NR 95-101 September 26, 1995 OCC Launches Supervision by Risk' Program WASHINGTON, D.C. -- Comptroller of the Currency Eugene A. Ludwig tonight announced the Comptroller's Office is expanding, enhancing and standardizing the way examiners evaluate risk in national banks. Mr. Ludwig said the Comptroller's Office has defined specific categories of risk it will use in assessing risks in bank activities and will in the future be using these risk categories as the basis for its supervision and examination. The announcement was made in a speech by Mr. Ludwig at Georgetown University's Center for Business-Government Relations. "After an extensive review of the OCC's bank supervision policies and procedures, we have come to the conclusion that we must fundamentally change the approach we have been using to supervise banks," Mr. Ludwig said. "Supervision by risk puts the focus squarely on what matters -- evaluating the quantity of risk exposure in an institution and determining the quality of the risk management systems in place to control that risk." "Supervision by risk" builds on OCC examiners' experience in incorporating risk assessment in bank supervision in recent years, Mr. Ludwig said. To achieve more comprehensive and efficient examinations of national banks, the OCC has defined nine categories of risk inherent in bank activities that will be evaluated by OCC examiners. These definitions enable OCC to treat the same risks consistently in all banks and across various products and activities, Mr. Ludwig said. In addition, the definitions clarify for bankers the kinds of risk OCC will be assessing in their institutions. The nine categories of risk are: Credit risk -- from a debtor's failure to meet the terms of any contract with the bank or otherwise fail to perform as agreed. Interest rate risk -- from movements in interest rates. Liquidity risk -- from a bank's inability to meet its obligations when they come due, without incurring unacceptable losses. Price risk -- from changes in the value of portfolios of financial instruments. Foreign exchange risk -- from movement of foreign exchange rates. Transaction risk -- from problems with service or product delivery. Compliance risk -- from violations or non-conformance with laws, rules, regulations, prescribed practices or ethical standards. Strategic risk -- from adverse business decisions or improper implementation of those decisions. Reputation risk -- from negative public opinion. Risk profiles prepared for each bank will help focus examiner attention on the most serious concerns within a bank and focus OCC resources on banks where the need is greatest. For example, Mr. Ludwig said, if a bank has significant interest rate risk exposure, the OCC may include economists and analysts on an examination team to help evaluate the bank's interest rate risk models. Examiners will determine whether a bank has identified the risks associated with particular activities and has put in place the necessary systems and controls to manage that risk. Where risk is not properly managed, the OCC will work with bank management to ensure corrective action is taken so that the bank is managed in a safe and sound manner. Mr. Ludwig said supervision by risk would help the OCC do a better job of responding to current and future risks to banks and the country's financial system. "Rather than seeing regulation as a ball and chain weighing them down, or supervision as a shackle holding them back," he said, "I want the industry to view OCC examiners as adding value to their business without imposing needless burden. Attachments: Speech by Mr. Ludwig on Supervision by Risk; risk definitions. Remarks of Eugene A. Ludwig Comptroller of the Currency Before the Georgetown University The Center for Business-Government Relations Washington, DC September 26, 1995 This evening, I'd like to talk about how the Office of the Comptroller of the Currency, the regulatory agency I head, is refocusing its primary supervisory efforts to deal more effectively with a critical public policy challenge -- the challenge of ensuring that we have a banking system that is safe, sound and vigorous in an era of dramatic change. Just think of the shifts we've witnessed on the financial services landscape over the past 20 years. We see mega-mergers and mega-banks. Today, 85 percent of banking assets are held by just 15 percent of the industry. We see new, more complex products. Derivatives held in commercial bank portfolios have a notional value of over $17 trillion. We see banks moving away from the traditional business of banking. Some banks today make virtually no loans, but rather are almost totally engaged in trading activities. We see the increasing globalization of financial markets. The foreign exchange market has evolved from a $1 billion-a-day business in 1974 to one where $1 trillion is traded daily. What a change from banking's earlier days. In those quieter times, making money in banking was often disparagingly referred to as the 3-6-3 method: Take deposits and pay 3 percent interest, make loans and charge 6 percent interest -- and be back on the golf course by 3. Well, I'd be willing to bet that few bankers get to the links by 3 these days. That's unfortunate for them, but the changes in banking we've seen to date -- and the innovations I am certain we will see in the future -- hold enormous potential for consumers and the economy. I am committed to allowing market forces to work so that consumers as well as the banking industry will see lower prices and enjoy a greater array of financial services to help them in their professional and personal lives. It is vital for this country to have a fully competitive, more efficient banking system playing an ever larger role in creating jobs and stimulating economic opportunity. At the same time, I am mindful that the Office of