|
Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations |
|||
|
FDIC Federal Register Citations |
||
|
[Federal Register: August 4, 2003 (Volume 68, Number 149)] [Notices] [Page 45949-45988] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr04au03-137] ----------------------------------------------------------------------- DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency [Docket No. 03-15] FEDERAL RESERVE SYSTEM [Docket No. OP-1153] FEDERAL DEPOSIT INSURANCE CORPORATION DEPARTMENT OF THE TREASURY Office of Thrift Supervision [No. 2003-28]
Internal Ratings-Based Systems for Corporate Credit and Operational Risk Advanced Measurement Approaches for Regulatory Capital AGENCIES: Office of the Comptroller of the Currency (OCC), Treasury; Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision (OTS), Treasury. ACTION: Draft supervisory guidance with request for comment. ----------------------------------------------------------------------- SUMMARY: The OCC, Board, FDIC, and OTS (the Agencies) are publishing for industry comment two documents that set forth draft supervisory guidance for implementing proposed revisions to the risk-based capital standards in the United States. These proposed revisions, which would implement the New Basel Capital Accord in the United States, are published as an advance notice of proposed rulemaking (ANPR) elsewhere in today's Federal Register. Under the advanced approaches for credit and operational risk described in the ANPR, banking organizations would use internal estimates of certain risk components as key inputs in the determination of their regulatory capital requirements. The Agencies believe that supervisory guidance is necessary to balance the flexibility inherent in the advanced approaches with high standards that promote safety and soundness and encourage comparability across institutions. The first document sets forth Draft Supervisory Guidance on Internal Ratings-Based Systems for Corporate Credit (corporate IRB guidance). This document describes supervisory expectations for institutions that intend to adopt the advanced internal ratings-based approach (A-IRB) for credit risk as set forth in today's ANPR. The corporate IRB guidance is intended to provide supervisors and institutions with a clear description of the essential components and characteristics of an acceptable A-IRB framework. The guidance focuses specifically on corporate credit portfolios; further guidance is expected at a later date on other credit portfolios (including, for example, retail and commercial real estate portfolios). The second document sets forth Draft Supervisory Guidance on Operational Risk Advanced Measurement Approaches for Operational Risk (AMA guidance). This document outlines supervisory expectations for institutions that intend to adopt an advanced measurement approach (AMA) for operational risk as set forth in today's ANPR. The Agencies are seeking comments on the supervisory standards set forth in both documents. In addition to seeking comment on specific aspects of the supervisory guidance set forth in the documents, the Agencies are seeking comment on the extent to which the supervisory guidance strikes the appropriate balance between flexibility and specificity. Likewise, the Agencies are seeking comment on whether an appropriate balance has been struck between the regulatory requirements set forth in the ANPR and the supervisory standards set forth in these documents. DATES: Comments must be received no later than November 3, 2003. ADDRESSES: Comments should be directed to: OCC: Please direct your comments to: Office of the Comptroller of the Currency, 250 E Street, SW., Public Information Room, Mailstop 1-5, Washington, DC 20219, Attention: Docket No. 03-15; fax number (202) 874-4448; or Internet address: regs.comments@occ.treas.gov. Due to delays in paper mail delivery in the Washington area, we encourage the submission of comments by fax or e-mail whenever possible. Comments may be inspected and photocopied at the OCC's Public Information Room, 250 E Street, SW., Washington, DC. You may make an appointment to inspect comments by calling (202) 874-5043. Board: Comments should refer to Docket No. OP-1153 and may be mailed to Ms. Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC, 20551. However, because paper mail in the Washington area and at the Board of Governors is subject to delay, please consider submitting your comments by e-mail to regs.comments@federalreserve.gov, or faxing them to the Office of the Secretary at 202/452-3819 or 202/ 452-3102. Members of the public may inspect comments in Room MP-500 of the Martin Building between 9 a.m. and 5 p.m. on weekdays pursuant to Sec. 261.12, except as provided in Sec. 261.14, of the Board's Rules Regarding Availability of Information, 12 CFR 261.12 and 261.14. FDIC: Written comments should be addressed to Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC, 20429. Commenters are encouraged to submit comments by facsimile transmission to (202) 898-3838 or by electronic mail to Comments@FDIC.gov. Comments also may be hand-delivered to the guard station at the rear of the 550 17th Street Building (located on F Street) on business days between 8:30 a.m. and 5 p.m. Comments may be inspected and photocopied at the FDIC's Public Information Center, Room 100, 801 17th Street, NW., Washington, DC between 9 a.m. and 4:30 p.m. on business days. OTS: Send comments to Regulation Comments, Chief Counsel's Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, Attention: No. 2003-28. Delivery: Hand deliver comments to the Guard's desk, east lobby entrance, 1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention: Regulation Comments, Chief Counsel's Office, Attention: No. 2003-28. Facsimiles: Send facsimile transmissions to FAX Number (202) 906-6518, Attention: No 2003-28. e-mail: Send e-mails to regs.comments@ots.treas.gov, Attention: No. 2003-28, and include your name and telephone number. Due to temporary disruptions in mail service in the Washington, DC area, commenters are encouraged to send comments by fax or e-mail, if possible. FOR FURTHER INFORMATION CONTACT: OCC: Corporate IRB guidance: Jim Vesely, National Bank Examiner, Large Bank Supervision (202/874-5170 or james.vesely@occ.treas.gov); AMA guidance: Tanya Smith, Senior International Advisor, International Banking & Finance (202/874-4735 or tanya.smith@occ.treas.gov). Board: Corporate IRB guidance: David Palmer, Supervisory Financial Analyst, Division of Banking Supervision and Regulation (202/452-2904 or david.e.palmer@frb.gov); AMA guidance: T. Kirk Odegard, Supervisory Financial Analyst, Division of Banking Supervision and Regulation (202/ 530-6225 or thomas.k.odegard@frb.gov). For users of Telecommunications Device for [[Page 45950]] the Deaf (``TDD'') only, contact 202/263-4869. FDIC: Corporate IRB guidance and AMA guidance: Pete D. Hirsch, Basel Project Manager, Division of Supervision and Consumer Protection (202/898-6751 or phirsch@fdic.gov). OTS: Corporate IRB guidance and AMA guidance: Michael D. Solomon, Senior Program Manager for Capital Policy (202/906-5654); David W. Riley, Project Manager (202/906-6669), Supervision Policy; Teresa A. Scott, Counsel (Banking and Finance) (202/906-6478); or Eric Hirschhorn, Principal Financial Economist (202/906-7350), Regulations and Legislation Division, Office of the Chief Counsel, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552. Document 1: Draft Supervisory Guidance on Internal Ratings-Based Systems for Corporate Credit Table of Contents I. Introduction A. Purpose B. Overview of Supervisory Expectations 1. Ratings Assignment 2. Quantification 3. Data Maintenance 4. Control and Oversight Mechanisms C. Scope of Guidance D. Timing II. Ratings for IRB Systems A. Overview B. Credit Ratings 1. Rating Assignment Techniques a. Expert Judgment b. Models c. Constrained Judgment C. IRB Ratings System Architecture 1. Two-Dimensional Rating System a. Definition of Default b. Obligor Ratings c. Loss Severity Ratings 2. Other Considerations of IRB Rating System Architecture a. Timeliness of Ratings b. Multiple Ratings Systems c. Recognition of the Risk Mitigation Benefits of Guarantees 3. Validation Process a. Ratings System Developmental Evidence b. Ratings System Ongoing Validation c. Back Testing III. Quantification of IRB Systems A. Introduction 1. Stages of the Quantification Process 2. General Principles for Sound IRB Quantification B. Probability of Default (PD) 1. Data 2. Estimation 3. Mapping 4. Application C. Loss Given Default (LGD) 1. Data 2. Estimation 3. Mapping 4. Application D. Exposure at Default (EAD) 1. Data 2. Estimation 3. Mapping 4. Application E. Maturity (M) F. Validation Appendix to Part III: Illustrations of the Quantification Process IV. Data Maintenance A. Overview B. Data Maintenance Framework 1. Life Cycle Tracking 2. Rating Assignment Data 3. Example Data Elements C. Data Element Functions 1. Validation and Refinement 2. Developing Parameter Estimates 3. Applying Rating System Improvements Historically 4. Calculating Capital Ratios and Reporting to the Public 5. Supporting Risk Management D. Managing data quality and integrity 1. Documentation and Definitions 2. Electronic Storage 3. Data Gaps V. Control and Oversight Mechanisms A. Overview B. Independence in the Rating Approval Process C. Transparency D. Accountability 1. Responsibility for Assigning Ratings 2. Responsibility for Rating System Performance E. Use of Ratings F. Rating System Review (RSR) G. Internal Audit 1. External Audit H. Corporate Oversight I. Introduction A. Purpose This document describes supervisory expectations for banking organizations (institutions) adopting the advanced internal ratings- based approach (IRB) for the determination of minimum regulatory risk- based capital requirements. The focus of this guidance is corporate credit portfolios. Retail, commercial real estate, securitizations, and other portfolios will be the focus of later guidance. This draft guidance should be considered with the advance notice of proposed rulemaking (ANPR) on revisions to the risk-based capital standard published elsewhere in today's Federal Register. The primary objective of IRB is to enhance the sensitivity of regulatory capital requirements to credit risk. To accomplish that objective, IRB harnesses a bank's own risk rating and quantification capabilities. In general, the IRB approach reflects and extends recent developments in risk management and banking supervision. However, the degree to which any individual bank will need to modify its own credit risk management practices to deliver accurate and consistent IRB risk parameters will vary from institution to institution. This guidance is intended to provide supervisors and institutions with a clear description of the essential components and characteristics of an acceptable IRB framework. Toward that end, this document sets forth IRB system supervisory standards that are highlighted in bold and designated by the prefix ``S.'' Whenever possible, these supervisory standards are principle-based to enable institutions to implement the framework flexibly. However, when prudential concerns or the need for standardization override the desire for flexibility, the supervisory standards are more detailed. Ultimately, institutions must have credit risk management practices that are consistent with the substance and spirit of the standards in this guidance. The IRB conceptual framework outlined in this document is intended neither to dictate the precise manner by which institutions should seek to meet supervisory expectations, nor to provide technical guidance on how to develop such a framework. As institutions develop their IRB systems in anticipation of adopting them for regulatory capital purposes, supervisors will be evaluating, on an individual bank basis, the extent to which institutions meet the standards outlined in this document. In evaluating institutions, supervisors will rely on this supervisory guidance as well as examination procedures, which will be developed separately. This document assumes that readers are familiar with the proposed IRB approach to calculating minimum regulatory capital articulated in the ANPR. B. Overview of Supervisory Expectations Rigorous credit risk measurement is a necessary element of advanced risk management. Qualifying institutions will use their internal rating systems to associate a probability of default (PD) with each obligor grade, as well as a loss given default (LGD) with each credit facility. In addition, institutions will estimate exposure at default (EAD) and will calculate the effective remaining maturity (M) of credit facilities. Qualifying institutions will be expected to have an IRB system consisting of four interdependent components: [sbull] A system that assigns ratings and validates their accuracy (Chapter 1), [sbull] A quantification process that translates risk ratings into IRB parameters (Chapter 2), [sbull] A data maintenance system that supports the IRB system (Chapter 3), and, [[Page 45951]] [sbull] Oversight and control mechanisms that ensure the system is functioning as intended and producing accurate ratings (Chapter 4). Together these rating, quantification, data, and oversight mechanisms present a framework for defining and improving the evaluation of credit risk. It is expected that rating systems will operate dynamically. As ratings are assigned, quantified and used, estimates will be compared with actual results and data will be maintained and updated to support oversight and validation efforts and to better inform future estimates. The rating system review and internal audit functions will serve as control mechanisms that ensure that the process of ratings assignment and quantification function according to policy and design and that noncompliance and weaknesses are identified, communicated to senior management and the board, and addressed. Rating systems with appropriate data and oversight feedback mechanisms foster a learning environment that promotes integrity in the rating system and continuing refinement. IRB systems need the support and oversight of the board and senior management to ensure that the various components fit together seamlessly and that incentives to make the system rigorous extend across line, risk management, and other control groups. Without strong board and senior management support and involvement, rating systems are unlikely to provide accurate and consistent risk estimates during both good and bad times. The new regulatory minimum capital requirement is predicated on an institution's internal systems being sufficiently advanced to allow a full and accurate assessment of its risk exposures. Under the new framework, an institution could experience a considerable capital shortfall in the most difficult of times if its risk estimates are materially understated. Consequently, the IRB framework demands a greater level of validation work and controls than supervisors have required in the past. When properly implemented, the new framework holds the potential for better aligning minimum capital requirements with the risk taken, pushing capital requirements higher for institutions that specialize in riskier types of lending, and lower for those that specialize in safer risk exposures. Supervisors will evaluate compliance with the supervisory standards for each of the four components of an IRB system. However, evaluating compliance with each of the standards individually will not be sufficient to determine an institution's overall compliance. Rather, supervisors and institutions must also evaluate how well the various components of an institution's IRB system complement and reinforce one another to achieve the overall objective of accurate measures of risk. In performing their evaluation, supervisors will need to exercise considerable supervisory judgment, both in evaluating the individual components and the overall IRB framework. A summary of the key supervisory expectations for each of the IRB components follows. Ratings Assignment The first component of an IRB system involves the assignment and validation of ratings (see Chapter 1). Ratings must be accurately and consistently applied to all corporate credit exposures and be subject to initial and ongoing validation. Institutions will have latitude in designing and operating IRB rating systems subject to five broad standards: Two-dimensional risk-rating system--IRB institutions must be able to make meaningful and consistent differentiations among credit exposures along two dimensions--obligor default risk and loss severity in the event of a default. Rank order risks--IRB institutions must rank obligors by their likelihood of default, and facilities by the loss severity expected in default. Calibration--IRB obligor ratings must be calibrated to values of the probability of default (PD) parameter and loss severity ratings must be calibrated to values of the loss given default (LGD) parameter. Accuracy--Actual long-run actual default frequencies for obligor rating grades must closely approximate the PDs assigned to those grades and realized loss rates on loss severity grades must closely approximate the LGDs assigned to those grades. Validation process--IRB institutions must have ongoing validation processes for rating systems that include the evaluation of developmental evidence, process verification, benchmarking, and the comparison of predicted parameter values to actual outcomes (back- testing). Quantification The second component of an IRB system is a quantification process (see Chapter 2). Since obligor and facility ratings may be assigned separately from the quantification of the associated PD and LGD parameters, quantification is addressed as a separate process. The quantification process must produce values not only for PD and LGD but also for EAD and for the effective remaining maturity (M). The quantification of those four parameters is expected to be the result of a disciplined process. The key considerations for effective quantification are as follows: Process--IRB institutions must have a fully specified process covering all aspects of quantification (reference data, estimation, mapping, and application). Documentation--The quantification process, including the role and scope of expert judgment, must be fully documented and updated periodically. Updating--Parameter estimates and related documentation must be updated regularly. Review--A bank must subject all aspects of the quantification process, including design and implementation, to an appropriate degree of independent review and validation. Constraints on Judgment--Judgmental adjustments may be an appropriate part of the quantification process, but must not be biased toward lower risk estimates. Conservatism--Parameter estimates must incorporate a degree of conservatism that is appropriate for the overall robustness of the quantification process. Data Maintenance The third component of an IRB system is an advanced data management system that produces credible and reliable risk estimates (see Chapter 3). The broad standard governing an IRB data maintenance system is that it supports the requirements for the other IRB system components, as well as the institution's broader risk management and reporting needs. Institutions will have latitude in managing their data, subject to the following key data maintenance standards: Life Cycle Tracking--Institutions must collect, maintain, and analyze essential data for obligors and facilities throughout the life and disposition of the credit exposure. Rating Assignment Data--Institutions must capture all significant quantitative and qualitative factors used to assign the obligor and loss severity rating. Support of IRB System--Data collected by institutions must be of sufficient depth, scope, and reliability to: [sbull] Validate IRB system processes, [sbull] Validate parameters, [sbull] Refine the IRB system, [sbull] Develop internal parameter estimates, [sbull] Apply improvements historically, [sbull] Calculate capital ratios, [sbull] Produce internal and public reports, and [[Page 45952]] [sbull] Support risk management. Control and Oversight Mechanisms The fourth component of an IRB system is comprised of control and oversight mechanisms that ensure that the various components of the IRB system are functioning as intended (see Chapter 4). Given the various uses of internal risk ratings, including their direct link to regulatory capital requirements, there is enormous, sometimes conflicting, pressure on banks' internal rating systems. Control structures are subject to the following broad standards: Interdependent System of Controls--IRB institutions must implement a system of interdependent controls that include the following elements: [sbull] Independence, [sbull] Transparency, [sbull] Accountability, [sbull] Use of ratings, [sbull] Rating system review, [sbull] Internal audit, and [sbull] Board and senior management oversight. Checks and Balances--Institutions must combine the various control mechanisms in a way that provides checks and balances for ensuring IRB system integrity. The system of oversight and controls required for an effective IRB system may operate in various ways within individual institutions. This guidance does not prescribe any particular organizational structure for IRB oversight and control mechanisms. Banks have broad latitude to implement structures that are most effective for their individual circumstances, as long as those structures support and enhance the institution's ability to satisfy the supervisory standards expressed in this document. C. Scope of Guidance This draft guidance reflects work performed by supervisors to evaluate and compare current practices at institutions with the concepts and requirements for an IRB framework. For instances in which a range of practice was observable, examples are provided on how certain practices may or may not qualify. However, in many other instances, practices were at such an early stage of development that it was not feasible to describe specific examples. In those cases, requirements tend to be principle-based and without examples. Given that institutions are still in the early stages of developing qualifying IRB systems, it is expected that this guidance will evolve over time to more explicitly take into account new and improving practices. D. Timing S. An IRB system must be operating fully at least one year prior to the institution's intended start date for the advanced approach. As noted in the ANPR, the significant challenge of implementing a fully complying IRB system requires that institutions and supervisors have sufficient time to observe whether the IRB system is delivering risk-based capital figures with a high level of integrity. The ability to observe the institution's ratings architecture, validation, data maintenance and control functions in a fully operating environment prior to implementation will help identify how well the IRB system design functions in practice. This will be particularly important given that in the first year of implementation institutions will not only be subject to the new minimum capital requirements, but will also be disclosing risk-based capital ratios for the public to rely upon in the assessment of the institution's financial health. II. Ratings for IRB Systems A. Overview This chapter describes the design and operation of risk-rating systems that will be acceptable in an internal ratings-based (IRB) framework. Banks will have latitude in designing and operating IRB rating systems, subject to five broad standards: Two-dimensional risk-rating system--IRB institutions must be able to make meaningful and consistent differentiations among credit exposures along two dimensions--obligor default risk and loss severity in the event of a default. Rank order risks--IRB institutions must rank obligors by their likelihood of default, and facilities by the loss severity expected in default. Calibration--IRB obligor ratings must be calibrated to values of the probability of default (PD) parameter and loss severity ratings must be calibrated to values of the loss given default (LGD) parameter. Accuracy--Actual long-run actual default frequencies for obligor rating grades must closely approximate the PDs assigned to those grades and actual loss rates on loss severity grades must closely approximate the LGDs assigned to those grades. Validation process--IRB institutions must have ongoing validation processes for rating systems that include the evaluation of developmental evidence, process verification, benchmarking, and the comparison of predicted parameter values to actual outcomes (back- testing). B. Credit Ratings In general, a credit rating is a summary indicator of the relative risk on a credit exposure. Credit ratings can take many forms. The most widely known credit ratings are the public agency ratings, which are expressed as letters; bank internal ratings tend to be expressed as whole numbers--for example, 1 through 10. Some rating model outputs are expressed in terms of