Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Operational Risk

Credit Risk KRIs for Fintech Lenders: DPD Buckets, Charge-Off Trends, and the Concentration Signals That Show Up in Exam Findings

Most fintech lenders track delinquency and charge-offs. Few connect them into a KRI framework that holds up under regulatory scrutiny. Here are the 7 credit risk metrics your risk function should be running — and the thresholds that trigger action.

By Rebecca Leung · June 28, 2026 ·
Table of Contents

TL;DR

  • Most fintech lenders track DPD and charge-offs in isolation — the gap is in connecting them as a coherent KRI system with defined escalation triggers
  • The 2020 Interagency Guidance on Credit Risk Review Systems (OCC/FDIC/Fed/NCUA) explicitly endorses KRI-driven adjustment of credit review frequency and scope — but most fintechs don’t have the framework to operationalize it
  • Roll rates, vintage curve variance, and model PSI are earlier-warning signals than charge-offs — by the time NCO is elevated, you’ve already missed the window to respond
  • CECL changed the game: reserve assumptions are now themselves a KRI, not just an accounting output

Consumer credit is softening. The FDIC’s 2025 Risk Review flagged consumer lending as a category requiring ongoing monitoring, with modest increases in past-due loans in consumer portfolios and heightened attention to lower-credit-score borrower segments. For fintech lenders — BNPL platforms, personal loan issuers, digital auto lenders, earned-wage-access providers with credit products — the question is whether your credit risk monitoring framework gives you 60 to 90 days of warning before stress shows up in the income statement.

In most cases, it doesn’t. Most fintech lenders track 30/60/90-day DPD buckets and net charge-off rates. A smaller number track vintage performance curves. Few have connected these metrics into a KRI framework with defined thresholds, escalation paths, and board-level reporting — the kind of framework that holds up when the OCC or CFPB examiners ask how you identify deteriorating credit quality and what you do about it.

The 2020 Interagency Guidance on Credit Risk Review Systems — issued jointly by the OCC, Federal Reserve, FDIC, and NCUA — explicitly endorses the use of key risk indicators and performance metrics to support adjustments to credit review frequency and scope. If you can’t show that KRI readings inform your review cadence, you’re operating without the governance infrastructure that regulators expect to see.

Here are the 7 KRIs that should be in every fintech lender’s credit risk monitoring framework.


What Makes Fintech Credit KRIs Different From Bank KRIs

Before the metrics: context on what makes fintech credit risk monitoring distinct from a community bank’s loan portfolio review.

Speed of feedback. A traditional bank’s 90-day review cycle can catch problems before they compound. A BNPL lender with 4-installment loans has a 6-to-8 week product lifecycle — by the time 90-DPD appears, the vintage is nearly done. Fintech credit KRIs need to run at monthly or biweekly frequency, not quarterly.

Model dependency. Fintech credit decisions run through ML-based scoring models, not credit officer judgment. When performance deteriorates, the question is always: is this the borrower population changing, or is the model misbehaving? That distinction requires model-level KRIs alongside portfolio-level KRIs.

Regulatory inheritance. Fintechs operating under bank-as-a-service (BaaS) arrangements don’t own their own charter — but they inherit the regulatory expectations of their bank partner. The bank’s model risk management framework, concentration limits, and credit policy apply to the fintech’s origination activity. The 2024 Interagency RFI on Bank-Fintech Arrangements (OCC Bulletin 2024-21) made clear that banks remain fully responsible for safe and sound conduct regardless of third-party involvement.

CECL exposure. Any fintech that consolidates loan portfolios for accounting purposes (or any partner bank that does) is now operating under CECL (ASC 326), which requires lifetime expected credit loss estimation at origination. That model is a live risk indicator, not just an accounting process.


KRI 1: 30/60/90-Day DPD Delinquency Rates

What it measures: The percentage of outstanding loan balance (or loan count) in each delinquency bucket — loans 30 days past due, 60 days past due, 90+ days past due — as of each monitoring date.

Why it matters: DPD buckets are the standard entry point for credit risk monitoring. They measure where the portfolio is today. A rising 30-DPD rate is your first visible signal that underwriting quality or borrower conditions are changing. A rising 90-DPD rate is a near-certain leading indicator of charge-offs 60-90 days forward.

Threshold guidance: Calibrate to your product type. For unsecured personal loans, a 30-DPD rate above 4% warrants credit committee review; above 6% should trigger a formal board risk report. For secured products (auto, real estate), thresholds are materially lower. Any DPD bucket that increases more than 75 basis points quarter-over-quarter warrants documentation of the driver — is it seasoning of a specific vintage, a macro event, or a policy change?

