Investing in Securities Without Relying on External Credit Ratings
by Christopher McBride, Senior Supervisory Financial Analyst, Board of Governors
When Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) to strengthen the financial regulatory system in the wake of the financial crisis, one area of concern it addressed was the accuracy of credit ratings for structured financial products. Specifically, section 931 of the Dodd-Frank Act states: "In the recent financial crisis, the ratings on structured financial products have proven to be inaccurate. This inaccuracy contributed significantly to the mismanagement of risks by financial institutions and investors, which in turn adversely impacted the health of the economy in the United States and around the world. Such inaccuracy necessitates increased accountability on the part of credit rating agencies."
Therefore, Congress directs the federal regulatory agencies in section 939A of the Dodd-Frank Act to amend their regulations to remove any reference to, or reliance on, nationally recognized statistical rating organizations (NRSROs) and to create a standard for determining the creditworthiness of securities and money market instruments.1 The agencies recently completed this work. As a result, supervisors’ expectations for banks’ investment securities oversight processes have shifted from allowing relatively passive oversight of credit risk to requiring a more active process of analysis and assessment. This article reviews the process of investing in securities without relying exclusively on NRSRO ratings (commonly known as external credit ratings).
On June 4, 2012, the Office of the Comptroller of the Currency (OCC) issued a final rule to implement section 939A.2 This rule, which was effective January 1, 2013, applies to the national banks and federal savings associations supervised by the OCC. The rule applies more broadly, however, because the Federal Reserve Board’s Regulation H3 and the Federal Deposit Insurance Corporation’s (FDIC’s) regulations on activities of insured state banks and insured savings associations4 prohibit member and nonmember state banks and state savings associations from engaging in activities and investments that are not permissible for national banks and their subsidiaries. Therefore, the OCC’s final rule establishes the standard for all banks and savings associations.
The OCC rule changed the definition of "investment grade" — which previously had been based on external credit rating categories — to mean "the issuer of a security has an adequate capacity to meet financial commitments under the security for the projected life of the asset or exposure. An issuer has an adequate capacity to meet financial commitments if the risk of default by the obligor is low and the full and timely repayment of principal and interest is expected."5 This standard is consistent with sound loan underwriting standards and requires a bank to analyze and verify repayment ability. To facilitate state member banks’ understanding of these new requirements, the Federal Reserve Board published SR Letter 12-15, "Investing in Securities Without Reliance on Nationally Recognized Statistical Rating Organization Ratings," which provides guidance on the new requirements.6
Credit Risk Due Diligence
Using external credit ratings has long been an efficient tool to identify credit risk before making an investment decision. Management must now analyze the investment quality of the issuer or pool in a way that is similar to conducting loan due diligence, except for differences in customer interaction. It is important to note that the regulations still allow banks to use an external rating as a component of their credit risk due diligence, but banks can no longer rely solely on that rating.
Banks are now required to identify credit risk in investment securities by fully assessing the issuer’s repayment ability. While the process may be more intensive than reliance on external credit ratings, management has several existing tools at its disposal to identify and monitor credit risk. A bank’s existing loan underwriting processes provide a basic starting point for identifying credit risk. As with underwriting credits, the degree of due diligence needed for any specific investment is dependent on the security’s credit quality, the complexity of the structure, and the size of the bank’s investment. So, for example, while a small investment in a straightforward general obligation bond of a local municipality should still receive an appropriate assessment of credit risk, such an investment would likely require less intensive review than a large investment in a corporate bond or a private label mortgage-backed security.
Banks are now required to identify credit risk in investment securities by fully assessing the issuer’s repayment ability.
Bank management also has the ability to use a variety of external sources, including credit rating agency reports. These reports offer bank management the ability to efficiently ascertain appropriate facts to understand whether or not an investment will fit with the bank’s risk appetite. However, any time a bank uses a third party to assess the credit risk of an investment, the bank must make sure that the third party has the appropriate skills and experience to conduct a factual assessment of credit risk.
The new guidance uses examples to lay out several factors that can be used in assessing credit risk. The nonexhaustive list of suggested factors provides insight into what methods may be appropriate for different types of securities. Management is not expected to use all of these factors for every transaction, but they can be helpful in providing a baseline for what might be expected depending on the type of security. These factors include, among others, both readily available market data and specific data related to various microeconomic factors.7 The examples are not mandated by regulation but should aid management in identifying components of an effective investment security credit risk oversight program.
Of course, not all investment securities or portfolios are alike and, as such, not all oversight programs are expected to be alike. A U.S. government or agency bond, for example, generally is considered to have so little credit risk that it does not need to be subjected to individual credit analysis. At the opposite end of the spectrum, a highly structured asset-backed security would require a thorough assessment, focusing on factors such as the structure of the bond, the asset pool, and the underlying repayment capacity. Management should understand that there is a range of expectations for securities depending on the issuer, structure, security type, and investment size.