probability of default or expected default frequency, in which case they may be more than relative measures of risk. Regardless of the form, meaningful credit ratings share two characteristics: [sbull] They group credits to discriminate among possible outcomes. [sbull] They rank the perceived levels of credit risk. Banks have used credit ratings of various types for a variety of purposes. Some ratings are intended to rank obligors by risk of default and some are intended to rank facilities\1\ by expected loss, which incorporates risk of default and loss severity. Bank rating systems that are geared solely to expected loss will need to be amended to meet the two-dimensional requirements of the IRB approach. Rating Assignment Techniques Banks use different techniques, such as expert judgment and models, to assign credit risk ratings. For banks using the IRB approach, how ratings are assigned is important because different techniques will require different validation processes and control mechanisms to ensure the integrity of the rating system. To assist the discussion of rating architecture requirements, described below are some of the current rating assignment techniques. Any of these techniques--expert judgment, models, constrained judgment, or a combination thereof--could be acceptable within an IRB system, provided the bank meets the standards outlined in this document. --------------------------------------------------------------------------- \1\ Facilities--loans, lines, or other separate extensions of credit to an obligor. --------------------------------------------------------------------------- Expert Judgment Historically, banks have used expert judgment to assign ratings to commercial credits. With this technique, an individual weighs relevant information and reaches a conclusion about the appropriate risk rating. Presumably, the rater makes informed judgments based on knowledge gained through experience and training. [[Page 45953]] The key feature of expert-judgment systems is flexibility. The prevalence of judgmental rating systems reflects the view that the determinants of default are too complicated to be captured by a single quantitative model. The quality of management is often cited as an example of a risk determinant that is difficult to assess through a quantitative model. In order to foster internal consistency, banks employing expert judgment rating systems typically provide narrative guidelines that set out ratings criteria. However, the expert must decide how narrative guidelines apply to a given set of circumstances. The flexibility possible in the assignment of judgmental ratings has implications for the types of ratings review that are feasible. As part of the ratings validation process, banks will attempt to confirm that raters follow bank policy. However, two individuals exercising judgment can use the same information to support different ratings. Thus, the review of an expert judgment rating system will require an expert who can identify the impact of policy and the impact of judgment on a rating. Models In recent years, models have been developed for use in rating commercial credits. In a model-based approach, inputs are numeric and provide quantitative and qualitative information about an obligor. The inputs are combined using mathematical equations to produce a number that is translated into a categorical rating. An important feature of models is that the rating is perfectly replicable by another party, given the same inputs. The models used in credit rating can be distinguished by the techniques used to develop them. Some models may rely on statistical techniques while others rely on expert-judgment techniques. Statistical models. Statistically developed models are the result of statistical optimization, in which well-defined mathematical criteria are used to choose the model that has the closest fit to the observed data. Numerous techniques can be used to build statistical models; regression is one widely recognized example. Regardless of the specific statistical technique, a knowledgeable independent reviewer will have to exercise judgment in evaluating the reasonableness of a model's development, including its underlying logic, the techniques used to handle the data, and the statistical model building techniques. Expert-derived models.\2\ Several banks have built rating models by asking their experts to decide what weights to assign to critical variables in the models. Drawing on their experience, the experts first identify the observable variables that affect the likelihood of default. They then reach agreement on the weights to be assigned to each of the variables. Unlike statistical optimization, the experts are not necessarily using clear, consistent criteria to select the weights attached to the variables. Indeed, expert-judgment model building is often a practical choice when there is not enough data to support a statistical model building. Despite its dependence on expert judgment, this method can be called model-based as long as the result--the equation, most likely with linear weights--is used as the basis to rate the credits. Once the equation is set, the model shares the feature of replicability with statistically derived models. Generally, independent credit experts use judgment to evaluate the reasonableness of the development of these models. --------------------------------------------------------------------------- \2\ Some banks have developed credit rating models that they refer to as ``scorecards,'' but they have used expert judgment to derive the weights. While they are models, they are not scoring models in the now conventional use of the term. In its conventional use, the term scoring model is reserved for a rating model derived using statistical techniques. --------------------------------------------------------------------------- Constrained Judgment The alternatives just described present the extremes, but in practice, many banks use rating systems that combine models with judgment. Two approaches are common. Judgmental systems with quantitative guidelines or model results as inputs. Historically, the most common approach to rating has involved individuals exercising judgment about risks, subject to policy guidelines containing quantitative criteria such as minimum values for particular financial ratios. Banks develop quantitative criteria to guide individuals in assigning ratings, but often believe that those criteria do not adequately reflect the information needed to assign a rating. One version of this constrained judgment approach features a model output as one among several criteria that an individual may consider in assigning ratings. The individual assigning the rating is responsible for prioritizing the criteria, reconciling conflicts between criteria, and if warranted, overriding some criteria. Even if individuals incorporate model results as one of the factors in their ratings, they will exercise judgment in deciding what weight to attach to the model result. The appeal of this approach is that the model combines many pieces of information into a single output, which simplifies analysis, while the rater retains flexibility regarding the use of the model output. Model-based ratings with judgmental overrides. When banks use rating models, individuals are generally permitted to override the results under certain conditions and within tolerance levels for frequency. Credit-rating systems in which individuals can override models raise many of the same issues presented separately by pure judgment and model-based systems. If overrides are rare, the system can be evaluated largely as if it is a model-based system. If, however, overrides are prevalent, the system will be evaluated more like a judgmental system. Since constrained judgment systems combine features of both expert judgment and model-based systems, their evaluation will require the skills required to evaluate both of these other systems. C. IRB Ratings System Architecture Two-Dimensional Rating System S. IRB risk rating systems must have two rating dimensions--obligor and loss severity ratings. S. IRB obligor and loss severity ratings must be calibrated to values of the probability of default (PD) and the loss given default (LGD), respectively. Regardless of the type of rating system(s) used by an institution, the IRB approach imposes some specific requirements. The first requirement is that an IRB rating system must be two-dimensional. Banks will assign obligor ratings, which will be associated with a PD. They will also either assign a loss severity rating, which will be associated with LGD values, or directly assign LGD values to each facility. The process of assigning the obligor and loss severity ratings--hereafter referred to as the rating system--is discussed below, and the process of calibrating obligor and loss severity ratings to PD and LGD parameters is discussed in Chapter 2. S. Banks must record obligor defaults in accordance with the IRB definition of default. Definition of Default The consistent identification of defaults is fundamental to any IRB rating system. For IRB purposes, a default is considered to have occurred with regard to a particular obligor when either or both of the two following events have taken place: [sbull] The obligor is past due more than 90 days on any material credit [[Page 45954]] obligation to the banking group. Overdrafts will be considered as being past due once the customer has breached an advised limit or been advised of a limit smaller than current outstandings. [sbull] The bank considers that the obligor is unlikely to pay its credit obligations to the banking group in full, without recourse by the bank to actions such as liquidating collateral (if held). Any obligor (or its underlying credit facilities) that meets one or more of the following conditions is considered unlikely to pay and therefore in default: [sbull] The bank puts the credit obligation on non-accrual status. [sbull] The bank makes a charge-off or account-specific provision resulting from a significant perceived decline in credit quality subsequent to the bank taking on the exposure. [sbull] The bank sells the credit obligation at a material credit- related economic loss. [sbull] The bank consents to a distressed restructuring of the credit obligation where this is likely to result in a diminished financial obligation caused by the material forgiveness, or postponement, of principal, interest or (where relevant) fees. [sbull] The bank has filed for the obligor's bankruptcy or a similar order in respect of the obligor's credit obligation to the banking group. [sbull] The obligor has sought or has been placed in bankruptcy or similar protection where this would avoid or delay repayment of the credit obligation to the banking group. While most conditions of default currently are identified by bank reporting systems, institutions will need to augment data capture systems to collect those default circumstances that may not have been traditionally identified. These include facilities that are current and still accruing but where the obligor declared or was placed in bankruptcy. They must also capture so called ``silent defaults''-- defaults when the loss on a facility was avoided by liquidating collateral. Loan sales on which a bank experiences a material loss due to credit deterioration are considered a default. Material credit related losses are defined as XX. (The agencies seek comment on how to define ``material'' loss in the case of loans sold at a discount). Banks should ensure that they have adequate systems to identify such transactions and to maintain adequate records so that reviewers can assess the adequacy of the institution's decision-making process in this area. Obligor Ratings S. Banks must assign discrete obligor grades. While banks may use models to estimate probabilities of default for individual obligors, the IRB approach requires banks to group the obligors into discrete grades. Each obligor grade, in turn, must be associated with a single PD. S. The obligor-rating system must result in a ranking of obligors by likelihood of default. The proper operation of the obligor-rating system will feature a ranking of obligors by likelihood of default. For example, if a bank uses a rating system based on a 10-point scale, with 1 representing obligors of highest financial strength and 10 representing defaulted obligors, grades 2 through 9 should represent groups of ever-increasing risk. In a rating system in which risk increases with the grade, an obligor with a grade 4 is riskier than an obligor with a grade 2, but need not be twice as risky. S. Separate exposures to the same obligor must be assigned to the same obligor rating grade. As noted above, the IRB framework requires that the obligor rating be distinct from the loss severity rating, which is assigned to the facility. Collateral and other facility characteristics should not influence the obligor rating. For example, in a 1-to-10 rating system, where risk increases with the number grade, a defaulted borrower with a fully cash-secured transaction should be rated a 10--defaulted-- regardless of the remote expectation of loss. Likewise, a borrower whose financial condition warrants the highest investment grade rating should be rated a 1 even if the bank's transactions are subordinate to other creditors and unsecured. Since the rating is assigned to the obligor and not the facility, separate exposures to the same obligor must be assigned to the same obligor rating grade. At the bottom of any IRB system rating scale is a default grade. Once an obligor is considered to be in default for IRB purposes, that obligor must be assigned a default grade until such time as its financial condition and performance improve sufficiently to clearly meet the bank's internal rating definition for one of its non-default grades. Once an obligor is in default on any material credit obligation to the subject bank, all of its facilities at that institution are considered to be in default. S. In assigning an obligor to a rating category, the bank must assess the risk of obligor default over a period of at least one year. S. Obligor ratings must reflect the impact of financial distress. In assigning an obligor to a rating category, the bank must assess the risk of obligor default over a period of at least one year. This use of a one-year assessment horizon does not mean that a bank should limit its consideration to outcomes for that obligor that are most likely over that year; the rating must take into account possible adverse events that might increase an obligor's likelihood of default. Rating Philosophy--Decisions Underlying Ratings Architecture S. Banks must adopt a ratings philosophy. Policy guidelines should describe the ratings philosophy, particularly how quickly ratings are expected to migrate in response to economic cycles. S. A bank's capital management policy must be consistent with its ratings philosophy in order to avoid capital shortfalls in times of systematic economic stress. In the IRB framework, banks assign obligors to groups that are expected to share common default frequencies. That general description, however, still leaves open different possible implementations, depending on how the bank defines the set of possible adverse events that the obligor might face. A bank must decide whether obligors are grouped by expected common default frequency over the next year (a so- called point-in-time rating system) or by an expected common default frequency over a wider range of possible stress outcomes (a so-called through-the-cycle rating system). Choosing between a point-in-time system and a through-the-cycle system yields a rating philosophy. In point in time rating systems, obligors are assigned to groups that are expected to share a common default frequency in a particular year. Point-in-time ratings change from year to year as borrowers' circumstances change, including changes due to the economic possibilities faced by the borrowers. Since the economic circumstances of many borrowers reflect the common impact of the general economic environment, the transitions in point-in-time ratings will reflect that systematic influence. A Merton-style probability of default prediction model is commonly believed to be an example of a point-in-time approach to rating (although that may depend on the specific implementation of the model). Through-the-cycle rating systems do not ask the question, what is the probability of default over the next year. [[Page 45955]] Instead, they assign obligors to groups that would be expected to share a common default frequency if the borrowers in them were to experience distress, regardless of whether that distress is in the next year. Thus, as the descriptive title suggests, this rating philosophy abstracts from the near-term economic possibilities and considers a richer assessment of the possibilities. Like point-in-time ratings, through the cycle ratings will change from year to year due to changes in borrower circumstance. However, since this rating philosophy abstracts from the immediate economic circumstance and considers the implications of hypothetical stress circumstances, year to year transitions in ratings will be less influenced by changes in the actual economic environment. The ratings agencies are commonly believed to use through-the-cycle rating approaches. Current practice in many banks in the U.S. is to rate obligors using an approach that combines aspects of both point-in-time and through the cycle approaches. The explanation provided by banks that combine those approaches is that they want rating transitions to reflect the directional impact of changes in the economic environment, but that they do not want all of the volatility in ratings associated with a point-in-time approach. Regardless of which ratings philosophy a bank chooses, an IRB bank must articulate clearly its approach and the implications of that choice. As part of the choice of rating philosophy, the bank must decide whether the same ratings philosophy will be employed for all of the bank's portfolios. And management must articulate the implications that the bank's ratings philosophy has on the bank's capital planning process. If a bank chooses a ratings philosophy that is likely to result in ratings transitions that reflect the impact of the economic cycle, its capital management policy must be designed to avoid capital shortfalls in times of systematic economic stress. Obligor-Rating Granularity S. An institution must have at least seven obligor grades that contain only non-defaulted borrowers and at least one grade to which only defaulted borrowers are assigned. The number of grades used in a rating system should be sufficient to reasonably ensure that management can meaningfully differentiate risk in the portfolio, without being so large that it limits the practical use of the rating system. To determine the appropriate number of grades beyond the minimum seven non-default grades, each institution must perform its own internal analysis. S. An institution must justify the number of obligor grades used in its rating system and the distribution of obligors across those grades. The mere existence of an exposure concentration in a grade (or grades) does not, by itself, reflect weakness in a rating system. For example, banks may focus on a particular type of lending, such as asset-based lending, in which the borrowers may have similar default risk. Banks with such focused lending activities may use close to the minimum number of obligor grades, while banks with a broad range of lending activities should have more grades. However, banks with a high concentration of obligors in a particular grade are expected to perform a thorough analysis that supports such a concentration. A significant concentration within an obligor grade may be suspected if the financial strength of the borrowers within that grade varies considerably. If obligors seem unduly concentrated, then management should ask themselves the following questions: [sbull] Are the criteria for each grade clear? Those rating criteria may be too vague to allow raters to make clear distinctions. Ambiguity may be an issue throughout the rating scale or it may be limited to the most commonly used ratings. [sbull] How diverse are the obligors? That is how many market segments (for example, large commercial, middle market, private banking, small business, geography, etc.) are significantly represented in the bank's borrower population? If a bank's commercial loan portfolio is not concentrated in one market segment, its risk rating distribution is not likely to be concentrated. [sbull] How broad are the bank's internal rating categories compared to those of other lenders? The bank may be able to learn enough from publicly available information to adjust its rating criteria. Some banks use ``modifiers'' to provide more risk differentiation to a given rating system. A risk rating modified with a plus, minus or other indicator does not constitute a separate grade unless the bank has developed a distinct rating definition and criteria for the modified grade. In the absence of such distinctions, grades such as 5, 5+, and 5- are viewed as a single grade for regulatory capital purposes regardless of the existence of the modifiers. Loss Severity Ratings S. Banks must rank facilities by the expected severity of the loss upon default. The second dimension of an IRB system is the loss severity rating, which is calibrated to LGD. A facility's LGD estimate is the loss the bank is likely to incur in the event that the obligor defaults, and is expressed as a percentage of exposure at the time of default. LGD estimates can be assigned either through the use of a loss severity rating system or they can be directly assigned to each facility. LGD analysis is still in very early stages of development relative to default risk modeling. Academic research in this area is relatively sparse, data are not abundant, and industry practice is still widely varying and evolving. Given the lack of data and the lack of research into LGD modeling, some banks are likely, as a first step, to segment their portfolios by a handful of available characteristics and determine the appropriate LGDs for those segments. Over time, banks' LGD methodologies are expected to evolve. Long-standing banking experience and existing research on LGD, while preliminary, suggests that collateral values, seniority, industry, etc. are predictive of loss severity. S. Banks must have empirical support for LGD rating systems regardless of whether they use an LGD grading system or directly assign LGD estimates. Whether a bank chooses to assign LGD values directly or, alternatively, to rate facilities and then quantify the LGD for the rating grades, the key requirement is that it will need to identify facility characteristics that influence LGD. Each of the loss severity rating categories must be associated with an empirically supported LGD estimate. In much the same way an obligor-rating system ranks exposures by the probability of default, a facility rating system must rank facilities by the likely loss severity. Regardless of the method used to assign LGDs (loss severity grades or direct LGD estimation), data used to support the methodology must be gathered systematically. For many banks, the quality and quantity of data available to support the LGD estimation process will have an influence on the method they choose. Stress Condition LGDs S. Loss severity ratings must reflect losses expected during periods with a relatively high number of defaults. Like obligor ratings, which group obligors by expected default frequency, loss severity ratings assign facilities to groups that are expected to experience a common loss severity. However, the different treatment accorded to PD and LGD in the model used to calculate IRB capital requirements mandates an [[Page 45956]] asymmetric treatment of obligor and loss severity ratings. Obligor ratings assign obligors to groups that are expected to experience common default frequencies across a number of years, some of which are years of general economic stress and some of which are not. In contrast, loss severity ratings (or estimates) must pertain to losses expected during periods with a high number of defaults--particular years that can be called stress conditions. For cases in which loss severities do not have a material degree of cyclical variability, use of a long-run default weighted average is appropriate, although stress condition LGD generally exceeds these averages. Loss Severity Rating/LGD Granularity S. Banks must have a sufficiently fine loss severity grading system or prediction model to avoid grouping facilities with widely varying LGDs together. While there is no stated minimum number of loss severity grades, the systems that provide LGD estimates must be flexible enough to adequately segment facilities with significantly varying LGDs. Banks should have a sufficiently fine LGD grading system or LGD prediction model to avoid grouping facilities