This is the accessible text file for GAO report number GAO-04-610 
entitled 'Small Business Administration: New Service for Lender 
Oversight Reflects Some Best Practices, but Strategy for Use Lags 
Behind' which was released on July 09, 2004.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to the Chair, Committee on Small Business and Entrepreneurship, 
U.S. Senate: 

June 2004: 

SMALL BUSINESS ADMINISTRATION: 

New Service for Lender Oversight Reflects Some Best Practices, but 
Strategy for Use Lags Behind: 

GAO-04-610: 

GAO Highlights: 

Highlights of GAO-04-610, a report to the Chair, Committee on Small 
Business and Entrepreneurship, U.S. Senate:  

Why GAO Did This Study: 

The Small Business Administration (SBA) has been challenged in the past 
in developing a lender oversight capability and a loan monitoring 
system to facilitate its oversight. While SBA has made progress in its 
lender oversight program, its past efforts to develop a loan monitoring 
system were unsuccessful. In 2003, SBA obtained loan monitoring 
services from Dun & Bradstreet. 

GAO evaluated SBA’s loan monitoring needs, how well those needs are 
met by the new service, and the similarities and differences for the 
purposes of credit risk management between SBA and private sector best 
practices.

What GAO Found: 

Largely because SBA relies on lenders to make the loans it guarantees, 
the agency needs a loan and lender monitoring capability that will 
enable it to efficiently and effectively analyze its overall portfolio 
of loans, its individual lenders, and their portfolios of loans. SBA, 
along with Dun & Bradstreet, essentially identified these same needs as 
they obtained the loan monitoring service. In addition, they identified 
the importance of applying industry standards and best practices for 
loan and lender monitoring and the need to identify high-risk lenders. 
Based on our assessment of best practices, SBA’s credit risk management 
efforts need to include a comprehensive infrastructure, appropriate 
methodologies, and policies. 

The loan monitoring service could enable SBA to conduct the type of 
monitoring and analyses typical of best practices among banks and 
recommended by financial institution regulators, if SBA develops and 
implements appropriate policies. SBA’s newly obtained service provides 
a credit risk management infrastructure and methodology that appear to 
be on par with those of many private sector lenders. For example, the 
database affords analytical capabilities based on common financial 
models that are used by major financial institutions. Although SBA 
obtained a useful service, it does not have comprehensive policies 
needed to implement best practices and address its needs as an agency 
with a public mission, especially regarding its need to use enforcement 
actions to address noncompliance. In addition, SBA does not have a 
contingency plan in the event the Dun & Bradstreet service is 
discontinued. 

SBA, similar to private lenders, must determine the level of risk it 
will tolerate, but it must do so within the context of its mission and 
its programs’ structures, which may consequently translate into 
different uses of its Dun & Bradstreet loan monitoring service. Since 
SBA is a public agency with a public mission, its mission obligations 
will drive its credit risk management policies. For example, different 
loan products in the 7(a) program have different levels of guarantees, 
and guarantees on 504 program loans have a different structure from 
7(a) guarantees. These differences influence the mix of loans in SBA’s 
portfolio and, consequently, would impact how SBA manages its credit 
risk. Furthermore, the structure of SBA’s loan guarantee programs may 
also result in different credit risk management policies between SBA 
and major lenders. Private sector lenders manage credit risk at the 
loan level and the portfolio level. Since SBA relies on private lenders 
to originate and service the majority of the loans it guarantees, it 
also needs to manage the credit risk in its portfolio at the lender 
level. 

What GAO Recommends: 

The SBA Administrator should (1) consider the applicability of best 
practices in developing policies for using the loan monitoring service, 
(2) develop enforcement policies to address noncompliance among 
lenders, (3) ensure adequate resources are devoted to developing 
policies, (4) explore using the service elsewhere in the agency, and 
(5) develop contingency plans in the event that the loan monitoring 
service contract is discontinued. 

We obtained comments on a draft of this report from SBA’s Associate 
Deputy Administrator for Capital Access. SBA generally agreed with the 
overall findings and recommendations, but stated that it should receive 
more credit for progress made.

To view the full product, including the scope and methodology, see 
www.gao.gov/cgi-bin/getrpt?GAO-04-610. For more information, contact 
William Shear at (202) 512-8678 or shearw@gao.gov.

[End of section]

Contents: 

Letter: 

Results in Brief: 

Background: 

Loan and Lender Monitoring Capability Is Necessary for SBA to Conduct 
Effective Portfolio and Lender Oversight: 

The Dun & Bradstreet Loan Monitoring Service Appears to Provide 
Appropriate Infrastructure and Methodologies, but SBA's Lack of 
Comprehensive Policies Could Hamper Effective Oversight: 

SBA's Mission and Loan Program Structure Would Affect Its Use of Credit 
Risk Management Tools: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendixes: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: SBA Data Integrity Processes for the Dun & Bradstreet RAM 
Data Mart: 

Appendix III: Comments from the Small Business Administration: 

Appendix IV: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Staff Acknowledgments: 

Tables: 

Table 1: Key Elements of a Comprehensive Credit Risk Management Program: 

Table 2: How Well Does the Service Provide SBA with Best-Practice 
Infrastructure and Methodologies?: 

Table 3: How Well Has SBA Implemented Best-Practice Policies?: 

Figure: 

Figure 1: Best-Practices Risk Management Framework: 

Abbreviations: 

ACH: automated clearinghouse: 

CDC: Certified Development Companies: 

CFO: chief financial officer: 

FCA: Farm Credit Administration: 

FEDSIM: Federal Systems Integration and Management Center Program: 

FSS: Financial Stress Score: 

GSA: General Services Administration: 

OCC: Office of the Comptroller of the Currency: 

OIG: Office of Inspector General: 

OLO: Office of Lender Oversight: 

RAM: Risk Assessment Manager: 

SBLC: Small Business Lending Corporation: 

SBPS: Small Business Predictive Score: 

SBA: Small Business Administration: 

Letter: 

June 8, 2004: 

The Honorable Olympia J. Snowe: 
Chair, Committee on Small Business and Entrepreneurship: 
United States Senate: 

Dear Madam Chair: 

In fiscal year 2003, private lenders reportedly made more than 57,000 
loans totaling almost $12 billion to small businesses through the Small 
Business Administration's (SBA) two major loan guarantee programs. 
These loans are made to businesses for operating capital and other 
purposes under SBA's 7(a) program and for fixed assets under its 504 
program. SBA guarantees varying portions of these loans, depending on 
the loan program and loan product, although the majority (75 percent) 
was approved by banks and other private financial entities under 
authority delegated by SBA. To efficiently and effectively carry out 
its mission of maintaining and strengthening the nation's economy by 
guaranteeing loans in an effort to help small businesses create jobs, 
SBA must monitor its overall portfolio of loans, its individual 
lenders, and their portfolios. At the end of fiscal year 2003, SBA's 
portfolio of business loans totaled $45 billion. Our past work 
documented that SBA has not had a successful lender monitoring program 
or a loan monitoring system. From 1998 to 2001, at a cost of $9.6 
million, SBA attempted to improve its monitoring by independently 
developing its own loan monitoring system. These efforts failed in part 
because the agency did not plan properly. And in 2003, partly based on 
congressional action to cut funding of its loan monitoring system, SBA 
awarded a contract to Dun & Bradstreet to enable the agency to better 
monitor its portfolio, its individual lenders, and their portfolios. In 
this report, we refer to the loan monitoring service provided under the 
contract with Dun & Bradstreet as "Dun & Bradstreet service" or "loan 
monitoring service." 

Due to the importance of acquiring a loan monitoring service and an 
effective set of policies for its use, you asked us to review the 
agency's acquisition and use of the new Dun & Bradstreet service. 
Specifically, you asked us to determine (1) SBA's loan portfolio 
monitoring needs, (2) how well the newly obtained Dun & Bradstreet 
service meets SBA's loan portfolio monitoring needs, and (3) the major 
differences and similarities for the purposes of credit risk management 
between SBA and private sector best practices.

To determine SBA's loan portfolio monitoring needs, we reviewed and 
analyzed agency documents, and discussed related issues with agency and 
industry officials and contractor staff. In addition we analyzed SBA's 
intended purposes for the Dun & Bradstreet service. Furthermore, we 
identified applicable industry best practices and federal guidance to 
banks for loan portfolio monitoring. To determine how well the new Dun 
& Bradstreet service meets SBA's needs, we reviewed and analyzed agency 
documents, and conducted interviews with agency officials and 
contractor staff. We also analyzed the Dun & Bradstreet deliverables 
and the capabilities of the Dun & Bradstreet service, as well as SBA's 
use and planned use of the service. To determine the major similarities 
and differences between SBA and private sector best practices for the 
purposes of credit risk management, we interviewed selected major small 
business lenders and federal banking regulators. We conducted our work 
in Washington, D.C., between August 2003 and May 2004 in accordance 
with generally accepted government auditing standards. Appendix I 
contains a full description of our objectives, scope, and methodology.

Results in Brief: 

Largely because SBA relies on lenders to make its guaranteed loans, the 
agency needs a loan and lender monitoring capability that will enable 
it to efficiently and effectively analyze various aspects of its 
overall portfolio of loans, its individual lenders, and their 
portfolios. Even though SBA did not detail specific requirements for 
its loan monitoring, in general, SBA's intended purpose, according to 
SBA officials, is to enable the agency to effectively oversee its 
portfolio and lending partners. During the acquisition of the loan 
monitoring service, SBA and its contractor, Dun & Bradstreet, 
identified more specific requirements, including application of 
monitoring and evaluation services to existing SBA loan data; 
application of industry standards and best practices for loan and 
lender monitoring; and early identification of high-risk lenders. Based 
on our assessment of best practices, for SBA to effectively monitor its 
portfolio and lending partners, it needs a loan and lender monitoring 
capability based on a credit risk[Footnote 1] management program that 
would likely include a comprehensive infrastructure, appropriate 
methodologies, and policies.

Based on our assessment of best practices, our understanding of the Dun 
& Bradstreet service, and SBA's needs, the Dun & Bradstreet service 
could enable SBA to conduct the type of monitoring and analyses typical 
of best practices among major lenders and recommended by financial 
institution regulators, if SBA develops and implements appropriate 
policies. With the Dun & Bradstreet service, SBA currently has obtained 
a credit risk management infrastructure and methodology that appear to 
be on par with those of many private sector lenders. For instance, Dun 
& Bradstreet maintains a database for SBA that provides SBA with 
analytical capabilities based on financial models widely used by major 
lenders. Although SBA obtained a useful service, it does not have 
comprehensive policies needed to implement best practices. In addition, 
as an agency with a public mission, SBA does not have policies 
directing how the service could be used as a basis for taking 
enforcement actions to address noncompliance.

