In developed markets ‘comprehensive’ credit bureaus are common place; that is credit bureaus which store information relating to all of an individual’s past repayments, not just information relating to their defaults. Although there are some exceptions most borrowers, lenders and regulators in these markets believe that a trusted third-party holding a database of good and bad financial history provides borrowers with better products and at a fairer price.

But most markets don’t start at this point. In markets where credit bureaus are new or non-existent it is often difficult for regulators and borrowers to know how to decide between a positive bureau and a negative bureau. In many cases the costs of a positive bureau are relatively well understood – both the physical costs of development and the societal costs in the form of privacy concerns – while its benefits remain underestimated: usually assumed to be only those benefits accruing to lenders through better risk control. As a result, the initial push is often for a ‘negative data only’ bureau.

But a positive bureau also carries significant benefits to borrowers and I will use an applicable, albeit in the inverse, example to explain how and why this can is the case.

In Formula 1 motor-racing points are awarded to the ten best drivers in each race and accumulated over the season to identify an overall winner. The goal of this approach is to identify the ‘best’ driver in a given year and it serves this purpose well – sorting out the very best from the just very good. Since most stakeholders in Formula 1 – team owners, sponsors, drivers and spectators – are concerned almost exclusively with knowing which individual is the ‘best’ this system seldom comes under serious criticism.

But that doesn’t mean that it suits all purposes equally well. Imagine you are placed in charge of a new Formula 1 team that has started with a very limited budget. The team owners realize that this small budget effectively precludes the possibility of winning the title in the short-term but they also understand that if they can survive in the sport for two years they can gain a bigger sponsor and fund a more serious title challenge thereafter. So their goal it to survive for two years and to do that they need to maximize the exposure they provide their advertisers by finishing as many races as possible as far from the back as possible.

What the budget means for you as the team manager is that you can only afford to hire cheap drivers which we’ll assume means drivers who finished in the bottom ten places in the previous season. From that group you’ll still want to get the two best drivers possible but how will you identify the ‘best’ drivers in that group? The table below shows the driver standings at the end of the 2010 season:

As the table above shows, the present system is so focused on segmenting drivers at the top of the table that it struggles to differentiate drivers towards the bottom; in fact the bottom six drivers all finished with zero points. 
Vitantonio Liuzzi might look like a clear choice in more than double the next driver tally but is he really the best option and who would you choose to join him? A new model is needed for your purpose, one that separates the ‘worst’ from the simply ‘bad’.

Negative bureaus have a similarly one-sided focus, a focus that might have fits their initial purpose but that limits their use in other situations. A negative bureau only stores information on customer defaults; helping to separate the highest risk customers from the less high risk customers but struggling to segment low risk customers. Information is only created when a payment is missed – and usually only when it is missed for several months – and so an individual with a long history of timeously repaying multiple debts will be seen as the same risk as a customer who has only paid back one small debt, for example.

Returning now to the earlier scenario: the current Formula 1 model awards points for finishing in one of the top 10 places using a sliding scale of 25; 18; 15; 12; 10; 8; 6; 4; 2; 1. A model better suited for your new purpose should still retain the information relating to good performances but should also seek to create and store information relating to bad performances. The simplest way to do this would be to penalize drivers for finishing in the last ten places using the same scale but in reverse.

Implementing these simple changes across the 2010 season immediately provides more insight into the relative performance of drivers towards the bottom of the standings and in so doing the gap between each driver becomes clearer and useful information is been created. 

Although Vitantonio Liuzzi had previously looked like an obvious pick his good performances – a 6th place in Korea and a 7th place in Australia – were overshadowed by his many more poor performances – last place in Abu Dhabi, Brazil and Singapore and second-last place in Japan and China. When the whole picture is seen together, he is no longer such an attractive prospect. A better bet would be to approach Jaime Alguersuari who, although he never placed better than 9th finished in 13th place or better in 80% of his races and only came last once. Sebastien Buemi also finished last on only one occasion though he spread his remaining results more unevenly with both more top ten and more bottom ten finishes than Jaime.
Both of these drivers would offer theoretically better returns having placed worse on the accepted scale but with more of the sort of results you’re team is looking for.
Of course this isn’t the perfect model and real Formula 1 fans might take exception but it does illustrate how creating a holistic view of the relative performance of all drivers, not just the very good ones, can be value-adding. 

Similarly, a negative-only bureau suits the simple purpose of identifying the very worst of your potential customers but it struggles to identify good customers or to segment the ‘middle’ customers by relative risk; users of the bureau that wish to merely avoid the worst borrowers are well served by this information but lenders who wish to target the best customer segments for low risk/ low margin products or who wish to match pricing to risk are unable to do so. 
The societal costs of a negative only bureau are therefore born by the best performing borrowers in that market who are given the same products at the same price as average risk borrowers. 
A comprehensive positive and negative bureau avoids this societal cost though it usually does so with added build and maintenance costs. 

When deciding which bureau is best for a given market then, borrowers and regulators should focus on the trade-off between the borrowers privacy concerns and the borrowers access to fair products at a fair price while lenders should focus on the trade-off between the cost of a comprehensive bureau – passed onto them in the form of higher bureau fees – and the expected benefits to be achieved through more profitable niche products.

* * * 

The fact that the 2011 season has just finished stands testament to how long this article has sat in draft form, awaiting publishing. However, the big delay does at least afford me add an addendum on the performance of the proposed model.
Of course far too many factors are at play to make a scientific comparison, not least the fact that Vitantonio Liuzzi, the man our model told us not to pick, changed teams but here goes anyway:
Vitantonio Liuzzi didn’t qualify for one race, retired from 5 and ended the season without a top 10 finish and only 7 finishes within the top 20. In all, he didn’t manage to collect a single point and joined seven other drivers in joint last place. 
Both models suggested Sebastien Buemi and he also finished the season placed 15th with 7 top ten finishes against five retirements and no finishes outside of the top 15. While Jaime Alguersuari, our model’s wildcard pick, finished one spot better on the overall standings with 5 top ten places, 3 retirements and only one finish outside of the top 20.
Never shy to identify a trend from two data points, I’d call that a 2-1 win to the comprehensive model


The importance of card not present fraud is growing as more commerce moves online. The major card networks have reacted with systems to control the risks but the coverage of these defences is still limited. However, since chargeback rules generally protect the issuer from direct fraud losses it is common to see efforts to control this type of fraud being de-prioritised.