the Comptroller of the Currency has an important obligation to ensure that banks operate safely and soundly so that our citizens and economy do not have to bear the brunt of systemic financial problems. How to balance these competing concerns -- safety and soundness on the one hand, with a desire not to be so intrusive that we obstruct positive market forces on the other -- has been a constant focus at the OCC since I came to office two-and-a-half years ago. After an extensive review of the OCC's bank supervision policies and procedures, we have come to the conclusion that to achieve this balance -- particularly in a time of unprecedented changes in the financial services industry -- we must fundamentally change the way we supervise banks. Accordingly, we are this evening announcing a new, comprehensive bank supervision program that the OCC will be implementing over the next several months. We call this new program "supervision by risk." All of us who worked on this effort at the OCC over the last 18 months or so are convinced that this new program is a winner for everyone. It's a winner for banks because it will achieve much less burden with increased safety and soundness. It's a winner for bank customers, who stand to benefit greatly from a more efficient, stronger banking system. And it's a winner for the OCC. Our supervision will be more efficient and of more value because we will focus on what matters -- reduction of risk -- and eliminate make-work, ministerial -- often seen as nitpicking -- tasks. Supervision by risk focuses our efforts on evaluating the quantity of risk exposure in an institution and determining the quality of the risk management systems in place to control that risk. But what is so new about focusing on risk? Hasn't bank supervision always been concerned about risk? This evening, I want to address those questions. I'd like us first to look at today's environment, which essentially compels us to adopt the supervision by risk approach, and how we have reached this significant milestone in the evolution of bank supervision. Then, I plan to discuss what this approach entails and how it will work. And before opening the discussion up to questions, I'll outline briefly what this approach will mean for our agency and the banks we supervise. To appreciate why supervision by risk is the right approach for today's environment, I think it is essential to understand just how dramatically the banking environment has changed and continues to change. For most of this century, the banking business could rely on the fact that virtually every American consumer would have significant balances on deposit with a bank or thrift. Indeed, that's been the case until very recently. Banks would then recycle these funds in the most profitable way possible. For commercial banks, that primarily meant lending on a short-term basis to business customers. Moreover, the interest the bank had to pay the public to get these deposits was in essence subsidized -- that is, it was limited by federal law, Federal Reserve Board Regulation Q. In addition, most corporate borrowers had nowhere else to go for credit. Of course, all that has changed -- and then some. The Reg Q ceiling has been lifted along with the geographic barriers that had bridled competition. Every day, more and more corporate borrowers go directly to the capital markets for funding. Investment bankers, such as Goldman Sachs, Merrill Lynch, and others -- notably GE Capital -- are competing directly for credit business. Some of these nonbank firms also offer what are in essence checking accounts. Moreover, core deposits keep flooding out of banks into mutual funds every day. Today, banks hold the same amount of core deposits as they did in 1991. Meanwhile, the amount of money held in mutual funds has grown 20 fold in the last 15 years, with banks missing out on the lion's share of that growth. Help me illustrate this point. Let's see how many of you here this evening have invested money in a mutual fund? How many of you have money market accounts with a broker? In addition to these aforesaid changes brought by changes in public policy and by heightened competition, banks are being heavily affected by the evolution of information technology and the increasing internationalization of U.S. markets. I will not dwell on the former because all of us are so aware of the changes that information technology has already meant in our daily lives. However, the importance of these changes for banking cannot be overstated. Banking is, in many ways, an information business, so many advancements in the ability to move information have implications for banking. Put more concretely, how valuable is a physical bank branch -- in which a bank may have invested millions of dollars -- when customers can do their banking business at a point of sale terminal, or a telephone, or on a computer screen? Or think of it like this. Each teller transaction costs a bank $4.00. The same transaction over a telephone or computer line costs a dime. It's not surprising, then, that the American Bankers Association predicts a six-fold increase in home banking transactions by 1997. And what is a customer relationship when someone can surf the Internet to determine what the best price is on a home mortgage loan, or the best rate for a certificate of deposit? Just imagine what pressure that puts on the entire industry to change. But it's not just technology that is changing the face of banking. Over the last several decades, America has seen its markets for goods and services and its capital markets become increasingly international. Banks have had to provide customers with an expanding array of products and services that deal with this reality, and bank funding has become much more international. That brings with it greater exposure to the currency markets and