SBA, similar to private lenders, must determine the level of risk it 
will tolerate but must do so within the context of its mission and its 
programs' structures, and this difference may consequently translate 
into different uses of its loan monitoring service. Since SBA is a 
public agency, its mission obligations will drive its credit risk 
management policies. For example, different loan products in the 7(a) 
program have different levels of guarantees, and guarantees on 504 
program loans have a different structure from 7(a) guarantees. These 
differences influence the mix of loans in SBA's portfolio and, 
consequently, would impact how SBA manages its credit risk. Moreover, 
the structure of SBA's loan guarantee programs may also account for 
some of the differences in credit risk management policies between SBA 
and major lenders. Private sector lenders manage credit risk at the 
loan level and the portfolio level. Since SBA relies on private lenders 
to originate and service the majority of the loans it guarantees, it 
also needs to manage the credit risk in its portfolio at the lender 
level.

This report contains five recommendations to SBA. We recommend that SBA 
consider the applicability of best practices for risk management 
addressed in this report as it develops policies for using the Dun & 
Bradstreet service. We also recommend that SBA expedite the development 
of the policies, especially as they would relate to enforcement. In 
addition, we recommend that SBA ensure that adequate resources are 
devoted to developing policies for the use of the Dun & Bradstreet 
service. We also recommend that SBA explore the potential for applying 
or expanding the capabilities of the service to SBA business processes 
and responsibilities, such as creating budget projections, in addition 
to lender oversight. Finally, we recommend that SBA develop contingency 
plans that would enable SBA's continued risk management of the 7(a) and 
504 portfolio overall, individual lenders, and their portfolios in the 
event that the Dun & Bradstreet contract is discontinued.

We obtained written comments on a draft of this report from SBA's 
Associate Deputy Administrator for Capital Access. These comments are 
discussed near the end of this report, and SBA's letter is reprinted in 
appendix III. In commenting on the draft, the Associate Deputy 
Administrator generally agreed with the overall findings and 
recommendations, especially the need to develop and fully implement 
policies for using the Dun & Bradstreet service. However, the letter 
stated that SBA should receive more credit for the progress it has 
made, especially in developing policies to implement the service. We 
believe that we have given SBA sufficient credit for the progress it 
has made, in particular for obtaining the service that provides SBA 
with best-practice infrastructure and methodologies. However, we think 
that the development of policies for use of such a service is an 
integral part of strategic planning, including planning during the time 
period before such a service is obtained.

Background: 

In pursuing its mission of aiding small businesses, SBA provides small 
businesses with access to credit, primarily by guaranteeing loans 
through its 7(a) and 504 loan programs. SBA has a total credit 
portfolio of $45 billion, the majority of which consists of 7(a) and 
504 loans.[Footnote 2] The 7(a) Loan Program is intended to serve small 
business borrowers who could not otherwise obtain credit under suitable 
terms and conditions from the private sector without an SBA guarantee. 
Under the program, SBA provides guarantees of up to 85 percent[Footnote 
3] on loans made by participating lenders--often called certified or 
preferred lenders,[Footnote 4] which are subject to program oversight 
by SBA.[Footnote 5] Loan proceeds can be used for most business 
purposes, including working capital, equipment, furniture and fixtures, 
land and buildings, leasehold improvements, and debt refinancing. The 
504 loan program provides long-term, fixed-rate financing to small 
businesses for expansion or modernization, primarily of real estate. 
The 504 financing is delivered through Certified Development Companies 
(CDC), about 270 typically preexisting private nonprofit corporations, 
established to contribute to the economic development of their 
communities.[Footnote 6] For a typical 504 loan project, at least 10 
percent of the loan proceeds are provided by the borrower, at least 50 
percent by an unguaranteed third-party lender loan, and the remainder 
by an SBA-guaranteed debenture[Footnote 7] from a CDC. Although SBA's 
7(a) and 504 loan programs serve different needs, both programs rely on 
third parties to originate loan guarantees (participating lenders for 
7(a) and CDCs for 504 loans). Because SBA guarantees up to 85 percent 
of the 7(a) loans and 40 percent of 504 loan projects, there is risk 
to SBA similar to that of a lender if the loans it makes are not 
repaid.

Loan portfolio management (monitoring) is the process by which risks 
that are inherent in the credit process (primarily credit risk) are 
managed and controlled.[Footnote 8] Current best practices emphasize an 
understanding of (1) the risk posed by each loan and (2) how the risks 
of individual loans and portfolios are interrelated. To address 
individual credit risk, best-practice lenders focus on controlling the 
quality of individual loans approved and carefully monitoring loan 
performance over time. These efforts encompass such activities as 
specifying underwriting criteria, analyzing financial data at loan 
origination, maintaining loan documentation, routinely reviewing loan 
performance, and monitoring the financial condition of the borrower. 
Managing a loan portfolio to consider portfolio concentration risks--
which can result from concentration of loans in, for example, a 
particular industry--requires a more holistic view. Here, better 
technology and information systems have opened the door to better 
management methods. Today's loan portfolio managers frequently use 
software tools to identify interrelationships among loans and rank risk 
within a portfolio. The goal is to obtain early indications of 
increasing risk. Together, these two conceptual approaches--an 
individual and an aggregate view of risk--form the foundation of modern 
loan portfolio management.

The Small Business Programs Improvement Act of 1996 required SBA to 
establish a risk management database that would provide timely and 
accurate information to identify loan underwriting, collections, 
recovery, and liquidation problems.[Footnote 9] In its fiscal year 1998 
budget request, SBA presented plans for increased reliance on lenders 
to service and liquidate defaulted small business loans. SBA planned to 
use the new database to manage its loan portfolios, identify and 
effectively mitigate risks incurred through loans guaranteed by SBA, 
implement oversight of internal and external operations, and calculate 
subsidy rates.

We reviewed SBA's plans to develop its loan monitoring system and 
reported[Footnote 10] that SBA had not undertaken the essential 
planning needed to develop the proposed system. Congress subsequently 
enacted provisions in the Small Business Reauthorization Act of 1997 
that directed the agency to complete certain necessary planning 
activities that would serve as the basis for funding the development 
and implementation of its loan monitoring system.[Footnote 11] From 
1998 to 2001, SBA's estimate for implementing the system grew from 
$17.3 million to $44.6 million. By 2001, SBA had spent $9.6 million for 
developmental activities but had never completed the mandated planning 
activities or developed a functioning loan monitoring system. We have 
periodically reported on SBA's progress in planning and developing the 
loan monitoring system since 1997.[Footnote 12] In 2001, Congress 
stopped appropriating funds for the loan monitoring system and instead 
authorized SBA to use reprogrammed funds, provided that SBA notify 
Congress in advance of SBA's use of the reprogrammed funds.[Footnote 
13] Congress also directed SBA to develop a project plan to serve as a 
basis for future funding and oversight of the loan monitoring system. 
As a result, SBA suspended the loan monitoring system development 
effort. Of the $32 million appropriated for the loan monitoring system 
effort, about $14.7 million remained[Footnote 14] and was deposited 
with the General Services Administration's (GSA) Federal Systems 
Integration and Management Center Program (FEDSIM).[Footnote 15] In 
January 2002, SBA contracted for assistance to identify alternatives 
and provide recommendations for further developing a loan monitoring 
system. As a result, SBA chartered a loan monitoring system project 
management board with overall leadership and responsibility for the 
vision, direction, and results of the loan monitoring system effort. 
This board subsequently made the decision to no longer pursue the 
development of a loan monitoring system, and in February 2003, SBA, 
through FEDSIM, prepared a task order request for loan management 
services. A contract was awarded to Dun & Bradstreet in April 2003 to 
obtain loan management services, including loan and lender monitoring 
and evaluation and risk management tools; the contract includes four 
one-year options at an average cost of approximately $2 million a 
year.[Footnote 16]

Prior to contracting for the Dun & Bradstreet loan monitoring service, 
SBA had made progress in developing its lender oversight program for 
7(a) lenders with the establishment of the Office of Lender Oversight 
(OLO)--the office within SBA that is charged with ensuring consistent 
and appropriate supervision of its lending partners, with the 
development of written guidance in the form of "Standard Operating 
Procedures" and "Loan Policy and Program Oversight Guide for Lender 
Reviews," and through conducting reviews. However, our 2002 study of 
SBA's preferred lender review process found that it involved only a 
cursory review of lenders' processes rather than a qualitative 
assessment of their decisions with regard to borrowers' 
creditworthiness and eligibility.[Footnote 17] Preferred lender 
reviews were not designed to evaluate future financial risk.

SBA's preferred lender reviews were set up as strict compliance reviews 
and were not designed to measure the lenders' future financial risk. 
Lender reviews were based on reviewers' findings using a questionnaire 
and a review checklist. Recent changes related to these reviews are 
discussed in this report. As participants in the 7(a) program, SBLCs 
are subject to the same review requirements as other 7(a) lenders, in 
addition to the required safety and soundness reviews. We have made 
recommendations calling on SBA to clarify its supervisory and 
enforcement powers over 7(a) lenders since November 2000.[Footnote 18] 
Further, CDCs are subject to the same lender reviews as those required 
of 7(a) lenders. As with SBLCs, SBA provides the only oversight 
currently required for CDCs; therefore, lender oversight for both SBLCs 
and CDCs is especially important in order for SBA to monitor the risk 
they pose to the agency. In February 2003, SBA's Office of Inspector 
General (OIG) recommended[Footnote 19] that SBA develop separate review 
procedures for the oversight of the 504 loan program and that the 
review process be both a financial and a compliance review. SBA 
responded that a redesigned approach to CDC lender reviews was under 
way.[Footnote 20]

While elements of SBA's oversight program touched on the financial risk 
posed by preferred lenders, including SBLCs, based on historical 
information, weaknesses in the program limited SBA's ability to focus 
on, and respond to, current and future financial risk to the lenders' 
portfolio. In the past, neither the lender review process nor SBA's 
off-site monitoring efforts adequately focused on the financial risk 
posed by preferred lenders to SBA. Previously, SBA used loan 
performance benchmarking and ad hoc portfolio analysis as its primary 
tools for off-site monitoring. SBA officials stated that loan 
performance benchmarks are based on financial risk and serve as a 
measure to address a lender's potential risk to the SBA portfolio.

Loan and Lender Monitoring Capability Is Necessary for SBA to Conduct 
Effective Portfolio and Lender Oversight: 

As SBA's reliance on lenders to originate 7(a) and 504 loans has grown, 
so has SBA's need for an effective method to monitor its portfolio and 
its individual lenders' performances. A credit risk loan and lender 
monitoring system--based on industry best practices for infrastructure, 
methodologies, and policies--would be an effective way to address 
credit risk in the SBA portfolio and to facilitate the oversight of 
SBA's lending partners. Although SBA has not articulated its specific 
information and analytical requirements needed to monitor credit risk, 
it has over several years developed some general requirements for its 
loan monitoring needs. Based on our assessment of best practices and 
our understanding of SBA's oversight and programmatic responsibilities, 
SBA needs a credit risk loan and lender monitoring service that will 
enable the agency to efficiently and effectively analyze various 
aspects of its overall portfolio, its individual lenders, and their 
portfolios. Although specific credit risk management practices may 
differ among banks, depending on the nature and complexity of their 
credit activities, a bank's credit risk management program will likely 
include a comprehensive infrastructure, appropriate methodologies, and 
policies.