But the cost of fraud doesn’t only include direct, financial losses; the full impact of card not present fraud can only be seen when indirect costs are also considered. These indirect costs are both financial in nature as well as reputational. The indirect financial costs of card not present fraud include the cost of replacement plastics, the cost of the admin staff needed to manage chargebacks, the cost of funding the charges until the refund is received, etc. Reputational costs, on the other hand, are incurred when customers are inconvenienced by the forced closure of their accounts and the re-issuing of new plastics.

Both of these costs are relatively minor when card not present fraud happens on an irregular and fairly random basis. Most customers understand that fraud does happen and will not be too upset if the bank contacts them to replace a card once fraud has been detected, unless they have incurred a financial loss in the process (unlikely on credit cards if there is a decent detection system in place due to the delay between transactions and payments but fairly common for debit cards).

However, both types of indirect costs can be significant if the card issuer finds themselves under attack from a persistent fraudster. Due to the electronic nature of card not present fraud, a common weakness in the card issuing process can be exploited to make this a realistic threat. That weakness is the sequential issuing of card numbers.

Credit card numbers conform to a certain format in order to convey the specific information needed to enable international interoperability. One key part of this universal format is that the numbers are all validated by the Mod 10 check. I’m not going to discuss the mechanics of that algorithm here, the only important take-away is that it uses all the previous numbers in a fixed way to set the final number in the credit card sequence. So, working backwards it is possible to calculate whether any purported credit card number is a potentially valid one. I say ‘potentially valid’ because the algorithm cannot establish whether this number has been issued, just that it conforms to the pattern.

Unfortunately, this does not just enable international commerce it also enables fraud. If a fraudster wants to create potential credit card numbers they need only use this algorithm and a bit of basic knowledge about the other numbers to do so.

The numbers created have one major gap though, that stops them being useful – they don’t have an expiry date. Note, they also don’t have the 3/ 4 digit CVV number but not as many online transactions validate this. Without the correct expiry date the fraudulently created card number will not work, even if it matches an existing open account. Fraudsters can use trial-and-error in an attempt to establish the correct expiry date for a given number but multiple incorrect attempts will usually trigger an alert at the issuer and since there is no way for the fraudster to know for sure that such a number actually exists, the process can be interminable. As a result, card not present fraud using created numbers is not usually a major problem.

Unless card numbers are issued sequentially that is. A typical 16 digit credit card number may appear a random selection of numbers at first but as I mentioned they conform to a standard format. The first few digits identify the card network and issuing bank, the next few digits are usually used by that issuer to identify the sub-product while the last six to eight digits before the final check digit remain available for any use and it is these digits that are sometimes issued sequentially.

In an example I have seen before, the last six digits were split in two and issued sequentially so that the first card issued in a new product would end 001001X where X was the check digit, the next one would end 001002, the thousandth card would end in 002001X and so on.

This system had been used for years without problem until a specific online attack revealed its inherent weakness. A fraudster need only find one match between a valid, issued card number and its expiry date to be in the position to create the next card in the sequence knowing full well that the expiry date was almost certain to be the same. They could continue this process until the expiry date no longer worked in which case they could assume with much certainty that the expiry date had now moved up by one. So, be it through chance or trial-and-error, if a fraudster knows that card number XXXX XXXX XXXX 123X expires in May 2012 then they can be sure that card number XXXX XXXX XXXX 124X does too – using the Mod 10 algorithm to calculate the new check digit being the only other required step.

This knowledge allows the fraudster to create thousands of credit card numbers with a high probability of validity (around 80% once closed accounts, re-issued numbers, etc. are taken into account) and to use these for a large-scale attack. It is under such an attack that a card issuer can suffer significant financial and reputational costs. In the case I alluded to earlier, the premium card portfolio had been compromised in this manner and at one time cards were being compromised so quickly that some affected customers were contacted were issued new plastics only for those to be compromised too before they had even been delivered. Given that this was the premium card product it is easy to see how large the reputational costs were despite actual financial losses being insignificant.

To prevent a repeat of this situation, the issuer in question switched to randomised numbering thus breaking any logical link between the card number and its expiry date. In the new system batches of ten thousand numbers were created at a time, ordered randomly and then assigned in that order. At the same time there has been a drive to increase the coverage of Visa and Mastercard’s respective online fraud defence tools and to use the CVV code in online authorisations – something which had not been technically possible in the past. Both of these other projects address the same problem and so, to the extent that they’re implemented, will negate the benefits of random number issuing. However, where they are not widely used, random number issuing remains a low-tech but pro-active defence.

Many lenders fail to fully appreciate the size of their fraud losses. By not actively searching for – and thus not classifying – fraud within their bad debt losses, they miss the opportunity to create better defences and so remain exposed to ever-growing losses. Any account that is written-off without ever having made a payment is likely to be fraud; any account that is in collections for their full limit within the first month or two is likely to be fraud; any recently on book account that is written-off because the account holder is untraceable is likely to be fraud, etc.

Credit scorecards do not detect application fraud very well because the link between the credit applicant and the credit payer is broken. In a ‘normal’ case the person applying for the credit is also the person that will pay the monthly instalments and so the data in the application represents the risk of the future account-holder and thus the risk of a missed payment. However, when a fraudster applies with a falsified or stolen identity there is no such link and so the data in that application no longer has any relationship to the future account-holder and so can’t represent the true risk.