Regulators expect management to put riskier securities, such as asset-backed securities, through a stringent review of credit risk. These securities, which are composed of asset pools that provide repayment, are highly structured and can contain options or other features that may significantly change the payoff and interest rate expectations depending on various factors. Simply stated, these securities are complex. Regardless of an institution’s size, these securities require proper oversight and risk identification. Before investing, management needs to have a thorough understanding of the security, including:
- Tranche behavioral expectations
- Asset pool makeup (e.g., types of underlying assets, concentrations, microeconomic impacts, underwriter quality)
- Cash flow waterfall stipulations
The above list is not exhaustive, but it identifies a few credit risk components that should be reviewed before making an investment in a structured security. Management should ensure that all aspects of a structured security fit within the risk profile and needs of the bank.
It is important to recognize that not only are there many different types of securities, but each class of security can also have a range of variation within the class. Municipal securities, for example, are quite varied and can have significantly different dynamics that require an oversight program tailored to the underlying bond risks. Municipal general obligation bonds and well-capitalized bank municipal revenue bonds are Type I securities and do not need to meet the investment-grade criteria to be eligible for purchase. However, to ensure investment activities are consistent with safe and sound banking practices, municipal bonds should be subject to a credit risk assessment.
Each state and locality has risks that are different from those of another state or even another locality within a state. Furthermore, an issuer can be a municipal agency, such as a road, sewer, or airport authority. Additional complications for this asset class are that governmental agencies have their own accounting protocols and that financial information is often inconsistent or out-of-date. These complications can create a problem if a bank is unable to obtain appropriate information on a timely basis or understand the information once it has been provided. Moreover, a portfolio of municipal investments within a bank’s lending area could be monitored differently than a portfolio of out-of-area issuers. Given the diversity and complexity of municipal security portfolios, management should increase its oversight of issuers through publicly available sources to stay apprised of issuers’ credit risk.
Ongoing monitoring is a crucial aspect of managing credit risk. This process provides management the opportunity to properly manage the investment portfolio and reduce or change risk levels as appropriate. Active monitoring of the portfolio supports management’s ability to remain within board-approved risk tolerances. Unlike due diligence, which can require a significant amount of work leading up to the investment, ongoing monitoring is focused solely on the credit risk of the issuer and its performance after the investment. Various sources of external data are available to monitor credit risk, although some issuers may not make data available in a timely manner.
Ongoing monitoring of the investment portfolio is expected to be a more intensive process under the new rules. However, management should understand the range of expectations for oversight. It is entirely appropriate to deploy resources in an efficient manner, focusing on attributes that are deemed significant (e.g., riskier assets, time since last review, complexity, size, or concentrations). This method promotes personnel efficiency while providing coverage to the portfolio. Not every investment needs to be reviewed every quarter. While quarterly review may be appropriate for some investments, it may be more appropriate to risk-focus the reviews of other investments. Management should develop an ongoing monitoring program, similar to loan review, that is properly tuned to the risks in the portfolio while providing sufficient coverage to promote risk awareness.
Credit risk is credit risk, whether in a loan portfolio or an investment portfolio. Bankers are comfortable underwriting loans and should be able to use those skills in developing an oversight process for identifying and monitoring credit risk in investment securities and portfolios. While an external credit rating can be one element of issuer due diligence, it cannot be used as the primary way to assess credit risk for either purchasing securities or ongoing monitoring.
The board of directors is ultimately responsible for the risk acceptance of a bank by establishing appropriate policies and limits, but management is responsible for implementing the board’s restrictions. Management may find it necessary to implement a tiered process for the ongoing review of the investment portfolio that focuses on inherent risk, size, complexity, concentration, or any other factor important to the bank. The new due diligence requirements can be supported by third-party information and analysis, but the decision to invest must be controlled by bank management and cannot be outsourced. One of the lessons of the financial crisis was that credit risk in an investment portfolio can be as debilitating as credit risk in a loan portfolio. Sound credit analysis and review of investment security purchases should serve community banks well in the long run.
- 1 The Federal Reserve Board prepared a report to Congress on references to NRSRO ratings in Federal Reserve regulations. See Board of Governors of the Federal Reserve System, Report to the Congress on Credit Ratings, July 2011, at www.federalreserve.gov/publications/other-reports/files/credit-ratings-report-201107.pdf.
- 2 See Office of the Comptroller of the Currency (2012), "Alternatives to the Use of External Credit Ratings in the Regulations of the OCC," final rule, Federal Register, vol. 77 (June 13), pp. 35253-35259.
- 3 See 12 CFR 208.21.
- 4 See 12 CFR 362.
- 5 See 12 CFR 16.2.
- 6 The FDIC and OCC have also published guidance for the institutions they supervise. See FDIC Financial Institution Letter FIL-48-2012, "Revised Standards of Creditworthiness for Investment Securities," at www.fdic.gov/news/news/financial/2012/fil12048.html, and OCC Bulletin 2012-18, "Alternatives to the Use of External Credit Ratings in the Regulations of the OCC," at www.occ.gov/news-issuances/bulletins/2012/bulletin-2012-18.html.
- 7 Readily available market data include factors that allow comparison of security performance with nonobligor-specific benchmarks, for instance, by comparing spreads with U.S. Treasuries and default rates to assess consistency with bonds of similar credit quality. Microeconomic factors are those that are specific to the obligor, for instance, an obligor’s capacity to repay its obligations or the sources of revenue and fiscal strength of a municipal authority.