Continued Efforts within SBA Have Yielded General Requirements for Its 
Loan Monitoring Needs: 

Although SBA recognized the need for a credit risk loan and lender 
monitoring system and tried for years to build a system, SBA did not 
specify the information and analytical requirements to meet its needs. 
In its request for proposals to obtain loan management services, SBA 
officials stated that they did not include a needs assessment because 
they did not want to dictate the solution to be provided but to have 
vendors bring innovative risk management solutions to SBA. However, SBA 
reported in its fiscal year 2003-2008 strategic plan that, in general, 
it planned to allocate resources for a loan monitoring capability to 
provide effective oversight of its portfolio, its lending partners, and 
their portfolios in its 7(a) and 504 loan programs. In April 2003, SBA 
contracted with Dun & Bradstreet, which worked in conjunction with Fair 
Isaac, to obtain such services. In the interim, SBA collaborated with 
Dun & Bradstreet to identify more specific requirements. According to 
the statement of work prepared by FEDSIM, SBA wanted a loan monitoring 
capability that would apply monitoring and evaluation services to 
existing loan data, apply industry standards and best practices for 
loan and lender monitoring, and enable SBA to identify high-risk 
lenders. These requirements applied to both the 7(a) loan program and 
the 504 loan program.

SBA's Loan Monitoring Capability Should Be Based on Industry Best 
Practices for Infrastructure, Methodologies, and Policies: 

Based on our analysis of guidance published by financial 
regulators[Footnote 21] and on interviews with risk management 
professionals, it would be appropriate for SBA's loan monitoring 
capability to be based on best practices for infrastructure, 
methodologies, and policies. Figure 1 illustrates this concept. The 
Office of the Comptroller of the Currency (OCC), the federal regulator 
of national banks, requires regulated lenders to practice basic loan 
portfolio monitoring/risk management. However, OCC notes that the 
sophistication of an institution's risk management policies and 
processes will depend on the size of the institution, the complexity of 
its portfolio, and the types of credit risks it has assumed. 
Accordingly, no single credit risk rating system is ideal for every 
bank. In practice, a bank's risk rating system should reflect the 
complexity of its lending activities and the overall level of risk 
involved.

Figure 1: Best-Practices Risk Management Framework: 

[See PDF for image] 

[End of figure] 

Despite customization of risk management systems, financial regulators 
and practitioners we spoke with are in general agreement about the 
characteristics associated with effective credit risk management. 
Similar to private lenders that focus on individual loans and their 
overall portfolio, SBA must monitor its overall portfolio, its 
individual lenders, and their portfolios. As such, it is important for 
SBA to have an effective monitoring capability based on best-practice 
infrastructure, methodologies, and policies.

Infrastructure: 

The infrastructure comprises the elements within an effective 
monitoring system that make the methodologies and policies work. 
Financial regulators report that an infrastructure based on best 
practices will consist of skilled personnel who are well-trained and 
properly motivated with the ability to make professional judgments 
based on complex analytical data; strong management information systems 
that provide accurate, timely, complete, consistent, and relevant 
information; and functioning internal controls related to data 
quality.[Footnote 22] SBA has been especially challenged, and did not 
succeed, in creating a loan monitoring management information system on 
its own.

Methodologies: 

Best-practice methodologies refer to the application of analytic models 
to measure credit risk. Financial institution regulators agree that 
internal risk rating systems are becoming increasingly important in 
credit risk management at large banks in the United States and are an 
essential ingredient in effective credit risk management.[Footnote 23] 
They also agree that methodologies based on best practices will consist 
of the following elements: 

* sound statistical and financial modeling assumptions;

* scenario approaches such as (1) back testing to see if the models' 
projected default probabilities or expected loss rates are largely 
confirmed by experience and (2) stress testing to see how loan 
performance is affected by changes in one or more financial, 
structural, or economic variables; and

* concentration management techniques.

Policies: 

Policies based on best practices will consist of the establishment of a 
risk management function consistent with the nature, size, and 
complexity of the portfolio. According to financial regulators and 
practitioners, successful risk management functions work under the 
guidance of a clear credit strategy and risk profile (i.e., an 
institution's tolerance for risk) established by senior management. 
Policies and procedures also help staff apply the institution's credit 
strategy in a consistent manner to help ensure that management's risk 
profile objectives are met. Standard management reporting--such as 
various forms of segmentation (i.e., various data analyses based on 
variables such as geography, industry, and loan type), trend, and 
purchase/default rate analyses--is one such element within the policy 
framework, which facilitates compliance with management's objective of 
a clear and transparent credit strategy and risk profile. Risk 
management professionals we talked with meet frequently, often weekly 
or monthly, in order to review these standard management reports and to 
discuss their action plans. Further, policies should be in place to 
ensure risk management information systems are continuously updated in 
an ever-changing business environment and internal controls are 
enforced to ensure that exceptions to policies and procedures are 
reported and handled appropriately in a timely manner.

Together, infrastructure, methodologies, and policies form the 
foundation of a best-practices risk management framework, as 
illustrated in figure 1. The sophistication of the individual framework 
components varies and is correlated with the complexity and risk 
profile of the portfolio. The goal is to understand and manage credit 
risk such that a reasonable risk-adjusted profit is generated, or in 
SBA's case, to ensure compliance with its program goals while staying 
within its congressionally approved budget. Table 1 describes these 
credit risk management best practices in more detail.

Table 1: Key Elements of a Comprehensive Credit Risk Management 
Program: 

Infrastructure: Human capital/quality staff; A well-trained and 
properly motivated staff is central to effective credit risk 
management. Judgment is an important factor in best-practices risk 
management because not all decisions can be derived solely from 
complex analytical approaches.

Infrastructure: Strong management information systems; The 
effectiveness of the bank's risk management efforts heavily depends on 
the quality of its management information systems. Systems supporting 
risk management should provide accurate, timely, complete, consistent, 
and relevant information. Many of the advancements in modern loan 
portfolio management are the direct result of the more robust 
information systems available today.

Infrastructure: Data quality/systems maintenance; Routine quality 
control and reconciliation processes are fundamental to ensuring 
accurate data. Risk management data and information technology tools 
should be maintained. In addition, such tools must be upgraded as 
needed. The best technology can be next to worthless if the data are 
not accurate.

Methodologies: Sound statistical and financial models; Models used to 
identify and measure credit risk need to be appropriate and 
conceptually sound.

Methodologies: Back testing; Models used to identify and measure credit 
risk should be empirically validated. Back testing, or validation 
analysis, shows that projected default probabilities or expected loss 
rates, per the models, are largely confirmed by experience--that the 
models are accurately anticipating outcomes.

Methodologies: Stress testing; Stress testing is the process by which 
a lender alters assumptions about one or more financial, structural, 
or economic variables to determine the potential effect on the 
performance of the loan.

Methodologies: Techniques for managing concentrations of risk; 
Portfolio management tools can set exposure limits or ceilings on 
selected concentrations.

Policies: Establishment of a risk management function; Financial 
institutions must have in place a system for monitoring the overall 
composition and quality of their credit portfolio. This system should 
be consistent with the nature, size, and complexity of the 
institution's portfolio. Independence from the loan origination 
function, commitment from top management, and clear enforcement 
authority are characteristics typically associated with successful risk 
management functions.

Policies: Active senior management involvement; Senior leadership 
should have responsibility for establishing, implementing, and 
periodically reviewing the credit risk strategy and significant credit 
risk policies of the institution. These efforts will drive a lender's 
credit culture. A lender's credit culture is the sum of its credit 
values, beliefs, and behaviors. The culture, risk profile, and credit 
practices of a bank should be linked. Our interviewing revealed 
frequent reporting to senior management by the risk management 
function and, in selected instances, direct participation from senior 
leadership in the risk management function.

Policies: Clear credit strategy and risk profile; Best-practices risk 
management groups operate under the guidance of clear credit strategies 
and risk profiles. These policies are established by senior management 
and should reflect the institution's tolerance for risk and expected 
financial performance. The risk profile evolves from the credit 
culture, strategic planning, and day-to-day activities of making and 
collecting loans.

Policies: Internal risk rating process; An internal risk rating system 
represents an effort to identify, measure, and rank credit risk. Credit 
scoring is a statistical process frequently used to support an internal 
risk rating system. Per OCC, identifying and rating credit risk is a 
core credit risk management practice.

Policies: Standardized reporting; Best-practices risk management 
functions generate timely and relevant standardized management 
reporting. Specific reporting frequently mentioned by practitioners 
includes: various forms of segmentation analysis, trend analysis, 
purchase/default rate analysis, exception reporting, risk rating 
reviews, and analysis of portfolio similarities and interrelationships.

Policies: Frequent and routine portfolio reviews; Best-practices risk 
management professionals meet frequently and routinely with internal 
stakeholders to analyze and review standardized portfolio reporting 
packages and the significant credit policies of the institution.

Policies: Compliance with internal policies/control functions; 
Institutions must ensure that the credit granting function is being 
properly managed and that credit exposures are within levels consistent 
with prudential standards and internal limits. Institutions should 
establish and enforce internal controls and other practices to ensure 
that exceptions to policies and procedures are reported and handled 
appropriately in a timely manner.

Policies: Completeness; All credit exposure should be rated/considered 
by the risk management function.

Policies: Continuous improvement; This refers to efforts to upgrade 
and enhance risk management information systems, policies, and 
practices as appropriate, to accommodate an ever-changing business 
environment. 

Source: GAO analysis of industry publications and interviews with 
industry officials.

Notes: This is not an exhaustive list of best-practice characteristics 
because there is significant variability among the risk management 
systems of private sector lenders.

Sources included relevant sections of the Office of the Comptroller of 
the Currency's Comptroller's Handbook on Loan Portfolio Management 
(April 1998) and Rating Credit Risk (April 2001); OCC Director's 
Handbook; Michel Crouhy, Dan Galai, and Robert Mark, Risk Management: 
Comprehensive Chapters on Market, Credit, and Operational Risk, 1st ed. 
(New York, New York: McGraw Hill, 2001); Basel Committee, Principles 
for the Management of Credit Risk, and Credit Risk Modeling: Current 
Practices and Applications; William F. Treacy and Mark S. Carey, 
"Credit Risk Rating at Large U.S. Banks," Federal Reserve Bulletin 
(November 1998); and interviews with select major lenders' officials 
and federal regulator bank examiners.

[End of table]

The Dun & Bradstreet Loan Monitoring Service Appears to Provide 
Appropriate Infrastructure and Methodologies, but SBA's Lack of 
Comprehensive Policies Could Hamper Effective Oversight: 

Combined with appropriate SBA policies, the Dun & Bradstreet service 
could enable the agency to conduct the type of monitoring and analyses 
typical among major lenders and recommended by financial regulators. 
SBA now has access to a risk management infrastructure and methodology 
that appear to have characteristics similar to those of many private 
sector lenders, including a functioning Web-accessible "data 
mart"[Footnote 24] that will provide the agency with the information 
necessary to manage its loan portfolio. Furthermore, the Dun & 
Bradstreet service provides SBA with an independent risk management 
team of contractor staff dedicated to managing the service and 
associated portfolio analysis. Although SBA has obtained a useful 
service, it does not yet have comprehensive policies on par with 
industry best practices to support the loan monitoring service. SBA has 
implemented certain key elements, such as an internal risk rating 
system, but it has not yet adopted other critical policy-related best 
practices. The policies, for example, should set explicit risk limits 
and steps to take when the limits are violated.