foreign debt and equity markets, along with foreign credit risks. These changes have already caused profound changes in what banks do and can do profitably. In the face of heated competition and as a result of technological capabilities, many banks have expanded beyond their local markets and beyond their traditional product and service offerings . By way of illustration, banks themselves have gone into the mutual funds business. Banks have gone heavily into the consumer loan business, including, importantly, credit cards, consumer finance companies and mortgage banking. Bank home mortgage lending has doubled in the last ten years. And banks are major participants in foreign equity and debt markets -- the so-called emerging markets. These forces are causing structural changes in the industry, as we've witnessed with the wave of bank mergers in recent months. Since 1988, the number of banks has fallen nearly 25 percent. This trend will no doubt continue and may even accelerate as a result of new laws enacted last year. Moreover, it is worth noting that the precise business today's banks are focusing on is no longer the same -- with banks often pursuing markedly different strategies from their peers. Some of our country's largest banks, for example, have moved almost completely away from the view most people have of a traditional bank. At one bank in the Midwest, credit cards account for over half of their business. Another bank on the West Coast has made a calculated business decision to no longer make home mortgage loans at all -- leaving this market to a competitor. At one bank on the East Coast, less than ten percent of the assets are loans and virtually all of their revenues come from trading activities. What does all this mean for bank supervision? To answer my own rhetorical question, it means we have had to develop a supervisory system capable of dealing with new risks and different combinations of risk. Now I do not mean to say that the regulator's goal should be to eliminate risk. Over 2000 years ago, Sophocles observed that "Fortune is not on the side of the faint-hearted." Business -- particularly the financial services business -- is based on prudent risktaking. No risk, no reward. So focusing supervision on risk in no way equates to risk elimination; it is consistent with our ultimate focus on safety and soundness. Our objective has been to develop better tools to recognize the complexities of risk, monitor risk, and work with banks to control risks -- to keep risks within prudent bounds. This change of approach represents a breakthrough in bank supervision. For many decades, our supervision was primarily designed to gauge the existence and value of the assets, liabilities and capital of each national bank. Our national bank examiners sometimes called this the "count the cash" approach. In the 1970s, the OCC first began to consider a more modern approach by looking at the factors likely to promote a bank's on-going safety and soundness -- things such as management control, systems and procedures, and effective internal audit. Our examiners began to make more detailed reviews of bank policies, procedures and practices, and the specific responsibility of a bank's management and board of directors for overseeing these aspects of the business. The 1980s brought a host of new issues. Hard lessons were learned in foreign currency risk, liquidity risk and credit risk, particularly in the seemingly safe areas such as agriculture and commercial real estate. The problems of that decade also coincided with budget cutbacks across the federal government. The OCC -- along with the other federal financial regulators -- was challenged on two fronts. First, as a result of dwindling resources and the deregulatory problems of the time, the agency lost scores of seasoned examiners in the early part of the decade. As the decade progressed, attempts to hire and train new examiners were frustrated by an inability to offer competitive salaries to attract top-notch professionals -- a problem that has since been rectified for the OCC with a much-needed change in federal law. Second, our supervision -- while beginning to look at the level of risk involved in a bank's performance -- was still largely a retrospective look at how risks had been mishandled rather than a proactive assessment of what problems were coming down the pike and what should be done to manage them. We were focusing on the results of these poor practices -- treating the disease -- rather than administering preventive medicine. Looking back at the decade as a whole, the '80s underscored the value of experienced examiners and the need for those with specialized expertise. It also demonstrated that at the largest banks, there was no substitute for having our examiners work in tandem with bank management to understand and strengthen their risk management strategies. The increased bank derivatives activity of the early '90s provided our first opportunity to put an enhanced risk focus approach into practice, when we proactively apprised bank management of the liquidity and market risks these instruments pose. These experiences of the '70s, '80s and '90s set the stage for the supervision by risk philosophy that I believe is essential to banking success as we move into the 21st century. What then precisely constitutes the supervision by risk approach we are now taking? First, the approach involves using risk as the organizing principle for all our safety and soundness supervision. To do this, it was necessary for the OCC to define a common set of risks for our supervision staff to focus on, or if you will a common vocabulary of risk. We have done this. Our common risk vocabulary is based on nine categories of risk: credit risk, interest rate risk, liquidity risk, price risk, foreign exchange risk, transaction risk, compliance