First Person Fraud

Now that explanation assumes we are talking about third-party fraud; fraud committed by someone other than the person described on the application. That is the most clear-cut form of fraud. However, there is also the matter of first person fraud which is less clear-cut.

First person fraud is committed when a customer applies using their own identity but does so with no intention of paying back the debt, often also changing key data fields – like income – to improve their chances of a larger loan.

Some lenders will treat this as a form of bad debt while others prefer to treat it as a form of fraud. It doesn’t really matter so long as it is treated as a specific sub-type of either definition. I would, however, recommend treating it as a sub-type of fraud unless a strong internal preference exists for treating it as bad debt. Traditional models for detecting bad debt are built on the assumption that the applicant has the intention of paying their debt and so aim to measure the ability to do so which they then translate into a measure of risk. In these cases though, that assumption is not true and so there should instead be a model looking for the existence of the willingness to pay the debt rather than the ability to do so. From a recovery point of view, a criminal fraud case it is also a stronger deterrent to customers than a civil bad debt one.


Third Person Fraud

The rest of the fraud then, is third-party fraud. There are a number of ways fraud can happen but I’ll just cover the two most common types: false applications and identity take-overs.

False applications are applications using entirely or largely fictional data. This is the less sophisticated method and is usually the first stage of fraud in a market and so is quickly detected when a fraud solution or fraud scorecard is implemented. Creating entirely new and believable identities on a large-scale without consciously or subconsciously reverting to a particular pattern is difficult. There is therefore a good chance of detecting false applications by using simple rules based on trends, repeated but mismatched information, etc.

A good credit bureau can also limit the impact of false applications since most lenders will then look for some history of borrowing before a loan is granted. An applicant claiming to be 35 years old and earning €5 000 a month with no borrowing history will raise suspicions, especially where there is also a sudden increase in credit enquiries.

Identity take-over is harder to detect but also harder to perpetrate, so it is a more common problem in the more sophisticated markets. In these cases a fraudster adopts the identity – and therefore the pre-existing credit history – of a genuine person with only the slightest changes made to contact information in most cases. Again a good credit bureau is the first line of defence albeit now in a reactive capacity alerting the lender to multiple credit enquiries within a short period of time.

Credit bureau alerts should be supported by a rule-based fraud system with access to historical internal and, as much as possible, external data. Such a system will typically be built using three types of rules: rules specific to the application itself; rules matching information in the application to historical internal and external known frauds; rules matching information in the application to all historical applications.


Application Specific Rules

Application specific rules can be built and implemented entirely within an organisation and are therefore often the first phase in the roll-out of a full application fraud solution. These rules look only at the information captured from the application in question and attempt to identify known trends and logical data mismatches.

Based on a review of historical fraud trends the lender may have identified that the majority of their frauds originated through their online channel in loans to customers aged 25 years or younger, who were foreign citizens and who had only a short history at their current address. The lender would then construct a rule to identify all applications displaying these characteristics.

Over-and-above these trends there are also suspicious data mismatches that may be a result of the data being entered by someone less familiar with the data than a real customer would be expected to be with their own information. These data mismatches would typically involve things like an unusually high salary given the applicant’s age, an inconsistency between the applicant’s stated age and date of birth, etc.

In the simplest incarnation these rules would flag applications for further, manual investigation. In more sophisticated systems though, some form of risk-indicative score would be assigned to each rule and applications would then be prioritised based on the scores they accumulated from each rule hit.

These rules are easy to implement and need little in the way of infrastructure but they only detect those fraudulent attempts where a mistake was made by the fraudster. In order to broaden the coverage of the application fraud solution it is vital to look beyond the individual application and to consider a wider database of stored information relating to previous applications – both those known to have been fraudulent and those still considered to be good.


Known Fraud Data

The most obvious way to do this is to match the information in the application to all the information from previous applications that are known – or at least suspected – to have been fraudulent. The fraudster’s greatest weakness is that certain data fields need to be re-used either to subvert the lenders validation processes or to simplify their own processes.

For example many lenders may phone applicants to confirm certain aspects on their application or to encourage early utilisation and so in these cases the fraudster would need to supply at least one genuine contact number; in other cases lenders may automatically validate addresses and so in these cases the fraudster would need to supply a valid address. No matter the reason, as soon as some data is re-used it becomes possible to identify where that has happened and in so doing to identify a higher risk of fraud.

To do this, the known fraud data should be broken down into its component parts and matched separately so that any re-use of an individual data field – address, mobile number, employer name, etc. – can be identified even if it is used out of context. Once identified, it is important to calculate the relative importance in order to prioritise alerts. Again this is best done with a scorecard but expert judgement alone can still add value; for example it is possible that several genuine applicants will work for an employer that has been previously used in a fraudulent application but it would be much more worrying if a new applicant was to apply using a phone number or address that was previously used by a fraudster.

It is also common to prioritise the historical data itself based on whether it originated from a confirmed fraud or a suspected one. Fraud can usually only be confirmed if the loan was actually issued, not paid and then later shown to be fraudulent. Matches to data relating to these accounts will usually be prioritised. Data relating to applications that were stopped based on the suspicion of fraud, on the other hand, may be slightly de-prioritised.


Previous Applications

When screening new applications it is important to check their data not just against the known fraud data discussed above but also against all previous ‘good’ applications. This is for two reasons: firstly not all fraudulently applied for applications are detected and secondly, especially in the case of identity theft, the fraudster is not always the first person to use the data and so it is possible that a genuine customer had previously applied using the data that is now being used by a fraudster.

Previous application data should be matched in two steps if possible. Where the same applicant has applied for a loan before, their specific data should be matched and checked for changes and anomalies. The analysis must be able to show if, for a given social security number, there have been any changes in name, address, employer, marital status, etc. and if so, how likely those changes are to be the result of an attempted identity theft versus a simple change in circumstances. Then – or where the applicant has not previously applied for a loan – the data fields should be separated and matched to all existing data in the same way that the known fraud data was queried.

