Feature Operational Risk
Credit Risk KRIs for Fintech Lenders: DPD Buckets, Charge-Off Trends, and the Concentration Signals That Show Up in Exam Findings
Most fintech lenders track delinquency and charge-offs. Few connect them into a KRI framework that holds up under regulatory scrutiny. Here are the 7 credit risk metrics your risk function should be running — and the thresholds that trigger action.
Table of Contents
TL;DR
- Most fintech lenders track DPD and charge-offs in isolation — the gap is in connecting them as a coherent KRI system with defined escalation triggers
- The 2020 Interagency Guidance on Credit Risk Review Systems (OCC/FDIC/Fed/NCUA) explicitly endorses KRI-driven adjustment of credit review frequency and scope — but most fintechs don’t have the framework to operationalize it
- Roll rates, vintage curve variance, and model PSI are earlier-warning signals than charge-offs — by the time NCO is elevated, you’ve already missed the window to respond
- CECL changed the game: reserve assumptions are now themselves a KRI, not just an accounting output
Consumer credit is softening. The FDIC’s 2025 Risk Review flagged consumer lending as a category requiring ongoing monitoring, with modest increases in past-due loans in consumer portfolios and heightened attention to lower-credit-score borrower segments. For fintech lenders — BNPL platforms, personal loan issuers, digital auto lenders, earned-wage-access providers with credit products — the question is whether your credit risk monitoring framework gives you 60 to 90 days of warning before stress shows up in the income statement.
In most cases, it doesn’t. Most fintech lenders track 30/60/90-day DPD buckets and net charge-off rates. A smaller number track vintage performance curves. Few have connected these metrics into a KRI framework with defined thresholds, escalation paths, and board-level reporting — the kind of framework that holds up when the OCC or CFPB examiners ask how you identify deteriorating credit quality and what you do about it.
The 2020 Interagency Guidance on Credit Risk Review Systems — issued jointly by the OCC, Federal Reserve, FDIC, and NCUA — explicitly endorses the use of key risk indicators and performance metrics to support adjustments to credit review frequency and scope. If you can’t show that KRI readings inform your review cadence, you’re operating without the governance infrastructure that regulators expect to see.
Here are the 7 KRIs that should be in every fintech lender’s credit risk monitoring framework.
What Makes Fintech Credit KRIs Different From Bank KRIs
Before the metrics: context on what makes fintech credit risk monitoring distinct from a community bank’s loan portfolio review.
Speed of feedback. A traditional bank’s 90-day review cycle can catch problems before they compound. A BNPL lender with 4-installment loans has a 6-to-8 week product lifecycle — by the time 90-DPD appears, the vintage is nearly done. Fintech credit KRIs need to run at monthly or biweekly frequency, not quarterly.
Model dependency. Fintech credit decisions run through ML-based scoring models, not credit officer judgment. When performance deteriorates, the question is always: is this the borrower population changing, or is the model misbehaving? That distinction requires model-level KRIs alongside portfolio-level KRIs.
Regulatory inheritance. Fintechs operating under bank-as-a-service (BaaS) arrangements don’t own their own charter — but they inherit the regulatory expectations of their bank partner. The bank’s model risk management framework, concentration limits, and credit policy apply to the fintech’s origination activity. The 2024 Interagency RFI on Bank-Fintech Arrangements (OCC Bulletin 2024-21) made clear that banks remain fully responsible for safe and sound conduct regardless of third-party involvement.
CECL exposure. Any fintech that consolidates loan portfolios for accounting purposes (or any partner bank that does) is now operating under CECL (ASC 326), which requires lifetime expected credit loss estimation at origination. That model is a live risk indicator, not just an accounting process.
KRI 1: 30/60/90-Day DPD Delinquency Rates
What it measures: The percentage of outstanding loan balance (or loan count) in each delinquency bucket — loans 30 days past due, 60 days past due, 90+ days past due — as of each monitoring date.
Why it matters: DPD buckets are the standard entry point for credit risk monitoring. They measure where the portfolio is today. A rising 30-DPD rate is your first visible signal that underwriting quality or borrower conditions are changing. A rising 90-DPD rate is a near-certain leading indicator of charge-offs 60-90 days forward.
