I was a victim of identity takeover a few years ago. In a big way. Professional fraudsters had hacked my personal email account, somehow figured out one of my recipients was my financial advisor, and researched my past communications to get a feel for how my financial advisor and I communicated. They managed to re-direct any correspondence from him to them while not disrupting my day-to-day use of that email account. My security was fully compromised. I had no idea it was happening.
“Did you get the money I wired?” my advisor asked during a regularly scheduled check-in.
“What money?” I asked, without a clue.
I’m not kidding when I tell you time seemed to stop over the next 30 seconds as it dawned on both of us that something horrible might have just gone down. And it had.
I’d like to tell you it was a false alarm and the bad guys got nothing. I’d like to tell you that I had been sloppy in protecting my passwords or had opened phishing emails or accessed my email using unsecured Wi-Fi. But, the truth is that this episode cost my financial advisor financial and professional pain—he made me whole on what was lost and suffered sanction for a mishandled verification process—and I lost the blissful consciousness of thinking these things happened to other people, not me. I actually would have considered myself well protected before this episode revealed that to be an absurdity.
There is an analogous though less obvious situation happening in how companies manage the credit risk of their commercial, or business, customers. Many are challenged in the areas of expertise, risk infrastructure, and control processes to properly assess and insulate their companies from the true credit risks they face. For starters, the base loss rate of commercial customers is low, but when these losses occur, they tend to be large and painful. The episodic nature of losses creates a tendency to excuse the losses as anomalies. Add to this the fact that nearly a decade has passed since the last recession – creating a string of years without significant delinquencies or bad debt – and it’s not hard to see that sensitivities to credit risk have become dulled. But the benefit of a good economy and good fortune does not equal good credit risk management.
One of my early credit mentors would always invoke the phrase “even turkeys fly in hurricanes” as a reminder that the real measure of credit risk protection is taken under economic duress, not in good times. Any company looking for assurances they are properly insulated needs to assess the quality of their expertise, the sophistication of their risk management infrastructure, and the rigor of their risk management processes.
Compare your company’s credit risk protections with these items. If you lack some or many of these, resist the urge to assume they are unimportant.
Credit risk screens are grounded in the credit risk performance of the population you serve
Many businesses pull an Experian or D&B commercial credit file and pair it with a judgmental evaluation of whether to accept or deny the account. If pre-established, clear score cutoffs exist and are followed, and if there is backward-looking review of how those credit criteria relate to the performance that comes later, this could be fine.
More common, however, is a situation-by-situation assessment where general rules of thumb prevail. Each credit analyst has their own bias on what they like and don’t like. Sales pressure, especially on big accounts, is known to play a role.
The gold standard is to have credit risk models that successfully score an applicant based upon variables that are statistically significant predictors of severe delinquency or charge-offs. These models are re-validated regularly to ensure they properly slope credit risk. It’s also smart to continually validate your credit policy cut lines by looking closely at those that are declined. Rigorous, model-based shops have added bonuses too: they enable instant decisions for the vast majority of applicants (good customer experience) and significantly reduce the cost of judgmental credit review, since only exceptions or marginal applicants get flagged for manual review.
Credit monitoring is frequent and tuned to changes in behavior
It is surprising how few companies monitor the credit health of their commercial customers after an initial credit pull. Credit health is not a constant, so don’t assume accounts will remain in good standing in perpetuity. Just because your child didn’t have a fever last winter doesn’t mean they don’t have one today, especially if they are displaying symptoms. Same concept.
Your company needs to re-screen every commercial customer at a regular frequency. Changes in credit health are as important to observe as the absolute level. Best practice is to have a behavioral scoring model that incorporates both credit bureau data and the customer’s payment patterns with you. An effective model will help quickly and accurately alert you to changes that are predictive of higher probability of severe delinquency, giving you the advance warning to reduce credit lines, collect more aggressively, or monitor more closely. A credit manager might discount a recent delayed payment of a formerly pristine customer, but the behavioral model won’t.
You have preventive and detective controls for fraud
If you transact online, you need fraud defenses. If you don’t know all of your customers intimately or much beyond an account number, you need fraud defenses. If you are a business of any scale (especially >$50M in revenue), you need fraud defenses. Nearly every business goes through the same a-ha experience I had personally: they consider fraud to be irrelevant to them until they are hit with a doozy.
The fraud use cases that your particular business needs to defend against may be idiosyncratic to what you do and who you serve. At a minimum, consult a third-party fraud defense expert to help diagnose vulnerabilities and identify ways to insulate. More than likely, all transactions and credit screens warrant a screening for fraud flags via homegrown algorithms or external software. This screening is seamless to your day-to-day operation and flags for additional scrutiny those items that fail pre-set business rules.
No matter how strong the upfront defenses, you can’t assume 100% of fraud is prevented. You should have robust detective controls to monitor spending patterns, particularly among new customer accounts. You need to know whether the brand new customer blowing through their initial credit limit is a sales success to celebrate or a fraudster that needs to get shut down.
You’ve taken the worst case off the table
All bad debt accounts are not equal. You may only have 1 account that goes bad out of 300, but if that account is a large one and a disproportionate share of your sales, that is going to be very painful. ALL businesses have a limit where a credit loss is unduly painful and must be avoided. This may be where a loss would trip a bank covenant and jeopardize a credit line. This may simply be a judgment on what’s unacceptable.
What’s most important is that credit limits have some ceiling irrespective of perceived credit worthiness and that these are lines that don’t get crossed. Every business should have a max credit line they are willing to extend, though that max credit line can change over time. If needed or valued, pursue credit insurance to help insulate the pain of a very large loss. You may not ever expect Large Public Customer X to be a bad debt risk, but if they are, make sure they don’t take your company down with them if they go.
If you lack one or more of these, do not fret. They can be easily tackled with the right focus and prioritization. There are also many external providers who can help you get there for a fraction of the time and cost it would take you to do it yourself. BlueTarp, for example, creates customized B2B credit programs tailored to the needs of your business without changing how you do business. Whether you tap BlueTarp, another provider, or do it yourself, don’t delay. It’s too late to defend your business from credit risk in a recession.