with widely varying LGDs together. For example, a bank using a loss severity rating-scale approach that has credit products with a variety of collateral packages or financing structures would be expected to have more LGD grades than those institutions with fewer options in their credit products. Other Considerations of IRB Rating System Architecture Timeliness of Ratings S. All risk ratings must be updated whenever new relevant information is received, but must be updated at least annually. A bank must have a policy that requires a dynamic ratings approach ensuring that obligor and loss severity ratings reflect current information. That policy must also specify minimum financial reporting and collateral valuation requirements. For example, at the time of servicing events, banks typically receive updated financial information on obligors. For cases in which loss severity grades or estimates are dependent on collateral values or other factors that change periodically, that policy must take into account the need to update these factors. Banks' policies may include an alternative rating update timetable for exposures below a de minimus amount that is justified by the lack of materiality of the potential impact on capital. For example, some banks use triggering events to prompt an update of their ratings on de minimus exposures rather than adhering to a specific timetable. Multiple Ratings Systems Some banks may develop one risk-rating system that can be used across the entire commercial loan portfolio. However, a bank can choose to deploy any number of rating systems as long as all exposures are assigned PD and LGD values. A different rating system could be used for each business line and each rating system could use a different rating scale. A bank could also use a different rating system for each business line with each system using a common rating scale. Rating models could be used for some portfolios and expert judgment systems for others. An institution's complexity and sophistication, as well as the size and range of products offered, will affect the types and numbers of rating systems employed. While using a number of rating systems is feasible, such a practice might make it more difficult to meet supervisory standards. Each rating system must conform to the standards in this guidance and must be validated for accuracy and consistency. The requirement that each rating systems be calibrated to parameter values imposes the ultimate constraint, which is that ratings be applied consistently. Recognition of the Risk Mitigation Benefits of Guarantees S. Banks reflecting the risk-mitigating effect of guarantees must do so by either adjusting PDs or LGDs, but not both. S. To recognize the risk-mitigating effects of guarantees, institutions must ensure that the written guarantee is evidenced by an unconditional and legally enforceable commitment to pay that remains in force until the debt is satisfied in full. Adjustments for guarantees must be made in accordance with specific criteria contained in the bank's credit policy. The criteria should be plausible and intuitive, and should address the guarantor's ability and willingness to meet its obligations. Banks are expected to gather evidence that confirms the risk-mitigating effect of guarantees. Other forms of written third-party support (for example, comfort letters or letters of awareness) that are not legally binding should not be used to adjust PD or LGD unless a bank can demonstrate through analysis of internal data the risk-mitigating effect of such support. Banks may not adjust PDs or LGDs to reflect implied support or verbal assurances. Regardless of the method used to recognize the risk-mitigating effects of guarantees, a bank must adopt an approach that is applied consistently over time and across the portfolio. Moreover, the onus is on the bank to demonstrate that its approach is supported by logic and empirical results. While guarantees may provide grounds for adjusting PD or LGD, they cannot result in a lower risk weight than that assigned to a similar direct obligation of the guarantor.\3\ --------------------------------------------------------------------------- \3\ The probability that an obligor and a guarantor (who supports the obligor's debt) will both default on a debt is lower than the probability that either the obligor or the guarantor will default. This favorable risk-mitigation effect is known as the reduced likelihood of ``double default.'' In determining their rating criteria and procedures, banks are not permitted to consider possible favorable effects of imperfect expected correlation between default events for the borrower and guarantor for purposes of regulatory capital requirements. Thus, the adjusted risk weight cannot reflect the risk mitigation of double default. The ANPR solicits public comment on the double-default issues. --------------------------------------------------------------------------- Validation Process S. IRB rating system architecture must be designed to ensure rating system accuracy. As part of their IRB rating system architecture, banks must implement a process to ensure the accuracy of their rating systems. Rating system accuracy is defined as the combination of the following outcomes: [sbull] The actual long-run average default frequency for each rating grade is not significantly greater than the PD assigned to that grade. [sbull] The actual stress-condition loss rates experienced on defaulted facilities are not significantly greater than the LGD estimates assigned to those facilities. Some differences across individual grades between observed outcomes and the estimated parameter inputs to the IRB equations can be expected. But if systematic differences suggest a bias toward lowering regulatory capital requirements, the integrity of the rating system (of either the PD or LGD dimensions or of both) becomes suspect. Validation is the set of activities designed to give the greatest possible assurances of ratings system accuracy. S. Banks must have ongoing validation processes that include the review of developmental evidence, ongoing monitoring, and the comparison of predicted parameter values to actual outcomes (back- testing). Validation is an integral part of the rating system architecture. Banks must have processes designed to give [[Page 45957]] reasonable assurances of their rating systems' accuracy. The ongoing process to confirm and ensure rating system accuracy consists of: [sbull] The evaluation of developmental evidence, [sbull] Ongoing monitoring of system implementation and reasonableness (verification and benchmarking), and [sbull] Back-testing (comparing actual to predicted outcomes). IRB institutions are expected to employ all of the components of this process. However, the data to perform comprehensive back-testing will not be available in the early stages of implementing an IRB rating system. Therefore, banks will have to rely more heavily on developmental evidence, quality control tests, and benchmarking to assure themselves and other interested parties that their rating systems are likely to be accurate. Since the time delay before rating systems can be back-tested is likely to be an important issue--because of the rarity of defaults in most years and the bunching of defaults in a few years--the other parts of the validation process will assume greater importance. If rating processes are developed in a learning environment in which banks attempt to change and improve ratings, back testing may be delayed even further. Validation in its early stages will depend on bank management's exercising informed judgment about the likelihood of the rating system working--not simply on empirical tests. Ratings System Developmental Evidence The first source of support for the validity of a bank's rating system is developmental evidence. Evaluating developmental evidence involves making a reasonable assessment of the quality of the rating system by analyzing its design and construction. Developmental evidence is intended to answer the question, Could the rating system be expected to work reasonably if it is implemented as designed? That evidence will have to be revisited whenever the bank makes a change to its rating system. If a bank adopts a rating system and does not make changes, this step will not have to be revisited. However, since rating systems are likely to change over time as the bank learns about the effectiveness of the system and incorporates the results of those analyses, the evaluation of developmental evidence is likely to be an ongoing part of the process. The particular steps taken in evaluating developmental evidence will depend on the type of rating system. Generally, the evaluation of developmental evidence will include a body of expert opinion. For example, developmental evidence in support of a statistical rating model must include information on the logic that supports the model and an analysis of the statistical model- building techniques. In contrast, developmental evidence in support of a constrained-judgment system that features guidance values of financial ratios might include a description of the logic and evidence relating the values of the ratios to past default and loss outcomes. Regardless of the type of rating system, the developmental evidence will be more persuasive when it includes empirical evidence on how well the ratings might have worked in the past. This evidence should be available for a statistical model since such models are chosen to maximize the fit to outcomes in the development sample. In addition, statistical models should be supported by evidence that they work well outside the development sample. Use of ``holdout'' sample evidence is a good model-building practice to ensure that the model is not merely a statistical quirk of the particular data set used to build the model. Empirical developmental evidence of rating effectiveness will be more difficult to produce for a judgmental rating system. Such evidence would require asking raters how they would have rated past credits for which they did not know the outcomes. Those retrospective ratings could then be compared to the outcomes to determine whether the ratings were correct on average. Conducting such tests, however, will be difficult because historical data sets may not include all of the information that an individual would have actually used in making a judgment about a rating. The sufficiency of the developmental evidence will itself be a matter of informed expert opinion. Even if the rating system is model- based, an evaluation of developmental evidence will entail judging the merits of the model-building technique. Although no bright line tests are feasible because expert judgment is essential to the evaluation of rating system development, experts will be able to draw conclusions about whether a well-implemented system would be likely to perform satisfactorily. Ratings System Ongoing Validation The second source of analytical support for the validity of a bank rating system is the ongoing analysis intended to confirm that the rating system is being implemented and continues to perform as intended. Such analysis involves process verification and benchmarking. Process Verification Verification activities address the question, Are the ratings being assigned as intended? Specific verification activities will depend on the rating approach. If a model is used for rating, verification analysis begins by confirming that the computer code used to deploy the model is correct. The computer code can be verified in a number of established ways. For example, a qualified expert can duplicate the code or check the code line by line. Process verification for a model will also include confirmation that the correct data are being used in the model. For expert-judgment and constrained-judgment systems, verification requires other individual reviewers to evaluate whether the rater followed rating policy. The primary requirements for verification of ratings assigned by individuals are: [sbull] A transparent rating process, [sbull] A database with information used by the rater, and [sbull] Documentation of how the decisions were made. The specific steps will depend on how much the process incorporates specific guidelines and how much the exercise of judgment is allowed. As the dependence on specific guidelines increases, other individuals can more easily confirm that guidelines were followed by reference to sufficient documentation. As the dependence on judgment rises, the ratings review function will have to be staffed increasingly by experts with appropriate skills and knowledge about the rating policies of the bank. Ratings process verification also includes override monitoring. If individuals have the ability to override either models or policies in a constrained-judgment system, the bank should have both a policy stating the tolerance for overrides and a monitoring system for identifying the occurrence of overrides. A reporting system capturing data on reasons for overrides will facilitate learning about whether overrides improve accuracy. Benchmarking S. Banks must benchmark their internal ratings against internal, market and other third-party ratings. Benchmarking is the set of activities that uses alternative tools to draw inferences about the correctness of ratings before outcomes are actually [[Page 45958]] known. The most important type of benchmarking of a rating system is to ask whether another rater or rating method attaches the same rating to a particular obligor or facility. Regardless of the rating approach, the benchmark can be either a judgmental or a model-based rating. Examples of such benchmarking include: [sbull] Ratings reviewers who completely re-rate a sample of credits rated by individuals in a judgmental system. [sbull] An internally developed model is used to rate credits rated earlier in a judgmental system. [sbull] Individuals rate a sample of credits rated by a model. [sbull] Internal ratings are compared against results from external agencies or external models. Because it will take considerable time before outcomes will be available, using alternative ratings as benchmarks will be a very important validation device. Such benchmarking must be applied to all rating approaches, and the benchmark can be either a model or judgment. At a minimum, banks must establish a process in which a representative sample of its internal ratings is compared to third-party ratings (e.g., independent internal raters, external rating agencies, models, or other market data sources) of the same credits. Benchmarking also includes activities designed to draw broader inferences about whether the rating system--as opposed to individual ratings--is working as expected. The bank can look for consistency in ranking or consistency in the values of rating characteristics for similarly rated credits. Examples of such benchmarking activities include: [sbull] Analyzing the characteristics of obligors that have received common ratings. [sbull] Monitoring changes in the distribution of ratings over time. [sbull] Calculating a transition matrix calculated from changes in ratings in a bank's portfolio and comparing it to historical transition matrices from internal bank data or publicly available ratings. While benchmarking activities allow for inferences about the correctness of the ratings system, they are the not same thing as back- testing. The benchmark itself is a prediction and may be in error. If benchmarking evidence suggests a pattern of rating differences, it should lead the bank to investigate the source of the differences. Thus, the benchmarking process illustrates the possibility of feedback from ongoing validation to model development, underscoring the characterization of validation as a process. Back Testing S. Banks must develop statistical tests to back-test their IRB rating systems. S. Banks must establish internal tolerance limits for differences between expected and actual outcomes. S. Banks must have a policy that requires remedial actions be taken when policy tolerances are exceeded. The third component of a validation process is back-testing, which is the comparison of predictions with actual outcomes. Back-testing of IRB systems is the empirical test of the accuracy of the parameter values, PD and LGD, associated with obligor and loss severity ratings, respectively. For IRB rating systems, back-testing addresses the combined effectiveness of the assignment of obligor and loss severity ratings and the calibration of the parameters PD and LGD attached to those ratings. At this time, there is no generally agreed-upon statistical test of the accuracy of IRB systems. Banks must develop statistical tests to back-test their IRB rating systems. In addition, banks must have a policy that specifies internal tolerance limits for comparing back- testing results. Importantly, that policy must outline the actions that would be taken whenever policy limits are exceeded. As a combined test of ratings effectiveness, back-testing is a conceptual bridge between the ratings system architecture discussed in this chapter and the quantification of parameters, discussed in Chapter 2. The final section of Chapter 2 discusses back-testing as one type of quantitative test required to validate the quantification of parameter values. III. Quantification of IRB Systems Ratings quantification is the process of assigning numerical values to the four key components for internal ratings-based assessments of credit-risk capital: probability of default (PD), the expected loss given default (LGD), the expected exposure at default (EAD), and maturity (M). Section I establishes an organizing framework for considering IRB quantification and develops general principles that apply to the entire process. Sections II through IV cover specific principles or supervisory standards that apply to PD, LGD, and EAD respectively. The maturity component, which is much less dependent on statistical estimates and the use of data, receives somewhat different treatment in section V. Validation of the quantification process is covered in section VI. A. Introduction Stages of the Quantification Process With the exception of maturity, the risk components are unobservable and must be estimated. The estimation must be consistent with sound practice and supervisory standards. In addition, a bank must have processes to ensure that these estimates remain valid. Calculation of risk components for IRB involves two sets of data: the bank's actual portfolio data, consisting of current credit exposures assigned to internal grades, and a ``reference data set,'' consisting of a set of defaulted credits (in the case of LGD and EAD estimation) or both defaulted and non-defaulted credits (in the case of PD estimation). The bank estimates a relationship between the reference data set and probability of default, loss severity, or exposure; then this estimated relationship is applied to the actual portfolio data for which capital is being assessed. Quantification proceeds through four logical stages: obtaining reference data; estimating the reference data's relationship to the parameters; mapping the correspondence between the reference data and the portfolio's data; and applying the relationship between reference data and parameters to the portfolio's data. (Readers may find it helpful to refer to the appendix to this chapter, which illustrates how this four-stage framework can be applied to ratings quantification approaches in practice.) An evaluation of any bank's IRB quantification process focuses on understanding how the bank implements each stage for each of the key parameters, and on assessing the adequacy of the bank's approach. Data--First, the bank constructs a reference data set, or source of data, from which parameters can be estimated. Reference data sets include internal data, external data, and pooled internal/external data. Important considerations include the comparability of the reference data to the current credit portfolio, whether the sample period ``appropriately'' includes periods of stress, and the definition of default used in the reference data. The reference data must be described using a set of observed characteristics; consequently, the data set must contain variables that can be used for this characterization. Relevant characteristics might include external debt ratings, financial measures, geographic regions, or any other factors that are believed to be [[Page 45959]] related in some way to PD, LGD, or EAD. More than one reference data set may be used. Estimation--Second, the bank applies statistical techniques to the reference data to determine a relationship between characteristics of the reference data and the parameters (PD, LGD, or EAD). The result of this step is a model that ties descriptive characteristics of the obligor or facility in the reference data set to PD, LGD, or EAD estimates. In this context, the term `models' is used in the most general sense; a model may be simple, such as the calculation of averages, or more complicated, such as an approach based on advanced regression techniques. This step may include adjustments for differences between the IRB definition of default and the default definition in the reference data set, or adjustments for data limitations. More than one estimation technique may be used to generate estimates of the risk components, especially if there are multiple sets of reference data or multiple sample periods. Mapping--Third, the bank creates a link between its portfolio data and the reference data based on common characteristics. Variables or characteristics that are available for the current portfolio must be mapped to the variables used in the default, loss- severity, or exposure model. (In some cases, the bank constructs the link for a representative exposure in each internal grade, and the mapping is then applied to all credits within a grade.) An important element of mapping is making adjustments for differences between reference data sets and the bank's portfolio. The bank must create a mapping for each reference data set and for each combination of variables used in any estimation model. Application--Fourth, the bank applies the relationship estimated for the reference data to the actual portfolio data. The ultimate aim of quantification is to attribute a PD, LGD, or EAD to each exposure within the portfolio, or to each internal grade if the mapping was done at the grade level. This step may include adjustments to default frequencies or loss rates to ``smooth'' the final parameter estimates. If the estimates are applied to individual transactions, the bank must in some way aggregate the estimates at the grade level. In addition, if multiple data sets or estimation methods are used, the bank must adopt a means of combining the various estimates. A number of examples are given in this chapter to aid exposition and interpretation. None of the examples is sufficiently detailed to incorporate all the considerations discussed in this chapter. Moreover, technical progress in the area of quantification is rapid. Thus, banks should not interpret an example that is consistent with the standard being discussed, and that resembles the bank's current practice, as creation of a ``safe harbor'' or as an indication that the bank's practice will be approved as-is. Banks should consider this guidance in its entirety when determining whether systems and practices are adequate. General Principles for Sound IRB Quantification Several core principles apply to all elements of the overall ratings quantification process; those general principles are discussed in this introductory section. Each of these principles is, in effect, a supervisory standard for IRB systems. Other supervisory standards, specific to particular elements or parameters, are discussed in the relevant sections. Supervisory evaluation of IRB quantification requires consideration of all of these principles and standards, both general and specific. Particular practical approaches to ratings quantification may be highly consistent with some standards, and less so with others. In any particular case, an ultimate assessment relies on the judgment of supervisors to weigh the strengths and weaknesses of a bank's chosen approach, using these supervisory standards as a guide. S. IRB institutions must have a fully specified process covering all aspects of quantification (reference data, estimation, mapping, and application). The quantification process, including the role and scope of expert judgment, must be fully documented and updated periodically. A fully specified quantification process must describe how all four stages (data, estimation, mapping, and application) are implemented for each parameter. Documentation promotes consistency and allows third parties to review and replicate the entire process. Examples of third parties that might use the documentation include rating-system reviewers, auditors, and bank supervisors. Periodic updates to the process must be conducted to ensure that new data, analytical