The Dun & Bradstreet Service Appears to Provide an Infrastructure and 
Methodology on Par with Best Practices: 

The loan monitoring service SBA obtained under contract from Dun & 
Bradstreet includes an infrastructure that appears to be on par with 
best practices, including a strong management information system, 
quality data, and human capital. The comprehensive data mart hosted by 
Dun & Bradstreet, referred to as RAM (Risk Assessment Manager), is a 
password-protected, Web-accessible data mart that SBA staff can query 
at any time. The sources for the RAM data are SBA's 7(a) and 504 
databases, Dun & Bradstreet corporate information, and commercial 
scoring data (e.g., Small Business Predictive Score (SBPS) and 
Financial Stress Score (FSS)).[Footnote 25] Each month, SBA staff 
electronically send Dun & Bradstreet updated loan data files. After Dun 
& Bradstreet staff process the SBA loan data, they add the corporate 
and scoring data, which are updated quarterly.

Ensuring the integrity of data used in the RAM is critical to the value 
of the loan monitoring service and is considered a best practice. 
Routine quality control and reconciliation processes are fundamental to 
ensuring data integrity. We analyzed the processes SBA, Dun & 
Bradstreet, and Fair Isaac have to manage the integrity of data 
associated with the service. We found through our own testing and other 
analyses that SBA's controls to ensure the integrity of both the 7(a) 
and the 504 program data appear reasonable, as a whole, to ensure that 
misstatements or inaccuracies are detected and corrected on a timely 
basis. These controls were adequate to help ensure the quality of the 
underlying SBA data used in the data mart. Although we did not test the 
Dun & Bradstreet and Fair Isaac's processes for data quality, we 
reviewed their established procedures for data integrity and found them 
generally reasonable. Appendix II contains a full discussion of our 
review of data integrity.

There are several contractor staff that manage and assist SBA staff 
with using the loan monitoring service. SBA has a risk management team 
within the Office of Lender Oversight (OLO) dedicated to managing the 
Dun & Bradstreet contract as part of its lender oversight 
responsibilities. Furthermore, SBA can contact Dun & Bradstreet staff 
to fulfill ad hoc analysis requests and for consultation regarding best 
practices. The Dun & Bradstreet staff also provide SBA with monthly 
status reports about the progress of their obligations under the 
contract and current trends in best practices related to the small 
business lending industry.

Similar to the loan monitoring service infrastructure, the associated 
methodology appears to be consistent with private sector best practices 
since it appears to be based on sound financial models. The financial 
models used to score the loans and lenders are based on data managed by 
Dun & Bradstreet and commercial-off-the-shelf risk scoring models 
developed by Fair Isaac. Dun & Bradstreet has over 160 years of data 
management experience, including current relationships with over 90 
percent of the top 1,000 companies worldwide, whereas Fair Isaac has 
over 50 years of experience as the leading provider of financial 
services analytics. Fair Isaac's suite of solutions is used by 22 of 
the top 25 U.S. small business lenders. Fair Isaac conducts statistical 
analysis on its products, including stress testing during its model 
development.

In addition to using the widely used statistical and financial models, 
Dun & Bradstreet and Fair Isaac conduct continuous process improvement 
through back testing to ensure that the models are working correctly 
for SBA. The modeling and SBPS and FSS scores undergo evaluation on a 
regular basis, including analyses to determine whether the models 
predict outcomes in a stable manner as the population of loans changes 
(called population stability) and loan characteristics change (called 
character analysis). These analyses and reports can help determine when 
the models require redevelopment to maintain accurate predictive risk 
information. Since SBA is solely dependent on the Dun & Bradstreet 
service to provide it with infrastructure and methodologies 
consistent with best practices, without the service it is unlikely, at 
this time, that SBA would be able to continue the same level of risk 
management of its overall portfolio, its individual lenders, and their 
portfolios.

SBA Does Not Have Comprehensive Policies for Its New Loan Monitoring 
Capability on Par with Industry Best Practices: 

Contrary to best practices, SBA has not fully developed or implemented 
comprehensive loan monitoring-related policies and procedures to 
improve its lender oversight. However, SBA has implemented certain key 
elements of policy-related best practices. For instance, SBA 
established a risk management function when it created the Office of 
Lender Oversight in 1999. In addition, SBA officials have implemented 
an internal risk rating process (i.e., lender rankings) and receive 
standard quarterly reports, or tools, provided by Dun & Bradstreet. 
According to SBA's own broad time line for developing policy related to 
the new loan monitoring capability, while some key oversight standard 
operating procedures are scheduled to be completed by September 2004, 
its policies will remain incomplete until at least April 30, 2005, 
about 1.5 years after Dun & Bradstreet began providing its service to 
SBA in September 2003. Comprehensive policies based on best practices 
would enable the agency to effectively carry out its public mission, 
especially regarding its need to address any findings of noncompliance 
with enforcement actions.

SBA has, through the Dun & Bradstreet service, an internal risk rating 
process that includes lender rankings and associated risk scoring. Dun 
& Bradstreet ranks SBA lenders each quarter based on their risk level. 
To do this, Dun & Bradstreet consolidates each lender's loans and then 
scores, or quantifies, the risk by calculating the projected purchase 
rate (i.e., the price SBA pays a lender for a loan when a borrower 
defaults on the loan and SBA determines the lender has complied with 
the loan program requirements) for each loan portfolio against the 
total SBA dollars at risk.[Footnote 26] Subsequently, Dun & Bradstreet 
staff rank lenders for review based on their score. On September 30, 
2003, Dun & Bradstreet provided OLO with the first round of lender 
rankings.

Dun & Bradstreet staff also provide SBA with standard lender 
performance reports each quarter. These reports are based on profiles 
Dun & Bradstreet staff develop of each loan and lender portfolio. These 
include high-level profiling, such as demographic profiles and 
segmentation profiling and analysis.[Footnote 27] The lender-level 
profiling also includes aggregating each loan portfolio into lender 
portfolios and comparing lenders based on high-level performance 
analysis and reporting. The variables used to do this include dollar 
value of loans, distribution of 90-plus days past due by SBPS, average 
SBPS, and dollars at risk.

However, SBA falls short on other key elements of policy-related best 
practices. Best practices dictate the need for a clear and transparent 
understanding of how a risk management service and the tools it 
provides will be used. Comprehensive policies are fundamental to 
developing and implementing a shared understanding of tools associated 
with the Dun & Bradstreet service. Best practices state that agency 
stakeholders should meet frequently and routinely to review the loan 
portfolios and the resulting analyses, and discussion should occur 
within the context of the comprehensive policies, notably the 
institution's credit strategy and risk profile. According to 
major-lender officials, internal stakeholders (companywide) meet at least 
once a month to analyze and review the standard management reporting 
packages to understand the major trends within the portfolio and 
identify possible policies that need to be revised or adopted to ensure 
they are consistent with the credit strategy and risk profile. At SBA, 
according to OLO officials, agencywide stakeholders meet periodically 
to discuss overall portfolio performance trends. These portfolio 
reviews, often occurring monthly, incorporate the quarterly Dun & 
Bradstreet reports, and according to SBA officials, additional internal 
SBA management reporting in their discussions. This process of meeting 
routinely to review standardized reporting is consistent with 
major-lender best practices, although SBA's lack of a clear credit strategy 
and risk profile may impact the efficacy of this portfolio review 
process.

Additionally, SBA states in its fiscal year 2005 Performance Plan that 
it will continue to use and enhance its new loan monitoring capability 
to improve financial accountability and management, to improve the 
content of and processes involving the agency's financial statements, 
and the subsidy models used for estimating the cost of SBA's loan 
programs. Although selected offices within the agency currently receive 
monthly portfolio management reporting and analytics, including 
quarterly Dun & Bradstreet reports, stakeholders agencywide do not yet 
routinely use Dun & Bradstreet reports to support their mission 
activities. For example, the Chief Financial Officer's (CFO) office, 
which is one of the offices that does not routinely use these reports, 
may benefit from the data and analytic capabilities provided by the Dun 
& Bradstreet service in fulfilling its budget and financial management 
responsibilities. In addition, other offices might use performance 
reports to better inform SBA district office staff about specific 
lender activity in order to enhance their outreach efforts to both 
businesses and lenders and their technical support services to 
businesses. For example, performance reports could be used to monitor 
lending to special groups of eligible small businesses like veterans, 
Native Americans, women, and disadvantaged businesses.

Although SBA recognizes that it needs to revise its lender review 
process, it has yet to fully implement a review process that enables it 
to ensure that its lending partners are complying with agency 
regulations and policies and that it has found any prospective 
financial risks. In 2003, the agency planned to begin conducting new 
strategic on-site operational reviews with those lenders whose risk 
profiles indicate a high level of financial risk to the agency. SBA 
reviewers intend to assess a lender's SBA origination, servicing, and 
liquidation practices. These risk-based reviews should provide the SBA 
with better information to both improve lender loan management 
processes and SBA loan programs, as well as develop useful information 
regarding lender and portfolio risk. In a related effort, the agency 
performance plan has a goal to expand its safety and soundness 
examinations of certain state-chartered nondepository financial 
entities. SBA officials stated that there are only a small number of 
these entities making 7(a) loans and that these entities are currently 
overseen by state regulators. The SBA Administrator testified in 
February 2004 that the new loan monitoring capability, coupled with a 
redesigned lender review process, would result in a risk-based approach 
to oversight, providing the agency with more meaningful information 
about SBA's lenders.[Footnote 28] According to the Administrator's 
testimony, the approach would also be more streamlined and efficient, 
allowing SBA to better deploy resources in areas where the agency has 
the most exposure, while being less intrusive to the lenders. Pilot 
testing of the new review process began in May 2003.

Tables 2 and 3 compare SBA's credit risk management capability to key 
elements of best practices. SBA relied solely on Dun & Bradstreet to 
provide the infrastructure and methodologies consistent with best 
practices. The service, which is owned and operated by Dun & 
Bradstreet, provides SBA with many key best-practice elements, 
including a strong management information system based on apparently 
sound statistical and financial models. Although the Dun & Bradstreet 
service is consistent with key elements of best practices associated 
with infrastructure and methodologies, without contingency plans SBA 
would not have the capability on its own to duplicate the loan 
monitoring service. SBA officials shared general ideas about what they 
might be able to do without the Dun & Bradstreet service, but they have 
no specific contingency plans. Moreover, while SBA has incorporated 
selected best-practice policies, such as a functioning internal risk 
rating system and more frequent and relevant standardized risk 
management reporting, the agency has yet to develop a clear credit 
strategy and risk profile for its credit portfolio or to define 
enforcement actions against its lenders in cases of noncompliance.

Table 2: How Well Does the Service Provide SBA with Best-Practice 
Infrastructure and Methodologies?[A]: 

Infrastructure: Human capital/quality staff; 
Significant progress: Yes; 
Limited progress: No.

Infrastructure: Strong management information systems; 
Significant progress: Yes; 
Limited progress: No.

