In the wake of the implementation of the Dodd-Frank Wall Street Reform and Consumer Protection Act stress test (DFAST) regulations, the term “stress test” has become a familiar part of the banking lexicon. The DFAST regulations require midsize banks—those with assets between $10 billion and $50 billion—to project the expected impact of three economic scenarios—baseline, adverse, and severely adverse—on their financial statements and capital ratios. Midsize financial institutions were required to report this year’s stress test results to their regulators by March 31, 2015, the second round of stress tests required for these banks.
Although the submission that was due in March was round two, most banks felt that it demanded just as much effort as the first round of stress tests. Regulators focused more on process than results in round one and clearly stated that what was acceptable in the first submission would be insufficient for subsequent examinations. Little formal feedback is in so far, but what we have heard indicates that continuous improvement was definitely expected.
In the first round, most banks either used simplistic models or projections that did not capture their risks fully. Banks now are expected to develop enhanced models, and more significant portfolios are being modeled using bottom-up rather than top-down approaches. In assessing models, regulators are questioning assumptions and methodologies and looking for well documented, sound conceptual bases for the modeling choices made. Overly manual modeling processes also are being flagged as impractical for ad hoc use. The message is loud and clear: stress testing models are expected to be integrated into risk management practices.
One common area for continued attention appears to be documentation. Whether it’s better organizing information to make it easier to follow the bank’s processes, improving validation documentation, writing user procedures, or better documenting the effective challenge process, the feedback received thus far reinforces that DFAST truly is a formal process. The documentation has to be sufficient for banks to manage, monitor and maintain the overall stress testing program. It also needs to be detailed enough to allow other users, including validators and regulators, to clearly understand the process.
Validation continues to be a big area of focus, and attention is being paid to both the timing and extent of validation activities. Timing is a critical review point, as the models are expected to be validated prior to the final stress test exercise. Validations have been criticized for having incomplete documentation, for failing to assess data lineage and quality, and for not being comprehensive. As modeling systems become more sophisticated, validations need to provide broader coverage. Validators—whether internal or third-party resources—must be experienced and competent, and they must deliver a sound validation in accordance with the agreed scope.
Banks have been encouraged to shore up organizational structures and procedures to keep their stress testing programs up-to-date and intact. With competition for quantitative resources at an all-time high, many are making choices about hiring statistical specialists and using contractors to keep on track. Banks are focusing on more automated processes, broader business participation, and more detailed user procedures to make sure the loss of one or two employees does not cause a program to fall apart completely.
Life in the DFAST Lane
As with most important business processes, effective DFAST risk management requires significant input from business management, risk management, and internal audit. A collaborative relationship among these three lines of defense results in the strongest DFAST processes. With reporting deadlines for the next cycle in 2016 being delayed from March 31 to July 31, banks have a bit of breathing room to assess the effectiveness and efficiency of their DFAST programs. Banks should use this extra time to further develop documentation, address highest priority issues, and continue to integrate stress testing into routine risk management practices.