techniques, and evolving industry practice are incorporated into the quantification process. S. Parameter estimates and related documentation must be updated regularly. The parameter estimates must be updated at least annually, and the process for doing so must be documented in bank policy. The update should also evaluate the judgmental adjustments embedded in the estimates; new data or techniques may suggest a need to modify those adjustments. Particular attention should be given to new business lines or portfolios in which the mix of obligors is believed to have changed substantially. A material merger, acquisition, divestiture, or exit clearly raises questions about the continued applicability of the process and should trigger an intensive review and updating. The updating process is particularly relevant for the reference data stage because new data become available all the time. New data must be incorporated, into the PD, LGD, and EAD estimates, using a well-defined process. S. A bank must subject all aspects of the quantification process, including design and implementation, to an appropriate degree of independent review and validation. An independent review is an assessment conducted by persons not accountable for the work being reviewed. The reviewers may be either internal or external parties. The review serves as a check that the quantification process is sound and works as intended; it should be broad-based, and must include all of the elements of the quantification process that lead to the ultimate estimates of PD, LGD, and EAD. The review must cover the full scope of validation: evaluation of the integrity of data inputs, analysis of the internal logic and consistency of the process, comparison with relevant benchmarks, and appropriate back-testing based on actual outcomes. S. Judgmental adjustments may be an appropriate part of the quantification process, but must not be biased toward lower estimates of risk. Judgment will inevitably play a role in the quantification process and may materially affect the estimates. Judgmental adjustments to estimates are often necessary because of some limitations on available reference data or because of inherent differences between the reference data and the bank's portfolio data. The bank must ensure that adjustments are not biased toward optimistically low parameter estimates for PD, LGD, and EAD. Individual assumptions are less important than broad patterns; consistent signs of judgmental decisions that lower parameter estimates materially may be evidence of bias. [[Page 45960]] The reasoning and empirical support for any adjustments, as well as the mechanics of the calculation, must be documented. The bank should conduct sensitivity analysis to demonstrate that the adjustment procedure is not biased toward reducing capital requirements. The analysis must consider the impact of any judgmental adjustments on estimates and risk weights, and must be fully documented. S. Parameter estimates must incorporate a degree of conservatism that is appropriate for the overall robustness of the quantification process. In estimating values of PD, LGD, and EAD should be as precise and accurate as possible. However, estimates of PD, LGD and EAD are statistics, and thus inherently subject to uncertainty and potential error. It is often possible to be reasonably confident that a risk component or other parameter lies within a particular range, but greater precision is difficult to achieve. Aspects of the ratings quantification process that are apt to introduce uncertainty and potential error include the following: The estimation of coefficients of particular variables in a regression-based statistical default or severity model. [sbull] The calculation of average default or loss rates for particular categories of credits in external default databases. [sbull] The mapping between portfolio obligors or facilities and reference data when the set of common characteristics does not align exactly. A general principle of the IRB approach is that a bank must adjust estimates conservatively in the presence of uncertainty or potential error. In many cases this corresponds to assigning a final parameter estimate that increases required capital relative to the best estimate produced through sound-practice estimation techniques. The extent of this conservative adjustment should be related to factors such as the relevance of the reference data, the quality of the mapping, the precision of the statistical estimates, and the amount of judgment used throughout the process. Margins of conservatism need not be added at each step; indeed, that could produce an excessively conservative result. The overall margin of conservatism should adequately account for all uncertainties and weaknesses; this is the general interpretation of requirements to incorporate appropriate degrees of conservatism. Improvements in the quantification process (use of better data, estimation techniques, and so on) may reduce the appropriate degree of conservatism over time. Estimates of PD, LGD, EAD, or other parameters or coefficients should be presented with an accompanying sense of the statistical precision of the estimates; this facilitates an assessment of the appropriate degree of conservatism. B. Probability of Default (PD) Data To estimate PD accurately, a bank must have a comprehensive reference data set with observations that are comparable to the bank's current portfolio of obligors. Clearly, the data set used for estimation should be similar to the portfolio to which such estimates will be applied. The same comparability standard applies to both internal and external data sets. To ensure ongoing applicability of the reference data, a bank must assess the characteristics of its current obligors relative to the characteristics of obligors in the reference data. Such variables might include qualitative and quantitative obligor information, internal and external rating, rating dates, and line of business or geography. To this end, a bank must maintain documentation that fully describes all explanatory variables in the data set, including any changes to those variables over time. A well-defined and documented process must be in place to ensure that the reference data are updated as frequently as is practical, as fresh data become available or portfolio changes make necessary. S. The sample for the reference data must be at least five years, and must include periods of economic stress during which default rates were relatively high. To foster more robust estimation, banks should use longer time series when more than five years of data are available. However, the benefits of using a longer time series (longer than five years) may have to be weighed against a possible loss of data comparability. The older the reference data, the less similar they are likely to be to the bank's current portfolio; striking the correct balance is a matter of judgment. Reference obligors must not differ from the current portfolio obligors systematically in ways that seem likely to be related to obligor default risk. Otherwise, the derived PD estimates may not be applicable to the current portfolio. Note that this principle does not simply restate the requirement for five years of data: periods of stress during which default rates are relatively high must be included in the data sample. Exclusion of such periods biases PD estimates downward and unjustifiably lowers regulatory capital requirements. Example. A bank's reference data set covers the years 1987 through 2001. Each year includes identical data elements, and each year is similarly populated. For its grade PD estimates, the bank relies upon data from a sub-sample covering 1992 through 2001. The bank provides no justification for dropping the years from 1987 through 1991. The bank contends that it is not necessary to include those data, as the reference sample they use for estimation satisfies the five-year requirement. This practice is not consistent with the standard because the bank has not supported its decision to ignore available data. The fact that the excluded years include a recession would raise particular concerns. S. The definition of default within the reference data must be reasonably consistent with the IRB definition of default. Regardless of the source of the reference data, a bank must apply the same default definition throughout the quantification processes. This fosters consistent estimation across parameters and reduces the potential for undesired bias. In addition, consistent application of the same definition across banks will permit true horizontal analysis by supervisors and engaged market participants. This standard applies to both internal and external reference data. For internal data, a bank's default definition is expected to be consistent with the IRB definition going forward. Banks will be expected to make appropriate adjustments to their data systems such that all defaults as defined for IRB are captured by the time a bank fully implements its IRB system. For any historical or external data that do not fully comply with the IRB definition of default, a bank must make conservative adjustments to reflect such discrepancies. Larger discrepancies require larger adjustments for conservatism. Example. To identify defaults in its historical data, a bank applies a consistent definition of ``placed on nonaccrual.'' This definition is used in the bank's quantification exercises to estimate PD, LGD, and EAD. The bank recognizes that use of the nonaccrual definition fails to capture certain defaults as identified in the IRB rules. Specifically, the bank indicates that the following kinds of defaulted facilities would not have been placed on nonaccrual: (1) Credit obligations that were sold at a material credit-related economic loss, and (2) distressed restructurings. To be consistent with the standard, the bank must make a well-supported adjustment to its grade PD estimates to reflect the difference in the default definitions. Estimation Estimation of PD is the process by which characteristics of the reference [[Page 45961]] data are related to default frequencies.\4\ The relevant characteristics that help to determine the likelihood of default are referred to as ``drivers of default''. Drivers might include variables such as financial ratios, management expertise, industry, and geography. --------------------------------------------------------------------------- \4\ The New Basel Capital Accord produced by the Basel Committee on Banking Supervision discusses three techniques for PD estimation. IRB banks are not constrained to select from among these three techniques; they have broad flexibility to implement appropriate approaches to quantification. The three Basel techniques are best regarded not as a complete taxonomy of the possible approaches to PD estimation, but rather as illustrations of a few of the many possible approaches. --------------------------------------------------------------------------- S. Estimates of default rates must be empirically based and must represent a long-run average. Estimates must capture average default experience over a reasonable mix of high-default and low-default years of the economic cycle. The average is labeled ``long-run'' because a long observation period would span both peaks and valleys of the economic cycle. The emphasis should not be on time-span; the long-run average concept captures the breadth, not the length, of experience. If the reference data are characterized by internal or external rating grades, one estimation approach is to calculate the mean of one- year realized default rates for each grade, giving equal weight to each year's realized default rate. PD estimates generally should be calculated in this manner. Another approach is to pool obligors in a given grade over a number of years and then calculate the mean default rate. In this case, each year's default rate is weighted by the number of obligors. This approach may underestimate default rates. For example, if lending declines in recessions so that obligors are fewer in those years than in others, weighting by number of obligors would dilute the effect of the recession year on the overall mean. The obligor-weighted calculation, or another approach, will be allowed only if the bank can demonstrate that this approach provides a better estimate of the long- run average PD. At a minimum, this would involve comparing the results of both methods. Statistical default prediction models may also play a role in PD estimation. For example, the characteristics of the reference data might include financial ratios or a distance-to-default measure, as defined by a specific implementation of a Merton-style structural model. For a model-based approach to meet the requirement that ultimate grade PD estimates be long-run averages, the reference data used in the default model must meet the long-run requirement. For example, a model can be used to relate financial ratios to likelihood of default based on the outcome for the firms--default or non-default. Such a model must be calibrated to capture the default experience over a reasonable mix of good and bad years of the economic cycle. The same requirement would hold for a structural model; distance to default must be calibrated to default frequency using long-run experience. This applies to both internal and vendor models, and a bank must verify that this requirement is met. Example 1. A bank uses external data from a rating agency to estimate PD. The PD estimate for each agency grade is calculated as the mean of yearly realized default rates over a time period (1980 through 2001) that includes several recessions and high-default years. The bank provides support that this time period adequately represents long-run experience. This illustrates an estimation method that is consistent with the standard. Example 2a. Like the institution in example 1, a bank maps internal ratings to agency grades. The estimates for the agency grades are set indirectly, using the default probabilities from a default prediction model. The bank does so because although it links internal and agency grades, the bank views the default model's results as more predictive than the historical agency default experience. For each agency grade, the bank calculates a PD estimate as the mean of the model-based default probabilities for the agency- rated obligors. In order to meet the long-run requirement, the bank calculates the estimates over the seven years from 1995 through 2001. The bank demonstrates that this time period includes a reasonable mix of high-default and low-default experience. This estimation method is consistent with the standard. Example 2b. In a variant of example 2a, a bank uses the mean default frequency per agency rating grade for a single year, such as 2001. Empirical evidence shows that the mean default frequency for agency grades varies substantially from year to year. A single year thus does not reflect the full range of experience, because a long- run average should be relatively stable year to year. Such instability makes this estimation method unacceptable. Example 2c. Another bank calculates the agency grade PD estimates as the median default probability of companies in that grade. The bank does so without demonstrating that the median is a better statistical estimator than the mean. This estimation method is not consistent with the standard. A median gives less weight to obligors with high estimated default probabilities than a simple mean does. The difference between mean and median can be material because distributions of credits within grades often are substantially skewed toward higher default probabilities: the riskier obligors within a grade tend to have individual default probabilities that are substantially worse than the median, while the least risky have default probabilities only somewhat better than the median. S. Judgmental adjustments may play an appropriate role in PD estimation, but must not be biased toward lower estimates. The following examples illustrate how supervisors will evaluate adjustments: Example 1. A bank uses the last five years of internal default history to estimate grade PDs. However, they recognize that the internal experience does not include any high-default years. In order to remedy this and still take advantage of its experience, the bank uses external agency data to adjust the estimates upward. Using the agency data, the bank calculates the ratio between the long-run average and the mean default rate per grade over the last five years. The bank assumes that the relationship observed in the agency data applies to its portfolio, and adjusts the estimates for the internal data accordingly. This practice is consistent with the standard. Example 2. A bank uses internal default experience to estimate grade PDs. However, the bank has historically failed to recognize defaults when the loss on the default obligation was avoided by seizing collateral. The bank makes no adjustment for such missing defaults. The realized default rate using the more inclusive definition would be higher than that observed by the bank (and loss severity rates would be correspondingly lower). This practice would not be consistent with the standard, unless the bank demonstrates that the necessary adjustment is immaterial. Mapping Mapping is the process of establishing a correspondence between the bank's current obligors and the reference obligor data used in the default model. Hence, mapping involves identifying how default-related characteristics of the current portfolio correspond to the characteristics of reference obligors. Such characteristics might include financial and nonfinancial variables, and assigned ratings or grades. Mapping can be thought of as taking each obligor in the bank's portfolio and characterizing it as if it were part of the reference data. There are two broad approaches to the mapping process: Obligor mapping: Each portfolio obligor is mapped to the reference data based on its individual characteristics. For example, if a bank applies a default model, a default probability will be generated for each obligor. That individual default probability is then used to assign each obligor to a particular internal grade, based on the bank's established criteria. To obtain a final estimate of the grade PD in the subsequent application stage, the bank averages the default probabilities of individual obligors within each grade. Grade mapping: Characteristics of the obligors within an internal grade are [[Page 45962]] averaged or otherwise summarized to construct a ``typical'' or representative obligor for each grade. Then, the bank maps that representative obligor to the reference data. For example, if the bank uses a default model, the default probability associated with that typical obligor will serve as the grade PD in the application stage. Alternatively, the bank may map the typical obligor to a particular external rating grade based on quantitative and qualitative characteristics, and assign the long-run default rate for that rating to the internal grade in the application stage. Either grade mapping or obligor mapping can be part of the quantification process; either method can produce a single PD estimate for each grade in the application stage. However, in the absence of other compelling considerations, banks should use obligor mapping for two reasons: [sbull] First, default probabilities are nonlinear under many estimation approaches. As a result, the default probability of the typical obligor--the result of a grade mapping approach--is often lower than the mean of the individual obligor default probabilities from the obligor mapping approach. For example, consider a bank that maps to the S&P scale and uses historical S&P bond default rates. For ease of illustration, suppose that one internal grade contains only three obligors that individually map to BB, BB-, and B+. The historical default rates for these three grades are 1.07, 1.76, and 3.24 percent, respectively (based on 1981-2001 data). Using obligor mapping, those rates would be assigned directly to the three obligors, yielding a mean PD of 2.02 percent for the grade. Using grade mapping, the grade PD would be only 1.76, because the grade's typical obligor is rated BB-. [sbull] Second, a hypothetical obligor with a grade's average characteristics may not represent well the risks presented by the grade's typical obligor. For example, a bank might observe that obligors with high leverage and low earnings variability have about the same default risk as obligors with low leverage and high earnings variability. These two types of obligors might both end up in the same grade, for example, Grade 6. If so, the typical obligor in Grade 6 would have moderate leverage and moderate earnings variability--a combination that might fail to reflect any of the individual obligors in Grade 6, and that could easily result in a PD for the grade that is too low. A bank electing to use grade mapping instead of obligor mapping should be especially careful in choosing a ``typical'' obligor for each grade. Doing so typically requires that the bank examine the actual distribution of obligors within each grade, as well as the characteristics of those obligors. Banks should be aware that different measures of central tendency (such as mean, median, or mode) will give different results, and that these different results may have a material effect on a grade's PD; they must be able to justify their choice of a measure. Banks must have a clear and consistent policy toward the calculation. S. The mapping must be based on a robust comparison of available data elements that are common to the portfolio and the reference data. Sound mapping practice uses all common elements that are available in the data as the basis for mapping. If a bank chooses to ignore certain common variables or to weight some variables more heavily than others, those choices must be supported. Mapping should also take into account differences in rating philosophy (for example, point-in-time or through-the-cycle) between any ratings embedded in the reference data set and the bank's own rating regime. A mapping should be plausible, and should be consistent with the rating philosophy established by the bank as part of its obligor rating policy. For a bank that uses grade mapping, levels and ranges of key variables within each internal grade should be close to values of similar variables for corresponding obligors within the reference data. The standard allows for use of a limited set of common variables that are predictive of default risk, in part to permit flexibility in early years when data may be far from ideal. Nevertheless, banks will eventually be expected to use variables that are widely recognized as the most reliable predictors of default risk in mapping exercises. In the meantime, banks relying on data elements that are weak predictors must compensate by making their estimates more conservative. For example, leverage and cash flow are widely recognized to be reliable predictors of corporate default risk. Borrower size is also predictive, but less so. A mapping based solely on size is by nature less reliable than one based on leverage, cash flow, and size. Example 1. In estimating PD, a bank relies on observed default rates on bonds in various agency grades for PD quantification. To map its internal grades to the agency grades, the bank identifies variables that together explain much of the rating variation in the bond sample. The bank then conducts a statistical analysis of those same variables within its portfolio of obligors, using a multivariate distance calculation to assign each portfolio obligor to the external rating whose characteristics it matches most closely (for example, assigning obligors to ratings so that the sum of squared differences between the external grade averages and the obligor's characteristics is minimized). This practice is broadly consistent with the standard. Example 2. A bank uses grade mapping to link portfolio obligors to the reference data set described by agency ratings. The bank looks at publicly rated portfolio obligors within an internal grade to determine the most common external rating, does the same for all grades, and creates a correspondence between internal and external ratings. The strength of the correspondence is a function of the number of externally rated obligors within each grade, the distribution of those external ratings within each grade and the similarity of externally rated obligors in the grade to those not externally rated. This practice is broadly consistent with this standard, but would require a comparison of rating philosophies and may require adjustments and the addition of margins of conservatism. S. A mapping process must be established for each reference data set and for each estimation model. Banks should never assume that a mapping is self-evident. Even a rating system that has been explicitly designed to replicate external agency ratings may or may not be effective in producing a replica; formal mapping is still necessary. Indeed, in such a system the kind of analysis involved in mapping may help identify inconsistencies in the rating process itself. A mapping process is needed even where the reference obligors come from internal historical experience. Banks must not assume that internal data do not require mapping, because changes in bank strategy or external economic forces may alter the composition of internal grades or the nature of the obligors in those grades over time. Mappings must be reaffirmed regardless of whether rating criteria or other aspects of the ratings system have undergone explicit changes during the period covered by the reference data set. Banks often use multiple reference data sets, and then combine the resulting estimates to get a grade PD. A bank that does that must conduct a rigorous mapping process for each data set. Supervisors expect all meaningful characteristics of obligors to be factored directly into the rating process; this should include characteristics like the obligor's industry or physical location. But in some circumstances, certain effects related to industry, geography, or other factors are not reflected in rating assignments or default estimates. In such cases, it may be appropriate for banks to capture the impact of the [[Page 45963]] omissions by using different mappings for different business lines or types of obligors. Supervisors expect this practice to be transitional; banks will eventually be required to incorporate the omitted effects into the rating system and the estimation process as they are uncovered and documented, rather than adjusting the mapping. Example 1. The bank maps its internal grades carefully to one rating agency, and then assumes a correspondence to another agency's scale despite known differences in the rating methods of the two agencies. The bank then applies a mean of the grade default rates from these two public debt-rating agencies to its internal grades. This practice is not consistent with the standard, because the bank should map to each agency's scale separately. Example 2. A bank uses internal historical data as its reference data. The bank computes a mean default rate for each grade as the grade PD for capital purposes, and asserts that mapping is unnecessary because ``its strong credit culture ensures that a 4 is always a 4.'' This practice is not consistent with the standard, because no mapping has been done; there is no assurance that a representative obligor in a grade today is comparable to an obligor in that same grade in the past. S. The mapping must be updated and independently validated regularly. The appropriate mapping between a bank's portfolio and the reference data may change over time. For example, relationships between internal grades and external agency grades may change during the economic cycle because of differences in rating philosophy. Similarly, distance-to-default measures for obligors in a given grade may not be constant over time. These likely changes make it imperative that the bank update all mappings regularly. Sound validation practices may include tests for internal consistency such as ``reverse mapping.'' Using this technique, a bank evaluates obligors from the reference data set as if they were subject to the bank's rating system (that is, part of the bank's current portfolio). The bank's mapping is then applied to these reverse-mapped obligors to see whether the mapped characterization of the reference obligor is consistent with that of the initial evaluation.