risk, strategic risk and reputation risk. We believe that these categories along with subcategories we have also defined comprise the full range of risks faced by virtually any financial services firm, including banks. In developing these categories we looked closely at what risk categories banks are using themselves and what risk definitions other experts in this area are using. There appears to be no universal set of risks used by everyone. Indeed, that was one of the reasons we felt compelled to come up with our own set of risks. I am comfortable that the OCC vocabulary of risks both covers the waterfront and will be compatible with what others are using. It is also worth noting that our nine risk categories, of course, are not mutually exclusive. Any product or service a bank offers may expose the institution's earnings or capital to a combination of the risks we have defined. For those of you who are interested, we have a handout that goes into more detail. I want to be clear is that we are not requiring banks to adopt our risk vocabulary or do anything particular with it. The vocabulary is for the use of our examination team. Armed with the new risk definitions, our examiners will evaluate the risks present in each national bank. After making and recording judgments regarding risk exposure and the ability of a bank to manage that exposure, the examiner will then make a summary aggregate risk judgment and determine the anticipated future direction of risk at the bank for the coming year. These data will feed into the examination strategy for each bank and allow us to focus future supervision on what we deem to be the higher risk areas within the bank, while limiting our examination of lower-risk areas that bank management is addressing effectively. This gives examiners a good guidepost of what to pay particular attention to, and they will share this information with bank management, because we believe the banks should know how and why we examine certain areas with more scrutiny than others. I want to underscore the importance of using the common lexicon of risk as a basis for examination strategies that are customized to the risks of each bank. As I noted earlier, banks are getting into different businesses that have different risks, combinations of risks and greater interconnectivity of risk. So we are in an age where a one-size-fits-all supervisory strategy fits no bank well. But tailoring supervision to the material risks found in a particular institution allows us to add maximum value with minimum waste and intrusion. A good example of how we have been able to tailor supervision by focusing on risk is found in our recent experience differentiating small and large bank supervision. Experience has taught us that supervision by risk between small banks and large banks differs markedly. In July of 1994, we rolled out the first element of this framework with our non-complex community bank procedures. In that program, we carved out a group of smaller banks that have a relatively conservative strategy and similar risk profile -- that is, the bulk of their business is in traditional lending. Consequently, we've been able to streamline their exams and increase safety and soundness by focusing on the single most important risk for this group of banks -- credit risk. If you're interested in how we examine for risk in these types of institutions, we'll be happy to send you material the agency has developed that relates to our smaller, less complex national banks. But it is the larger, more complex institutions toward which the supervision by risk approach is primarily aimed. In the upcoming months, the OCC will release the supervision by risk framework for large banks. We will issue detailed examiner guidance based on the risk vocabulary I have discussed this evening. Now, I want to stress that this will pose no new requirements on banks. It is a framework that more precisely lays out how our examiners should use the risk lexicon and the supervision by risk approach in examining larger banks. I am convinced that it will prove to be the foundation for supervision at these institutions that will both improve the quality of supervision and materially reduce burden. An additional major virtue in focusing our supervision on risk (as distinct from the traditional transactional approach or an approach based on product line) is that it encourages examiners to look at risk across the entire spectrum of a bank's activity. A bank may have a modest amount of a particular kind of risk -- say interest rate risk - in one activity. But where several activities at the bank also involve similar forms of the same risk, accumulated risk can add up to a serious problem. To use an analogy, if you are concerned about the risk of excess fat in your diet, as tempting as it might be, you are fooling yourself to say that it is okay to eat a low fat candy bar without taking into consideration all the fats contained in all the other goodies you have eaten that day. And I should note, of course, that the supervision by risk approach not only focuses on a single risk across product lines, but also focuses on all the risks within a product line. To extend the candy bar analogy, we will be looking not only at the fat content in the candy bar and other foods, we'll look at other ingredients in the candy bar -- sugar and sodium -- that materially impact overall health. So supervision by risk expands both the depth and the range of risk assessment. A third significant virtue to the supervision by risk approach is that we are reasonably confident it is a dynamic framework capable of accommodating future developments. No matter how cutting edge an institution may get in the foreseeable future, I believe the risk framework -- including the risk vocabulary -- is sufficiently comprehensive to provide for effective