When my team and I visit a client to perform an engagement, there are usually a variety of tasks that we will perform during one audit. Some, such as the Allowance for Loan Loss, are considered high risk by everyone, and taken quite seriously wherever we go. Senior management always looks for feedback or ways to strengthen their existing controls.
On the other hand, there are the areas we review that make eyes roll and are perceived in general as a waste of time and effort. One such activity is Loan Maintenance changes. And although it can be a bit of a chore, this is a very important control function for your lending department, reducing the risk of internal fraud, and with the prevalence of Identity Theft, it becomes even more key.
Loan Maintenance is just that – modifying something on an existing loan (or loan customer information) based on customer request, bank error, or preconceived circumstance such as interest rate changes. These things, in and of themselves, are innocuous, but peering past the veil even slightly can lead to some concern.
There are three keys to a solid LM function the firm looks for, to ensure that adequate controls are in place. These controls serve to limit the personnel who can access customer accounts, ensure that proper documentation is maintained when necessary, and provide a review function to guarantee that the process you have in place is working as intended.
- Accessibility - Not everyone on the loan servicing/production staff should have the ability to enter a borrower’s account and change information. This function should be limited to a relatively small number and controlled by the IT department through password and, if possible, an electronic “signature” that is recorded each time a change is made. Certain things that can be altered, such as interest rates, payment due dates, etc., should only be performed with transaction authorization, and should be easily traceable to the person who made the change (who can, in turn, trace the change back to the authorization). Having limited access to the loan system means having greater control of the loan information, which is key to maintaining the integrity of the data therein. This certainly would reduce the risk of internal fraud within the institution. There are a myriad of incidents reported where a “rogue” employee has reduced interest rates or changed payment dates for “friends,” or gone so far as to increase existing credit line limits and transfer amounts to his/her account. Such things can certainly be narrowed through careful access designation and monitoring.
- Documentation - Having backup for your changes is a critical function, not only for authorized activity from bank management, but from your customers as well. As Identity Theft has become a huge threat to both customers and banks, it has become paramount that any change requested by a customer is verified to actually come from that customer, and not from a malicious third party. To that end, many banks are now restricting traditional customer services such as address changes to “walk-in” only status. Gone are the days where you can simply open the mail (or email!), receive a request, and change the address for a borrower and be done with it. This is an easy way for an ID thief to worm their way into an account and retrieve information. Even if you do not subscribe to the “walk-in only” strategy, your bank should have strong controls in place to document the borrower requesting the change, verify the signature, and even make telephone call backs to the borrower to ensure that it was they who requested the change. A change of address form should be retained in the customer’s loan file, or if necessary, a log that the borrower was contacted and the change was confirmed. This may appear a bit draconian, but it is my belief that the people wearing the black hats are currently one step ahead of banks in regard to Identity Theft crime, and anything that can be done to secure borrower information should be done.
- Review - Having the above in place means nothing if management is not monitoring the loan maintenance activity for any abnormality. This means pulling the daily report and checking it against source documentation if available. Tedious? Yes. Necessary? Absolutely. By reviewing your changes, you are preventing typical clerical input errors from getting out of hand. The most harmless thing, such as a scheduled interest rate change that is not correct, can lead to multitudes of problems down the line simply because it is not reviewed. Borrowers are overcharged/undercharged interest, a bank is cited (and fined!) and then also needs to expend funds to review existing loans to discern the extent of the trouble. In addition, this review creates an added level of fraud protection for both the bank and your borrowers.
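The daily review described above can be partly automated. The following is an added example, not part of the original article: it reconciles a constructed daily maintenance report against the access list, the transaction authorizations and the customer verification records. All field names, user IDs and record layouts are hypothetical.

```python
# Added illustration: field names, IDs and record layouts are hypothetical,
# and every row below is constructed sample data.
SENSITIVE_FIELDS = {"interest_rate", "payment_due_date", "credit_limit"}
CUSTOMER_FIELDS = {"address"}

def review_changes(report, authorizations, maintainers, verified_requests):
    """Return {change_id: [exceptions]} for the rows a reviewer must follow up on."""
    exceptions = {}
    for row in report:
        found = []
        # Accessibility: only designated staff may perform maintenance.
        if row["user"] not in maintainers:
            found.append("user is not on the maintenance access list")
        # Rate, due date and limit changes must trace back to an authorization
        # that covers the same loan, the same field and the same new value.
        if row["field"] in SENSITIVE_FIELDS:
            auth = authorizations.get(row["auth_id"])
            if auth is None:
                found.append("no transaction authorization on file")
            elif (auth["loan"], auth["field"], auth["new"]) != (row["loan"], row["field"], row["new"]):
                found.append("authorization does not match the change made")
        # Documentation: customer-requested changes need a form or call-back log.
        if row["field"] in CUSTOMER_FIELDS and (row["loan"], row["field"]) not in verified_requests:
            found.append("no documented customer verification")
        if found:
            exceptions[row["change_id"]] = found
    return exceptions

# Constructed daily maintenance report.
DAILY_REPORT = [
    {"change_id": "C1", "user": "jlee", "loan": "L-100", "field": "interest_rate", "new": "5.25", "auth_id": "A-7"},
    {"change_id": "C2", "user": "jlee", "loan": "L-101", "field": "credit_limit", "new": "50000", "auth_id": None},
    {"change_id": "C3", "user": "temp1", "loan": "L-102", "field": "address", "new": "12 Oak St", "auth_id": None},
    {"change_id": "C4", "user": "mroy", "loan": "L-103", "field": "interest_rate", "new": "3.00", "auth_id": "A-8"},
    {"change_id": "C5", "user": "mroy", "loan": "L-104", "field": "address", "new": "9 Elm Rd", "auth_id": None},
]
AUTHORIZATIONS = {
    "A-7": {"loan": "L-100", "field": "interest_rate", "new": "5.25"},
    "A-8": {"loan": "L-103", "field": "interest_rate", "new": "4.00"},
}
MAINTAINERS = {"jlee", "mroy"}
VERIFIED_REQUESTS = {("L-104", "address")}  # form or call-back log on file

if __name__ == "__main__":
    flagged = review_changes(DAILY_REPORT, AUTHORIZATIONS, MAINTAINERS, VERIFIED_REQUESTS)
    for change_id, problems in flagged.items():
        print(change_id, "; ".join(problems))
```

Change C4 is the case the Review point warns about: an authorized rate change keyed with the wrong value, which only shows up when the report is compared with the source document.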
Monitoring Loan Maintenance changes is not glamorous. It is, in fact, less fun than a trip to the DMV. However, it is an increasingly necessary function that must be performed in order to combat the ever-changing electronic world in which we live.