Threshold guidance: Calibrate to your product type. For unsecured personal loans, a 30-DPD rate above 4% warrants credit committee review; above 6% should trigger a formal board risk report. For secured products (auto, real estate), thresholds are materially lower. Any DPD bucket that increases more than 75 basis points quarter-over-quarter warrants documentation of the driver — is it seasoning of a specific vintage, a macro event, or a policy change?
Reporting format: Track delinquency rates both as a percentage of balance and as a trend over 8 rolling quarters. A waterfall view showing bucket flows quarter-over-quarter is more diagnostic than a single snapshot.
KRI 2: Early Delinquency Roll Rates (30-to-60, 60-to-90)
What it measures: The proportion of loans in a given DPD bucket that migrate to the next bucket in the following monitoring period. 30-to-60 roll rate = (accounts that became 60-DPD this month) / (accounts that were 30-DPD last month).
Why it matters: Roll rates are leading indicators — they tell you where charge-offs are headed before they arrive. A stable 30-DPD rate but a rising 30-to-60 roll rate means your front book looks fine but your workout ability is deteriorating. Conversely, a high 30-DPD rate with a low roll rate might indicate strong collections performance catching early delinquencies.
Threshold guidance: Track rolling 3-month average roll rates. A 30-to-60 roll rate exceeding 35-40% for unsecured consumer products typically warrants a collections strategy review. An increase of more than 5 percentage points quarter-over-quarter in any roll rate should appear in the credit risk report regardless of absolute level.
The early warning advantage: Roll rates often signal portfolio stress 45-90 days before elevated charge-offs become visible. For fintech lenders who need to adjust pricing, underwriting standards, or origination volume in response to credit quality signals, roll rates are the most actionable leading indicator in the KRI stack.
KRI 3: Net Charge-Off Rate
What it measures: Loans written off as uncollectible (net of recoveries) as a percentage of average outstanding loan balance, typically annualized.
Why it matters: NCO is the clearest financial measure of realized credit loss. It’s what appears in earnings reports, what bank partners scrutinize in BaaS arrangements, and what regulators compare against peer benchmarks.
Threshold guidance: Thresholds depend heavily on product type and target market. Unsecured personal lenders targeting prime borrowers typically run NCO rates in the 3-5% range; near-prime and non-prime products run higher. Any quarter where NCO rate exceeds the prior 4-quarter average by more than 50 basis points should trigger a review of origination vintage performance and current underwriting policy.
What NCO doesn’t tell you: By the time elevated NCO is visible, the problem is 90-120 days old. NCO is a lagging indicator — it confirms what roll rates and vintage performance already showed you. Use it as a control metric and for board reporting, but don’t rely on it as your primary monitoring signal.
KRI 4: Vintage Curve Performance vs. Model
What it measures: The cumulative loss rate of each loan origination cohort (vintage) tracked over its lifecycle, compared against the model-predicted loss curve for that vintage.
Why it matters: Vintage analysis separates the performance of different time periods’ originations. If your Q3 2025 vintage is tracking worse than model predictions at 6 months seasoned, you can flag that cohort specifically — without it being masked by better-performing earlier vintages in aggregate statistics.
How to use it as a KRI: For each vintage that has reached 6 months of seasoning, calculate the actual cumulative loss rate and compare it against the predicted rate from your origination model. A variance of more than ±15% (relative) from model expectations should trigger a formal documentation of the explanation — economic conditions, underwriting policy change, model assumption error, or borrower segment shift.
The Upstart lesson: Upstart’s public SEC disclosures documented that vintages from Q1 2021 through Q3 2023 underperformed model predictions due to macro conditions and interest rate changes. This is the real-world consequence of model assumptions calibrated on a period that stopped being representative. Vintage curve variance vs. model is the KRI that surfaces this problem early.
KRI 5: Portfolio Concentration Risk
What it measures: The percentage of total loan balance or exposure concentrated in a single industry sector, geographic region, loan size band, or product type — compared against defined concentration limits.
Why it matters: The 2020 Interagency Guidance on Credit Risk Review Systems emphasizes that scope of review should cover loans with higher-risk indicators, including loans where concentration signals elevate systemic risk. A portfolio that looks healthy in aggregate can carry hidden concentration risk: if 40% of your personal loan portfolio is to gig-economy borrowers in three metro areas, a macro shock to those sectors hits you asymmetrically.