safety and soundness supervision for years to come. Indeed, in developing the approach, we have reviewed it in terms of products banks are currently offering as well as other financial services and have found the approach to be similarly efficacious. I also think that supervision by risk will make the examiner's job more interesting and meaningful. With a disciplined risk focus, we'll be able to do more with less -- taking the more mundane aspects out of the task of supervision and elevating the examiner's value to the banks they serve. And I'm certain we have the quality of personnel necessary to make this approach work for us, for banks and for the public. There also will be increased opportunities for those OCC examiners who are or want to become specialists in areas like interest rate risk or capital markets. In addition, we've already begun to add economists to some of our examination teams, and early returns show that banks also appreciate these new perspectives on supervision as they look for ways to develop and perfect the various modeling tools they utilize. And finally, it is worth noting that the new supervision by risk approach will provide benefits beyond the confines of supervision narrowly defined. I am hopeful that the risk focus will elevate analysis of the banking business and individual banking products, both within our office and in more general areas such as academic research. I believe it gives government a more reasoned, more helpful and less bureaucratic decision making process when acting on banking issues. For example, the litmus test of whether a banking organization ought to be in a particular business and how it can do that business should be a rigorous risk analysis, rather than history or parochial interests. Currently, too much of the debate in the banking area is diluted with comments like " we always did it that way" or "that's somebody else's turf." CONCLUSION To sum up, modern banking is indeed complex, but the risk by supervision equation is really quite simple: a risk focus plus supervisory efficiency equals less burden for banks. Less burden ... and greater benefits. Less burden ... and more refined supervision. Less burden, and a new resource in banking's age-old need to take prudent risks and manage the business of banking in the most responsible way possible. And I hope that -- with supervision by risk -- banks will change the way they view regulation and supervision. Rather than seeing regulation as a ball and chain weighing them down or supervision as a shackle holding them back, I want the industry to view OCC examination as adding value to their businesses and ensuring the safety and soundness of their individual institutions and the banking industry as a whole. We have an important mission and a rich tradition at the OCC -- one of serving the banking industry in a way that continually fosters innovation, continually insures its safety and soundness, and continually inspires public trust and confidence in their public and private institutions. Supervision by risk will enable us to continue to carry out that important purpose. # # # Categories of Risk Supervision by risk requires common and consistent definitions of risk for both bankers and examiners. To accomplish this, the OCC has defined nine categories of risk for bank supervision purposes. These risks are: Strategic, Reputation, Credit, Interest Rate, Liquidity, Price, Foreign Exchange, Transaction and Compliance. These categories are not mutually exclusive, any product or service may expose the bank to multiple risks. For analysis and discussion purposes, however, the OCC identifies and assesses the risks separately. Strategic Risk Strategic risk is the risk to earnings or capital arising from adverse business decisions or improper implementation of those decisions. This risk is a function of the compatibility between an organization's strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals, and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks and managerial capacities and capabilities. The definition of strategic risk focuses on more than an analysis of the written strategic plan. Its focus is on how plans, systems, and implementation affect the franchise value. It also incorporates how management analyzes external factors that impact the strategic direction of the company. Reputation Risk Reputation risk is the risk to earnings or capital arising from negative public opinion. This affects the institution's ability to establish new relationships or services, or continue servicing existing relationships. This risk can expose the institution to litigation, financial loss, or damage to its reputation. Reputation risk exposure is present throughout the organization and includes the responsibility to exercise an abundance of caution in dealing with its customers and community. This risk is present in such activities as asset management and agency transactions. The assessment of reputation risk recognizes the potential impact of the public's opinion on a bank's franchise value. This risk is inherent in all bank activities. Banks which actively associate their name with products and services, such as with fiduciary services, are more likely to have higher reputation risk exposure. As the bank's vulnerability to public reaction increases, its ability to offer competitive products and services may be affected. Credit Risk Credit risk is the risk to earnings or capital of an obligor's failure to meet the terms of any contract with the bank or otherwise fail to perform as agreed. Credit risk arises from all activities where success depends on counterparty, issuer, or borrower performance. It arises any time bank funds are extended, committed, invested, or otherwise exposed through actual or implied contractual agreements, whether reflected on or off the balance sheet. Credit