

Factor Analysis of Information Risk (FAIR) Training Best...

November 5, 2020

FAIR Risk Management Framework Checklist

November 26, 2020

What is a Fractional Security Advisor?

June 23, 2020

What to Look for in a FAIR Assessment...

June 1, 2020

Pros and Cons of Factor Analysis of Information...

January 8, 2021

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More