Nsight Blog | Ncontracts

Everything You Need to Know about Fair Lending Risk Assessments

Written by Ncontracts Compliance Team | Apr 10, 2019 2:00:00 PM

Fair lending is a key area of regulatory scrutiny, and one that garners a lot of public attention. In this regulatory environment, it really pays to know your risk. One of the best ways to gain a clear and objective understanding of your fair lending compliance risk is through a fair lending risk assessment. Learn everything you need to know about them and get a free fair lending risk assessment matrix here!

Fair lending compliance risk exists at every stage of the lending process. For financial institutions, that means that proactive management of your fair lending risk exposure is essential! One of the best ways to understand and manage your risk is with a fair lending risk assessment.

In this blog, you’ll learn everything you need to know about fair lending risk assessments. More specifically, you’ll gain the answers to these important questions:

When talking about a topic like this, a topic that can be complicated and a little daunting, it’s good to start at the very beginning. What is a fair lending risk assessment - and what is it not?

What Is a Fair Lending Risk Assessment?

A fair lending risk assessment is simply a review of your current fair lending risk exposure. It documents all of your fair lending risk exposure, the factors that are increasing or reducing that risk, and the remaining risk posed to your financial institution.

The goal is to help you understand inherent and residual fair lending risk, manage fair lending risks better by identifying gaps in your controls, highlight areas of highest risk, and provide guidelines for how to mitigate risk. Importantly, the goal of a risk assessment is also to notify the Board and senior management of risk exposure.

Since fair lending is all about discrimination, the central question in a fair lending risk assessment is “what is the risk that this financial institution is discriminating against a prohibited basis group?”

What Is a Fair Lending Risk Assessment Not?

A fair lending risk assessment is not an audit or an exam. An audit gauges the effectiveness of the compliance program, but it is not focused on identifying any and all gaps that may be present.

Are Fair Lending Risk Assessments Required?

Yes, fair lending risk assessments are required. Every regulator has a slightly different approach to risk assessments, so make sure that you know how your regulatory agency approaches them.

“A fair lending risk assessment should be conducted to assist the bank in understanding where risks may be present in the lending process.”

- FDIC, “Managing Fair Lending Risk” Presentation

There are no regulatory requirements to use a particular process, tool, or rating system in your risk assessment. However, it is important that the risk assessment approach is consistent and the answers are based on logical rationale.


How Does a Fair Lending Risk Assessment Work?

A fair lending risk assessment works by evaluating the different types of risks in your institution. 

In the most general sense, there are three important elements that a fair lending risk assessment will consider: inherent risk, controls, and residual risk. These are defined below:

  • Inherent Risk: Inherent risk is the risk that a situation or entity has before any controls are applied. In fair lending compliance, the following are a few factors that can contribute to your inherent risk:
    • Business lines, products, and services
    • Retail footprint and market strategy
    • Regulatory risks and scrutiny
    • General operational risks
  • Controls: Processes, procedures, policies, systems, and other mitigating factors that help to reduce the inherent risk. Examples of controls might include:
    • Training
    • Monitoring
  • Residual Risk: The risk that is remaining after controls have been considered.
    • The understanding of residual risk is gained from the fair lending risk assessment. The amount of residual risk identified will ultimately guide any changes your financial institution makes.

Here is an easy metaphor to help you understand the relationship between these three elements of the risk equation. Jumping out of a plane has a high inherent risk. However, jumping with a licensed guide and a working parachute puts two excellent controls in place. These controls combine to reduce the high inherent risk down to a relatively low residual risk. In fact, these controls are so effective that Americans completed approximately 3.3M jumps in 2018 alone.

Some people ask this question looking to understand the steps or components of a fair lending risk assessment. Those components will vary depending on who is doing your risk assessment, what products, business lines, or geographies are being reviewed, and your financial institution.

Practically speaking, a fair lending risk assessment often consists of a review of the financial institution’s history, policies and procedures, written documentation, tracking tools, reports, training materials, and exam results; conversations and interviews with key employees; and often, fair lending data analysis. (We will talk about this in more detail later.)

The end result is usually a formal report on the institution’s current inherent risk, existing controls, and residual risk exposure. This report will typically discuss not only the risks themselves, but also any evidence, potential causes, and often, data-driven ideas for how to mitigate fair lending risk.


What Types of Financial Institutions Need to Conduct a Fair Lending Risk Assessment?

If your financial institution has to comply with fair lending, you should conduct a risk assessment. Banks, credit unions, mortgage companies, indirect auto lenders, mortgage servicers, and other third-parties involved in the lending process will likely want to consider a fair lending risk assessment.

Again, if you're covered by fair lending regulations, you are required to conduct a risk assessment.

Who Is Able to Conduct a Fair Lending Risk Assessment?

A risk assessment can be conducted internally or by a third-party consultant. There are no specific requirements about who can lead the risk assessment, but regulators will likely ask questions if the person conducting the assessment isn't qualified to do so. That's one reason why lots of financial institutions choose to outsource this requirement.

While the internal compliance professional can conduct a fair lending risk assessment, it is possible for certain areas of risk to be overlooked. If a Compliance Officer knew of unchecked risk, most likely, they would already be working to address it!

Partnering with a consulting company for a fair lending risk assessment can provide a more neutral, objective, and holistic understanding of risk. If your financial institution does decide to outsource, make sure that you are partnering with a reliable compliance expert. Look for compliance certifications, history of conducting such assessments, and personal experience of your consultants.

Imagine spending the time, effort, money, and energy required to complete a risk assessment, only to find out that it wasn’t effective. That’s why it’s valuable to use a trusted partner for your fair lending risk assessment.