\5\ Another valuable technique is to apply different mapping methods and compare the results. For example, mappings based on financial ratio comparisons can be rechecked using mappings based on available external ratings. --------------------------------------------------------------------------- \5\ For example, suppose a bank asserts that its Grade 3 corresponds to an S&P rating of A. Applying reverse mapping, the bank would take a sample of A-rated obligors from the reference data, run them through the bank's rating process (perhaps a simplified version), and check to see that those obligors usually receive a grade of 3 on the bank's internal scale. Example. A bank mapped its internal grades to the rating scale of one public debt-rating agency in 1992. Since then, the bank has completed a major acquisition of another large bank and significantly changed its business mix in other ways. The bank continues to use the same mapping, without reassessing its validity. This practice is not consistent with the standard. Application In the application stage, the bank applies the PD estimation method to the current portfolio of obligors using the mapping process. It obtains final PD estimates for each rating grade, which will be used to calculate minimum regulatory capital. To arrive at those estimates, a bank may adjust the raw results derived from the estimation stage. For example, it might aggregate individual obligor default probabilities to the rating grade level, or smooth results because a rating grade's PD estimate was higher than a lower quality grade. The bank must explain and support all adjustments when documenting its quantification process. Example. A bank uses external data to estimate long-run average PDs for each grade. The resulting PD estimate for Grade 2 is slightly higher than the estimate for Grade 3, even though Grade 2 is supposedly of higher credit quality. The bank uses statistics to demonstrate that this anomaly occurred because defaults are rare in the highest quality rating grades. The bank judgmentally adjusts the PD estimates for grades 2 and 3 to preserve the expected relationship between obligor grade and PD, but requires that total risk-weighted assets across both grades using the adjusted PD estimates be no less than total risk-weighted assets based on the unadjusted estimates, using a typical distribution of obligors across the two grades. Such an adjustment during the application stage is consistent with this guidance. S. IRB institutions that aggregate the default probabilities of individual portfolio obligors when calculating PD estimates for internal grades must have a clear policy governing the aggregation process. As noted above, mapping may be grade-based or obligor-based. Grade- based mappings naturally provide a single PD per grade, because the estimated default model is applied to the representative obligor for each grade. In contrast, obligor-based mappings must aggregate in some manner the individual PD estimates to the grade level. The expectation is that the grade PD estimate will be calculated as the mean. The bank will be allowed to calculate this estimate differently only if it can demonstrate that the alternative method provides a better estimate of the long-run average PD. To obtain this evidence, the bank must at least compare the results of both methods. S. IRB institutions that combine estimates from multiple sets of reference data must have a clear policy governing the combination process, and must examine the sensitivity of the results to alternative combinations. Because a bank should make use of as much information as possible when mapping, it will usually use multiple data sets. The manner in which the data or the estimates from those multiple data sets are combined is extremely important. A bank must document its justification for the particular combination methods selected. Those methods must be subject to appropriate approval and oversight. The data may come from the same basic data source but from different time periods or from different data sources altogether. For example, banks often combine internal data with external data, use external data from different sample periods, or combine results from corporate-bond default databases with results from equity-based models of obligor default. Different combinations will produce different PD estimates. The bank should investigate alternative combinations and document the impact on the estimates. When ultimate results are highly sensitive to how estimates from different data sources are combined, the bank must choose among the alternatives conservatively. C. Loss Given Default (LGD) The LGD estimation process is similar to the PD estimation process. The bank identifies a reference data set of defaulted credits and relevant descriptive characteristics. Once the bank obtains these data sets (with the facility characteristics), it must select a technique to estimate the economic loss per dollar of exposure at default, for a defaulted exposure with a given array of characteristics. The bank's portfolio must then be mapped, so that the model can be applied to generate an estimate of LGD for each portfolio transaction or severity grade. Data Unlike reference data sets used for PD estimation, data sets for severity estimation contain only exposures to defaulting obligors. At least two broad categories of data are necessary to produce LGD estimates. First, data must be available to calculate the actual economic loss experienced for each defaulted facility. Such data may include the market value of the facility at default, which can be [[Page 45964]] used to proxy a recovery rate. Alternatively, economic loss may be calculated using the exposure at the time of default, loss of principal, interest, and fees, the present value of subsequent recoveries and related expenses (or the costs as calculated using an approved allocation method), and the appropriate discount rate. Second, factors must be available to group the defaulted facilities in meaningful ways. Characteristics that are likely to be important in predicting loss rates include whether or not the facility is secured and the type and coverage of collateral if the facility is secured, seniority of the claim, general economic conditions, and obligor's industry. Although these factors have been found to be significant in existing academic and industry studies, a bank's quantification of LGD certainly need not be limited to these variables. For example, a bank might expand its loss severity research by examining many other potential drivers of severity (characteristics of an obligor that might help the bank predict the severity of a loss), including obligor size, line of business, geographic location, facility type, obligor ratings (internal or external), historical internal severity grade, or tenor of the relationship. A bank must ensure that the reference data remains applicable to its current portfolio of facilities. It must implement established processes to ensure that reference data sets are updated when new data become available. All data sources, variables, and the overall processes concerning data collection and maintenance must be fully documented, and that documentation should be readily available for review. S. The sample period for the reference data must be at least seven years, and must include periods of economic stress during which defaults were relatively high. Seven years is the minimum sample period for the LGD reference data. A longer sample period is desirable, because more default observations will be available for analysis and may serve to refine severity estimates. In any case, a bank must select a sample period that includes episodes of economic stress, which are defined as periods with a relatively high number of defaults. Inclusion of stress periods increases the size and potentially the breadth of the reference data set. According to some empirical studies, the average loss rate is higher during periods of stress. Example. A bank intends to rely primarily on internal data when quantifying all parameter estimates, including LGD. Its internal data cover the period 1994 through 2000. The bank will continue to extend its data set as time progresses. Its current policy mandates that credits be resolved within two years of default, and the data set contains the most recent data available. Although the current data set satisfies the seven-year requirement, the bank is aware that it does not include stress periods. In comparing its loss estimates with rates published in external studies for similarly stratified data, the bank observes that its estimates are systematically lower. To be consistent with the standard, the bank must take steps to include stress periods in its estimates. S. The definition of default within the reference data must be reasonably consistent with the IRB definition of default. This standard parallels a similar standard in the section on PD. The following examples illustrate how it applies in the case of LGD. Example 1. For LGD estimation, a bank includes in its default data base only defaulted facilities that actually experience a loss, and excludes credits for which no loss was recorded because liquidated collateral covered the loss (effectively applying a ``loss given loss'' concept). This practice is not consistent with the standard because the bank's default definition for LGD is narrower than the IRB definition. Example 2. A bank relies on external data sources to estimate LGD because it lacks sufficient internal data. One source uses ``bankruptcy filing'' to indicate default while another uses ``missed principal or interest payment,'' and the two sources result in significantly different loss estimates for the severity grades defined by the bank. The bank's practice is not consistent with the standard, and the bank should determine whether the definitions used in the reference data sets differ substantially from the IRB definition. If so, and the differences are difficult to quantify, the bank should seek other sources of reference data. For more minor differences, the bank may be able to make appropriate adjustments during the estimation stage. Estimation Estimation of LGD is the process by which characteristics of the reference data are related to loss severity. The relevant characteristics that help explain how severe losses tend to be upon default might include variables such as seniority, collateral, facility type, or business line. S. The estimates of loss severity must be empirically based and must reflect the concept of ``economic loss.'' Loss severity is defined as economic loss, which is different from accounting measures of loss. Economic loss captures the value of recoveries and direct and indirect costs discounted to the time of default, and it should be measured for each defaulted facility. The scope of the cash flows included in recoveries and costs is meant to be broad. Workout costs that can be clearly attributed to certain facilities or types of facilities must be reflected in the bank's LGD assignments for those exposures. When such allocation is not practical, the bank may assign those costs using factors based on broad averages. A bank must establish a discount rate that reflects the time value of money and the opportunity cost of funds to apply to recoveries and costs. The discount rate must be no less than the contract interest rate on new originations of a type similar to the transaction in question, for the lowest-quality grade in which a bank originates such transactions.\6\ Where possible, the rate should reflect the fixed rate on newly originated exposures with term corresponding to the average resolution period of defaulting assets. --------------------------------------------------------------------------- \6\ The appropriate discount rate for IRB purposes may differ from the contract rate required under FAS 114 for accounting purposes. --------------------------------------------------------------------------- Ideally, severity should be measured once all recoveries and costs have been realized. However, a bank may not resolve a defaulted obligation for many years following default. For practical purposes, banks may choose to close the period of observation before this final resolution occurs--that is, at a point in time when most costs have been incurred and when recoveries are substantially complete. Banks that do so should estimate the additional costs and recoveries that would likely occur beyond this period and include them in the LGD estimates. A bank must document its choice of the period of observation, and how it estimated additional costs and recoveries beyond this period. LGD for each type of exposure must be the loss per default (expressed as a percentage of exposure at default) expected during periods when default rates are relatively high. This expected loss rate is referred to as ``stress-condition LGD.'' For cases in which loss severities do not have a material degree of cyclical variability, use of the long-run default-weighted average is appropriate, although stress-condition LGD generally exceeds this average. The drivers of severity can be linked to loss estimates in a number of ways. One approach is to segment the reference defaults into groups that do not overlap. For example, defaults could be grouped by business line, predominant collateral type, and loan-to-value coverage. The LGD estimate for each category is the mean loss calculated over the category's defaulted facilities. Loss must be calculated as the default-weighted average (where individual defaults receive equal weight) rather than the average of [[Page 45965]] annual loss rates, and must be based on results from periods during which default rates were relatively numerous if loss rates are materially cyclical. Banks can also draw estimates of LGD from a statistical model. For example, they can build a regression model of severity using data on loss severity and some quantitative measures of the loss drivers. Any model must meet the requirements for model validation discussed in Chapter 1. Other methods for computing LGD could also be appropriate. Example 1. A bank has internal data on defaulted facilities, including information on business line, facility type, seniority, and predominant collateral type (if the facility is secured). The data allow for a reasonable calculation of economic loss. The data span eight years and include three years that can be termed high- default years. After analyzing the economic cycle using internal and external data, the bank concludes that the data show no evidence of material cyclical variability in loss severities, and that the default data span enough experience to allow estimation of a long- run average. On the basis of preliminary analysis, the bank determines that the drivers of loss severity for large corporate facilities are similar to those for middle-market loans, and that the two groups can be estimated as a pool. Again on the basis of preliminary analysis, the bank segments this pool by seniority and by six collateral groupings, including unsecured. These groupings contain enough defaults to allow reasonably precise estimates. The loss severity estimates are then calculated by averaging loss rates within each segment. This practice is consistent with the standard. Example 2. A bank uses internal data in which information on security and seniority is lacking. The bank groups corporate and middle-market defaulted facilities into a single pool and calculates the LGD estimate as the mean loss rate. No adjustments for the lack of data are made in the estimation or application steps. This practice is unacceptable because there is ample external evidence that security and seniority matter in these segments. A bank with such limited internal default data must incorporate external or pooled data into the estimation. Example 3. A bank determines that a business unit--for example, a unit dedicated to a particular type of asset-based lending--forms a homogeneous pool for the purposes of estimating loss severity. That is, although the facilities in this pool may differ in some respects, the bank determines that they share a similar loss experience in default. The bank must provide reasonable support for this pooling through analysis of lending practices and available internal and external data. In this example, the mean of a single segment is consistent with the standard. S. Judgmental adjustments may play an appropriate role in LGD estimation, but must not be biased toward lower estimates. It is difficult to make general statements about good and bad practices in this area, because adjustments can take many different forms. The following examples illustrate how supervisors would be likely to evaluate particular adjustments observed in practice. Example 1. A bank divides observed defaults into segments according to collateral type. One of the segments has too few observations to produce a reliable estimate. Relying on external data and judgment, the bank determines that the segment's estimated severity of loss falls somewhere between the estimates for two other categories. This segment's severity is set judgmentally to be the mean of the estimates for the other segments. This practice is consistent with the standard. Example 2. A bank does not know when recoveries (and related costs) occurred in a portfolio segment; therefore, it cannot properly discount the segment's cash flows. However, the bank has sufficient internal data to calculate economic loss for defaulted facilities in another portfolio segment. The bank can support the assumption that the timing of cash flows for the two segments is comparable. Using the available data and informed judgment, the bank estimates that the measured loss without discounting should be grossed up to account for the time value of money and the opportunity cost of funds. This practice is consistent with the standard. Example 3. A bank segments internal defaults in a business unit by some factors, including collateral. Although the available internal and external evidence indicates a higher LGD, the bank judgmentally assigns a loss estimate of 2 percent for facilities secured by cash collateral. The basis for this adjustment is that the lower estimate is justified by the expectation that the bank would do a better job of following policies for monitoring cash collateral in the future. Such an adjustment is generally not appropriate because it is based on projections of future performance rather than realized experience. This practice is not consistent with the standard. Mapping LGD mapping follows the same general principles that PD mapping does. A mapping must be plausible and must be based on a comparison of severity-related data elements common to both the reference data and the current portfolio. The mapping approach is expected to be unbiased, such that the exercise of judgment does not consistently lower LGD estimates. The default definitions in the reference data and the current portfolio of obligors should be comparable. The mapping process must be updated regularly, well-documented, and independently reviewed. S. A bank must conduct a robust comparison of available common elements in the reference data and the portfolio. Mapping involves matching facility-specific data elements available in the current portfolio to the factors in the reference data set used to estimate expected loss severity rates. Examples of factors that influence loss rates include collateral type and coverage, seniority, industry, and location. At least three kinds of mapping challenges may arise. First, even if similarly named variables are available in the reference data and portfolio data, they may not be directly comparable. For example, the definition of particular collateral types, or the meaning of ``secured,'' may vary from one application to another. Hence, a bank must ensure that linked variables are truly similar. Although adjustments to enhance comparability can be appropriate, they must be rigorously developed and documented. Second, levels of aggregation may vary. For example, the reference data may only broadly identify collateral types, such as financial and nonfinancial. The bank's information systems for its portfolio might supply more detail, with a wide variety of collateral type identifiers. To apply the estimates derived from the reference data, the internal data must be regrouped to match the coarser level of aggregation in the reference data. Third, reference data often do not include workout costs and will often use different discounting. Judgmental adjustments for such problems must be well-documented and, as much as possible, empirically based. S. A mapping process must be established for each reference data set and for each estimation model. Mapping is never self-evident. Even when reference data are drawn from internal default experience, a bank must still link the characteristics of the reference data with those of the current portfolio. Different data sets and different approaches to severity estimation may be entirely appropriate, especially for different business segments or product lines. Each mapping process must be specified and documented. Application At the application stage, banks apply the LGD estimation framework to their current portfolio of credit exposures. Doing so might require them to aggregate individual LGD estimates into broader averages (for example, into discrete severity grades) or to combine estimates in various ways. The inherent variability of recovery, due in part to