As with the known fraud data it is worth prioritising these alerts. A match to known fraud data should be prioritised over a match to a previous application and within the matches a similar prioritisation should occur: again it would not be unusual for several applicants to share the same employer while it would be unusual for more than one applicant to share a mobile phone number and it would be impossible for more than one applicant to share a social security or national identity number.


Shared Data

When matching data in this way the probability of detecting a fraud increase as more data becomes available for matching. That is why data sharing is such an important tool in the fight against application fraud. Each lender may only receive a handful of fraud cases which limits not only their ability to develop good rules but most importantly limits their ability to detect duplicated data fields.

Typically data is shared indirectly and through a trusted third-party. In this model each lender lists all their known and suspected frauds on a shared database that is used to generate alerts but cannot otherwise be accessed by lenders. Then all new applications are first matched to the full list of known frauds before being matched only to the lender’s own previous applications and then subjected to generic and customised application-specific rules as shown in the diagram below:


In terms of credit risk strategy, the lending markets in America and Britain undoubtedly lead the way while several other markets around the world are applying many of the same principles with accuracy and good results. However, for a number of reasons and in a number of ways, many more lending markets are much less sophisticated. In this article I will focus on these developing markets; discussing how credit risk strategies can be applied in such markets and how doing so will add value to a lender.

The fundamentals that underpin credit risk strategies are constant but as lenders develop in terms of sophistication the way in which these fundamentals are applied may vary. At the very earliest stages of development the focus will be on automating the decisioning processes; once this has been done the focus should shift to the implementation of basic scorecards and segmented strategies which will, in time, evolve from focusing on risk mitigation to profit maximisation.

Automating the Decisioning Process

The most under-developed markets tend to grant loans using a branch-based decisioning model as a legacy of the days of fully manual lending. As such, it is an aspect more typical of the older and larger banks in developing regions and one that is allowing newer and smaller competitors to enter the market and be more agile.

A typical branch-lending model looks something like the diagram below:

In a model like this, the credit policy is usually designed and signed-off by a committee of very senior managers working in the head-office. This policy is then handed-over to the branches for implementation; usually by delivering training and documentation to each of the bank’s branch managers. This immediately presents an opportunity for misinterpretation to arise as branch managers try to internalise the intentions of the policy-makers.

Once the policy has been handed-over, it becomes the branch manager’s responsibility to ensure that it is implemented as consistently as possible. However, since each branch manager is different, as is each member of branch staff, this is seldom possible and so policy implementation tends to vary to a greater or lesser extent across the branch network.

Even when the policy is well implemented though, the nature of a single written policy is such that it can identify the applicants that are considered too risky to qualify for a loan but it cannot go beyond that to segment accepted customers into risk groups. This means that the only way that senior management can ensure the policy is being implemented correctly in the highest risk situations is by using the size of the loan as an indication of risk. So, to do this a series triggers are set to escalate loan applications to management committees.

In this model, which is not an untypical one, there are three committees: one within the branch itself where senior branch staff review the work of the loan officer for small value loan applications; if the loan size exceeds the branch committee’s mandate though it must then be escalated to a regional committee or, if sufficiently large, all the way to a head-office committee.

Although it is easy to see how such a series of committees came into being, their on-going existence adds significant costs and delays to the application process.

In developing markets where skills are short there a significant premium must usually be paid to high quality management staff. So, to use the time of these managers to essentially remake the same decision over-and-over (having already decided on the policy, they now need to repeatedly decide whether an application meets the agreed upon criteria) is an inefficient way to invest a valuable resource. More importantly though are the delays that must necessarily accompany such a series of committees. As an application is passed on from one team – and more importantly from one location – to another a delay is incurred. Added to this is the fact that committees need to convene before they can make a decision and usually do so on fixed dates meaning that a loan application may have to wait a number of days until the next time the relevant committee meets.

But the costs and delays of such a model are not only incurred by the lender, the borrower too is burdened with a number of indirect costs. In order to qualify for a loan in a market where impartial third-party credit data is not widely available – i.e. where there are no strong and accurate credit bureaus – an applicant typically needs to ‘over prove’ their risk worthiness. Where address and identification data is equally unreliable this requirement is even more burdensome. In a typical example an applicant might need to first show an established relationship with the bank (6 months of salary payments, for example); provide a written undertaking from their employer that they will notify the bank of any change in employment status; the address of a reference who can be contacted when the original borrower can not; and often some degree of security, even for small value loans.

These added costs serve to discourage lending and add to what is usually the biggest problem faced by banks with a branch-based lending model: an inability to grow quickly and profitably.

Many people might think that the biggest issue faced by lenders in developing markets is the risk of bad debt but this is seldom the case. Lenders know that they don’t have access to all the information they need when they need it and so they have put in place the processes I’ve just discussed to mitigate the risk of losses. However, as I pointed out, those processes are ungainly and expensive. Too ungainly and too expensive as it turns out to facilitate growth and this is what most lenders want to change as they see more agile competitors starting to enter their markets.

A fundamental problem with growing with a branch-based lending model is that the costs of growing the system rise in line with the increase capacity. So, to serve twice as many customers will cost almost twice as much. This is the case for a few reasons. Firstly, each branch serves only a given geographical catchment area and so to serve customers in a new region, a new branch is likely to be needed. Unfortunately, it is almost impossible to add branches perfectly and each new branch is likely to lead to either an inefficient overlapping of catchment areas or ineffective gaps. Secondly, within the branch itself there is a fixed capacity both in terms of the number of staff it can accommodate and in terms of the number of customers each member of staff can serve. Both of these can be adjusted, but only slightly.

Added to this, such a model does not easily accommodate new lending channels. If, for example, the bank wished to use the internet as a channel it would need to replicate much of the infrastructure from the physical branches in the virtual branch because, although no physical buildings would be required and the coverage would be universal, the decisioning process would still require multiple loan officers and all the standard committees.