Threshold guidance: Define concentration limits as a percentage of Tier 1 capital (for bank-affiliated fintechs) or total portfolio exposure (for standalone lenders). A common starting point: any single industry sector or geography exceeding 25% of total outstanding balance warrants monitoring; exceeding 35% triggers a board notification and limit review. Fintech lenders using alternative data to serve underbanked segments should be especially attentive to whether their borrower populations have correlated risk profiles not visible in traditional credit bureau data.
What examiners look for: OCC and FDIC examiners ask whether concentration limits are defined, whether compliance is tracked quarterly, and whether board approval is required for exceptions. The absence of defined limits — not just limit breaches — is itself a finding.
KRI 6: CECL Reserve Coverage Ratio
What it measures: The allowance for credit losses (ACL) as a percentage of outstanding loan balance, compared against actual and projected charge-off rates.
Why it matters: Under CECL (ASC 326), your reserve isn’t a backward-looking estimate — it’s a forward-looking lifetime loss forecast. If your model assumptions are wrong, your reserve rate will be wrong. The CECL coverage ratio becomes a KRI because a declining coverage ratio in a stable or deteriorating credit environment signals that your model is lagging.
Threshold guidance: Track the reserve coverage ratio against 12-month trailing NCO rate (a coverage ratio below 1.5x trailing NCO warrants review) and against forward-looking loss projections from your CECL model. Any quarter where actual NCO rate exceeds the CECL-implied loss rate suggests the model is under-reserving. Document the explanation: model timing lag, economic scenario assumption, or model performance gap.
For bank partners: If you’re a fintech operating under a BaaS arrangement, your bank partner’s CECL reserve for your origination program is a financial metric you should be monitoring independently. A bank that is under-reserved for your program is a concentration risk you carry.
KRI 7: Credit Model Performance (PSI and Gini)
What it measures: Two technical metrics that track whether your credit scoring model is still working as designed: Population Stability Index (PSI) measures whether the borrower population the model is scoring has shifted from its development sample; Gini coefficient (also called accuracy ratio) measures whether the model still discriminates between good and bad borrowers.
Why it matters: If the population you’re scoring has changed substantially — younger borrowers, different geographic mix, different income ranges — the model’s predictions may no longer be calibrated correctly, even if the algorithm hasn’t changed. PSI catches this drift before it shows up in vintage performance.
PSI thresholds (industry standard):
- PSI < 0.10: Population is stable; no model review required
- PSI 0.10–0.25: Minor shift; investigate the cause; consider monitoring upgrade
- PSI > 0.25: Significant shift; model review or retraining required
Gini threshold: Track the Gini coefficient monthly for models driving active originations. A Gini decline of more than 5 percentage points from baseline (e.g., 0.72 falling to 0.67) signals degraded discriminatory power and warrants a model validation review.
Regulatory basis: The revised interagency model risk management guidance (OCC Bulletin 2026-13, April 2026) applies to bank credit models and, through bank-fintech relationships, to the scoring tools fintechs deploy. Examiners expect documented ongoing monitoring that includes distribution-level metrics, not just aggregate accuracy statistics. Under the 2020 Interagency Guidance on Credit Risk Review Systems, KRI and performance metric readings explicitly support adjustments to the frequency and scope of credit reviews.
Building the Credit Risk KRI Dashboard
Running these seven metrics as a coherent monitoring system requires a decision about reporting architecture. Here’s a simplified framework:
| KRI | Frequency | Green | Yellow | Red | Escalation |
|---|---|---|---|---|---|
| 30-DPD Rate | Monthly | <3% | 3-5% | >5% | Credit Committee |
| 60-DPD Rate | Monthly | <1.5% | 1.5-3% | >3% | Credit Committee → CRO |
| 30→60 Roll Rate | Monthly | <30% | 30-40% | >40% | Collections strategy review |
| Net Charge-Off Rate (ann.) | Quarterly | <4% | 4-6% | >6% | Board risk report |
| Vintage vs. Model Variance | Quarterly | <±10% | ±10-20% | >±20% | Model review + Board notification |
| Concentration (largest sector) | Quarterly | <20% | 20-30% | >30% | Board approval required |
| CECL Coverage vs. Trailing NCO | Quarterly | >2x | 1.5-2x | <1.5x | CFO + CRO escalation |
| PSI (score distribution) | Monthly | <0.10 | 0.10-0.25 | >0.25 | Model validation |
The thresholds above are starting points. Calibrating them to your specific product mix, borrower segment, and economic environment is what turns a generic template into a governance tool that survives examiner scrutiny and board questions.