Infrastructure: Data quality/systems maintenance; 
Significant progress: Yes; 
Limited progress: No.

Methodologies: Sound statistical and financial models; 
Significant progress: Yes; 
Limited progress: No.

Methodologies: Back testing; 
Significant progress: Yes; 
Limited progress: No.

Methodologies: Stress testing; 
Significant progress: Yes; 
Limited progress: No.

Methodologies: Concentration management techniques[B]; 
Significant progress: No; 
Limited progress: Yes. 

Source: GAO analysis of industry publications and interviews with 
industry officials.

Note: Sources included relevant sections of the Office of the 
Comptroller of the Currency's Comptroller's Handbook on Loan Portfolio 
Management (April 1998) and Rating Credit Risk (April 2001); OCC 
Director's Handbook; Michel Crouhy, Dan Galai, and Robert Mark, Risk 
Management: Comprehensive Chapters on Market, Credit, and Operational 
Risk, 1st ed. (New York, New York: McGraw Hill, 2001); Basel Committee, 
Principles for the Management of Credit Risk, and Credit Risk Modeling: 
Current Practices and Applications; William F. Treacy and Mark S. 
Carey, "Credit Risk Rating at Large U.S. Banks," Federal Reserve 
Bulletin (November 1998); and interviews with select major lenders' 
officials and federal regulator bank examiners.

[A] The infrastructure and methodologies are provided by Dun & 
Bradstreet and Fair Isaac. Our designation of significant progress is 
based on a continuation of SBA's contract with Dun & Bradstreet. While 
SBA now has implemented certain key elements of a risk management 
function, significant improvements in selected "significant progress" 
categories may be appropriate.

[B] Techniques for managing concentrations of risk include setting 
exposure limits or ceilings on concentrations.

[End of table]

Table 3: How Well Has SBA Implemented Best-Practice Policies?

Policies: Establishment of a risk management function; 
Significant progress: Yes; 
Limited progress: No.

Policies: Active senior management involvement; 
Significant progress: Yes; 
Limited progress: No.

Policies: Clear credit strategy and risk profile; 
Significant progress: No; 
Limited progress: Yes.

Policies: Internal risk rating process; 
Significant progress: Yes; 
Limited progress: No.

Policies: Standardized reporting[A]; 
Significant progress: Yes; 
Limited progress: No.

Policies: Frequent and routine portfolio reviews; 
Significant progress: No; 
Limited progress: Yes.

Policies: Compliance with internal policies/control functions; 
Significant progress: No; 
Limited progress: Yes.

Policies: Completeness; 
Significant progress: No; 
Limited progress: Yes.

Policies: Continuous improvement; 
Significant progress: No; 
Limited progress: Yes. 

Source: GAO analysis of industry publications and interviews with 
industry officials.

Note: Sources included relevant sections of the Office of the 
Comptroller of the Currency's Comptroller's Handbook on Loan Portfolio 
Management (April 1998) and Rating Credit Risk (April 2001); OCC 
Director's Handbook; Michel Crouhy, Dan Galai, and Robert Mark, Risk 
Management: Comprehensive Chapters on Market, Credit, and Operational 
Risk, 1st ed. (New York, New York: McGraw Hill, 2001); Basel Committee, 
Principles for the Management of Credit Risk, and Credit Risk Modeling: 
Current Practices and Applications; William F. Treacy and Mark S. 
Carey, "Credit Risk Rating at Large U.S. Banks," Federal Reserve 
Bulletin (November 1998); and interviews with select major lenders' 
officials and federal regulator bank examiners.

[A] Standardized reporting is frequent, typically monthly, management 
reporting that is reviewed and discussed companywide, or in SBA's case 
would be discussed by senior office heads. Further, these reports could 
be used to identify portfolio trends and identify possible policy 
revisions. These reports support the credit strategy of the financial 
entity.

[End of table]

SBA's Mission and Loan Program Structure Would Affect Its Use of Credit 
Risk Management Tools: 

SBA, similar to private lenders, must determine the level of risk it 
will tolerate but do so within the context of the public purposes of 
its loan guarantee programs, their budget constraints, and their 
structures. Nevertheless, many private sector risk management best 
practices are relevant to SBA.

SBA's Mission and Loan Guarantee Program Structure Would Affect How SBA 
Uses the New Loan Monitoring Capability: 

Although SBA, similar to private lenders, must determine the level of 
risks it will tolerate in the loans it guarantees, its mission 
obligations will drive its credit risk management policies. For 
example, different loan products in the 7(a) program have different 
levels of guarantees, and guarantees on 504 program loans have a 
different structure from 7(a) guarantees. These differences influence 
the mix of loans in SBA's portfolio and, consequently, would impact how 
SBA manages its credit risk. Accordingly, SBA may require policies and 
management reporting that are different from what lenders require. For 
example, while lenders manage credit risk by determining which loans to 
make and the mix of loans made, SBA, as a federal agency and advocate 
for small business, may not be able to manage its risk in the same 
ways. SBA's exclusion of, or imposition of, concentration limits on 
selected loan sectors based on risk limits could conflict with 
congressional, public, or industry interpretations of its mission 
obligations. Similarly, changing underwriting standards for certain 
classes of loans could be difficult to implement because it would 
compel its lending partners to change their underwriting criteria as 
needed due to economic conditions. Additionally, SBA may permit its 
lenders to offer greater forbearance (e.g., time to repay the loan) 
than private lenders would in the absence of an SBA guarantee. Also, 
SBA could offer assistance, such as counseling and technical help, to 
struggling borrowers through its partnerships with private entities. 
These kinds of broad, mission-related issues may influence the policies 
and business practices governing SBA's use of the Dun & Bradstreet loan 
monitoring service and related tools.

The structures of SBA's loan guarantee programs may also account for 
some of the differences in risk management policies and practices 
between SBA and major lenders. This lender-level emphasis contrasts 
with how major private sector lenders manage credit risk, which is at 
the loan level. Because SBA relies on private lenders to originate and 
service the majority of the loans it guarantees, SBA is primarily 
managing the credit risk in its portfolio at the lender level. As a 
result, much of the agency's risk rating processes and management 
reporting--while conceptually similar to the processes associated with 
loan-level analysis--focuses on lenders, or a lender's portfolio of 
loans. Here, the Dun & Bradstreet loan monitoring service supports 
lender oversight functions, such as SBLC examinations. These lender 
oversight responsibilities, and the associated interest in lender risk, 
contrast with how SBA, compared with private lenders, might use its 
risk management tools.

Conclusions: 

In acquiring the loan monitoring service under contract with outside 
experts, SBA has taken an important step that should help it meet the 
needs it identified for monitoring its lending partners, and their 
portfolios, and in managing the risk inherent in its $45 billion loan 
portfolio. The service provided by Dun & Bradstreet reflects many best 
practices, particularly those related to infrastructure and 
methodology, and can facilitate a new level of sophistication in SBA's 
oversight efforts. It will afford SBA a means to obtain various 
measures of financial risk posed by its lending partners and the 
opportunities to analyze loans and lending patterns efficiently and 
effectively. These functions are important to managing risk and to 
strengthening both SBA's on-site reviews and off-site monitoring of its 
lending partners--functions of the Office of Lender Oversight (OLO). In 
addition, the Dun & Bradstreet service, its related tools, and its 
potential for developing other tools could aid SBA offices with other 
responsibilities. These include certifying preferred lenders, 
identifying lenders against which enforcement actions might be taken, 
ensuring that its lending programs are providing credit to special 
groups of eligible small businesses (veterans, disadvantaged 
businesses, etc.), and estimating the cost of its loan programs. 
However, the potential benefits of the service, for OLO and other 
offices, cannot be realized without comprehensive policies that reflect 
best practices appropriate to SBA's responsibilities to guide the use 
of the loan monitoring service. SBA's time line for developing such 
policies stretches into 2005, more than a year and a half after the 
contractor delivered the capability to SBA. Moreover, SBA officials 
have not yet begun to explore the potential uses of the service for 
purposes other than lender oversight and portfolio monitoring, such as 
creating budget projections for its loan programs. Notably, SBA's 
continued risk management capability is solely contingent on the 
continuation of the Dun & Bradstreet contract. In the event that the 
Dun & Bradstreet contract is discontinued, SBA would not have the 
capability on its own to duplicate the loan monitoring service provided 
by Dun & Bradstreet.

Recommendations for Executive Action: 

We are making five recommendations to the SBA Administrator. First, we 
recommend that in developing policies for the use of the Dun & 
Bradstreet loan monitoring service, SBA consider the applicability of 
best practices, including specific policy elements identified in this 
report. Practices that should be considered include plans for 
continuous improvement in the service and its tools, frequent and 
routine portfolio reviews, and active involvement of senior SBA 
managers in reviewing the use of output.

Second, the Administrator should expedite the development of policies 
for taking enforcement actions against all lending partners to address 
noncompliance issues identified through the loan monitoring service and 
to address safety and soundness issues among SBLCs and CDCs, for whom 
SBA is the only regulator. We have made recommendations calling on SBA 
to clarify its supervisory and enforcement powers since November 2000. 
Although SBA has taken some incremental planning steps to address the 
issue, its current time line estimates finalizing enforcement 
regulations in April 2005.

Third, ensure that resources within SBA are devoted to developing 
policies for the use of the loan monitoring service, so that the 
overall time line for completion--April 2005--is met.

Fourth, establish an agencywide task force to explore the potential for 
applying the capabilities of the Dun & Bradstreet service to SBA 
business processes and responsibilities other than lender oversight, 
such as overall portfolio risk management or budget projections. 
Programmatic offices and the Office of the Chief Financial Officer 
should be included.

Fifth, develop contingency plans that would enable SBA's continued risk 
management of the 7(a) and 504 portfolio overall, individual lenders, 
and their portfolios in the event that the Dun & Bradstreet contract is 
discontinued.

Agency Comments and Our Evaluation: 

We requested SBA's comments on a draft of this report. The Associate 
Deputy Administrator for Capital Access provided written comments that 
are presented in appendix III. The Associate Deputy Administrator 
generally agreed with the overall findings and recommendations, 
especially the need to develop and fully implement policies for using 
the Dun & Bradstreet service. However, the letter stated that SBA 
should receive more credit for the progress it has made in developing 
these policies.

In contrast to SBA's Associate Deputy Administrator, we think that we 
have given SBA sufficient credit for its progress. In particular, we 
give credit for obtaining the service, and we documented the 
significant progress made in how the service provides SBA with best-
practice infrastructure and methodologies. However, SBA has not 
detailed how it has devoted resources to the development of needed 
policies. In addition, based on our analysis, it appears that SBA has 
not taken actions that are important to successfully develop needed 
policies. The Associate Deputy Administrator stated, "The development 
of policies is progressing logically following the acquisition of the 
loan and lender monitoring services." In contrast, we think that the 
development of policies for using such a service is an integral part of 
strategic planning, including planning during the time period before 
such a service is obtained. In our view, SBA could have developed more 
specific policies for using the service before it was obtained. For 
example, we have not seen evidence that SBA has developed policies 
addressing the level of risk it will tolerate within the context of its 
mission and its programs' structures.