To overcome this many lenders have turned to agency agreements, most typically with large private and government employers. These employers will usually handle the administration of loan applications and loan payments for their staff and in return will either expect that their staff are offered loans at a discounted rate or that they themselves are compensated with a commission.

By simply taking the current policy rules from the branch based process and converting them into a series of automated rules in a centralised system many of these basic problems can be overcome; even before improving those rules with advanced statistical scorecards. Firstly the gap between policy design and policy implementation is removed, removing any risk of misinterpretation. Then the need for committees to ensure proper policy implementation is greatly reduced, greatly reducing the associated costs and delays. Thirdly the risk of inconsistent application is removed as every application, regardless of the branch originating it or the staff member capturing the data, is treated in the same way. Finally, since the decisioning is automated there is almost no cost to add a new channel onto the existing infrastructure meaning that new technologies like internet and mobile banking can be leveraged as profitable channels for growth.

The Introduction of Scoring

With the basic infrastructure in place it is time to start leveraging it to its full advantage by introducing scorecards and segmented strategies. One of the more subtle weaknesses of a manual decision is that it is very hard to use a policy to do anything other than decline an account. As soon as you try to make a more nuanced decision and categorise accepted accounts into risk groups the number of variables increases too fast to deal with comfortably.

It is easy enough to say that an application can be accepted only if the applicant is over 21 years of age, earns more than €10 000 a year and has been working for their current employer for at least a year but how do you segment all the qualifying applications into low, medium and high risk groups? A low risk customer might be one that is over 35 years old, earns more than €15 000 and has been working at their current employer for at least a year; or one that is over 21 years old but who earns more than €25 000 and has been working at their current employer for at least two years; or one that is over 40 years old, earns more than €15 000 and has been working at their current employer for at least a year, etc.

It is too difficult to manage such a policy using anything other than an automated system that uses a scorecard to identify and segment risk across all accounts. Being able to do this allows a bank to begin customising its strategies and its products to each customer segment/ niche. Low risk customers can be attracted with lower prices or larger limits, high spending customers can be offered a premium card with more features but also with higher fees, etc.

The first step in the process would be to implement a generic scorecard; that is a scorecard built using pooled third-party data that relates to a portfolio that is similar to the one in which it is to be implemented. These scorecards are cheap and quick to implement and, as when used to inform only simple strategies, offer almost as much value as a fully bespoke scorecard would. Over time the data needed to build a more specific scorecard can be captured so that the generic scorecard can be replaced after eighteen to twenty-four months.

But the making of a decision is not the end goal; all decisions must be monitored on an on-going basis so that strategy changes can be implemented as soon as circumstances dictate. Again this is not something that is possible to do using a manual system where each review of an account’s current performance tends to involve as much work as the original decision to lend to that customer did. Fully fledged behavioural scorecards can be complex to build for developing banks but at this stage of the credit risk evolution a series of simple triggers can be sufficient. Reviewing an account in an automated environment is virtually instantaneous and free and so strategy changes can be implemented as soon as they are needed: limits can be increased monthly to all low risk accounts that pass a certain utilisation trigger, top-up loans can be offered to all low and medium risk customers as soon as their current balances fall below a certain percentage of the original balance, etc.

In so doing, a lender can optimise the distribution of their exposure; moving exposure from high risk segments to low risk segments or vice versa to achieve their business objectives. To ensure that this distribution remains optimised the individual scores and strategies should be consistently tested using champion/ challenger experiments. Champion/ challenger is always a simple concept and can be applied to any strategy provided the systems exist to ensure that it is implemented randomly and that its results are measurable. The more sophisticated the strategies, the more sophisticated the champion/ challenger experiments will look but the underlying theory remains unchanged.

Elevating the Profile of Credit Risk

Once scorecards and risk segmented strategies have been implemented by the credit risk team, the team can focus on elevating their profile within the larger organisation. As credit risk strategies are first implemented they are unlikely to interest the senior managers of a lender who would likely have come through a different career path: perhaps they have more of a financial accounting view of risk or perhaps they have a background in something completely different like marketing. This may make it difficult for the credit risk team to garner enough support to fund key projects in the future and so may restrict their ability to improve.

To overcome this, the credit team needs to shift its focus from risk to profit. The best result a credit risk team can achieve is not to minimise losses but to maximise profits while keeping risk within an acceptable band. I have written several articles on profit models which you can read here, here, here and here but the basic principle is that once the credit risk department is comfortable with the way in which their models can predict risk they need to understand how this risk contributes to the organisation’s overall profit.

This shift will typically happen in two ways: as a change in the messages the credit team communicates to the rest of the organisation and as a change in the underlying models themselves.

To change the messages being communicated by the credit team they may need to change their recruitment strategies and bring in managers who understand both the technical aspects of credit risk and the business imperatives of a lending organisation. More importantly though, they need to always seek to translate the benefit of their work from technical credit terms – PD, LGD, etc. – into terms that can be more widely understood and appreciated by senior management – return on investment, reduced write-offs, etc. A shift in message can happen before new models are developed but will almost always lead to the development of more business-focussed models going forward.

So the final step then is to actually make changes to the models and it is by the degree to which such specialised and profit-segmented models have been developed and deployed that a lenders level of sophistication will be measured in more sophisticated markets.

First things first, I am by no means a scorecard technician. I do not know how to build a scorecard myself, though I have a fair idea of how they are built; if that makes sense. As the title suggests, this article takes a simplistic view of the subject. I will delve into the underlying mathematics at only the highest of levels and only where necessary to explain another point. This article treats scorecards as just another tool in the credit risk process, albeit an important one that enables most of the other strategies discussed on this blog. I have asked a colleague to write a more specialised article covering the technical aspects and will post that as soon as it is available.


Scorecards aim to replace subjective human judgement with objective and statistically valid measures; replacing inconsistent anecdote-based decisions with consistent evidence-based ones. What they do is essentially no different from what a credit assessor would do, they just do it in a more objective and repeatable way. Although this difference may seem small, it enables a large array of new and profitable strategies.