Reporting format: Track delinquency rates both as a percentage of balance and as a trend over 8 rolling quarters. A waterfall view showing bucket flows quarter-over-quarter is more diagnostic than a single snapshot.


KRI 2: Early Delinquency Roll Rates (30-to-60, 60-to-90)

What it measures: The proportion of loans in a given DPD bucket that migrate to the next bucket in the following monitoring period. 30-to-60 roll rate = (accounts that became 60-DPD this month) / (accounts that were 30-DPD last month).

Why it matters: Roll rates are leading indicators — they tell you where charge-offs are headed before they arrive. A stable 30-DPD rate but a rising 30-to-60 roll rate means your front book looks fine but your workout ability is deteriorating. Conversely, a high 30-DPD rate with a low roll rate might indicate strong collections performance catching early delinquencies.

Threshold guidance: Track rolling 3-month average roll rates. A 30-to-60 roll rate exceeding 35-40% for unsecured consumer products typically warrants a collections strategy review. An increase of more than 5 percentage points quarter-over-quarter in any roll rate should appear in the credit risk report regardless of absolute level.

The early warning advantage: Roll rates often signal portfolio stress 45-90 days before elevated charge-offs become visible. For fintech lenders who need to adjust pricing, underwriting standards, or origination volume in response to credit quality signals, roll rates are the most actionable leading indicator in the KRI stack.


KRI 3: Net Charge-Off Rate

What it measures: Loans written off as uncollectible (net of recoveries) as a percentage of average outstanding loan balance, typically annualized.

Why it matters: NCO is the clearest financial measure of realized credit loss. It’s what appears in earnings reports, what bank partners scrutinize in BaaS arrangements, and what regulators compare against peer benchmarks.

Threshold guidance: Thresholds depend heavily on product type and target market. Unsecured personal lenders targeting prime borrowers typically run NCO rates in the 3-5% range; near-prime and non-prime products run higher. Any quarter where NCO rate exceeds the prior 4-quarter average by more than 50 basis points should trigger a review of origination vintage performance and current underwriting policy.

What NCO doesn’t tell you: By the time elevated NCO is visible, the problem is 90-120 days old. NCO is a lagging indicator — it confirms what roll rates and vintage performance already showed you. Use it as a control metric and for board reporting, but don’t rely on it as your primary monitoring signal.


KRI 4: Vintage Curve Performance vs. Model

What it measures: The cumulative loss rate of each loan origination cohort (vintage) tracked over its lifecycle, compared against the model-predicted loss curve for that vintage.

Why it matters: Vintage analysis separates the performance of different time periods’ originations. If your Q3 2025 vintage is tracking worse than model predictions at 6 months seasoned, you can flag that cohort specifically — without it being masked by better-performing earlier vintages in aggregate statistics.

How to use it as a KRI: For each vintage that has reached 6 months of seasoning, calculate the actual cumulative loss rate and compare it against the predicted rate from your origination model. A variance of more than ±15% (relative) from model expectations should trigger a formal documentation of the explanation — economic conditions, underwriting policy change, model assumption error, or borrower segment shift.

The Upstart lesson: Upstart’s public SEC disclosures documented that vintages from Q1 2021 through Q3 2023 underperformed model predictions due to macro conditions and interest rate changes. This is the real-world consequence of model assumptions calibrated on a period that stopped being representative. Vintage curve variance vs. model is the KRI that surfaces this problem early.


KRI 5: Portfolio Concentration Risk

What it measures: The percentage of total loan balance or exposure concentrated in a single industry sector, geographic region, loan size band, or product type — compared against defined concentration limits.

Why it matters: The 2020 Interagency Guidance on Credit Risk Review Systems emphasizes that scope of review should cover loans with higher-risk indicators, including loans where concentration signals elevate systemic risk. A portfolio that looks healthy in aggregate can carry hidden concentration risk: if 40% of your personal loan portfolio is to gig-economy borrowers in three metro areas, a macro shock to those sectors hits you asymmetrically.

Threshold guidance: Define concentration limits as a percentage of Tier 1 capital (for bank-affiliated fintechs) or total portfolio exposure (for standalone lenders). A common starting point: any single industry sector or geography exceeding 25% of total outstanding balance warrants monitoring; exceeding 35% triggers a board notification and limit review. Fintech lenders using alternative data to serve underbanked segments should be especially attentive to whether their borrower populations have correlated risk profiles not visible in traditional credit bureau data.

What examiners look for: OCC and FDIC examiners ask whether concentration limits are defined, whether compliance is tracked quarterly, and whether board approval is required for exceptions. The absence of defined limits — not just limit breaches — is itself a finding.