unanticipated circumstances, demonstrates that no facility type is wholly risk-free, regardless of structure, collateral type, or collateral coverage. The existence of [[Page 45966]] recovery risk dictates that application of a zero percent LGD is not acceptable. S. IRB institutions that aggregate LGD estimates for severity grades from individual exposures within those grades must have a clear policy governing the aggregation process. Banks with discrete severity grades compute a single estimate of LGD for a representative exposure within each of those grades. If a bank with a discrete scale of severity grades maps those grades to the reference data using grade mapping, there will be a single estimate of LGD for each grade, and the bank does not need to aggregate further. However, if the bank maps at the individual transaction level, the bank may then choose to aggregate those individual LGD estimates to the grade level and use the grade LGD in capital calculations. Because different methods of aggregation are possible, a bank must have a clear policy regarding how aggregation should be accomplished; in general, simple averaging is preferred. (This standard is irrelevant for banks that choose to assign LGD estimates directly to individual exposures rather than grades, because aggregation is not required in that case.) S. An IRB institution must have a policy describing how it combines multiple sets of reference data. Multiple data sets may produce superior estimates of loss severity, if the results are appropriately combined. Combining such sets differently usually produces different estimates of LGD. As a matter of internal policy, a bank should investigate alternative combinations, and document the impact on the estimates. If the results are highly sensitive to the manner in which different data sources are combined, the bank must choose conservatively among the alternatives. D. Exposure at Default (EAD) Compared with PD and LGD quantification, EAD quantification is less advanced. As such, it is addressed in somewhat less detail in this guidance than are PD and LGD quantification. Banks should continue to innovate in the area EAD estimation, refining and improving practices in EAD measurement and prediction. Additional supervisory guidance will be provided as more data become available and estimation techniques evolve. A bank must provide an estimate of expected EAD for each facility in its portfolio. EAD is defined as the bank's expected gross dollar exposure of the facility upon the obligor's default. For fixed exposures like term loans, EAD is equal to the current amount outstanding. For variable exposures such as loan commitments or lines of credit, exposure is equal to current outstandings plus an estimate of additional drawings up to the time of default. This additional drawdown, identified as loan equivalent exposure (LEQ) in many institutions, is typically expressed as a percentage of the current total committed but undrawn amount. EAD can thus be represented as: EAD = current outstanding + LEQ x (total committed-current outstanding) As it is the LEQ that must be estimated, LEQ is the focus of this guidance. Even though EAD estimation is less sophisticated than PD and LGD estimation, a bank still develops EAD estimates by working through the four stages that produce the other types of quantification: The bank must use a reference data set; it must apply an estimation technique to produce an expected total dollar exposure at default for a facility with a given array of characteristics; it must map its current portfolio to the reference data; and, by applying the estimation model, it must generate an EAD estimate for each portfolio facility or facility-type, as the case may be. Data Like reference data sets used for LGD estimation, LEQ data sets contain only exposures to defaulting obligors. In many cases, the same reference data may be used for both LGD and LEQ. In addition to relevant descriptive characteristics (referred to as ``drivers'') that can be used in estimation, the reference data must include historical information on the exposure (both drawn and undrawn amounts) as of some date prior to default, as well as the drawn exposure at the date of default. As discussed below under ``Estimation,'' LEQ estimates may be developed using either a cohort method or a fixed-horizon method. The bank's reference data set must be structured so that it is consistent with the estimation method the bank applies. Thus, the data must include information on the total commitment, the undrawn amount, and the exposure drivers for each defaulted facility, either at fixed calendar dates for the cohort method or at a fixed interval prior to the default date for the fixed-horizon method. The reference data must contain variables that enable the bank to group the exposures to defaulted obligors in meaningful ways. Obligor and facility risk ratings are commonly believed to be significant characteristics for predicting additional drawdown. Since less empirical research has been done on EAD estimation, little is known about other potential drivers of EAD. Among the many possibilities, banks may consider time from origination, time to expiration or renewal, economic conditions, risk rating changes, or certain types of covenants. Some potential drivers may be linked to a bank's credit risk management skills, while others may be exogenous. Industry practice is likely to improve as banks extend their research to identify other meaningful drivers of EAD. A bank must ensure continued applicability of the reference data to its current portfolio of facilities. The reference data must include the types of variable exposures found in a bank's current portfolio. The definitions of default and exposure in the reference data should be consistent with the IRB definition of default, and consistent with the definitions used for PD and LGD quantification. Established processes must be in place to ensure that reference data sets are updated when new data are available. All data sources, variables, and the overall processes governing data collection and maintenance must be fully documented, and that documentation should be readily available for review. Seven years of data are required for EAD (or LEQ) estimation. The sample should include periods during which default rates were relatively high, and ideally cover a complete economic cycle. Estimation To derive LEQ estimates, characteristics of the reference data are related to additional drawings preceding a default event. The estimation process must be capable of producing a plausible estimate of LEQ to support the EAD calculation for each facility. Two broad types of estimation methods are used in practice, the cohort method and the fixed-horizon method. Under the cohort method, a bank groups defaults into discrete calendar periods (such as a year or a quarter). The bank then estimates the relationship between the drivers as of the start of that calendar period, and EAD or LEQ for each exposure to a defaulter. For each exposure category (that is, for each combination of exposure drivers identified by the bank), the LEQ estimate is calculated as the mean additional drawing for facilities in that category. To combine results for multiple periods into a single long-run average, the period-by- period means should be weighted by the proportion of defaults occurring in each period. Under the fixed-horizon method, for each exposure to a defaulted obligor the [[Page 45967]] bank compares additional drawdowns to the total commitment but undrawn amount that existed at the start of a fixed interval prior to the date of the default (the horizon). For example, the bank might base its estimates on a reference data set that supplies the actual exposure at default along with the drawn and undrawn amounts (as well as relevant drivers) at a date a fixed number of months prior to the date of each default, regardless of the actual calendar date on which the default occurred. Estimates of LEQ are computed from the average drawdowns that occur over the fixed-horizon interval, for whatever combinations of the driving variables the bank has determined are relevant for explaining and predicting exposure at default. Evidence may indicate that LEQ estimates are positively correlated with economic downturns; that is, it may be that LEQs increase during high-default periods. If so, the higher drawdowns that occur during high-default periods are denoted ``stress-condition LEQs,'' analogous to the ``stress-condition LGDs'' discussed earlier in this chapter. For any exposure type whose LEQ estimates exhibit material cyclicality, a bank must use the stress-condition LEQ for purposes of calculating EAD. In general, all available data should be used; particular observations or time periods should not be excluded from the data sample. Any adjustments a bank makes to the estimation results should be justified and fully documented. The analysis should be refreshed periodically as new data become available, and a bank should have a process in place to ensure that advances in analytical techniques and industry practice are considered as they emerge and are incorporated as appropriate. LEQ estimates should be updated at least annually. Detailed documentation, ongoing validation, and adequate oversight are fundamental controls that support a sound estimation process. Mapping If the same variables that drive exposure in the reference data are also available for facilities in the portfolio, mapping may be relatively easy. However, the bank must still review the definitions to ensure that variables that seem to be the same actually are. If the relevant variables are not available in a bank's current portfolio information system, the bank will encounter the same mapping complexities that it does when mapping for PD and LGD in similar circumstances. A bank should have well-documented policies that govern the mapping. Any exceptions to mapping policy should be reviewed, justified and fully documented. Mapping may be done for each exposure or for broad categories of exposure; the latter would be analogous to the ``grade mapping'' discussed earlier in this chapter. Application In the application stage, the estimated relationship between drivers and LEQ is applied to the bank's actual portfolio. To ensure that estimated EAD is at least as large as the currently drawn amount for all exposures, LEQs must not be negative. Multiple reference data sets may be used for LEQ estimation and combined at the application stage; those combinations should be rigorously developed, approved, and documented. Any smoothing or use of expert judgment to adjust the results should be well-justified and clearly documented. This includes any adjustment for definitions of default that do not meet the supervisory standards. The less robust the process, the more conservative the result should be. Some facility types may be treated as exceptions, and assigned an LEQ that does not vary with characteristics such as line of business or risk rating. Such exceptional treatment should be clearly justified, and the justification should be fully documented. EAD may be particularly sensitive to changes in the way banks manage individual credits. For example, a change in policy regarding covenants may have a significant impact on LEQ. When such changes take place, the bank should consider them when making its estimates--and it should do so from a conservative point of view. Policy changes likely to significantly increase LEQ should prompt immediate increases in LEQ estimates. If a bank's policy changes seem likely to reduce LEQ, estimates should be reduced only after the bank accumulates a significant amount of actual experience under the new policy to support the reductions. E. Maturity (M) A bank must assign a value of effective remaining maturity (M) to each credit exposure in its portfolio. In general, M is the weighted- average number of years to receipt of the cash flows the bank expects under the contractual terms of the exposure, where the weights are equal to the fraction of the total undiscounted cash flow to be received at each date. Mathematically, M is given by: [GRAPHIC] [TIFF OMITTED] TN04AU03.008 where wt is the fraction of the total cash flow received at time t, that is: [GRAPHIC] [TIFF OMITTED] TN04AU03.009 Ct is the undiscounted cash flow received at time t, with t measured in years from the date of the calculation of M. Effective maturity, sometimes referred to as ``average life,'' need not be a whole number, and often is not. For example, if 33 percent of the cash flow is expected at the end of one year (t=1) and the other 67 percent two years from today (t=2), then M is calculated as: M = (1x0.33) + (2x0.67) = 1.67 for an effective maturity of 1.67 years. This value of M would be used in the IRB capital calculation. The relevant cash flows are the future payments the bank expects to receive from the obligor, regardless of form; they may include payments of interest or fees, principal repayments, or other types of payments depending on the structure of the transaction. For exposures whose cash flow schedule is virtually predetermined unless the obligors defaults (fixed-rate loans, for example), the calculation of the weighted- average remaining maturity is straightforward, using the scheduled timing and amounts of the individual undiscounted cash flows. These cash flows should be the contractually expected payments; the bank should not take into account the possibility of delayed or reduced cash flows due to potential future default. Cash flows associated with other types of credit exposures may be somewhat less certain. In such cases, the bank must establish a method of projecting expected cash flows. In general, the method used for any exposure should be the same as the one used by the bank for purposes of valuation or risk management. The method must be well-documented and subject to independent review and approval. A bank must demonstrate that the method used is standard industry practice, that it is widely used within the bank for purposes other than regulatory capital calculations, or both. To be conservative, a bank may set M equal to the maximum number of years the obligor could take to fully discharge the contractual obligation (provided that the maximum is not longer than five years, as noted below). In many cases, this maximum will correspond to the stated or nominal maturity of the instrument. Banks must make this conservative choice (maximum nominal maturity) if the timing and amounts of [[Page 45968]] the cash flows on the exposure cannot be projected with a reasonable degree of confidence. Certain over-the-counter derivatives contracts and repurchase transactions may be subject to master netting agreements. In such cases, the bank may compute a single value of M for the transactions as a group by weighting each individual transaction's effective maturity by that transaction's share of the total notional value subject to the netting agreement, and summing the result across all of the transactions. For IRB capital calculations, the value of M for any exposure is subject to certain upper and lower limits, regardless of the actual effective maturity of the exposure. In all cases, the value of M should be no greater than 5 years. If an exposure clearly has an effective maturity that exceeds this upper limit, the bank may simply use a value of M=5 rather than calculating the actual effective maturity. For most exposures, the value of M must be no less than one year. For certain short-term exposures (repo-style transactions, money market transactions, trade finance-related transactions, and exposures arising from payment and settlement processes) that are not part of a bank's ongoing financing of a borrower and that have an original maturity of less than three months, M may be set as low as one day. For over-the- counter derivative and repurchase-style transactions subject to a master netting agreement, weighted average maturity must be set at no less than five days. F. Validation Values of PD, LGD, and EAD are estimates with implications for credit risk and the future performance of a bank's credit portfolio under IRB; in essence, they are forecasts. ``Validation'' of these estimates describes the full range of activities used to assess their quality as forecasts of default rates, loss severity rates, and exposures at default. Chapter 1 discusses validation of IRB systems in general; this section focuses specifically on ratings quantification, which includes the assignment of PD to obligor grades and the assignment of LGD, EAD, and M to exposures. S. A validation process must cover all aspects of IRB quantification. Banks must have a process for validating IRB quantification; their policies must state who is accountable for validation, and describe the actions that will proceed from the different possible results. Validation should focus on the three estimated IRB parameters (PD, LGD, and EAD). Although the established validation process should result in an overall assessment of IRB quantification for each parameter, it also must cover each of the four stages of the quantification process as described in preceding sections of this chapter (data, estimation, mapping, and application). The validation process must be fully documented, and must be approved by appropriate levels of the bank's senior management. The process must be updated periodically to incorporate new developments in validation practices and to ensure that validation methods remain appropriate; documentation must be updated whenever validation methods change. Banks should use a variety of validation approaches or tools; no single validation tool can completely and conclusively assess IRB quantification. Three broad types of tools that are useful in this regard are evaluation of the conceptual soundness of the approach to quantification (evaluation of logic), comparison to other sources of data or estimates (benchmarking), and comparisons of actual outcomes to predictions (back-testing). Each of these types of tools has a role to play in validation, although the role varies across the four stages of quantification. Evaluation of logic is essential in validating all stages of the quantification process. The quantification process requires banks to adopt methods, choose variables, and make adjustments; each of these actions requires an exercise of judgment. Validation should ensure that these judgments are plausible and informed. A bank should also validate estimates by comparing them with relevant external sources, a process broadly described as benchmarking. ``External'' in this context refers to anything other than the specific reference data, estimation approach, or mapping under consideration. Reference data can be compared with other data sources; choices of variables can be compared with similar choices made by others; estimation results can be compared with the results of alternative estimation methods using the same reference data. Other data sources may show that default and severity rates across the economy or the banking system are high or low relative to other periods, or may reveal unusual effects in parts of the quality spectrum. Effective validation must compare actual results with predictions. Such comparisons, often referred to as ``back-testing,'' are valuable comprehensive tests of the rating system and its quantification. However, they are only one element of the broader validation regime, and should not be a bank's only method of validation. Because they test the results of the rating system as a whole, they are unlikely to identify specific reasons for any divergence between expectations and realizations. Rather they will indicate only that further investigation is necessary. By applying back-testing to the reference data set as it is updated with new data, a bank can improve the estimation process. To further improve the process, a bank must regularly compare realized default rates, loss severities, and exposure-at-default experience from its portfolio with the PD, LGD, and EAD estimates on which capital calculations are based. Realizations should be compared with expected ranges based on the estimates. These expected ranges should take into account the bank's rating philosophy (the relative weight given to current and stress conditions in assigning ratings). Depending on that philosophy, year-by-year realized default rates and loss severities may be expected to differ significantly from the long-run average. If a bank adjusts final estimates to be conservative, it should likely do its back-testing on the unadjusted estimates. A bank's quantitative testing methods and other validation techniques should be robust to economic cycles. A sound validation process should take business cycles into account, and any adjustments for stages of the cycle should be clearly specified in advance and fully documented as part of the validation policy. The fact that a year has been ``unusual'' should not be taken as a reason to abandon the bank's standard validation practices. S. A bank must comprehensively validate parameter estimates at least annually, must document the results, and must report these results to senior management. A full and comprehensive annual validation is a minimum for effective risk management under IRB. More frequent validation may be appropriate for certain parts of the IRB system and in certain circumstances; for example, during high-default periods, banks should compute realized default and loss severity rates more frequently, perhaps quarterly. They must document the results of validation, and must report them to appropriate levels of senior risk management. S. The validation policy must outline appropriate remedial responses to the results of parameter validation. The goal of validation should be to continually improve the rating process and its quantification. To this end, the bank should establish thresholds or accuracy tolerances for validation results. Results that breach thresholds [[Page 45969]] should bring an appropriate response; that response should depend on the results and should not necessarily be to adjust the parameter estimates. When realized default, severity, or exposures rates diverge from expected ranges, those divergences may point to issues in the estimation or mapping elements of quantification. They may also indicate potential problems in other parts of the ratings assignment process. The bank's validation policy must describe (at least in broad terms) the types of responses that should be considered when relevant action thresholds are crossed. Appendix to Part III: Illustrations of the Quantification Process This appendix provides examples to show how the logical framework described in this guidance, with its four stages (data, estimation, mapping, and application), applies when analyzing typical current bank practices. The framework is broadly applicable--for PD or LGD or EAD; using internal, external, or pooled reference data; for simple or complex estimation methods-- although the issues and concerns that arise at each stage depend on a bank's approach. These examples are intended only to illustrate the logic of the four-stage IRB quantification framework, and should not be taken to endorse the particular techniques presented in the examples. In fact, certain aspects of the examples are not consistent with the standards outlined in this guidance. Example 1: PD Estimation From Bond Data [sbull] A bank establishes a correspondence between its internal grades and external rating agency grades; the bank has determined that its Grade 4 is equivalent to \3/4\ BB and \1/4\ B on the Standard and Poor's scale. [sbull] The bank regularly obtains published estimates of mean default frequencies for publicly rated BB and B obligors in North America from 1970 through 2002. [sbull] The BB and B historical default frequencies are weighted 75/25, and the result is a preliminary PD for the bank's internal Grade 4 credits. [sbull] However, the bank then increases the PD by 10 percent to account for the fact that the S&P definition of default is more lenient than the IRB definition. [sbull] The bank makes a further adjustment to ensure that the resulting grade PD is greater than the PD attributed to Grade 3 and less than the PD attributed to Grade 5. [sbull] The result is the final PD estimate for Grade 4. Process Analysis for Example 1 Data--The reference data set consists of issuers of publicly rated debt in North America over the period 1970 through 2002. The data description is very basic: each issuer in the reference data is described only by its rating (such as AAA, AA, A, BBB, and so on). Estimation--The bank could have estimated default rates itself using a database purchased from Standard and Poor's, but since these estimates would just be the mean default rates per year for each grade, the bank could just as well (and in this example does) use the published historical default rates from S&P; in essence, the estimation step has been outsourced to S&P. The 10 percent adjustment of PD is part of the