When Should My Financial Institution Do a Fair Lending Risk Assessment?

Best practices recommend that financial institutions conduct a fair lending risk assessment at least annually, or more frequently if the business changes. For example, if you go through a merger or acquisition, add new product lines, open up a new branch, or undergo other significant changes to your business, it’s a good idea to conduct an updated risk assessment.

You should complete a fair lending risk assessment at least every 12-18 months. Given the regulatory scrutiny of this area, we highly recommend annual fair lending risk assessments.

For some institutions, it’s just not possible to conduct a fair lending risk assessment annually. If that is the case for you, consider an abbreviated risk review every other year, or stretch your risk assessment schedule to every 18 months. While this approach does present some additional risk exposure, completing risk assessments less frequently is much better than not conducting them at all.

What Are the Key Areas of Fair Lending Risk?

If you’re planning your next risk assessment, you’re probably wondering about the areas of fair lending that will be evaluated for compliance. This is an important question to answer.

In general, make sure that your fair lending risk assessment evaluates: inherent risk, mitigating factors, and residual risk; risk at each stage of the lending process; your overall Fair Lending Compliance Management Program and the strength of controls in place; and any specific risk factors flagged by the regulators, prior exams, or previous risk assessments.

As mentioned earlier, fair lending risk exists at every stage of the lending process. Remember, fair lending is about more than just HMDA; it applies to all types of loans. Your fair lending risk assessment should evaluate risk in the following stages for all types of lending:

  1. Redlining
  2. Marketing/Advertising
  3. Steering
  4. Pricing
  5. Underwriting
  6. Servicing and Loss Mitigation

When evaluating your Fair Lending Compliance Management System, make sure to cover:

  • Overall Fair Lending Program
  • Monitoring
  • Reporting
  • Board and Management Oversight
    • Some regulators recommend conducting a compliance review of all proposed products and services before they are offered.
    • Know Your Products
    • Know Your Data
  • Training

Finally, ensure that the following fair lending risk factors are also considered in your risk assessment:

    • Regulation B (ECOA)
      • Adverse Action Notices: Action Taken, ECOA Notice, Federal Agency
      • Spousal Signatures: Joint Intent, Personal Guarantees on Commercial Credit
    • Regulation C (HMDA)
      • Government Monitoring Information (GMI)
    • Indirect Auto Lending, as applicable
    • Employee Compensation
      • Loan Officer and Originator Compensation
    • FinTech
    • Third-Party Relationships
  • Redlining Risk
    • This is a main area of regulatory scrutiny. Review your redlining risk actively. In particular, make sure to consider the shape of your REMA, your lending into majority-minority census tracts, and marketing or branch strategies that exclude majority-minority areas.
  • Discretion
  • Exceptions
    • If you make exceptions during any portion of the lending process, but particularly in underwriting and in servicing/loss mitigation, you may have additional fair lending risk exposure.
  • Compensation
  • Maternity Leave

Do All Fair Lending Risk Assessments Include Analysis?

Not all fair lending risk assessments will directly include fair lending analysis, but it is an important part of understanding your overall risk.

As mentioned above, fair lending is all about preventing discrimination. One of the best ways to determine if discrimination is occurring is by analyzing your data. Risk of discrimination will often show up in your numbers in the form of a disparity.


A disparity is a difference between two numbers; in this case, it typically refers to a difference between the control group and the prohibited basis group. For example, a financial institution might analyze its lending data and find a disparity in the number of originations to control group applicants and African-American applicants. This would indicate that they should dig a little deeper and find out if this is the result of discrimination, or whether another factor is driving that disparity.

Disparities do not always mean discrimination exists, but analyzing your data for fair lending risk is the only way to know for sure.

Again, fair lending is about more than just HMDA. Your fair lending analysis should cover both HMDA and non-HMDA loan data. That said, the recent HMDA changes that make more data public may also change your fair lending risk exposure. If you haven’t analyzed your HMDA data under the new HMDA rule, now may be a good time.


The FDIC is clear about the importance of data analysis, saying “Review loan data and trade area information for any potential fair lending concerns.”

Ncontracts is an expert when it comes to fair lending analysis, providing powerful software and consulting, in addition to custom regression analysis.

What Questions Should a Fair Lending Risk Assessment Include?

There is no set number of questions that a fair lending risk assessment should seek to answer. However, it’s a good idea to consider questions that follow the Interagency Fair Lending Examination Guidelines, and enhance them with questions that are responsive to your federal regulator’s priorities.

How Much Does a Fair Lending Risk Assessment Usually Cost?

The cost of a fair lending risk assessment will vary, depending on the following factors, among others:

  • Your financial institution’s size and complexity.
  • The time required to complete the risk assessment, including any time onsite.
  • The expertise of the person or company assessing your risk.
  • Any software used to help assess risk.
  • Additional factors as determined in the course of scoping the risk assessment.

The simplest and most cursory risk assessments will likely cost at least a thousand dollars. More in-depth and comprehensive risk assessments will cost more, and may cost tens of thousands. At the same time, larger institutions can expect their risk assessment to cost more than smaller institutions, due to their complexity.


What Should We Do If Risks Are Identified?

If the fair lending risk assessment does identify risks, there are a few important steps to take. After the risk is identified, make sure to report it to the Board and senior management. From there, your financial institution will want to be proactive in addressing it. Here are a few reasons why.

In general, expect a risk assessment to identify areas of improvement. However, these recommendations should be evaluated in totality, and the highest risks should be prioritized.

Fair lending risk assessments are an essential part of your overall fair lending compliance management. Not only are they required by the regulators, but they also provide valuable insights that can help your financial institution comply and grow.