KRI 6: CECL Reserve Coverage Ratio

What it measures: The allowance for credit losses (ACL) as a percentage of outstanding loan balance, compared against actual and projected charge-off rates.

Why it matters: Under CECL (ASC 326), your reserve isn’t a backward-looking estimate — it’s a forward-looking lifetime loss forecast. If your model assumptions are wrong, your reserve rate will be wrong. The CECL coverage ratio becomes a KRI because a declining coverage ratio in a stable or deteriorating credit environment signals that your model is lagging.

Threshold guidance: Track the reserve coverage ratio against 12-month trailing NCO rate (a coverage ratio below 1.5x trailing NCO warrants review) and against forward-looking loss projections from your CECL model. Any quarter where actual NCO rate exceeds the CECL-implied loss rate suggests the model is under-reserving. Document the explanation: model timing lag, economic scenario assumption, or model performance gap.

For bank partners: If you’re a fintech operating under a BaaS arrangement, your bank partner’s CECL reserve for your origination program is a financial metric you should be monitoring independently. A bank that is under-reserved for your program is a concentration risk you carry.


KRI 7: Credit Model Performance (PSI and Gini)

What it measures: Two technical metrics that track whether your credit scoring model is still working as designed: Population Stability Index (PSI) measures whether the borrower population the model is scoring has shifted from its development sample; Gini coefficient (also called accuracy ratio) measures whether the model still discriminates between good and bad borrowers.

Why it matters: If the population you’re scoring has changed substantially — younger borrowers, different geographic mix, different income ranges — the model’s predictions may no longer be calibrated correctly, even if the algorithm hasn’t changed. PSI catches this drift before it shows up in vintage performance.

PSI thresholds (industry standard):

  • PSI < 0.10: Population is stable; no model review required
  • PSI 0.10–0.25: Minor shift; investigate the cause; consider monitoring upgrade
  • PSI > 0.25: Significant shift; model review or retraining required

Gini threshold: Track the Gini coefficient monthly for models driving active originations. A Gini decline of more than 5 percentage points from baseline (e.g., 0.72 falling to 0.67) signals degraded discriminatory power and warrants a model validation review.

Regulatory basis: The revised interagency model risk management guidance (OCC Bulletin 2026-13, April 2026) applies to bank credit models and, through bank-fintech relationships, to the scoring tools fintechs deploy. Examiners expect documented ongoing monitoring that includes distribution-level metrics, not just aggregate accuracy statistics. Under the 2020 Interagency Guidance on Credit Risk Review Systems, KRI and performance metric readings explicitly support adjustments to the frequency and scope of credit reviews.


Building the Credit Risk KRI Dashboard

Running these seven metrics as a coherent monitoring system requires a decision about reporting architecture. Here’s a simplified framework:

KRIFrequencyGreenYellowRedEscalation
30-DPD RateMonthly<3%3-5%>5%Credit Committee
60-DPD RateMonthly<1.5%1.5-3%>3%Credit Committee → CRO
30→60 Roll RateMonthly<30%30-40%>40%Collections strategy review
Net Charge-Off Rate (ann.)Quarterly<4%4-6%>6%Board risk report
Vintage vs. Model VarianceQuarterly<±10%±10-20%>±20%Model review + Board notification
Concentration (largest sector)Quarterly<20%20-30%>30%Board approval required
CECL Coverage vs. Trailing NCOQuarterly>2x1.5-2x<1.5xCFO + CRO escalation
PSI (score distribution)Monthly<0.100.10-0.25>0.25Model validation

The thresholds above are starting points. Calibrating them to your specific product mix, borrower segment, and economic environment is what turns a generic template into a governance tool that survives examiner scrutiny and board questions.


So What? The Exam-Ready Version of This Framework

If your current credit risk monitoring consists of a monthly DPD report and a quarterly board slide with NCO trends, you’re one examiner question away from a gap finding. The questions regulators are asking: Can you show that KRI readings informed your credit review scope and frequency? Can you document what happened when a threshold was breached? And can you show that your model assumptions are tracking against observed outcomes?

Pull your last three credit risk committee decks. Check whether all seven of these metrics appear, with what thresholds, and what action was taken when any of them moved. Gaps in that documentation are gaps that examiners will find.

The bigger lift for many fintech lenders: connecting model performance metrics (PSI, Gini) to the credit governance process. Most risk teams have the raw data. The missing piece is the governance layer — defined thresholds, escalation paths, and documentation that shows the board is seeing model health as a credit risk metric, not just a technology metric.