risk is likely the most recognizable risk associated with banking. This definition, however, encompasses more than the traditional definition associated with lending activities. Credit risk implications will arise in conjunction with a broad range of bank activities, including selecting investment portfolio products, derivatives trading partners or foreign exchange counterparties. Interest Rate Risk Interest rate risk is the risk to earnings or capital arising from movements in interest rates. The economic perspective focuses on the value of the bank in today's interest rate environment and the sensitivity of that value to changes in interest rates. Interest rate risk arises from differences between the timing of rate changes and the timing of cash flows (repricing risk); from changing rate relationships among different yield curves affecting bank activities (basis risk); from changing rate relationships across the spectrum of maturities (yield curve risk); and from interest related options embedded in bank products (options risk). The evaluation of interest rate risk must consider the impact of complex, illiquid hedging strategies or products, and also the potential impact on fee income which is sensitive to changes in interest rates. In those situations where trading is separately managed this refers to structural positions and not trading portfolios. The assessment of interest rate risk should consider risk from both an accounting perspective (i.e. the affect on the bank's accrual earnings) and the economic perspective (market value of portfolio equity) of interest rate risk. Interest rate risk is sometimes captured under a broader category of market risk in some banks. In contrast to price risk, which focuses on the mark-to-market portfolios (e.g. trading accounts), interest rate risk focuses on the value implications for accrual portfolios (e.g. held-to-maturity and available-for-sale accounts). Liquidity Risk Liquidity risk is the risk to earnings or capital from a bank's inability to meet its obligations when they come due, without incurring unacceptable losses. Liquidity risk includes the inability to manage unplanned decreases or changes in funding sources. Risk also arises from the failure to recognize or address changes in market conditions that affect the ability to liquidate assets quickly and with minimal loss in value. Similar to interest rate risk, many banks capture liquidity risk under a broader category of market risk. Liquidity risk, like credit risk, is a recognizable risk associated with banking. The nature of liquidity risk, however, has changed in recent years. Increased investment alternatives for retail depositors, sophisticated off-balance sheet products with complicated cash-flow implications and a general increase in the credit sensitivity of banking customers are all examples of factors which complicate liquidity risk. Price Risk Price risk is the risk to earnings or capital arising from changes in the value of portfolios of financial instruments. This risk arises from market-making, dealing, and position-taking activities for interest rate, foreign exchange, equity and commodity markets. Many banks use the term price risk interchangeably with market risk. This is because price risk focuses on the changes in market factors (e.g. interest rates, market liquidity, volatilities, etc.) which affect the value of traded instruments. The primary accounts affected by price risk are those which are revalued for financial presentation (e.g. trading accounts for securities, derivatives, and foreign exchange products). Foreign Exchange Risk Foreign Exchange risk is the risk to earnings or capital arising from movement of foreign exchange rates. This risk refers to cross-border investing and operating activities. Market-making and position-taking in foreign currencies should be captured under price risk. Foreign exchange risk is also known as transfer risk and it is sometimes captured as a component of market risk. Foreign exchange risk arises from accrual accounts denominated in foreign currency, including loans, deposits, and equity investments (i.e. cross-border investing). Accounting conventions require quarterly revaluation of these accounts at current spot rates. This revaluation translates the foreign denominated accounts into U.S. dollar terms. Transaction Risk Transaction risk is the risk to earnings or capital arising from problems with service or product delivery. This risk is a function of internal controls, information systems, employee integrity, and operating processes. Transaction risk exists in all products and services. Transaction risk is also referred to as operating or operational risk. It is risk that arises on a daily basis in all banks as transactions are processed. It is a risk that transcends all divisions and products within a bank. Compliance Risk Compliance risk is the risk to earnings or capital arising from violations or non-conformance with laws, rules, regulations, prescribed practices, or ethical standards. The risk also arises in situations where the laws or rules governing certain bank products or activities of the bank's clients may be ambiguous or untested. Compliance risk exposes the institution to fines, civil money penalties, payment of damages, and the voiding of contracts. Compliance risk can lead to a diminished reputation, reduced franchise value, limited business opportunities, lessened expansion potential, and lack of contract enforceability. Compliance risk is often overlooked as it is blended into operational risk and transaction processing. A portion of the defined risk is sometimes referred to as legal risk. This definition is not limited solely to consumer protection laws. Compliance risk encompasses all laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of banking, traditional and nontraditional.