So what is a scorecard?

A scorecard is a means of assigning importance to pieces of data so that a final decision can be made regarding the underlying account’s suitableness for a particular strategy. They do this by separating the data into its individual characteristics and then assigning a score to each characteristic based on its value and the average risk represented by that value.

For example an application for a new loan might be separated into age, income, length of relationship with the bank, credit bureau score, etc. Then the each possible value of those characteristics will be assigned a score based on the degree to which they impact risk. In this example ages between 19 and 24 might be given a score of – 100, ages between 25 and 30 a score of -75 and so on until ages 50 and upwards are given a score of +10. In this scenario young applicants are ‘punished’ while older customers benefit marginally from their age. This implies that risk has been shown to be inversely related to age. The diagram below shows an extract of a possible scorecard:

The score for each of these characteristics is then added to reach a final score. The final score produced by the scorecard is attached to a risk measure; usually something like the probability of an account going 90 days into arrears within the next 12 months. Reviewing this score-to-risk relationship allows a risk manager to set the point at which they will decline applications (the cut-off) and to understand the relative risk of each customer segment on the book. The diagram below shows how this score-to-risk relationship can be used to set a cut-off.

How is a scorecard built?

Basically what the scorecard builder wants to do is identify which characteristics at one point in time are predictive of a given outcome before or at some future point in time. To do this historic data must be structured so that one period can represent the ‘present state’ and the subsequent periods can represent the ‘future state’. In other words, if two years of data is available for analysis (the current month can be called Month 0 and the last Month can be called Month -24) then the most distant six months (from Month -24 to Month -18) will be used to represent the ‘current state’ or, more correctly, the observation period while the subsequent months (Months -17 to 0) represent the known future of those first six months and are called ‘the outcome period’. The type of data used in each of these periods will vary to reflect these differences so that application data (applicant age, applicant income, applicant bureau score, loan size requested, etc.) is important in the observation period and performance data (current balance, current days in arrears, etc.) is important in the outcome period.

With this simple step completed the accounts in the observation period must be defined and sorted based on their performance during the outcome period. To start this process a ‘bad definition’ and ‘good definition’ must first be agreed upon. This is usually something like: ‘to be considered bad, an account must have gone past 90 days in delinquency at least once during the 18 month outcome period’ and ‘to be considered good an account must never have gone past 30 days in delinquency during the same period’. Accounts that meet neither definition are classified as ‘indeterminate’.

Thus separated, the unique characteristics of each group can be identified. The data that was available at the time of application for every ‘good’ and ‘bad’ account is statistically tested and those characteristics with largely similar values within one group but largely varying values across groups are valuable indicators of risk and should be considered for the scorecard. For example if younger customers were shown to have a higher tendency to go ‘bad’ than older customers, then age can be said to be predictive of risk. If on average 5% of all accounts go bad but a full 20% of customers aged between 19 and 25 go bad while only 2% of customers aged over 50 go bad then age can be said to be a strong predictor of risk. There are a number of statistical tools that will identify these key characteristics and the degree to which they influence risk more accurately than this but they won’t be covered here.

Once each characteristic that is predictive of risk has been identified along with its relative importance some cleaning-up of the model is needed to ensure that no characteristics are overly correlated. That is, that no two characteristics are in effect showing the same thing. If this is the case, only the best of the related characteristics will be kept while the other will be discarded to prevent, for want of a better term, double-counting. Many characteristics are correlated in some way, for example the older you are the more likely you are to be married, but this is fine so long as both characteristics add some new information in their own right as is usually the case with age and marital status – an older, married applicant is less risky than a younger, married applicant just as a married, older applicant is less risky than a single, older applicant. However, there are cases where the two characteristics move so closely together that the one does not add any new information and should therefore not be included.

So, once the final characteristics and their relative weightings have been selected the basic scorecard is effectively in place. The final step is to make the outputs of the scorecard useable in the context of the business. This usually involves summarising the scores into a few score bands and may also include the addition of a constant – or some other means of manipulating the scores – so that the new scores match with other existing or previous models.


How do scorecards benefit an organisation?

Scorecards benefit organisations in two major ways: by describing risk in very fine detail they allow lenders to move beyond simple yes/ no decisions and to implement a wide range of segmented strategies; and by formalising the lending decision they provide lenders with consistency and measurability.

One of the major weaknesses of a manual decisioning system is that it seldom does more than identify the applications which should be declined leaving those that remain to be accepted and thereafter treated as being the same. This makes it very difficult to implement risk-segmented strategies. A scorecard, however, prioritises all accounts in order of risk and then declines those deemed too risky. This means that all accepted accounts can still be segmented by risk and this can be used as a basis for risk-based pricing, risk-based limit setting, etc.

The second major benefit comes from the standardisation of decisions. In a manual system the credit policy may well be centrally conceived but the quality of its implementation will be dependent on the branch or staff member actually processing the application. By implementing a scorecard this is no longer the case and the roll-out of a scorecard is almost always accompanied by the reduction in bad rates.

Over-and-above these risk benefits, the roll-out of a scorecard is also almost always accompanied by an increase in acceptance rates. This is because manual reviewers tend to be more conservative than they need to be in cases that vary in some way from the standard. The nature of a single credit policy is such that to qualify for a loan a customer must exceed the minimum requirements for every policy rule. For example, to get a loan the customer must be above the minimum age (say 28), must have been with the bank for more than the minimum period (say 6 months) and must have no adverse remarks on the credit bureau. A client of 26 with a five year history with the bank and a clean credit report would be declined. With a scorecard in place though the relative importance of exceeding one criteria can be weighed against the relative importance of missing another and a more accurate decision can be made; almost always allowing more customers in.


Implementing scorecards

There are three levels of scorecard sophistication and, as with everything else in business, the best choice for any situation will likely involve a compromise between accuracy and cost.