In response to our recommendation on considering the applicability of 
best practices for risk management as it develops policies for using 
the Dun & Bradstreet service, SBA's Associate Deputy Administrator 
stated that it is committed to fully implementing the service based on 
best practices consistent with those that were identified in the 
report.

In comments regarding our recommendation to expedite the development of 
policies, especially as they relate to enforcement, SBA's Associate 
Deputy Administrator stated that the agency has made progress in 
developing its enforcement-related policies. SBA submitted legislative 
proposals for specific enforcement authorities, but in the absence of 
specific legislation, SBA intends to go forward with proposed 
enforcement regulations under its general oversight authority. However, 
the final rule for enforcement actions will not be completed until 
April 2005. We support SBA's intent to go forward with proposed 
enforcement regulations under SBA's general oversight authority, 
consistent with our earlier recommendations.

Concerning our recommendation that SBA should ensure that resources 
already within the agency are devoted to developing policies for the 
use of the Dun & Bradstreet service, SBA's Associate Deputy 
Administrator stated that the agency is committed to fully implementing 
the service, including the associated policies and procedures, and will 
make every effort to meet the established time line of April 2005 for 
the policies' completion. However, the Associate Deputy Administrator 
did not specifically detail what resources would be devoted to the 
development of the policies.

The Associate Deputy Administrator agreed with our recommendation that 
SBA establish an agencywide task force to explore the potential for 
applying capabilities of the Dun & Bradstreet service to various 
offices within SBA and stated that the agency should leverage this 
resource to the maximum extent possible. He acknowledged that while 
some information provided by the Dun & Bradstreet service has far-
ranging uses that could benefit other program areas within SBA, the 
agency must recognize that the service provides confidential business 
information. Therefore, uses of the service by other offices remain 
unresolved.

In response to our recommendation that SBA develop contingency plans 
that would enable SBA's continued risk management of the 7(a) and 504 
portfolio overall, individual lenders, and their portfolios in the 
event that the Dun & Bradstreet contract is discontinued, SBA's 
Associate Deputy Administrator noted that the agency has begun to 
consider various options to continue its approach to loan and lender 
monitoring, should the contract be discontinued. SBA has identified 
several nationally recognized vendors that offer possible replacement 
services, but the Associate Deputy Administrator stated, and we agree, 
that it is impractical to run concurrent contracts as a contingency 
plan. However, SBA does not have a formal contingency plan in place.

The Associate Deputy Administrator stated in his comment letter that he 
identified a number of inaccuracies in our draft report. However, these 
were mostly technical corrections, which we incorporated, as 
appropriate, in this report. SBA's letter is reprinted in appendix III.

Unless you publicly announce its contents earlier, we plan no further 
distribution until 30 days after the date of this report. At that time, 
we will send copies of this report to the Ranking Minority Member of 
the Senate Committee on Small Business and Entrepreneurship, the 
Chairman and Ranking Minority Member of the House Committee on Small 
Business, other appropriate congressional committees, and the 
Administrator of the Small Business Administration. We also will make 
copies available to others upon request. In addition, the report will 
be available at no charge on the GAO Web site at [Hyperlink, 
http://www.gao.gov].

If you have any questions about this report, please contact me at (202) 
512-8678 or [Hyperlink, shearw@gao.gov]; or Katie Harris, Assistant 
Director, at (202) 512-8415 or [Hyperlink, harrism@gao.gov]. Key 
contributors to this report are listed in appendix IV.

Sincerely yours,

Signed by: 

William B. Shear, 
Director, Financial Markets and Community Investment: 

[End of section]

Appendixes: 

Appendix I: Objectives, Scope, and Methodology: 

To evaluate the Small Business Administration's (SBA) loan portfolio 
monitoring needs, we first identified SBA's loan portfolio monitoring 
strategy and the intended purpose of the Dun & Bradstreet service. 
Then, we identified best practices from federal guidance to banks and 
generally accepted industry practices and explored how these practices 
might apply to SBA. To identify SBA's loan portfolio monitoring 
strategy, we analyzed agency and contractor files. In addition, we 
interviewed SBA Office of Lender Oversight (OLO) officials and Dun & 
Bradstreet contractors who were providing the loan monitoring service 
during our review. We also interviewed Farm Credit Administration (FCA) 
officials responsible for conducting the Small Business Lending 
Corporation (SBLC) reviews during the last few years and reviewed their 
summary report for fiscal year 2002. To identify industry best 
practices for loan portfolio monitoring, we analyzed guidance published 
by the Office of the Comptroller of the Currency, the Basel Committee, 
the Federal Deposit Insurance Corporation, and the Federal Reserve and 
consolidated all like practices. We also consulted relevant literature 
related to financial markets and risk management. Lastly, we 
interviewed officials at several large private banks that make 7(a) and 
504 loans as well as other loans to small businesses and selected 
SBLCs.

To determine how well the new Dun & Bradstreet service and associated 
tools meet SBA's needs, we reviewed and analyzed agency and contractor 
documents and conducted interviews. We analyzed the Dun & Bradstreet 
contract files to identify the contract deliverables and the service's 
capabilities. We also verified the contractor's implemented and planned 
actions and interviewed relevant contractor staff. In addition, we 
obtained and analyzed SBA planning documents, including its 2003-2008 
Strategic Plan, and its 2004 and 2005 Annual Performance Plans, and we 
interviewed agency officials to determine SBA's use and planned use of 
the loan monitoring service. Moreover, we compared SBA's current and 
planned use of the service to industry best practices we identified in 
analyzing SBA's loan portfolio monitoring needs.

To determine the major differences and similarities for the purposes of 
credit risk management between SBA and private sector best practices, 
we analyzed industry documents and interviewed risk management 
professionals employed at several of SBA's largest and most active 
small business lending partners. We analyzed banking regulator 
publications related to risk management, primarily credit risk, as well 
as position papers from the Basel Committee, and considered various 
academic studies, and selected books and papers recommended by the 
Global Association of Risk Management Professionals. Furthermore, we 
interviewed bank examiners and relevant employees of the Office of the 
Comptroller of the Currency and the Federal Deposit Insurance 
Corporation.

To determine what steps SBA took to ensure the integrity of the data 
used in the Dun & Bradstreet RAM (Risk Assessment Manager) data mart, 
we analyzed agency and contractor documents and interviewed SBA and 
contractor officials. To document SBA controls over its 7(a) program 
data, we relied on the findings of our recent audit of SBA's 7(a) 
program subsidy model, in which we assessed the integrity of the data 
in SBA's database. To determine the data integrity processes for the 
504 program, we analyzed agency documents and 504 LAMP (the SBA-
developed customized Access database tool) data samples, and 
interviewed SBA officials. However, we did not conduct independent 
tests of the 504 program data integrity process. To determine the data 
integrity processes of the Dun & Bradstreet and Fair Isaac data, we 
interviewed company officials. Although we did not test the Dun & 
Bradstreet and Fair Isaac processes for ensuring data quality, we 
reviewed their established procedures for quality and found them 
generally reasonable. A summary of our related findings is contained in 
appendix II.

We conducted our work in Washington, D.C., between August 2003 and May 
2004 in accordance with generally accepted government auditing 
standards.

[End of section]

Appendix II: SBA Data Integrity Processes for the Dun & Bradstreet RAM 
Data Mart: 

Controls to help ensure the integrity of the data entered in the Dun & 
Bradstreet RAM data mart appear reasonable, as a whole, to ensure that 
misstatements or inaccuracies are detected and corrected on a timely 
basis, and the level of data errors in the system would not 
significantly affect the loan monitoring service's risk profiling 
capabilities. The RAM database includes information related to SBA's 
entire loan portfolio, roughly 5,000-plus lenders and 230,000 
outstanding loans,[Footnote 29] combining SBA data with commercial 
data, consumer data, and credit scores to produce risk metrics to 
facilitate lender oversight. The RAM receives data from four different 
sources--SBA's 7(a) and 504 databases, and Dun & Bradstreet and Fair 
Isaac. We found that SBA's controls over its 7(a) program data, which 
represent approximately 70 percent of the data entered into the RAM, 
were adequate to help ensure the quality of the underlying data. Our 
review of 504 program database data integrity procedures showed 
generally adequate controls, as well. Although we did not test the Dun 
& Bradstreet and Fair Isaac's processes for data quality, we reviewed 
their established procedures for data integrity and found them 
generally reasonable.

SBA Has Adequate Controls over 7(a) Program Data Integrity: 

In our report on SBA's 7(a) program subsidy model,[Footnote 30] we 
found that SBA's monthly 7(a) reconciliation process, combined with 
lender incentives and loan sales, helped ensure the quality of the 
underlying data. Although some errors existed in SBA's database at the 
time of the review, the nature and magnitude of these errors were 
unlikely to significantly affect the usefulness of the database. The 
7(a) program data represent 70 percent of the data entered into the 
RAM. Therefore, reasonableness of data integrity over the 7(a) program 
data helps to provide assurance that the quality of the data used is 
sufficiently reliable to monitor the performance of SBA's lenders and 
the risk exposure of SBA.

The primary method SBA used to identify and correct data errors in its 
7(a) program is its Form 1502 reconciliation process.[Footnote 31] 
Reconciliations are an important internal control established to ensure 
that all data inputs are received and are valid and that all outputs 
from a particular system are correct. This process, in which an SBA 
contractor every month matches borrower data submitted by 7(a) program 
lenders on SBA's Form 1502 to information in the agency's portfolio 
management system, helps ensure the completeness and accuracy of the 
agency's data. SBA district office staff work with lenders to correct 
errors identified by this match process. We did not independently test 
the data match conducted by SBA's contractors or the field office 
staff. However, we reviewed summary reports of the errors for each 
district office over a 4-month period during fiscal year 2003 and found 
that most of the errors reported were resolved during the month the 
errors were identified.

In addition to the monthly loan data reconciliation process, lender 
incentives also helped ensure the integrity of the underlying data. In 
accordance with current SBA policy, the agency can reduce or completely 
deny a lender's claim for payment of the SBA guarantee if the defaulted 
loan data are not correct. According to SBA officials, this policy 
gives the 7(a) program lenders an incentive to correct data errors 
because it helps ensure they will be paid the full guarantee amount if 
the borrower subsequently defaults on the loan. Further, an ancillary 
benefit of SBA's loan sales program was to help ensure data integrity. 
Prior to a sale, SBA district office staff, as well as contractors, 
reviewed loan files as part of the "due diligence" reviews to provide 
accurate information about the loans available for sale, so that 
potential investors could make informed bids. According to SBA 
officials, discrepancies between the lender's data and SBA data had to 
be resolved prior to selling a loan.

Processes for SBA 504 Data Integrity Appear Adequate: 

Unlike the 7(a) loan program, SBA does not currently have a formal 
reconciliation process in place for 504 program data, but testing we 
conducted found no major errors in the data. The informal process that 
SBA uses to ensure the integrity of its 504 data is based on a series 
of checks and balances, notably: (1) processing all payments through 
the federal government's automated clearinghouse (ACH); (2) 
electronically uploading data; and (3) evaluating and certifying 
approved 504 lenders based on accounting reports by a third party--
Colson Services Corporation, a unit of JP Morgan Chase. In addition, 
Certified Development Companies (CDC) have an incentive to review the 
monthly reports and notify SBA of any discrepancies.

