Five Ways to Manage Exceptions and Overrides for Risk Mitigation

February 19, 2024

(Originally published in ABA Risk and Compliance, November/December 2023)

In lending, discretion can take several forms, including exceptions and overrides. An exception is an application whose outcome is not fully consistent with credit underwriting and pricing policies. The variation can be either in the underwriting outcome, or in loan terms and conditions, such as interest rate or fees. An override is a type of exception where the lender makes an underwriting decision or sets loan terms and conditions that differ from the outcome produced by the lender’s credit algorithms. Overrides can either be low side, where the application is treated more favorably than the algorithmic decision, or high side, where the application is treated less favorably than the algorithmic decision.

Excessive exceptions to established policies and procedures can be a sign of weaknesses in risk management. According to the Federal Reserve’s Commercial Bank Examination Manual (CBEM), one of the characteristics of strong risk management is that, “There are few exceptions to established policies and procedures, and none of these exceptions would likely lead to a significant loss to the organization.”[i] Conversely, the CBEM describes weak risk management by stating, “The internal control system may be lacking in important respects, particularly as indicated by continued control exceptions or by the failure to adhere to written policies and procedures. The deficiencies associated in these systems could have adverse effects on the safety and soundness of the institution . . .”[ii]

In fair lending, “discretion” is the equivalent of a “four-letter word.” As a form of discretion, exceptions and overrides can be the source of significant fair lending risk. The FFIEC Interagency Fair Lending Examination Procedures,[iii] the Comptroller’s Handbook on Fair Lending,[iv] and the CFPB’s ECOA Baseline Examination Procedures[v] all identify exceptions as a source of fair lending risk. For example, three of the eight FFIEC Underwriting risk factors and two of the seven Pricing risk factors relate to exceptions, including credit scoring overrides. The Appendix to the FFIEC Interagency Fair Lending Examination Manual includes monitoring the nature and frequency of exceptions and the sufficiency of documentation of the rationale for exceptions as principal policy issues.

Managing Risk

If your institution permits exceptions, including overrides, how should you manage the associated risk?

1. Start by reviewing policies and procedures, especially for consumer, mortgage, and small business lending. When an institution permits underwriting or pricing exceptions or overrides, policies and procedures should include clear guidance regarding when exceptions are permitted, what mitigating factors may be considered in granting exceptions, and limits on the number of underwriting exceptions or value of pricing exceptions permitted on a loan. Just like loan approval authority, a loan officer’s ability to grant exceptions should be limited and controlled.

2. It is a best practice to limit the volume of exceptions granted at the portfolio or product level. Excessive exceptions are an indicator of fair lending risk even when they are guided by clear policies and procedures.[vi] Excessive exceptions may also be an indicator of unsafe or unsound banking practices, as they can expose the lender to unrecognized or unwanted credit risk.

3. Exceptions should be monitored at the institution, portfolio, and product level by both unit and dollar volumes of exposure. Institutions may find it helpful to track exception types as well. Management and Board reporting should include the frequency and type of exceptions, as well as the performance of loans originated with exceptions. The Comptroller’s Handbook on Corporate and Risk Governance notes, “Performance and risk reports should enable the board to . . . monitor the types, volumes, and impacts of exceptions to policies and operating procedures.”[vii]

The FDIC Risk Management Manual of Examination Policies says accurate and timely reporting to management and the board of directors may include “The aggregate level of policy exceptions and the performance of that portfolio . . .” and notes “Prudent management and boards monitor compliance with internal policies and maintain reports of all exceptions to policy.”[viii]

4. Exception monitoring should be part of your fair lending compliance management system. Disparities in the distribution of exceptions and overrides on a prohibited basis are a source of fair lending risk. A concentration of high side overrides among protected class borrowers may be especially risky, as a high side override results in denying a request for credit that is approvable according to your loan policy. When monitoring exceptions, you should consider both the incidence of exceptions among each demographic group and the average value or number of exceptions received by each demographic group. Testing the incidence of exceptions indicates whether each demographic group is equally likely to receive an exception, while testing the value or number of exceptions reveals whether the extent of exceptions granted is similar across all demographic groups that receive exceptions. When conducting fair lending testing of exceptions, lenders should test high side and low side overrides separately.

5. Finally, lenders should periodically sample exceptions to assess the adequacy of the documentation supporting the exception and its mitigating factors. Missing or incomplete documentation increases the risk associated with exceptions.

Limiting and monitoring exceptions are components of both a strong fair lending compliance management system and robust credit risk management. If your institution permits exceptions, ensure that guidelines for granting exceptions are clear, limits are in place, monitoring and testing for both fair lending and credit risk are conducted, and sufficient board and management reporting exists. Otherwise, exceptions may become exceptionally risky.


Lynn Woosley is a Managing Director with Asurity Advisors. She has more than 30 years’ risk management experience in both financial services and regulatory environments. She is an expert in consumer protection, including fair lending, fair servicing, community reinvestment, and UDAAP.

Before joining Asurity, Lynn led the fair banking practice for an advisory firm. She has also held multiple leadership positions, including Senior Vice President and Fair and Responsible Banking Officer, within the Enterprise Risk Management division of a top 10 bank. Prior to joining the private sector, Lynn served as Senior Examiner and Fair Lending Advisory Economist at the Federal Reserve Bank of Atlanta. Reach her at

[i], page 63

[ii], page 64



[v], page 16

[vi], page 16

[vii], page 30

[viii], pages 15 and 23
