How do banks manage risks in their credit card portfolios? How do banks manage risks in their credit card portfolios?

New Boston Fed working paper analyzes how firms track risks and respond to ‘breaches’ New Boston Fed working paper analyzes how firms track risks and respond to ‘breaches’

May 21, 2024

How do financial institutions track potential risks in their credit card portfolios? And what do they do when the risks become too big?

Federal Reserve researchers investigated these questions in a new Supervisory Research and Analysis working paper called “Managing Risk in Cards Portfolios: Risk Appetite and Limits.”

The authors find that firms tend to take a steady approach to risk assessment, continuously monitoring potential risks against pre-defined limits, or thresholds, to their risk appetite. Monitoring activities help firms avoid frequent “breaches” of these risk thresholds, which rarely change.

Claire Labonne, a paper co-author and Federal Reserve Bank of Boston senior financial economist, said understanding how firms handle business risks is a key focus area for bank supervision.

“Appropriately managing risks in credit card portfolios is important for maintaining firms’ safety and soundness,” said Labonne, a member of the Boston Fed’s Supervisory Research and Analysis Unit.

How do frameworks help banks measure risks? 

Labonne co-authored the paper with Tiffany Eder, a senior financial institution analyst at the Federal Reserve Board, Caitlin O’Loughlin, an economist who works at the Federal Reserve Bank of Chicago, and Krish Sharma, a former research associate at the Boston Fed.

In the paper, the authors analyze how banks manage the risks of their credit card businesses. A bank tracks its open credit card lines, including when each card became active, card balances, payment histories, and delinquencies. The firm uses this data to build “risk appetite frameworks,” or collections of metrics that track risks in a certain business area, Labonne said.

Banks regularly monitor these metrics by color-coding their risk levels, she said. For example, “green” might indicate that a firm’s proportion of high-risk credit card customers is acceptable. But if that share increases faster than expected, the color might elevate to “amber,” since that may lead to more payment delinquencies, which increases the chances of unexpected losses for the firm, Labonne said.

If the bank doesn’t act and delinquency rates continue to grow, this metric could reach the “red” threshold. That causes a breach the bank must address and resolve through an internal process.

“Multiple people in a firm are responsible for looking at these metrics, including risk committees,” Labonne said. “If something is still going wrong, then the issue can go all the way to the firm’s board of directors.”

The researchers sourced their data for the paper from monthly reports provided to bank supervisors by four large consumer banks between 2014 – 2021. They find that these risk appetite frameworks contain anywhere from 40 – 150 metrics. The authors focus specifically on 79 metrics related to outstanding credit card balances.

“It wasn’t all in a neat spreadsheet,” Labonne said. “We had to search through unstructured data and employ different techniques to gather the information we needed.”

How do firms handle “rare” risk breaches?

The authors find that these risk appetite frameworks tend to be “sticky,” meaning that firms rarely change their threshold limits.

“That’s probably to be expected. From a risk-management perspective, you don’t want firms ‘shifting the goalpost’ each month,” Labonne said. “Stability is key here.”

She added that raising threshold limits alone does not address the driving forces behind why a risk is increasing unexpectedly. The researchers used regressions – which look at correlations in data sets to see if they’re statistically significant – to analyze how banks handle breaches when they do occur.

Even after breaches, which the authors found were rare, banks did not simply raise threshold limits as a quick solution. They instead took other actions, like adjusting their strategy for the portfolio to reduce risk, the authors said.

“When actual values exceed the threshold, firms must take mitigating actions,” they wrote. “But actions are often taken before the breach even happens, as continuous monitoring enables firms to anticipate them.”

Read the full paper on

Media Inquiries? Media Inquiries?

Contact our media relations team. We connect journalists with Boston Fed economists, researchers, and leadership and a variety of other resources.

up down About the Authors