The aggregated 504 data come from three sources, but only one source's 
data are inputted into the RAM database. The three sources for 
aggregated data are current loan status and payment history, which is 
provided by Colson--the same contractor that performs similar loan 
payment and accounting for SBA's 7(a) program; semiannual dividend 
disbursements to investors, which is provided by the Bank of New York; 
and loan approval and default loan information that resides in SBA's 
mainframe. Colson and the Bank of New York transmit data monthly to 
SBA. SBA developed a customized Access database tool, referred to as 
the 504 LAMP, which aggregates the data following a set of procedures. 
Dun & Bradstreet's RAM database will input only the Colson data for 
lender oversight purposes since it is concerned only with the current 
loan data.

The processes used to collect and input the Colson data into the 504 
LAMP appear to minimize errors. Initially, Colson collects the majority 
of loan payments electronically via ACH and credits the payments within 
one business day of receipt. For payments not made, Colson is 
immediately notified by ACH and contacts the CDCs to collect the 
payments. For those late payments, checks or money orders are sent to 
Colson, and it enters the payments into its database. Colson 
electronically sends the payment information each month to SBA. 
Finally, SBA electronically inputs the Colson data into the 504 LAMP 
database.

Another informal check on the integrity of the 504 LAMP data is the 
CDCs' incentives to ensure that the current status of loans is 
accurate. CDCs' continued participation in making 504 loans is 
contingent upon adequate financial performance and accountability. 
Therefore, CDCs have strong incentives to contact SBA to have any data 
errors corrected, or risk losing further participation in the program. 
Selected CDC performance data are uploaded monthly onto SBA's password 
protected Web site. CDC directors in the field can log in and receive a 
monthly report on their loan performance. SBA officials stated that CDC 
staff are diligent about finding errors and contacting SBA to remedy 
them.

Dun & Bradstreet and Fair Isaac Data Integrity Processes Appear 
Adequate: 

The quality control processes of Dun & Bradstreet and Fair Isaac appear 
to be reasonable to help ensure the validity of the data used to 
produce risk management information for SBA, based on our review of 
their documentation and interviews with company officials. Due to the 
proprietary nature of the processes, we were unable to independently 
test the Dun & Bradstreet and Fair Isaac processes. However, Dun & 
Bradstreet officials explained their proprietary quality control 
process, referred to as DUNSRight, to validate the commercial data they 
provide to SBA. Additionally, Fair Isaac officials discussed the 
sources of their consumer data and how they ensure data quality.

The commercial and consumer data that Dun & Bradstreet staff input into 
the RAM are used to analyze SBA loan data. More specifically, Dun & 
Bradstreet staff use the data to create predictive models and decision 
tree methodologies, and to group accounts with specific behaviors and 
risk profiles. The predictive models include a suite of five different 
models using Dun & Bradstreet and principal owner data, built using 
Fair Isaac proven analytic methodologies. According to Dun & Bradstreet 
officials, the models and decision trees are reviewed periodically to 
test and fine-tune strategies, based on changing market conditions. Dun 
& Bradstreet officials also stated they have a continual improvement 
process whereby the models used to analyze SBA loan and lender data are 
validated.

The commercial data that Dun & Bradstreet collects go through a five-
step quality assurance process. First, Dun & Bradstreet collects data 
from more than 80 million businesses and continuously updates its 
databases more than 1 million times daily based on real-time business 
transactions. Second, it matches SBA records with its records and 
achieves at least a 95 percent match of the data on seven critical pieces 
of information used to identify the borrower. Third, Dun & Bradstreet 
assigns a unique identifier to each company. Fourth, Dun & Bradstreet 
identifies the corporate linkage of a business's branches/subsidiaries 
with their parent entity to help the SBA understand their complete 
corporate exposure between borrowers and their parent entities. 
Finally, Dun & Bradstreet generates predictive indicators of a 
business's potential inability to repay a loan. Dun & Bradstreet 
officials refer to this process as the DUNSRight process.

Fair Isaac uses the commercial data from Dun & Bradstreet and consumer 
data from a credit bureau to develop its credit scores. The consumer 
data that Fair Isaac gathers from Trans Union Credit Bureau go through 
a less detailed cleansing process, but the process still appears to be 
reasonable. Initially, Fair Isaac provides the credit bureau with 
identifier information (i.e., name and address) from SBA, so it can 
match the entity with its associated credit report. Credit bureaus then 
send a report to Fair Isaac if there is a match (or a "hit"). Fair 
Isaac officials told us that the match rate is 95 percent. After Fair 
Isaac receives the credit reports, it electronically files the multiple 
credit reports for each business and transforms them into predictable 
variables. Finally, Fair Isaac creates predictive characteristics from 
the blended Trans Union consumer and Dun & Bradstreet commercial data, 
resulting in a Small Business Predictive Score (SBPS) intended to 
predict the likelihood of severe loan delinquency. Fair Isaac sends the 
SBPS score to Dun & Bradstreet, so it can load it into the RAM. Dun & 
Bradstreet officials stated that controls are in place to verify that 
all data merges in the RAM are successful.

According to Fair Isaac officials, its SBPS model will likely remain 
the same because it is stable. The process Fair Isaac staff use to 
determine the stability of its model starts with the development of a 
population stability report. If the report states that the models are 
unstable, Fair Isaac then creates a characteristics analysis report. 
This report determines if the characteristics (or variables) have 
changed and by how much over time. In addition, each year the models 
are revalidated. Third parties do not routinely ensure the reliability 
or integrity of the models, but Fair Isaac's clients, such as SBA, 
inform the company if the models are not reasonably predicting borrower 
behavior.

[End of section]

Appendix III: Comments from the Small Business Administration: 

U.S. SMALL BUSINESS ADMINISTRATION: 
WASHINGTON, D.C. 20416:

William B. Shear:
Director, Financial Markets and Community Investment:
General Accounting Office: 
Washington D.C. 20548:

Dear Mr. Shear:

This letter provides the U.S. Small Business Administration's response 
to the draft report prepared by the General Accounting Office (GAO) 
titled "New Service for Lender Oversight Reflects Some Best Practices 
but Strategy for Use Lags Behind," GAO-04-610. We appreciate the 
opportunity to comment on this report.

As GAO acknowledges in its report, the U.S. Small Business 
Administration (SBA) has obtained loan and lender monitoring services 
that provide a best practices system comparable to systems utilized by 
major commercial banks in managing their small business loan 
portfolios.

We believe this innovative approach is the first such system 
implemented within the Federal government for credit management 
purposes. After many years and millions of dollars spent unsuccessfully 
attempting to develop a system internally, this Administration 
reoriented, refocused and reprioritized the loan monitoring effort to 
ensure that the Agency has the necessary tools to conduct effective 
lender oversight. This work was achieved much faster, at a lower cost 
and with significantly fewer staff resources than had been involved in 
the prior effort. In the past year, SBA has acquired and put in place 
an impressive loan monitoring system (LMS). To accomplish this goal, 
the effort required the devotion of significant resources along with 
direct SBA staff and management attention to ensure its success. We are 
very proud of the work done in implementing the LMS. In fact, we 
believe a more appropriate title for the report would be "New Service 
for Lender Oversight Reflects Best Practices and Strategy for Use Is 
Underway."

The work of the past year has been devoted largely to the acquisition 
of the services, the intense, detailed work of mapping SBA data to the 
Dun and Bradstreet (D&B) data mart, the design and development of 
analytics and reports and the related work associated with the data 
base enhancements recently implemented by D&B. A tremendous amount has 
been achieved in 12 short months.

We are well aware of the need for policies to implement the loan 
monitoring system. Policy development could not proceed meaningfully 
until the system was in place and SBA was able to ascertain how the 
various components would be utilized in its oversight efforts. This 
system is a major strategic initiative for SBA. The development of 
policies is progressing logically following the acquisition of the loan 
and lender monitoring services. The loan monitoring system is part of 
the President's Management Agenda and the SBA's own performance 
scorecard, and the development of policies and procedures to fully 
implement LMS is one of the Office of Lender Oversight's strategic 
goals this year. We are committed to this effort and expect to meet 
our established timelines which we believe are aggressive.

SBA is providing the following response to the five recommendations 
contained in GAO's draft report. Attached to this letter are a number 
of factual and/or technical corrections SBA believes are appropriate.

1. Recommendation One: SBA should consider the applicability of 
industry best practices in implementing LMS, including specific policy 
elements identified in this report. These practices include continuous 
improvement in the service and its tools, frequent and routine 
portfolio reviews, and active involvement of senior SBA managers in 
reviewing the use of output.

SBA is committed to fully implementing a loan monitoring system that 
includes best practices consistent with GAO's recommendations. As GAO 
noted in its report, the application of private sector best practices 
to a Federal agency with public policy and mission priorities may not 
be directly correlated. SBA is making that assessment as it develops 
policy options. Nevertheless, many of GAO's recommendations are already 
being used by SBA in its oversight efforts. These activities will be 
formally incorporated into the Agency's policies for lender oversight. 
Final policies are scheduled to be developed and in place by September 
30, 2004. The only exception is the publication of a final rule for 
enforcement actions, which is planned for April 2005 due to the 
timeline involved in the regulatory process.

2. Recommendation Two: The administrator should expedite the 
development of policies for taking enforcement actions. We have made 
recommendations calling on SBA to clarify its supervisory and 
enforcement powers since November 2000.

The Small Business Act gives SBA general authority for oversight of its 
lenders. In connection with both the Fiscal Year 2004 and Fiscal Year 
2005 budgets, the Administration has submitted legislative proposals 
that give SBA specific enforcement authorities for its lenders, 
including Small Business Lending Companies (SBLCs). SBA had expected 
that some action would be taken on the legislative proposals and that 
the Agency would subsequently develop regulations. There may still be 
Congressional action on this issue; however, in the absence of specific 
legislation, SBA intends to go forward with proposed enforcement 
regulations under SBA's general oversight authority. The timeline for 
developing any proposed and final regulation simply does not allow for 
shortening the timing for regulations beyond the current timeline. 
Agency Standard Operating Procedures (SOPS) governing supervision and 
enforcement of SBA's lenders under current authorities are scheduled to 
be in place by September 30, 2004.

However, the lack of supervisory and enforcement regulations does not 
prevent SBA from taking action against SBA lenders when the 
circumstances warrant. SBA has specific regulatory and procedural 
requirements for its lenders, including SBLCs. When these requirements 
are not met, SBA can, and has, taken appropriate action.

The LMS delivers information tools which will allow SBA to become aware 
of and respond to potential problems more quickly. It also allows SBA's 
Office of Lender Oversight to plan and adjust its review schedule to 
respond to problems identified.

3. Recommendation Three: The administrator should ensure that resources 
already within SBA are devoted to developing the policies for the use 
of the loan monitoring service so that the overall timeline for 
completion--April 2005--is met.

As noted above, SBA is committed to fully implementing a loan 
monitoring system. Critical to that effort is the development, 
implementation and communication of lender oversight policies and 
procedures. The majority of these policies are scheduled to be in place 
by September 30, 2004. The exception is the publication of a final rule 
for enforcement actions which is planned for April 2005 due to the 
timeline involved in the regulatory process. We will make every effort 
to meet the timeline established by SBA for completion (April 2005).

