Risk Mitigation for Facebook with Questions for Advertisers/Investors

Privacy Roadmap v2

Poor internal controls, political impacts, and lack of data usage transparency at Facebook have elevated privacy concerns for regulators, advertisers, and investors globally. The broad use of social media has desensitized most Americans to the risk of exposing vast amounts of personal information to companies like Facebook and Google. Will this event materially harm Facebook?

Facebook has the technical skills to fix it going forward and will be a much better company if it does so. The problem is that the historical data provided to third parties is not recoverable, and there will be regulatory fines and regulation. “Facebook began in 2007 letting outsiders access its ‘social graph’ – the friend connections, interests, and ‘likes’ that link its user base together. By 2015, Facebook had largely stopped access to users’ friend connections, though political campaigns could still find would-be supporters by buying ads and using Facebook’s targeting tools” (Tau).

I have managed a Privacy function for more than seven years, so I have a road map of activities that Facebook should consider.

1)    Establish an internal Data Governance team for data control, capture consent for data collected, provide transparency for data given to third parties, and improve news/reporting integrity. Most financial institutions have established data owners and data stewards for data governance.

2)    Recognize that all consumers have different privacy expectations, varying from indifference to protective. Create a system to capture each user’s preference at the data element level and honor each user’s choice.

3)    There are numerous ways of masking personal data: using pseudonyms; encrypting certain sensitive data elements tagged by the user; and aggregating numerous users’ data into an anonymous virtual identity with similar characteristics (NOTE: the old rule of thumb of 10 aggregated individuals with similar behaviors is completely inadequate given today’s Big Data models). Additionally, “Computer scientists have developed algorithms, sometimes called ‘differential privacy,’ that randomize or modify data in ways that make them useful for academic research but not for other purposes. Apple has pioneered the use of this tool” (Duan).

4)    Utilize data mining to review partners’ Privacy Notices and ensure that data is used according to the most current and restrictive Privacy Notice policy. Ensure that all contracts have data usage audit requirements or data is stored on a jointly-managed protected server.

5)    Establish computer system requirements with partners that allow Facebook to delete Facebook’s user data on partners’ systems, thereby allowing user data to “be forgotten” as required under the EU General Data Protection Regulation.

6)    Verify that Facebook and third-party developers are adhering to all regulatory requirements. “Democratic Sens. Mark Warner of Virginia and Amy Klobuchar of Minnesota are the co-authors of the Honest Ads Act bill that would subject online political ads to the same rules and restrictions as those for TV, radio, and satellite” (Swartz). Mark Zuckerberg is supportive of the Honest Ads Act. Facebook is already under investigation by Canada’s privacy commissioner (Seetharaman).
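The three masking techniques in item 3 (pseudonyms, aggregation into groups of similar users, and differential privacy) are easier to judge with a concrete check in hand. The following Python is an added illustration, not code from the original post or from Facebook; the records, the key, and the function names are constructed for the example. It shows a keyed pseudonym (HMAC rather than a bare hash, so a partner cannot recover or brute-force the user ID without the key), a k-anonymity check that reports the smallest group after generalizing zip code and age, and a Laplace-noised count as the simplest form of differential privacy.

```python
"""Pseudonymization, k-anonymity, and a differentially private count.

Added example on constructed data (not real users and not any company's code).
"""
import hashlib
import hmac
import math
import random
from collections import Counter

# Constructed sample records. "zip" and "age" are quasi-identifiers: in
# combination they can single a person out even though no name is present.
RECORDS = [
    {"user_id": "u1001", "zip": "02139", "age": 34, "likes": ["cycling"]},
    {"user_id": "u1002", "zip": "02138", "age": 36, "likes": ["hiking"]},
    {"user_id": "u1003", "zip": "02134", "age": 31, "likes": ["cycling"]},
    {"user_id": "u1004", "zip": "10001", "age": 52, "likes": ["cooking"]},
    {"user_id": "u1005", "zip": "10003", "age": 58, "likes": ["hiking"]},
    {"user_id": "u1006", "zip": "10002", "age": 55, "likes": ["cooking"]},
    {"user_id": "u1007", "zip": "94105", "age": 29, "likes": ["cycling"]},
]


# 1) Pseudonyms: HMAC-SHA256 with a per-partner key. The same user maps to a
#    stable token for one partner, and to a different token for another, so
#    partners cannot join their data sets on the pseudonym.
def pseudonymize(user_id: str, partner_key: bytes) -> str:
    return hmac.new(partner_key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


# 2) Aggregation / k-anonymity: generalize the quasi-identifiers (3-digit zip
#    prefix, 10-year age band) and measure the smallest equivalence class.
def generalize(rec: dict) -> tuple:
    decade = rec["age"] // 10 * 10
    return (rec["zip"][:3] + "**", f"{decade}-{decade + 9}")


def min_class_size(records: list) -> int:
    return min(Counter(generalize(r) for r in records).values())


def is_k_anonymous(records: list, k: int) -> bool:
    # Every generalized group must contain at least k individuals.
    return min_class_size(records) >= k


# 3) Differential privacy: a count query has sensitivity 1 (adding or removing
#    one user changes the answer by at most 1), so Laplace noise with scale
#    1/epsilon gives epsilon-differential privacy for that one query.
def laplace_sample(scale: float, rng: random.Random) -> float:
    # Inverse-CDF sampling of Laplace(0, scale) from a uniform on (-0.5, 0.5).
    u = max(rng.random() - 0.5, -0.5 + 1e-12)
    sign = 1.0 if u >= 0 else -1.0
    return -scale * sign * math.log(1.0 - 2.0 * abs(u))


def true_count(records: list, interest: str) -> int:
    return sum(interest in r["likes"] for r in records)


def dp_count(records: list, interest: str, epsilon: float, rng: random.Random) -> float:
    sensitivity = 1.0
    return true_count(records, interest) + laplace_sample(sensitivity / epsilon, rng)


if __name__ == "__main__":
    key_a, key_b = b"partner-a-key", b"partner-b-key"   # constructed keys
    print("partner A token:", pseudonymize("u1001", key_a))
    print("partner B token:", pseudonymize("u1001", key_b))
    print("smallest group, all records:", min_class_size(RECORDS))
    print("3-anonymous after suppressing the lone 941** user:",
          is_k_anonymous(RECORDS[:6], 3))
    print("noisy cycling count (epsilon=0.5):",
          dp_count(RECORDS, "cycling", 0.5, random.Random(7)))
```

Running it shows the practical tension the roadmap item points at: the seventh record forms a group of one and has to be suppressed or further generalized before the release is even 3-anonymous, and reaching any k on a small, diverse data set costs a lot of detail, which is why a fixed head count like 10 is a weak guarantee. The noisy count is the alternative: the released number is useful in aggregate, but no single user’s presence can be inferred from it with confidence.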

Mr. Zuckerberg and Ms. Sandberg have proactively defined an approach to determine what data has been captured and misused. “In an interview with CNN, a contrite Zuckerberg vowed to mount a ‘full investigation’ of thousands of apps with access to wide swaths of data ‘before we locked down our platform in 2014.’ ‘There will always be bad actors’ trying to misuse the platform, his No. 2 Sheryl Sandberg, told CNBC. ‘We are taking aggressive steps to be more transparent’” (Swartz).

Facebook’s greatest regulatory problem is securing user data collected by data miners and developers in the past to build apps and services. Facebook said it would audit apps that show suspicious patterns in how they pulled data. Developers who have misused data or refuse to submit to an audit will be banned from Facebook, and their users will be notified (Seetharaman).

Investor Concerns

“Trillium Asset Management suggested establishing a risk oversight committee at the Board level. The New York State Common Retirement Fund asked Facebook to review and report on ‘the efficacy of its enforcement of its terms of service, related to content policies and assessing the risk posed by content management controversies,’ such as election interference, hate speech, and sexual harassment” (Norton).

These fund managers made solid suggestions, but there are questions that many investors should consider in evaluating these recommendations.

1) Why should we allow dual shares that protect leaders and diminish the role of shareholders and the Board? “Mr. Zuckerberg and insiders control over 60% of the voting rights, owing to Facebook’s dual share class structure” (Norton).

2) Both of these funds are examples of sustainable funds that market their investments within the framework of ESG (Environmental, Social, and Governance). The very nature of Facebook’s lack of social consciousness over the use of its data by political operatives, and the lack of governance over third-party contracts points to governance weakness, especially due diligence, at ESG funds that chose technology as one of their primary investment sectors.

Advertisers Realize that Facebook has a Unique Product

“Facebook was, for a time, exfiltrating massive amounts of data about its users to developers and data miners of every stripe.” Facebook allowed this data access, hoping to build a business like Apple Inc.’s iPhone App Store (Mims).

“Facebook and Google command 63% of the $83 billion digital-ad market in the U.S. Mobile advertising generated more than 86% of Facebook’s $40.7 billion total revenue in 2017” (Swartz).

“P&G said it cut its digital-ad budget by $200MM last year. Digital ads account for a third of P&G’s $7.1 billion ad budget” (Swartz). However, $200MM is only 2.8% of the budget, so how impactful will the reduction be to Facebook or Google? I would argue as a P&G investor that their ads follow established brand loyalty and quality messages but are ineffective against cheaper store brands and innovative competitors that use digital ads more effectively. If you type “P&G” or “Procter and Gamble” into the Apple App Store or Google Play Store, you will see a few consumer apps for products like Pampers, Charmin, or Tide laundry service amidst a host of other non-consumer apps. My recommendation for certain advertisers is to look carefully at the value provided by Facebook versus subscription services or cross-product loyalty programs tied to consumers’ phone apps, rather than providing ad content that Facebook can leverage with competitors on social media response data.

Blog Author Email: bphelan@riskdirector.com

LinkedIn Profile: http://www.linkedin.com/in/bob-phelan



Duan, Charles, and Shoshana Weissmann. “How Could Facebook Have Been So Careless?” The Wall Street Journal, 26 Mar. 2018.

Mims, Christopher. “Facebook Confronts Identity Crisis.” The Wall Street Journal, 21 Mar. 2018.

Norton, Leslie P. “Facebook Shareholders Force Data Privacy Vote.” Barron’s, 26 Mar. 2018.

Seetharaman, Deepa. “Lax Data Policies Haunt Facebook.” The Wall Street Journal, 21 Mar. 2018.

Swartz, Jon. “Facebook Under Siege.” Barron’s, 26 Mar. 2018.

Tau, Byron. “Data Blowback Pummels Facebook.” The Wall Street Journal, 20 Mar. 2018.

Customer Risk in Cryptocurrency and Florida Payday Lending

There are new risks that might evade detection by the current risk management machine learning models used in financial institutions. I wanted to share some interesting observations that could impact risk in credit card portfolios.

Florida is a state dominated by small business services. All small businesses rely to some degree on credit cards for their payments and working capital. I want to highlight recent changes that could increase credit risk and should be explored by risk management departments of financial institutions.

1) Florida is the only state in the US that changed its law in March 2018 for payday lenders to offset the CFPB rule on interest rates. “The state currently allows loans of up to $500 paid off in a lump sum within 31 days, with annual interest rates often exceeding 300%… To get around the CFPB rule, Florida will permit loans of up to $1,000, to be paid back in installments in 60 days or 90 days. The federal regulation doesn’t generally cover loans lasting 45 days or longer” (Hayashi). The high interest rate over a longer period could accelerate delinquencies among small businesses and consumers in Florida that are accustomed to payday loans but unaware of the additional interest due.

2) To maintain a home, consumers use a network of small businesses that provide services ranging from lawn care to home repair. My experience is that many of these small business owners are now accepting payment in cryptocurrencies, which they say increases their margins (similar to cash payments). In January 2018, Citibank, Chase, Bank of America, and Capital One stopped customers from purchasing cryptocurrencies on their credit cards (Andriotis). Risk management should reassess the debt-to-payment pattern for the segment of cryptocurrency buyers given the 50% decline in value of their cryptocurrency assets. This risk segment is small for most financial institutions, but preemptive line reductions for heavily indebted customers could help them better manage their finances and avoid default.

3) Given that most financial institutions in 2018 have prohibited cryptocurrency purchases with their credit cards, the risk of fraudulent merchant activity is reduced for those institutions. However, credit risk remains, as numerous posts on the internet explain how to buy cryptocurrencies with PayPal or other payment processors, which could enable customers to continue to create credit risk for their financial institution (Martindale).





Hayashi, Yuka. “Florida Gives Payday Lenders a Boost.” The Wall Street Journal, 19 Mar. 2018. Web. 21 Mar. 2018.

Andriotis, AnnaMaria. “Bitcoin Investors Had a Tough Week. Credit Card Companies Are About to Make It Tougher.” The Wall Street Journal, 3 Feb. 2018. Web. 21 Mar. 2018.

Martindale, John. “How to Buy Bitcoin with PayPal.” DigitalTrends.com, 20 Feb. 2018. Web. 22 Mar. 2018.

How many “risk management fails” can Wells Fargo endure?

I have attached a copy of my November 11, 2016 blog that appeared on LinkedIn. At that time, I disagreed with the solution proposed by John Stumpf (CEO) and the Board of Directors of Wells Fargo. Their initial solution was to discontinue the sales incentive goals. If you remember the slogan, “Eight is great.” This referred to a goal of 8 cross-sell products for each employee. My point was that setting appropriate goals is fine if the goals have the oversight and reporting on “how employees achieve goals aligned with proper risk and compliance processes.” The “how” must also include robust customer complaint monitoring. The Board and investors were clearly not informed on how goals were achieved.

My view is that Wells Fargo does not appear to have a robust risk management and compliance culture. The Washington Post has a great article by Renae Merle on August 31, 2017 titled “Wells Fargo finds an additional 1.4 million potentially fake accounts.” These accounts show process failures going back for years with poor oversight, as the customer impact is much larger than the original estimate of 2.1 million fake accounts. Couple this recent finding of an additional 1.4MM fake accounts with the April 6, 2017 article, “Wells Uncovers More Abuses,” reported by Emily Glass and Ruth Simon in the Wall Street Journal. The April report identified sales tactics problems (not included in the 3.5 million just reported) that were pervasive and not monitored. The evidence showed that Wells Fargo retail branch employees “pressured” small businesses into complex merchant servicing contracts by overstating the small business’s sales revenue to circumvent policies that verified the suitability of the contract for the small business customer. The employee attained greater cross-sell product sales, but to the detriment of the small business customer.

I strongly recommend that the Wells Fargo Board of Directors read my initial blog, “Sales Incentive Plans that Align with Regulatory Guidance – November 11, 2016,” to improve their risk and compliance oversight.



Risk Management Gets Tested


The US wakes up the first Monday after the catastrophic Houston flooding and risk managers will face questions on how to act. The phrase “Think Globally, Act Locally” rings true as most of the risk management actions will be locally focused in the Gulf Coast, but the negative impact on asset valuations will be felt across all US companies. Undoubtedly, our country’s priority is to support and protect the people along the Gulf Coast. However, let’s focus on risk management decisions that drive the economic impact to a company’s business and their employees’ and customers’ lives. Here are typical questions that the Board of Directors and Senior Management should be asking of their Risk Management teams.

1)     Are all employees safe and have we acted on the worksite contingency plan?

2)     What is our customer care policy and what is the communication plan for changes that must be made in our customer service network?

3)     What changes in debt collection, insurance payments, and lending will be instituted and how will it impact the customer, income statement, brand, and our regulatory compliance process?

4)     Do we have proper geographic risk management reporting? How long before we have accurate risk assessments of the impact to our employees, customers, and our financials?

5)     What are the forecasts for delinquency rates, recovery rates, write-off rates, and customer service staffing requirements?

6)     How has the company adjusted its models since these episodic events are NOT included in regulatory macroeconomic conditions and are underweighted in historical data?


Hurricane Harvey is the first real test of risk management leadership after the Great Recession of 2008.

Hurricane Harvey Risk Advisory – Investments

The US wakes up the first Monday after the catastrophic Houston flooding and the country is a bit poorer today.  Hurricane Harvey should have a negative impact on both the bond and equity markets, given the broad impact to business and consumers and the potential for increased government borrowing against a pending debt ceiling limit. I am writing because the usual media investment advice is following the usual albeit tired litany for hurricanes such as: watch out for insurance company losses; rising gas prices due to Gulf refinery shutdowns; buy any dips in the equity market, and specifically buy Home Depot and Lowe’s as they benefit from the rebuilding effort. Undoubtedly, our country’s priority must be to support and protect the people along the Gulf Coast, but I believe the risks are much broader than what is being discussed.

Let me focus on other companies that may be exposed to this event in the Gulf Coast. This analysis is purely based on my risk assessment, and my oversight role in managing money for my family foundation. I do have some equity positions in some of these companies as full disclosure. Please consult your financial adviser to review your risk tolerance and financial objectives before making any investment decisions.

What is so important in my mind in investing is what risk management details are provided in 10-Ks and 10-Qs for investors. You will find that many companies do NOT break out regional or even state geographic concentrations, which are most helpful in assessing credit and operational risk from episodic events like Harvey. As a good risk management practice, large concentration risks should have an action plan framework so that management and the Board of Directors can make decisions quickly. Boards should proactively review event-based frameworks for any major concentration as part of annual risk management assessments. Here is my list of heightened risk exposures:

1)     JP Morgan (JPM) has the largest deposit base ($83B, 4.2% market share) and by that measure is one of the largest banks in the Houston area. JPM also has the United Credit Card program and Houston is the second largest hub for United Airlines. Risk managers use airport hubs as a credit card customer acquisition strategy. Collection of credit card debt from hurricane losses takes patience and thoughtful risk management decisions to minimize losses. The key is customer care that generates improved recoveries but the recoveries usually occur after a spike in delinquency rates that creates reserve volatility on the income statement.

2)     The next largest banks by customer and business deposits, as a proxy for customer lending exposure in the Houston area, are: Wells Fargo ($25B, 1.5% of deposits), Bank of America ($20.5B, 1.2% of deposits), BBVA’s Houston subsidiary (15% of subsidiary deposits), and Zions Bank (subsidiary Amegy) (15% of Zions’ deposits). These banks should expect higher delinquency rates and must manage regulatory expectations, which remain high, especially regarding settlement and collection practices.

3)     This will be the first test of FinTech lenders’ collection strategies and there is no meaningful risk data by geography to assess true exposures.

4)     The largest home insurers by premium written in this region are: State Farm ($1.7B premiums, 22% market share); Allstate ($765MM premiums, 9.7% market share). Please remember that homeowner’s insurance does not cover floods and usually requires separate flood insurance. Therefore, there will be higher mortgage delinquencies, increased demand for government support, and overall lower debt collection from all customers in the Gulf Coast region. The largest auto insurers by premiums underwritten are: State Farm (16.2% market share); Progressive Auto (8.56% market share); Allstate (7.3% market share).


In my opinion, Hurricane Harvey losses could exceed expectations and ongoing monitoring is key to any risk management or investment decision. The stock market did not heed my risk assessment and it opened higher this morning on August 28, 2017 because of the positive interest rate and regulatory implications from Jackson Hole. Investors may not be risk-adjusting returns given the potential outcomes of hurricane Harvey, the debt ceiling vote, tax reform, and debt collection regulatory scrutiny. Perhaps I am a bit bearish, so take that into consideration with your cup of coffee.

Recognizing Diversity and the Evolution of Risk Management

Bob Phelan

Financial Risk / Asset Management / Advisor

One advantage of a long career in one business function is the ability to provide perspective on how the function has evolved. This year, I have taken the time to explore risk management options in different industries, evaluated the risk needs of corporate boards, and identified pricing of risk assets as part of my investment oversight role.

Risk management has improved over the last 15 years by:

1)    Expanding the role of risk management to cover the full spectrum of potential risks

2)    Collaborating with Compliance, Audit, Finance, Human Resources, and the Board

3)    Embracing diversity of leadership within risk management, which is providing more opportunities for women, minorities, and veterans

4)    Improving transparency and reporting of risks to all levels of management and the Board

5)    Providing trusted due diligence on new products, M&A activity, and strategic decisions

6)    Building a diverse risk culture with increased communication venues to discuss shareholder goals, customer engagement, employee satisfaction, competitive threats, and social impacts

When I started as a risk manager with Bankers Trust in the late 1980s, we leveraged data and analytics to identify risk drivers, determine P&L volatility (value-at-risk (VaR)), and estimate return on credit and market risk-adjusted capital (RAROC) as a framework for strategic decisioning. Almost every risk manager was quantitatively trained and a programmer. Risk management functions continue to use the latest technology to support profitable business opportunities. At the start of my career, I utilized a Cray computer and a third-party database of all collateralized mortgage obligations to monitor valuations of arbitrage positions and provide independent risk assessments, which gave the firm a competitive advantage. Recently, my teams used text mining to take action on customer feedback, implemented real-time data updates for transaction processing, controlled targeting using social media data, and leveraged Big Data with machine learning models to improve prediction of risk and customer preferences.

Over the past 15 years, Risk Management has expanded its remit with broader assessments within the three main risk categories: credit, market, and operational risk. All have been influenced by regulatory requirements such as Basel and CCAR capital planning, as well as Dodd-Frank resolution planning, the Volcker rule, and numerous other requirements. However, regulatory capital requirements have been hard to rationalize, especially for operational risk. That said, risk leaders have engaged in improving operational risk processes and systems as they were trying to lower the risk capital requirements. We have made progress across operational risk by improving processes for third-party risk, anti-money laundering & sanctions, regulatory adherence, compliance, technology risk, reputational risk, fraud, cybersecurity, privacy, litigation risk, and human resource risk. The recent coordination with compliance and audit functions eliminates costly redundancy in assessing operations and systems. Due to the integration of risk management with other control functions, risk management teams now come from a variety of backgrounds and diverse cultures, which benefits the entire organization.

There are some concerns that accompanied the evolution of Risk Management:

1)    The recent regulatory environment drove the creation of three lines of defense and created a higher cost structure that does not effectively drive risk-balanced decisions with clear accountability. On the positive side, the three lines of defense enhanced regulatory relationships as regulators relied upon the second line of defense to be the internal regulator that supplies analysis to them. The challenge role of the second line of defense can alter first line decisions but has been inefficient because it may: require extra documentation of challenge resolutions, address issues late in a new initiative execution plan, and lack measures of success.

2)    The current risk management environment primarily relies upon regulatory models as they are drivers of firm capital requirements. The regulatory models may increase systematic risk because the regulatory guidelines create similar models across the industry, and they use similar time periods of data to develop the models.

3)    Almost all risk assessments are based on models, historical data, and typical risk scenarios impacting company assets, liabilities, and processes. However, there are numerous scenarios that are atypical and are not considered in current risk scenarios. In today’s world, the list of possible risk events is long and the world is unstable. There are competitive threats (Amazon, Fintech, foreign competition from China and India), disruptive technologies (self-driving cars, automation/robots displacing workers, expanded mobile and digital capabilities), government/political risks (trade wars, taxes, tariffs, sanctions, the Federal Reserve raising short interest rates and impacting segments, the Fed reducing its $4.5 trillion balance sheet and raising long interest rates and impacting segments, cybersecurity and its impact on the electric grid, financial system, and food systems), military risks (war, nuclear incident, impacting various geographic locations), and social risks (decline of small business profitability impacting local communities, outsourcing of jobs to low-cost countries, minimum wage issues, moral and political suasion on financial obligations like debt repayment, changes in debt and bankruptcy forgiveness, tax policy implications especially mortgage and interest deductions, and healthcare cost implications).

Risk leaders have an obligation to preserve their firm value and drive profitable growth for the company, employees, customers, and society. There has been great progress and risk management is well-represented across many industries today. Risk leaders must continue to work with senior management and the board to establish a clear risk appetite framework and develop strategies to manage through whatever the future might bring, good or bad, from the unexpected.


Broadband is the best choice in Final Four against Facebook, Alphabet, Microsoft #FCC, #FTC,#BigData, #Privacy


A poem on the impact that changing referees has on the investment game, as an opportunity for high dividends and a stronger foothold in the Big Data marketing competition.


Wake now! what light through FCC window breaks?
It is Ajit Pai, and broadband is the sun.
Arise, investors, this buffets the FAM* guns,
Who are already sick and pale with grief,
That Pai has made FCC Privacy more fair than FTC:
Be not so quick consumers to judge this win,
Our choice on personal data to 3rd Parties is a sin.
But on a comparison of valued added by data capture,
AT&T, Verizon, and Comcast delivers rapture.
Any investor should immediate consider in the latter,
And none but fools do wait, or else end up sadder.

* FAM = Facebook, Alphabet, Microsoft



McKinnon, John. “Privacy Provision Eases for Telecom” Wall Street Journal, 29 March 2017.