estimation process in this case because the adjustment was made prior to the application of the agency default rates to the internal portfolio data. Mapping--The bank's mapping is an example of a grade mapping; internal Grade 4 is linked to the 75/25 mix of BB and B. Based on the limited information presented in the example, this step should be explored further. Specifically, how did the bank determine the 75/25 mix? Application--Although the application step is relatively straightforward in this case, the bank does make the adjustment of the Grade 4 PD estimate to give it the desired relationship to the adjacent grades. This adjustment is part of the application stage because it is made after the adjusted agency default rates are applied to the internal grades. Example 2: PD Estimation Using a Merton-Type Equity-Based Model [sbull] A bank obtains a 20-year database of North American firms with publicly traded equity, some of which defaulted during the 20-year period. [sbull] The bank uses the Merton approach to modeling equity in these firms as a contingent claim, constructing an estimate of each firm's distance-to-default at the start of each year in the database. The bank then ranks the firm-years within the database by distance-to-default, divides the ordered observations into 20 equal groups or buckets, and computes a mean historical one-year default frequency for each bucket. That default frequency is taken as an estimate of the applicable PD for any obligor within the range of distance-to-default values represented by each of the 20 buckets. [sbull] The bank next looks at all obligors with publicly traded shares within each of its internal grades, applies the same Merton- type model to compute distance-to-default at quarter-end, sorts these observations into the 20 buckets from the previous step, and assigns the corresponding PD estimate. [sbull] For each internal grade, the bank computes the mean of the individual obligor default probabilities and uses that average as the grade PD. Process Analysis for Example 2 Data--The reference data set consists of the North American firms with publicly traded equity in the acquired database. The reference data are described in this case by a single variable, specifically an identifier of the specific distance-to-default range from the Merton model (one of the 20 possible in this case) into which a firm falls in any year. Estimation--The estimation step is simple: the average default rate is calculated for each distance-to-default bucket. Since the data cover 20 years and a wide range of economic conditions, the resulting estimates satisfy the long-run average requirement. Mapping--The bank maps selected portfolio obligors to the reference data set using the distance-to-default generated by the Merton model. However, not all obligors can be mapped, since not all have traded equity. This introduces an element of uncertainty into the mapping that requires additional analysis by the bank: were the mapped obligors representative of other obligors in the same grade? The bank would need to demonstrate comparability between the publicly traded portfolio obligors and those not publicly traded. It may be appropriate for the bank to make conservative adjustments to its ultimate PD estimates to compensate for the uncertainty in the mapping. The bank also would need further analysis to demonstrate that the implied distance-to-default for each internal grade represented long-run expectations for obligors assigned to that grade; this could involve computing the Merton model for portfolio obligors over several years of relevant history that span a wide range of credit conditions. Application--The final step is aggregation of individual obligors to the grade level through calculation of the mean for each grade, and application of this grade PD to all obligors in the grade. The bank might also choose to modify PD assignments further at this stage, combining PD estimates derived from other sources, applying adjustments for cyclicality, introducing an appropriate degree of conservatism, or making other adjustments. Example 3: LGD Estimation From Internal Default Data [sbull] For each loan in its portfolio, a bank records collateral coverage as a percentage, as well as which of four types of collateral applies. [sbull] A bank has retained data on all defaulted loans since 1995. For each defaulted loan in the database, the bank has a record of the collateral type within the same four broad categories. However, collateral coverage is only recorded at three levels (low, moderate, or high, depending on the ratio of collateral to exposure at default). [sbull] The bank also records the timing and discounted value of recoveries net of workout costs for each defaulted loan in the database. Cash flows are tracked from the date of default to a ``resolution date,'' defined as the point at which the remaining balance is less than 5 percent of the exposure at the time of default. A recovery percentage is computed, equal to the value of recoveries discounted to the date of default, divided by the exposure at default. [sbull] For each cell (each of the 12 combinations of collateral type and coverage), the bank computes a simple mean LGD percentage as the mean of one minus the recovery percentage. One of the categories has a mean LGD of less than zero (recoveries have exceeded exposure on average), so the bank sets the LGD at zero to be conservative. [sbull] The bank assigns an estimate of expected LGD to each loan in the current portfolio by using collateral information to slot it into one of the 12 cells. The bank then applies the mean historical LGD for that cell and adjusts the result upward by 10 percent to compensate for the fact that the loss data come from a period believed to be unusually good economic performance. [[Page 45970]] Process Analysis for Example 3 Data--The reference data is the collection of historical defaults with the loss amounts from the bank's historical portfolio. The reference data are described by the two categorical variables (levels of collateral coverage and types of collateral). It would be important to determine whether the defaults over the past few years are comparable to defaults from the current portfolio. One would also want to ask why the bank ignores potentially valuable information by converting the continuous data on collateral coverage into a trimodal categorical variable. Estimation--Conceptually, the bank is using a ``loss severity model'' in which 12 binary variables, one for each loan coverage/ type combination, explain the percentage loss. The coefficients on the variables are just the mean loss figures from the reference data. Mapping--Mapping in this case is fairly straightforward, since all of the relevant characteristics of the reference data are also in the loan system for the current portfolio. However, the bank should determine whether the variables are being recorded in the same way (for example, the same definitions of collateral types), otherwise some adjustment might be needed. Application--The bank is able to apply the loss model by simply plugging in the relevant values for the current portfolio (or what amounts to the same thing, looking up the cell mean). The bank's assignment of zero LGD for one of the cells merits special attention; while the bank represented this assignment as conservative, the adjustment does not satisfy the supervisory requirement that LGD must exceed zero. A larger upward adjustment is necessary. Finally, the upward adjustment of the LGD numbers to account for the benign environment in which the reference data were generated presents one additional wrinkle. The bank must provide a well-documented, empirically based analysis of why a 10 percent upward adjustment is sufficient. IV. Data Maintenance A. Overview Institutions using the IRB approach for regulatory capital purposes will need advanced data management practices to produce credible and reliable risk estimates. The guiding principle governing an IRB data maintenance system is that it must support the requirements for the quantification, validation, control and oversight mechanisms described in this guidance, as well as the institution's broader risk management and reporting needs. The precise data elements to be collected will be dictated by the features and methodology of the IRB system employed by the institution. The necessary data elements will therefore vary by institution and even among business lines within an institution. Institutions will have latitude in managing their data, subject to the following key data maintenance standards: Life Cycle Tracking--institutions must collect, maintain, and analyze essential data for obligors and facilities throughout the life and disposition of the credit exposure. Rating Assignment Data--institutions must capture all significant quantitative and qualitative factors used to assign the obligor and loss severity ratings. Support of IRB System--data collected by institutions must be of sufficient depth, scope, and reliability to: [sbull] Validate IRB system processes, [sbull] Validate parameters, [sbull] Refine the IRB system, [sbull] Develop internal parameter estimates, [sbull] Apply improvements historically, [sbull] Calculate capital ratios, [sbull] Produce internal and public reports, and [sbull] Support risk management. This chapter covers the requirements for maintaining internal data. Reference data sets used for estimating IRB parameters are discussed in Chapter 2. B. Data Maintenance Framework Life Cycle Tracking S. Institutions must collect, maintain, and analyze essential data for obligors and facilities throughout the life and disposition of the credit exposure. Using a life cycle or ``cradle to grave'' concept for each obligor and facility supports front-end validation, back-testing, system refinements and risk parameter estimates. A depiction of life-cycle tracking follows: [GRAPHIC] [TIFF OMITTED] TN04AU03.001 Data elements must be recorded at origination and whenever the rating is reviewed, regardless of whether the rating is actually changed. Data elements associated with current and past ratings must be retained and include the following: [sbull] Key borrower and facility characteristics, [sbull] Ratings for obligor and loss severity grades, [sbull] Key factors used to assign the ratings, [sbull] Person or model responsible for assigning the rating, [sbull] Date rating assigned, and [sbull] Overrides to the rating and authorizing individual. At disposition, data elements must include: [sbull] Nature of disposition: renewal, repayment, loan sale, default, restructuring, [sbull] For defaults: exposure, actual recoveries, source of recoveries, costs of workouts and timing, [sbull] Guarantor support, [sbull] Sale price for loans sold, and [sbull] Other key elements that the bank deems necessary. [[Page 45971]] Rating Assignment Data S. Institutions must capture all significant quantitative and qualitative factors used to assign the obligor and loss severity rating. Assigning a rating to an obligor requires the systematic collection of various borrower characteristics as these factors are critical to validating the rating system. Obligors are rated using various methods, as discussed in Chapter 1. Each of these methods presents different challenges for input collection. For example, in judgmental rating systems, the factors used in the ratings decision have not traditionally been explicitly recorded. For purposes of an IRB approach, institutions that use expert and constrained judgment must record these factors and deliver them to the data warehouse. For loss severity estimates, institutions must record the basic structural characteristics of facilities and the factors used in developing the facility rating or LGD estimate. These often include the seniority of the credit, the amount and type of collateral, the most recent collateral valuation date and its fair value. Institutions must also track any overrides of the obligor or loss severity rating. Tracking overrides separately allows risk managers to identify whether the outcome of such overrides suggests either problems with rating criteria, or an improper level of discretion in adjusting the ratings. Example Data Elements For illustrative purposes, the following section provides examples of the kinds of data elements institutions will collect under an IRB data maintenance framework. General descriptive obligor and facility data The data below could be contained within a loan record or derived from various sources within the data warehouse. Guarantor data requirements are the same as for the obligor. Obligor/Guarantor Data [sbull] General data: name, address, industry [sbull] ID number (unique for all related parent/sub relationships) [sbull] Rating, date, and rater [sbull] PD percentage corresponding to rating General Facility Characteristics [sbull] Facility amounts: committed, outstanding [sbull] Facility type: Term, revolver, bullet, amortizing, etc. [sbull] Purpose: acquisition, expansion, liquidity, inventory, working capital [sbull] Covenants [sbull] Facility ID number [sbull] Origination and maturity dates [sbull] Last renewal date [sbull] Obligor ID link [sbull] Rating, date and rater [sbull] LGD dollar amount or percentage [sbull] EAD dollar amount or percentage Rating Assignment Data The data below provide an example of the categories and types of data that institutions must retain in order to continually validate and improve rating systems. These data items should tie directly to the documented criteria that the institution employs in assigning ratings, both qualitative and quantitative. For example, rating criteria often include ranges of leverage or cash flow for a particular obligor rating. In addition, qualitative factors, such as management effectiveness can be recorded in numeric form. For example, a 1 may equate to exceptionally strong management, and a 5 to very weak. The rating data elements collected should be complete enough so that others can review the relevant factors driving the rating decisions. Quantitative Factors in Obligor Ratings [sbull] Asset and sale size [sbull] Key ratios used within rating criteria: --profitability, --cash flow, --leverage, --liquidity, and --other relevant factors. Qualitative Factors in Obligor Ratings [sbull] Quality of earnings and cash flow [sbull] Management effectiveness, reliability [sbull] Strategic direction, industry outlook, position [sbull] Country factors and political risk [sbull] Other relevant factors External Factors in Obligor Ratings [sbull] Public debt rating and trend [sbull] External credit model score and trend Rating Notations [sbull] Flag for overrides or exceptions [sbull] Authorized individual for changing rating Key Facility Factors in LGD Ratings [sbull] Seniority [sbull] Collateral type: (cash, marketable securities, AR, stock, RE, etc.) [sbull] Collateral value and valuation date [sbull] Advance rates, LTV [sbull] Industry [sbull] Geography Rating Notations [sbull] Flag for overrides or exceptions [sbull] Authorized individual for changing rating Final Disposition Data Only recently have institutions begun to collect more complete data about a loan's disposition. Many institutions maintain subsidiary systems for their problem credits with details recorded, at times manually, on systems that were not linked with the institution's central loan or risk management systems. The unlinked data are a significant hindrance in developing reliable PD, LGD, and EAD estimates. In advanced systems, the ``grave'' portion of obligor and exposure tracking is an essential component for producing and validating risk estimates and is an important feedback mechanism for adjusting and improving risk estimates over time. Essential data elements are outlined below. Obligor/Guarantor [sbull] Default date [sbull] Circumstances of default (for example, nonaccrual, bankruptcy chapters 7-11, nonpayment) Facility [sbull] Outstandings at default [sbull] Amounts undrawn and outstanding plus time series prior to and through default Disposition [sbull] Amounts recovered and dates (including source: cash, collateral, guarantor, etc.) [sbull] Collection cost and dates [sbull] Discount factors to determine economic cost of collection [sbull] Final disposition (for example, restructuring or sale) [sbull] Sales price, if applicable [sbull] Accounting items (charge-offs to date, purchased discounts) C. Data Element Functions S. Data elements must be of sufficient depth, scope, and reliability to: [sbull] Validate IRB system processes, [sbull] Validate parameters, [sbull] Refine the IRB system, [sbull] Develop internal parameter estimates, [sbull] Apply improvements historically, [sbull] Calculate capital ratios, [sbull] Produce internal and public reports, and [sbull] Support risk management. Validation and Refinement The data elements collected by institutions must be capable of meeting [[Page 45972]] the validation requirements described in Chapters 1 and 2. These requirements include validating the institution's IRB system processes, including the ``front end'' aspects such as assigning ratings so that any issues can be identified early. The data must support efforts to identify whether raters and models are following rating criteria and policies and whether ratings are consistent across portfolios. In addition, data must support the validation of parameters, particularly the comparison of realized outcomes with estimates. Thorough data on default and disposition characteristics are of paramount importance for parameter back-testing. A rich source of data for validation efforts provides insights on the performance of the IRB system, and contributes to a learning environment in which refinements can be made to the system. These potential refinements include enhancements to rating assignment controls, processes, criteria or model coefficients, rating system architecture and parameter estimates. Developing Parameter Estimates As detailed in Chapter 2, institutions will be developing their PD, LGD, and EAD parameter estimates using reference data sets comprised of internal, pooled, and external data. Institutions are expected to work toward eventually using as much of their own experience as possible in their reference data sets. Applying Rating System Improvements Historically For loss severity estimates, institutions must record the basic structural characteristics of facilities and the factors used in developing the facility rating or LGD estimate. These often include the seniority of the credit, the amount and type of collateral, the most recent collateral valuation date and its fair value. To maintain a consistent series of information for credit risk monitoring and validation purposes, institutions need to be able to apply historically improvements they make to their rating systems. In the example below, a bank experiences unexpected and rapid migrations and defaults in its grade 4 category during 2006. Analysis of the actual financial condition of borrowers that defaulted compared with those that did not suggests the debt-to-EBITDA range for its expert judgment criteria of 3.0 to 5.5 is too broad. Research indicates that grade 4 should be redefined to include only borrowers with debt-to- EBITDA ratios of 3.0-4.5 and grade 5 as 4.5-6.5. In 2007, the change is initiated, but prior years' numbers are not recast (see Exhibit A). Consequently, a break in the series prevents the bank from evaluating credit quality changes over several years and from identifying whether applying the new rating criteria historically provides reasonable results. [GRAPHIC] [TIFF OMITTED] TN04AU03.007 Recognizing the need to provide senior managers and board members with a consistent risk trend, the new criteria are applied historically to obligors in grades 4 and 5 as reflected in Exhibit B. The original ratings assigned to the grades are maintained along with notations describing what the grade would be under the new rating criteria. If the precise weight an expert has given one of the redefined criteria is unknown, institutions are expected to make estimates on a best efforts basis. After the retroactive reallocation process, the bank observes that the mix of obligors in grade 5 declined somewhat over the past several years while the mix in grade 4 increased slightly. This contrasts with the trend identified before the retroactive reallocation. The result is that the multiyear transition statistics for grades 4 and 5 provide risk managers a clearer picture of risk. [[Page 45973]] [GRAPHIC] [TIFF OMITTED] TN04AU03.002 This example is based on applying ratings historically using data already collected by the bank. However, for some rating system refinements, institutions may identify in the future drivers of default or loss that might not have been collected for borrowers or facilities in the past. That is why institutions are encouraged to collect data that they believe may serve as a stronger predictor of default in the future. For example, certain elements of a borrower's cash flow might currently be suspected to overstate actual operational health for a particular industry. In the future, should an institution decide to deduct this item from cash flow with a resulting downgrade of many obligor ratings, the institution that collected these data could apply this rating change for prior years. This would provide the benefit of providing a consistent picture of risk over time and also present opportunities to validate the new criteria using historical data. Recognizing that institutions will not be able to anticipate fully the data they might find useful in the future, institutions are expected to reallocate grades on a best efforts basis when practical. Calculating Capital Ratios and Reporting to the Public Data retained by the bank will be essential for regulatory risk- based capital calculations and public reporting under the Pillar 3 disclosures. These uses underscore the need for a well-defined data maintenance framework and strong controls over data integrity. Control processes and data elements themselves should also be subject to periodic verification and testing by internal and external auditors. Supervisors will rely on these processes and also perform testing as circumstances warrant. Supporting Risk Management The information that can be gleaned from more extensive data collection will support a broad range of risk management activities. Risk management functions will rely on accurate and timely data to track credit quality, make informed portfolio risk mitigation decisions, and perform portfolio stress tests. Trends developed from obligor and facility risk rating data will be used to support internal capital allocation models, pricing models, ALLL calculations, and performance management measures, among others. Summaries of these are included in reports to institutions' boards of directors, regulators, and in public disclosures. D. Managing Data Quality and Integrity Because data are collected at so many different stages involving a variety of groups and individuals, there are numerous challenges to ensuring the quality of the data. For example: [sbull] Data will be retained over long timeframes, [sbull] Qualitative risk-rating variables will have subjective elements and will be open to interpretation, and [sbull] Exposures will be acquired through mergers and purchases, but without an adequate and easily retrievable institutional rating history. Documentation and Definitions S. Institutions must document the process for delivering, retaining and updating inputs to the data warehouse and ensuring data integrity. Given the many challenges presented by data for an IRB system, the management of data must be formalized. Fully documenting how the institution's flow of data is managed provides a means for evaluating whether the data maintenance framework is functioning as intended. Moreover, institutions must be able to communicate to individuals developing or delivering various data the precise definition of the items intended to be collected. Consequently, a ``data dictionary'' is necessary to ensure consistent inputs from individuals and data vendors and to allow third parties (such as the rating system review function, auditors, or bank supervisors) to evaluate data quality and integrity. S. Institutions must develop comprehensive definitions for the data elements used within each credit group or business line (a ``data dictionary''). Electronic Storage S. Institutions must store data in electronic format to allow timely retrieval for analysis, validation of risk rating systems, and required disclosures. To meet the significant data management challenges presented by the validation and control features of an IRB system, institutions will need to store their data electronically. Institutions will have a variety of storage techniques and potentially a variety of systems to create their data [[Page 45974]] warehouses. IRB data requirements can be achieved by melding together existing accounting, servicing, processing, workout and risk management systems, provided the