The first option is to create an expert model. This is a manual approximation of a scorecard based on the experience of several experts. Ideally this exercise would be supported by some form of scenario planning tool where the results of various adjustments could be seen for a series of dummy applications – or genuine historic applications if these exist – until the results that meet the expectations of the ‘experts’. This method is better than manual decisioning since it leads to a system that looks at each customer in their entirety and because it enforces a standardised outcome. That said, since it is built upon relatively subjective judgements it should be replaced with a statistically built scorecard as soon as enough data is available to do so.

An alternative to the expert model is a generic scorecard. These are scorecards which have been built statistically but using a pool of similar though not customer-specific data. These scorecards are more accurate than expert models so as long as the data on which they were built reasonably resembles the situation in which they are to be employed. A bureau-level scorecard is probably the purest example of such a scorecard though generic scorecards exist for a range of different products and for each stage of the credit life-cycle.

Ideally, they should first be fine-tuned prior to their roll-out to compensate for any customer-specific quirks that may exist. During a fine-tuning, actual data is run through the scorecard and the results used to make small adjustments to the weightings given to each characteristic in the scorecard while the structure of the scorecard itself is left unchanged. For example, assume the original scorecard assigned the following weightings: -100 for the age group 19 to 24; -75 for the age group 25 to 30; -50 for the age group 31 to 40; and 0 for the age group 41 upwards. This could either be implemented as it is bit if there is enough data to do a fine-tune it might reveal that in this particular case the weightings should actually be as follows: -120 for the age group 19 to 24; -100 for the age group 25 to 30; -50 for the age group 31 to 40; and 10 for the age group 41 upwards. The scorecard structure though, as you can see, does not change.

In a situation where there is no client-specific data and no industry-level data exists, an expert model may be best. However, where there is no client-specific data but where there is industry-level data it is better to use a generic scorecard. In a case where there is both some client-specific data and some industry-level data a fine-tuned generic scorecard will produce the best results.

The most accurate results will always come, however, from a bespoke scorecard. That is a scorecard built from scratch using the client’s own data. This process requires significant levels of good quality data and access to advanced analytical skills and tools but the benefits of a good scorecard will be felt throughout the organisation.

You’ve got to know when to hold ‘em, know when to fold ‘em

Know when to walk away and know when to run

I’ve always wanted to use the lines from Kenny Rogers’ famous song, The Gambler, in an article. But that is only part of the reason I decided to use the game of Texas Holdem poker as a metaphor for the credit risk strategy environment.

The basic profit model for a game of poker is very similar to that of a simple lending business. To participate in a game of Texas Holdem there is a fixed cost (buy in) in exchange for which there is the potential to make a profit but also the risk of making a loss. As each card is dealt, new information is revealed and the player should adjust their strategy accordingly. Not every hand will deliver a profit and some will even incur a fairly substantial loss, however over time and by following a good strategy the total profit accumulated from those hands that are winners can be sufficient to cover the losses of those hands that are losers and the fixed costs of participating and a profit can thus be made.

Similarly in a lending business there is a fixed cost to process each potential customer, only some of whom will be accepted as actual customers who have the potential to be profitable or to result in a loss.  The lender will make an overall profit only if the accumulated profit from each profitable customer is sufficient to cover the losses from those that weren’t and the fixed processing costs.

In both scenarios, the profit can be maximised by increasing exposure to risk when the odds of a profit are good and reducing exposure, on the other hand, when the odds of a loss are higher. A good card player therefore performs a similar role to a credit analyst: continuously calculating the odds of a win from each hand, designing strategies to maximise profit based on those odds and then adjusting those strategies as more information becomes available.


To join a game of Texas Holdem each player needs to buy into that game by placing a ‘blind’ bet before they have seen any of the cards.  As this cost is incurred before any of the cards are seen the odds of victory can not be estimated. The blind bet is, in fact, the price to see the odds.

Thereafter, each player is dealt two private cards; cards that only they can see. Once these cards have been dealt each player must decide whether to play the game or not.

To play on, each player must enter a further bet. This decision must be made based on the size of the bet and an estimate of the probability of victory based on the two known cards. If the player should instead choose to not play, the will forfeit their initial bet.

A conservative player, one who will play only when the odds are strongly in their favour, may lose fewer hands but they will instead incur a relatively higher cost of lost buy-ins. Depending on the cost of the buy-in and the average odds of winning, the most profitable strategy will change but it will unlikely be the most conservative strategy.

In a lending organisation the equivalent role is played by the originations team. Every loan application that is processed, incurs a cost and so when an application is declined that cost is lost. A conservative scorecard policy will decline a large number of marginal applications choosing, effectively, to lose a small but known processing cost rather than risk a larger but unknown credit loss.  In so doing though, it also gives up the profit potential on those accounts. As with poker betting strategies, the ideal cut-off will change based on the level of processing costs and the average probability of default but will seldom be overly conservative.

A card player calculates their odds of victory from the known combinations of cards possible from a standard 54 card deck.  The player has the possibility of creating any five card combination made up from their two known cards and a further five random ones yet to be dealt, while each other player can create a five card combination made-up of any seven cards except for the two the player himself has.  With this knowledge, the odds that the two private cards will result in a winning hand can be estimated and, based on that estimate, make the decision whether to enter a bet and if so of what size; or whether to fold and lose the buy-in.

The methods used to calculate odds may vary, as do the sources of potential profits, but at a conceptual level the theory on which originations is based is similar to the theory which under-pins poker betting.

As each account is processed through a scorecard the odds of it eventually rolling into default are estimated. These odds are then used to make the decision whether to offer credit and, if so, to what extent.  Where the odds of a default are very low the lender will likely offer more credit – the equivalent of placing a larger starting bet – and vice versa.

Customer Management

The reason that card games like Texas Holdem are games of skill rather than just games of chance, is that the odds of a victory change during the course of a game and so the player is required to adapt their betting strategy as new information is revealed.  Increasing their exposure to risk as the odds grow better or retreating as the odds worsen.  The same is true of a lending organisation where customer management strategies seek to maximise organisational profit but changing exposure as new information is received.