For fintech lenders building out this framework from scratch, the Financial Risk Management Kit includes pre-built credit risk KRI templates with threshold guidance, board reporting formats, and CECL monitoring checklists — structured for fintech and community bank use cases, calibrated to current OCC and FDIC examination expectations.



Sources:

  1. OCC/FDIC/Federal Reserve/NCUA — “Interagency Guidance on Credit Risk Review Systems” (May 2020): https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-50.html
  2. OCC Comptroller’s Handbook: “Rating Credit Risk” (current edition): https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/rating-credit-risk/pub-ch-rating-credit-risk.pdf
  3. FDIC 2025 Risk Review — Consumer Lending and Credit Risk Sections: https://www.fdic.gov/analysis/risk-review
  4. Basel Committee on Banking Supervision — “Principles for the Management and Supervision of Credit Risk” (d595, 2025): https://www.bis.org/bcbs/publ/d595.pdf
  5. OCC Bulletin 2024-21: “Bank-Fintech Arrangements: Request for Information”: https://www.occ.gov/news-issuances/bulletins/2024/bulletin-2024-21.html

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What are the most important credit risk KRIs for fintech lenders?
The seven most critical credit risk KRIs for fintech lenders are: 30/60/90-day DPD delinquency bucket rates (tracked as a percentage of outstanding balance), early delinquency roll rates (the proportion of 30-DPD accounts that roll to 60-DPD), net charge-off rate (NCO), vintage curve performance vs. model, portfolio concentration risk (by industry, geography, or loan size), CECL allowance coverage ratio, and credit model performance metrics (PSI and Gini coefficient). Together, these give an early-warning picture of credit quality before losses materialize in the income statement.
How should fintech lenders set DPD delinquency thresholds?
Thresholds should be calibrated to your product type and customer segment, not copied from a bank template. As a starting point: a 30-DPD rate above 3-4% for personal loans or above 1.5-2% for secured products typically warrants ALCO or credit committee review. A 90-DPD rate approaching 2% in personal lending signals that current-period charge-offs will likely be elevated in 60-90 days. Consumer auto and mortgage thresholds are materially lower. Quarterly comparison against vintage cohort expectations and peer benchmarks is more useful than a static absolute threshold.
What is a roll rate in credit risk and why does it matter?
A roll rate measures the percentage of loans in one delinquency bucket that 'roll' into a more severe bucket in the next period. For example, if 35% of your 30-DPD accounts become 60-DPD in the following month, your 30-to-60 roll rate is 35%. Roll rates are leading indicators: they tell you where charge-offs are headed before they arrive. A rising roll rate across consecutive months is one of the most reliable early signals of portfolio stress that doesn't yet appear in charge-off statistics.
How does CECL change credit risk KRI requirements for fintechs?
CECL (ASC 326, effective for smaller reporting companies in 2023) requires institutions to estimate lifetime expected credit losses at loan origination rather than when losses are incurred. This means your CECL model assumptions — prepayment rates, probability of default, loss given default — are now live risk indicators themselves. A quarterly comparison of your CECL reserve rate against actual realized loss rates is a KRI for model adequacy. If your reserve coverage ratio is declining while charge-offs are rising, your model assumptions may be lagging actual portfolio performance.
What credit risk model metrics do regulators expect fintechs to track?
Regulators applying the 2020 Interagency Guidance on Credit Risk Review Systems (OCC/FDIC/Fed/NCUA) and model risk management principles expect ongoing monitoring of: (1) Population Stability Index (PSI) to detect shifts in the borrower population the model was trained on — thresholds of PSI < 0.10 (stable), 0.10-0.25 (investigate), > 0.25 (model review required); (2) Gini coefficient or AUC to track discriminatory power over time; (3) Backtesting of predicted PD vs. realized default rates. For bank-fintech partnerships, the bank's model risk management framework applies to the fintech's credit scoring tools regardless of who built them.
What concentration risk signals show up in bank examination findings for fintech lenders?
Examiners consistently flag three concentration patterns in fintech and community bank credit portfolios: over-reliance on a single loan product type, geographic concentration in economically cyclical regions, and industry/sector concentrations that aren't captured in standard underwriting criteria. OCC examination guidance expects institutions to define concentration limits as a percentage of Tier 1 capital or total portfolio exposure, monitor compliance quarterly, and require board-level approval for limit exceptions. Fintech lenders operating under BaaS arrangements inherit their bank partner's concentration limits.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Financial Risk Management Kit

Credit risk, liquidity, concentration, and capital adequacy templates built for fintechs.

◆ Keep reading

Related posts.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.