So What? The Exam-Ready Version of This Framework
If your current credit risk monitoring consists of a monthly DPD report and a quarterly board slide with NCO trends, you’re one examiner question away from a gap finding. The questions regulators are asking: Can you show that KRI readings informed your credit review scope and frequency? Can you document what happened when a threshold was breached? And can you show that your model assumptions are tracking against observed outcomes?
Pull your last three credit risk committee decks. Check whether all seven of these metrics appear, with what thresholds, and what action was taken when any of them moved. Gaps in that documentation are gaps that examiners will find.
The bigger lift for many fintech lenders: connecting model performance metrics (PSI, Gini) to the credit governance process. Most risk teams have the raw data. The missing piece is the governance layer — defined thresholds, escalation paths, and documentation that shows the board is seeing model health as a credit risk metric, not just a technology metric.
For fintech lenders building out this framework from scratch, the Financial Risk Management Kit includes pre-built credit risk KRI templates with threshold guidance, board reporting formats, and CECL monitoring checklists — structured for fintech and community bank use cases, calibrated to current OCC and FDIC examination expectations.
Related Reading
- Interest Rate Risk KRIs: 8 Metrics for Banks and Credit Unions Monitoring IRRBB
- KRI Fundamentals: Building a Key Risk Indicator Library That Survives Examination
- RCSA for Fintechs: Adapting the Risk and Control Self-Assessment for Digital-First Business Models
Sources:
- OCC/FDIC/Federal Reserve/NCUA — “Interagency Guidance on Credit Risk Review Systems” (May 2020): https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-50.html
- OCC Comptroller’s Handbook: “Rating Credit Risk” (current edition): https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/rating-credit-risk/pub-ch-rating-credit-risk.pdf
- FDIC 2025 Risk Review — Consumer Lending and Credit Risk Sections: https://www.fdic.gov/analysis/risk-review
- Basel Committee on Banking Supervision — “Principles for the Management and Supervision of Credit Risk” (d595, 2025): https://www.bis.org/bcbs/publ/d595.pdf
- OCC Bulletin 2024-21: “Bank-Fintech Arrangements: Request for Information”: https://www.occ.gov/news-issuances/bulletins/2024/bulletin-2024-21.html
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Financial Risk Management Kit
Credit risk, liquidity, concentration, and capital adequacy templates built for fintechs.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What are the most important credit risk KRIs for fintech lenders?
How should fintech lenders set DPD delinquency thresholds?
What is a roll rate in credit risk and why does it matter?
How does CECL change credit risk KRI requirements for fintechs?
What credit risk model metrics do regulators expect fintechs to track?
What concentration risk signals show up in bank examination findings for fintech lenders?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Financial Risk Management Kit
Credit risk, liquidity, concentration, and capital adequacy templates built for fintechs.
◆ Keep reading
Related posts.
Operational Risk
1,155 Violations and $1.2 Billion in Restitution: What the FDIC's Spring 2026 Supervisory Highlights Say About Where Your Program Gets Tested
The FDIC's Spring 2026 Consumer Compliance Supervisory Highlights documented 1,155 violations from 2025 exams — with TILA/Reg Z alone accounting for 462, flood insurance violations generating $150 million in orders, and formal enforcement actions requiring $1.2 billion in restitution. Here's how to use the FDIC's own findings as a self-assessment checklist before your next examination.
Jul 8, 2026
Operational Risk
What the OCC's CFSB Consent Order Says About BSA/AML Risk in Fintech Payment Partnerships
On May 21, 2026, the OCC released a consent order against Community Federal Savings Bank—sponsor bank for Wise and Crypto.com—for BSA/AML failures tied directly to rapid payment processing growth. The core problem wasn't the fintech partners. It was that alert tuning, CDD, and staffing never scaled with transaction volume. Here's the operational risk lesson for every institution growing through fintech relationships.
Jul 7, 2026
Operational Risk
The 2026 CRE Loan Maturity Wall: How Community Banks Should Stress-Test Their Commercial Real Estate Portfolios Right Now
More than $1.5 trillion in commercial real estate loans mature in 2026. Roughly 31% of all U.S. banks are CRE-concentrated. Here's the stress-testing methodology community banks need — before examiners ask for it.
Jul 6, 2026