Once the first round of betting has been completed and each player’s starting position has been determined, the dealer turns over three ‘community cards’.  These are cards that all players can see and can use, along with their two private cards, to create their best possible poker hand. A significant amount of new information is revealed when those three community cards are dealt. In time two further community cards will be revealed and it will be from any combination of those seven cards that a winning hand will be constructed. So, at this point, each player knows five of the seven cards they will have access to and three of the cards their opponents can use. The number of possible hands becomes smaller and so the odds that the players had will be a winner can be calculated more accurately. That is not to say the odds of a win will go up, just that the odds can be stated with more certainty.

At this stage of the game, therefore, the betting activity usually heats up as players with good hands increase their exposure through bigger bets. Players with weaker hands will try to limit their exposure by checking – that is not betting at all – or by placing the minimum bet possible. This strategy limits their potential loss but also limits their potential gain as the total size of the ‘pot’ is also kept down.

As each of the next two community cards is revealed this process repeats itself with players typically willing to place ever larger bets as the new information received allows them to calculate the odds with more certainty. Only once the final round of betting is complete are the cards revealed and a winner determined. Those players that bet until the final round but still lose will have lost significantly in this instance. However, if they continue to play the odds well they will expect to recuperate that loss – and more – over time.

The customer management team within a lending organisation works with similar principals. As an account begins to operate, new information is received which allows the lender to determine with ever more certainty the probability that an account will eventually default: with every payment that is received on time, the odds of an eventual default decrease; with every broken promise-to-pay, those odds increase; etc.

So the role of the customer management team is to design strategies that optimise the lender’s exposure to each customer based on the latest information received. Where risk appears to be dropping, exposure should be increased through limit increases, cross-selling of new products, reduced pricing, etc. while when the opposite occurs the exposure should be kept constant or even decreased through limit decreases, pre-delinquency strategies, foreclosure, etc.


As the betting activity heats up around them a player may decide that the odds no longer justify the cost required to stay in the game and, in these cases, the player will decide to fold – and accept a known small loss rather than continue betting and risk an even bigger eventual loss chasing an unlikely victory.

Collections has too many operational components to fit neatly into the poker metaphor but it can be most closely likened to this decision of whether or not to fold. Not every hand can be a winner and even hands that initially appeared to be strong can be shown to be weak when the latter community cards are revealed. A player who was dealt two hearts and who then saw two further hearts dealt in the first three community cards would have been in  a strong position with the odds that the fifth heart they need to create a strong ‘flush hand’ sitting at fifty percent. However, if when the next two cards are dealt neither is a heart, the probability of a winning hand will drop to close to zero.

In this situation the player needs to make a difficult decision: they have invested in a hand that has turned out to be a ‘bad’ one and they can either accept the loss or invest further in an attempt to salvage something. If there is little betting pressure from the other players, they might choose to stay in the game by matching any final bets; figuring that because the total pot was large and the extra cost of participating small it was worth investing further in an unlikely win. Money already bet, after all, is a sunk cost. If the bets in the latest round are high however, they might choose to fold instead and keep what money they have left available for investment in a future, hopefully better hand.

As I said, the scope of collections goes well beyond this but certain key decisions a collections strategy manager must make relate closely to the question of whether or not to fold. Once an account has missed a payment and entered the collections processes the lender has two options: to invest further time and money in an attempt to collect some or all of the outstanding balance or to cut their losses and sell or even to write-off the debt.

In cases where there is strong long-term evidence that the account is a good one, the lender might decide – as a card player might when a strong hand is not helped by the fourth community card – to maintain or even increase their exposure by granting the customer some leeway in the form of a payment holiday, a re-aging of debt or even a temporary limit increase. On the other hand, in cases where the new information has forced a negative re-appraisal of the customer’s risk but the value owed by that customer is significant, it might still be preferable for the lender to invest a bit more in an attempt to make a recovery, even though they know that the odds are against them. This sort of an investment would come in the form of an intensive collections campaign or the paid involvement of specialist third party debt collectors.

As with a game of cards, the lender will not always get it exactly right and will over invest in some risky customers and under-invest in others; the goal is to get the investment right often enough in the long-term to ensure a profit overall.

It is also true that a lender who consistently shies away from investing in the collection of marginal debt – one that chooses too easily to write-off debt rather than to risk an investment in its recovery – may start to create a reputation for themselves that is punitive in the long-run. A lender that is seen as a ‘soft touch’ by the market will attract higher risk customers and will see a shift in portfolio risk towards the high-end as more and more customers decide to let their debt fall delinquent in the hopes of a painless write-off. Similarly a card player that folds in all situations except those where the odds are completely optimal, will soon be found out by their fellow players. Whenever they receive the perfect hand and bet accordingly, the rest of the table will likely fold and in so doing reduce the size of the ensuing pot which, although won, will be much smaller than it might otherwise have been. In extreme cases, this limiting of the wins gained from good hands may be so sever that the player is unable to cover the losses they have had to take in the games in which they folded.


The goal of credit risk strategy, like that of a poker betting strategy, is to end with the most money possible. To do this, calculated bets must be taken at various stages and with varying levels of data; risk must be re-evaluated continuously and at times it may become necessary to take a known loss rather than to risk ending up with an even greater, albeit uncertain, loss in the future.

So, in both scenarios, risk should not be avoided but should rather be converted into a series of numerical odds which can be used to inform investment strategies that seek to leverage off good odds and hedge against bad odds. In time, if accurate models are used consistently to inform logical strategies it is entirely possible to make a long-term profit.

Of course in their unique nuances both fields also vary quite extensively from each other, not least in the way money is earned and, most importantly, in the fact that financial services is not a zero sum game. However, I hope that where similarities do exist these have been helpful in understanding how the profit levers in a lending business fit together. For a more technical look at the same issue, you can read my articles on profit modelling in general and for credit cards and banks in particular.