4. Recommendation Four: Establish an agency wide task force to explore 
the potential for applying the capabilities of the D&B service to SBA 
business processes and responsibilities other than lender oversight, 
such as overall portfolio risk management or budget projections. 
Programmatic offices and the Office of the Chief Financial Officer 
should be included.

SBA has made a major investment in the loan and lender monitoring 
services provided by D&B and agrees with GAO's recommendation that SBA 
leverage this resource to the maximum extent possible. Over the past 
year, while our Office of Lender Oversight has appropriately been the 
lead office in acquiring and implementing the system, other offices 
have been involved in the process from the beginning. These offices 
include, but are not limited to, the Office of the Chief Financial 
Officer, the Office of Financial Assistance and the Office of the Chief 
Information Officer. One of the main reasons for including 
representatives from these other offices on the LMS team was to ensure 
that they were aware of the features of the system in order to 
ascertain how they might best utilize its features for their program 
activities. SBA will continue the involvement of these offices in LMS 
activities.

While some information provided to SBA by D&B has far-ranging uses that 
could benefit other program areas of SBA, the Agency must be cognizant 
of the fact that the system contains confidential business information 
regarding small businesses and credit information on the principals in 
the businesses. As the D&B system is a commercial-off-the-shelf (COTS) 
package, it does not contain features that allow SBA to limit views of 
information to particular audiences. SBA has to identify the data that 
would be of use to other offices and ascertain the best vehicle for its 
dissemination.

5. Recommendation Five: Develop contingency plans that would enable 
SBA's continued risk management of the 7(a) and 504 portfolio overall, 
individual lenders, and their portfolios in the event that the D&B 
contract is discontinued.

SBA has been considering various options to continue its approach to 
loan and lender monitoring should the D&B contract be discontinued. It 
is impractical to run concurrent contracts as a contingency plan. 
However, while SBA could not replicate the credit scoring components, 
SBA could acquire small business scores from Fair Isaac directly. With 
that information, combined with the analytical framework created by 
D&B, SBA would be able to continue its loan and lender monitoring 
activities until another vendor with an acceptable solution was 
engaged. SBA has identified several nationally recognized vendors that 
offer possible replacement systems. SBA receives monthly downloads of 
the data mart from D&B which are used for portfolio analysis and can be 
utilized to support an interim solution until a subsequent vendor is 
obtained.

Again, SBA appreciates the opportunity to review GAO's draft report. 
Please contact Anthony Bedell, Assistant Administrator for 
Congressional and Legislative Affairs, at (202) 205-6700 should you 
wish to discuss this response in more detail.

Sincerely,

Signed by: 

Ronald E. Bew:

Associate Deputy Administrator for Capital Access: 

[End of section]

Appendix IV: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

William B. Shear, (202) 512-8678
M. Katie Harris, (202) 512-8415

Staff Acknowledgments: 

In addition to the individuals above, Triana Bash, Dan Blair, Jamey 
Collins, Jordan Corey, Dave Gill, Fred Jimenez, Mitch Rachlis, Carl 
Ramirez, and Rhonda Rose made key contributions to this report.

(250158): 

FOOTNOTES

[1] Credit risk is the risk of financial loss due to borrower default.

[2] Section 7(a) of the Small Business Act is codified at 15 U.S.C. 
Section 636, as amended. Authority for section 504 loans is codified at 
15 U.S.C. Section 696, as amended.

[3] Under one of SBA's 7(a) programs, the Export Working Capital 
Program, which provides short-term working capital to exporters, the 
agency can guarantee up to 90 percent of the loan.

[4] Certified and preferred lenders consist of private banks, 
credit unions, and Small Business Lending Companies (SBLCs). SBLCs are 
nonbank lenders licensed and regulated--both for program compliance and 
for safety and soundness--by SBA. Unlike private banks, which have 
federal banking regulators, only SBA regulates SBLCs. 

[5] SBA can guarantee up to 85 percent of loans of $150,000 or less and 
up to 75 percent of loans above $150,000. 15 U.S.C. Section 636 (a) (2) 
(A) (2002).

[6] Under standard operating procedures, SBA evaluates CDCs every three 
years. SOP 5010 Subpart H Chapter 24 Paragraph 26. Regulations require 
CDCs to submit annual reports to SBA district offices, and SBA uses 
these reports for evaluation and monitoring performance. 13 C.F.R. 
Section 120.830 (2004).

[7] A debenture is an unsecured debt backed only by the credit 
worthiness of the borrower. Debentures have no collateral, and the 
agreement is documented by an indenture. The yields may vary from high 
to low, depending on who backs the debenture.

[8] Loan portfolio management is an important element of an internal 
control framework.

[9] Public Law No. 104-208, Div. D, 110 Stat. 3009-724, 15 U.S.C. 
Section 633, as amended.

[10] U.S. General Accounting Office, Small Business Administration: 
Better Planning and Controls Needed for Information Systems, 
GAO/AIMD-97-94 (Washington, D.C.: June 27, 1997).

[11] Public Law No. 105-135 Section 233, 15 U.S.C. Section 633 note.

[12] U.S. General Accounting Office, Small Business Administration: 
Mandated Planning for Loan Monitoring System Is Not Complete, 
GAO/AIMD-98-214R (Washington, D.C.: June 30, 1998); Small Business 
Administration: Planning for Loan Monitoring System Has Many Positive 
Features but Still Carries Implementation Challenges, 
GAO/T-AIMD-98-233 (Washington, D.C.: July 16, 1998); SBA Loan 
Monitoring System: Substantial Progress Yet Key Risks and Challenges 
Remain, GAO/AIMD-00-124 (Washington, D.C.: Apr. 25, 2000); Loan 
Monitoring System: SBA Needs to Evaluate the Use of Software, 
GAO-02-188 (Washington, D.C.: Nov. 30, 2001).

[13] See Public Law No. 107-77, v. 115 Stat. 796 (2001); H.R. Conf. 
Rep. No. 107-278 at 164 (2001).

[14] For the $17.3 million that had been used, $9.6 million was used 
for system-related activities and about $7.7 million had been spent for 
nonsystem activities related to SBA's modernization effort.

[15] FEDSIM is part of the GSA's Office of Information Technology 
Integration and provides client services on a fee-for-service basis. It 
is a federal government source for technical expertise to manage 
information technology needs. 

[16] The value of the contract is $1.8 million for the first year, and 
$1.8 million, $1.9 million, $2.1 million, and $2.2 million for the four 
subsequent optional years. Annual renewal is the option of SBA.

[17] U.S. General Accounting Office, Small Business Administration: 
Progress Made but Improvements Needed in Lender Oversight, GAO-03-90 
(Washington, D.C.: Dec. 9, 2002).

[18] U.S. General Accounting Office, Small Business Administration: 
Actions Needed to Strengthen Small Business Lending Company Oversight, 
GAO-01-192 (Washington, D.C.: Nov. 17, 2000).

[19] SBA Office of Inspector General, Audit of 504 Loan Program 
Oversight, Audit Report No. 3-10 (Washington, D.C.: Feb. 6, 2003).

[20] SBA's Office of Inspector General Fiscal Year 2003 Performance 
Accountability Report does not report any updated information on this 
recommendation. 

[21] Financial regulators include the Office of the Comptroller of the 
Currency, the Federal Reserve, and the Federal Deposit Insurance 
Corporation (FDIC). In addition, the Basel Committee of the Bank for 
International Settlements, which was established by the central-bank 
Governors of the Group of Ten countries in 1974 to provide a forum for 
regular cooperation on banking supervisory matters, comprises members 
from these agencies and is responsible for formulating broad 
supervisory standards and guidelines and recommending statements of 
best practice for risk management. We will use "financial regulators" 
throughout this report to refer to the above-mentioned financial 
regulators. 

[22] This information was derived from the Office of the Comptroller of 
the Currency's Comptroller's Handbook on Loan Portfolio Management 
(April 1998) and Rating Credit Risk (April 2001); OCC Director's 
Handbook; and Michel Crouhy, Dan Galai, and Robert Mark, Risk 
Management: Comprehensive Chapters on Market, Credit, and Operational 
Risk, 1st ed. (New York, New York: McGraw Hill, 2001), 106.

[23] William F. Treacy and Mark S. Carey, "Credit Risk Rating at Large 
U.S. Banks," Federal Reserve Bulletin (November 1998).

[24] A data mart is a subset of a larger database that is focused on a 
specific business process. For example, according to SBA officials, 
there are six databases: "7(a) lender," with 5,300 lenders; "7(a) 
loan," with over 600,000 loans; "7(a) trend," with 300,000 loans; "504 
lender," with 270 lenders; "504 loan," with 70,000 loans; and "504 
trend," with 40,000 loans. The data mart includes only the current 
quarter 7(a) and 504 data. A separate database houses the previous 
quarters' data for historical analysis and other purposes.

[25] SBA will use the SBPS to predict the likelihood of severe 
delinquency and the FSS to predict the likelihood of a business ceasing 
operations. 

[26] The projected purchase rate is based on a calculation. This 
calculation includes determining the probability of purchase for the 
SBA portfolio by statistically mapping the SBPS score through a 
retroscore analysis. The retroscore analysis validates that the SBPS 
score effectively rank-orders purchase risk within the SBA portfolio 
and determines the precise probability of SBA purchase associated with 
each score. Once the probability of purchase is determined, it is 
multiplied by each loan's SBA dollars to determine the projected 
purchase dollars for each loan. The next step in the calculation is to 
aggregate the projected purchase dollars for all loans within a 
lender's portfolio. The last step in determining the projected purchase 
rate is to divide the total projected purchase dollars by the total SBA 
dollars within each lender's portfolio. 

[27] Demographic profiling includes analysis of the portfolio data 
based on certain variables, including geography and industry code. 
Segmentation profiling and analysis involves segmenting each loan or 
lender into a group with specific profiles. Potential segmentation 
variables include SBPS score, loan type, loan status, and gross amount 
approved.

[28] Statement of Hector V. Barreto, Administrator of the SBA, to the 
Senate Committee on Small Business and Entrepreneurship (Feb. 12, 
2004).

[29] The portfolio includes a broad national sample of loan sizes, loan 
types, geographic locations, and legal structures.

[30] U.S. General Accounting Office, Small Business Administration: 
Model for 7(a) Program Subsidy Had Reasonable Equations, but Inadequate 
Documentation Hampered External Reviews, GAO-04-09 (Washington, D.C.: 
Mar. 31, 2004).

[31] The information on Form 1502 includes a wide variety of data for 
individual loans, such as loan identification number, loan status 
(e.g., current, past due, or in liquidation), loan interest rate, 
portion of the loan guaranteed by SBA, and ending balance of the loan's 
guaranteed portion.

GAO's Mission: 

The General Accounting Office, the investigative arm of Congress, 
exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. General Accounting Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, NelliganJ@gao.gov, (202) 512-4800
U.S. General Accounting Office, 441 G Street NW, Room 7149
Washington, D.C. 20548