linkages among these systems are well documented and include sufficient edit and integrity checks to ensure the data can be used reliably. Institutions without electronic databases would need to resort to manual reviews of paper files for ongoing back-testing and ad hoc ``forensic'' data mining and would be unable to perform that work in the timely and comprehensive manner required of IRB systems. Forensic mining of paper files to build an initial data warehouse from the institution's credit history is encouraged. In some instances, paper research may be necessary to identify data elements or factors not originally considered significant in estimating the risk of a particular class of obligor or facility. Data Gaps Rating histories are often lost or are irretrievable for loans acquired through mergers, acquisitions, or portfolio purchases. Institutions are encouraged wherever practical to collect any missing historical rating assignment driver data and to re-grade the acquired obligors and facilities for prior periods. In cases where retrieving historical data is not practical, institutions may attempt to create a rating history through a careful mapping of the legacy system and the new rating structure. Mapped ratings should be reviewed thoroughly for accuracy. The level of effort placed on filling data gaps should be commensurate with the size of the new exposures to be newly incorporated into the institution's IRB system. V. Control and Oversight Mechanisms A. Overview Banks' internal rating systems are the foundation for credit-risk management practices and play an important role in pricing, reserving, portfolio management, performance measurement, economic capital modeling, and long-term capital planning. Banks adopting the IRB approach will also use their credit-risk ratings to determine regulatory capital levels. The pivotal and varied uses of such risk ratings put enormous, sometimes conflicting, pressure on banks' internal rating systems. The consequences of inaccurate ratings and their associated estimates are significant, particularly as they affect minimum regulatory capital requirements. As risk ratings and their related parameters become better integrated in institutions' decision making, conflicting incentives arise that, if not well managed, can lead to overly optimistic or biased ratings. For example, sales and marketing staff (relationship managers or RMs) are typically compensated according to the volume of business they generate. That may predispose the RMs to assign more favorable ratings in order to achieve rate-of-return and sales objectives. More favorable ratings may create the appearance of higher risk-adjusted returns and business line profitability. Banks need to be aware of the full range of incentive conflicts that arise, and must develop effective controls to keep these incentive conflicts in check. Banks will have latitude in designing and implementing their control structures subject to the following principle: IRB institutions must implement a system of controls that includes the following elements: independence, transparency, accountability, use of ratings, rating system review, internal audit, and board and senior management oversight. While banks will have flexibility in how these elements are combined, they must incorporate sufficient checks and balances to ensure that the credit risk management system is functioning properly. Banks additionally will want to embody the following more generic principles in their control system: separation of duties, balancing incentives, and layers of review. Table 4.1 lists the key components of an IRB control and oversight system. How these control mechanisms can best be combined to reinforce one another is a key challenge for banks implementing IRB systems: Table 4.1 Control and Oversight Mechanisms [GRAPHIC] [TIFF OMITTED] TN04AU03.003 [[Page 45975]] As the following examples indicate, how a bank conducts its business will influence how it designs its control structure. A bank using an expert-judgment system will likely establish a different set of controls than a bank using mainly models. Recognizing that its expert-judgment system is less than fully transparent, a bank could offset this vulnerability by opting for complete independence in the rating approval process and an enhanced rating system review. Other considerations would influence the choice of controls when banks use models to assign ratings. While the ratings produced by models are transparent, a model's performance depends on how well the model was developed, the model's logic, and the quality of the data used to implement the model. Banks that use models to assign ratings must implement a system of controls that addresses model development, testing and implementation, data integrity and overrides. These activities would be covered by a comprehensive and independent rating system review and by ongoing spot checks on the accuracy of model inputs. Other control mechanisms such as accountability and audit would also be required. B. Independence in the Rating Approval Process An independent rating process is one in which the parties responsible for approving ratings and transactions are separate from sales and marketing and in which the persons approving ratings are principally compensated on risk-rating accuracy. As relative independence increases, the likelihood of accurate ratings assignments grows markedly. S. Ratings must be subject to independent approval or review. One way institutions can better achieve objective and accurate risk ratings is by ensuring that its rating approval process is independent. Institutions that firmly separate sales/marketing from credit are better able to manage the conflict between the goal of high sales volume and the need for good credit quality. An institution whose rating process is less independent must compensate by strengthening other control and oversight mechanisms. A significant factor in the evaluation of the rating system will be the assessment of whether such compensating controls are sufficient to offset a less-than-independent ratings process. While the overriding objective is to achieve independence in the rating approval process, in some instances, the relative materiality of a portfolio and cost/benefit trade-offs may support a less rigorous control process. The degree of independence achieved in the rating process depends on how an institution is organized and how it conducts its lending activities. Rating Approval Processes Responsibility for recommending and approving ratings varies by institution and, quite often, by portfolio.\7\ At some institutions, ratings are assigned and approved by relationship managers (RMs); at others, deal teams assign ratings that are later approved by credit officers. Still other institutions have independent credit officers assign and approve ratings. The culture of an institution and its business mix generally determine whether the business line or credit function is ultimately responsible for ratings. --------------------------------------------------------------------------- \7\ Rating processes vary by institution but generally involve an ``assignor'' and an ``approver.'' For instance, at many organizations the rating assignor is the person who ``owns'' the relationship (such as a ``relationship manager'') and the rating approver is an individual with credit authority (a ``credit risk manager''). In some cases, the rating assignor and approver are the same. Banks that separate the rating assignment and approval processes do so in order to minimize potential conflicts of interest and the potential for rating errors. --------------------------------------------------------------------------- The subsections that follow describe various rating assignment and approval structures used by banking organizations and the challenges that emerge in ensuring objective and consistent ratings. Any of the following structures can work as long as ratings are subject to an independent approval or review process, and are not unduly influenced by the line of business: Relationship Managers. As noted earlier, relationship managers are primarily responsible for marketing the bank's products and services, and their compensation is tied to the volume of business they generate. When RMs also have responsibility for assigning and approving ratings, there is an inherent conflict of interest. Credit quality and the ability to produce timely and accurate risk ratings are generally not major factors in an RM's compensation, even when he or she has responsibility for assigning and approving ratings. In addition, RMs also may become too close to the borrower to maintain their objectivity and remain unbiased. When banks delegate rating responsibility to RMs, they must offset the lack of independence with rigorous controls to prevent bias from affecting the rating process. Such controls must operate in practice, not just on paper, and would include, at a minimum, a comprehensive, independent post-closing review of ratings by a rating system review function. Deal Team. Some major banks employ a ``deal-team'' structure for credit origination and rating assignment. Using this approach, all members of the team--credit officers, investment bankers, underwriters, and others--contribute to analyzing creditworthiness, underwriting the deal, and assigning ratings. On the one hand, deal teams increase the access of credit officers to information on obligors and transactions early in the underwriting process, enabling them to make more informed credit decisions and to influence facility structure to address obligors' weaknesses. On the other hand, participation in the deal team could compromise the credit officer's objectivity. While credit officers typically report to an independent credit-risk-management function, they also have allegiance to the deal team that reports to executives within the sales and marketing line of business. In addition, credit officers may defer to the members of the team whose compensation is based on the revenue and sales volume they generate for the bank. Banks that maintain deal teams must ensure that the credit officer's independence is safeguarded through independent reporting lines and well-defined performance measures (e.g., adherence to policy, rating accuracy and timeliness). Credit Officers. Some banks give sole responsibility for assigning and approving ratings to credit officers who report to an independent credit function. In addition to assigning and approving and assigning initial ratings, credit officers regularly monitor the condition of obligors and refresh ratings as necessary. The potential downside of this structure is that these credit officers may have limited access to borrower information. Those credit officers that have a separate reporting line and whose compensation is principally based on their risk-rating accuracy are typically more independent than RMs or deal teams. Models. At some institutions, models assign ratings directly; at other institutions, models and judgment are combined to rate credits. Models introduce a high degree of independence to the rating process, but they too require human oversight and controls. Banks that use models must incorporate an independent judgmental review of the rating assignments to ensure that all relevant information is considered and to identify potential rating errors. Judgmental reviews are also needed when model outputs are [[Page 45976]] overridden. In addition, controls are needed to ensure accuracy of data inputs. When a bank uses a model to assign risk ratings, an individual obligor's rating is ``transparent.'' However, the model itself is not ``transparent'' without a great deal of effort to document how the model functions. C. Transparency Transparency is the ability of a third party, such as rating system reviewers, auditors or bank supervisors, to observe how the rating system operates and to understand the pertinent characteristics of individual ratings. S. IRB institutions must have a transparent rating system. Transparency in a rating system is achieved through documentation that covers the following: [sbull] The rating system's design, purpose, performance horizon, and performance standards; [sbull] The rating assignment process, including procedures for adjustments and overrides; [sbull] Rating definitions and criteria, scorecard criteria, and model specifications; [sbull] Parameter estimates and the process for their estimation; [sbull] Definition of the data elements to be warehoused to support controls, oversight, validation, and parameter estimation; and [sbull] Specific responsibilities of, and performance standards for, individuals and units involved in the rating system and its oversight. Transparency allows third parties (such as rating system review, auditors, or supervisors) to evaluate whether the rating system is performing as intended. Without transparency, it is difficult to hold people accountable for ratings errors and to validate the performance of the system. S. Rating criteria must be clear and specific and must include qualitative and quantitative factors. To produce transparent individual ratings, a bank's policies must contain clear, detailed ratings definitions. Banks should specify criteria for each factor that raters must consider, which may require unique rating definitions for certain industries. Banks should consider criteria for factors such as liquidity, sales and profitability, debt service and fixed charge coverage, minimum equity support, position within the industry, strength of management. A rating system with vague criteria or one merely defined by PDs or LGDs is not transparent. For example, the following rating definitions are not transparent because they require the rater to do too much interpreting: Borrower exhibits satisfactory quality and demonstrates acceptable principal and interest repayment capacity in the near term. Lower tier company in a cyclical industry. Unbalanced position with tight liquidity and high leverage. Declining or erratic profitability and marginal debt service capacity. Management is untested. D. Accountability ``Accountability'' is holding people responsible for their actions and establishing adverse consequences for inaccurate ratings. S. Policies must identify the parties responsible for rating accuracy and rating system performance. For accountability to be effective, it should be both observable and ingrained in the culture. Persons who assign and approve rate credits, derive parameter estimates, or oversee rating systems must be held accountable for complying with rating system policies and ensuring that aspects of the rating system within their control are as unbiased and accurate as possible. These persons must have the tools and resources necessary to carry out their responsibilities, and their performance should be evaluated against clear and specific objectives documented in policy. Responsibility for Assigning Ratings S. Individuals must be held accountable for complying with rating system policies and for assigning accurate ratings, and their performance and compensation must be linked to well-defined measurable performance standards. Responsibilities of raters should be clear, and performance should be measured against specific objectives. Performance evaluation and incentive compensation should be tied to performance goals. Examples of performance measures include: [sbull] Number and frequency of rating errors, [sbull] Significance of errors (for example, multiple downgrades), and [sbull] Proper and consistent application of criteria, including override criteria. Responsibility for Rating System Performance Just as individuals will be held accountable for the accuracy of ratings, an individual must be held responsible for the overall performance of the rating system. This individual must ensure that the rating system and all of its component parts--rating assignments, parameter estimation, data collection, control and oversight mechanisms--are functioning as intended. While these components often are housed within separate units of the organization, an individual must be responsible for ensuring that the parts work together effectively and efficiently. E. Use of Ratings S. Ratings used for regulatory capital must be the same ratings used to guide day-to-day credit risk management activities. The different uses and applications of the risk-rating system's outputs should promote greater accuracy and consistency of credit-risk evaluations across an organization. Ratings and the associated default, loss, and EAD estimates need to be incorporated within the credit-risk management, internal capital allocation, and corporate governance functions of IRB banks. S. Banks that use parameter estimates for risk management that are different from those used for regulatory capital must provide a well- documented rationale for the differences. PD and LGD parameters used for regulatory capital purposes may not be appropriate for other uses purposes. For example, PD estimates used to estimate reserve needs could reflect current economic conditions that are different from the longer term view appropriate to calculations of regulatory capital. When banks employ different estimates, those parameters must be defensible and supported by the following: [sbull] Qualitative and quantitative analysis of the logic and rationale for the difference(s); and [sbull] Senior management approval of the difference(s). F. Rating System Review (RSR) S. Banks must have a comprehensive, coordinated, independent review process to ensure that ratings are accurate and that the rating system is performing as intended. Rating system review (RSR) ensures that the rating system as a whole is functioning as intended. A broad range of responsibilities come under RSR's purview, as outlined in Table 4.2: Table 4.2.--Responsibilities of Rating System Review ------------------------------------------------------------------------ ------------------------------------------------------------------------- Scope of Review: Design of the rating system. Compliance with policies and procedures, including application of criteria. Check of all risk-rating grades for accuracy. Consistency across industries/portfolios/geographies. [[Page 45977]] Model development. Model use, including inputs and outputs. Overrides and policy exceptions. Quantification process. Back-testing (perform or review). Actual and predicted ratings transitions. Benchmarking against third-party data sources (perform or review). Adequacy of data maintenance. Analysis and Reporting: Identify errors and flaws. Recommend corrective action. ------------------------------------------------------------------------ For each of these responsibilities, RSR is largely checking and confirming the work of others and ensuring that the rating system's components work well together. RSR's testing and review should identify current and potential weaknesses and should lead to recommendations and corrective action such as [sbull] Adjusting policies and procedures, [sbull] Requiring additional training of staff, [sbull] Investing in infrastructure improvements, [sbull] Adjusting rating criteria, and [sbull] Adjusting parameter estimates. S. Rating system review must report significant findings to senior management and the board quarterly. RSR's role is to identify issues and areas of concern and report findings to the area that is accountable. When issues are systematic, RSR should bring them to the attention of senior management and the board. The activities of this function could be distributed across multiple areas or housed within one unit. Organizations will choose a structure that fits within their management and oversight framework. These units must always have high standing within the organization and should be staffed by individuals possessing the requisite stature, skills, and experience. Like internal audit, RSR must be independent from all in-house designers and developers (that is, system and model designers) and raters (that is, ratings and parameter assigners) in the risk-rating process. RSR's independence eliminates potential conflicts of interest and gives the group credibility when it reports findings and conclusions to the board and senior management. G. Internal Audit S. An independent internal audit function must determine whether rating system controls function as intended. S. Internal audit must evaluate annually whether the bank is in compliance with the risk-based capital regulation and supervisory guidance. Internal audit determines whether the bank's system of controls over internal ratings and the related parameters is robust. In its evaluation of controls, internal audit must consider any trade-offs made between the various mechanisms and confirm their continued appropriateness and relevance. As part of its review of control mechanisms, audit will evaluate the depth, scope, and quality of RSR's work and will conduct limited testing to ensure that their conclusions are well founded. The amount of testing will depend on whether audit is the primary or secondary reviewer of that work. Internal audit will report to the board and management on whether the bank is in compliance with the IRB standards. This report will allow the board and management to disclose that its rating processes and the controls surrounding these processes are in compliance with the IRB standards. This will be critical for public disclosure and ongoing work of supervisors. External Audit As part of the process of certifying financial statements, external auditors will confirm that the institution's capital position is fairly presented. To verify that actual capital exceeds regulatory minimums and to confirm compliance with the IRB rules, the external auditors must ascertain that the IRB system is rating credit risk appropriately and linking these ratings to appropriate estimates. Auditors must evaluate the bank's internal control functions and its compliance with the risk-based capital regulation and supervisory guidance. H. Corporate Oversight S. The full board or a committee of the board must approve key elements of the IRB system. Consistent with sound practice, bank management must ensure that a corporate culture exists in which institutional needs are readily identified and appropriate resources are brought to bear to rectify shortcomings. In the IRB context, senior management and the board of directors must ensure the objectivity and accuracy of the bank's credit-risk management systems and approach. Either the full board or a committee of the board should approve key elements of the risk-rating system. Information provided to the board should be sufficiently detailed to allow directors to confirm the continuing appropriateness of the institution's rating approach and to verify the adequacy of the controls supporting the rating system. S. Senior management must ensure that all components of the IRB system, including controls, are functioning as intended and comply with the risk-based capital regulation and supervisory guidance. Senior management's oversight should be even more active than that of the board of directors. Senior management should articulate what it expects of the technical and operational units of the risk-rating system, as well as what it expects of the units that manage the system's controls. To oversee the risk-rating system, senior management must have an extensive understanding of credit policies, underwriting standards, lending practices, and collection and recovery practices, and must be able to understand how these factors affect default and loss estimates. Senior management should not only oversee the controls process (its traditional role) but also should periodically meet with raters and validators to discuss the rating system's performance, areas needing improvement, and the status of efforts to improve previously identified deficiencies. The depth and frequency of information provided to the board and senior management must be commensurate with their oversight responsibilities and the condition of the institution. These reports should include the following information: [sbull] Risk profile by grade, [sbull] Risk rating migration across grades with emphasis on unexpected results, [sbull] Changes in parameter estimates by grade, [sbull] Comparison of realized PD, LGD, and EAD rates against expectations, [sbull] Reports measuring changes in regulatory and economic capital, [sbull] Results of capital stress testing, and [sbull] Reports generated by rating system review, audit, and other control units. Although all of an institution's controls must function smoothly, independently, and in concert with the others, the direction and oversight provided by the board and senior management are perhaps most important to ensure that the IRB system is functioning properly. Document 2: Draft Supervisory Guidance on Operational Risk Advanced Measurement Approaches for Regulatory Capital Table of Contents I. Purpose II. Background III. Definitions IV. Banking Activities and Operational Risk V. Corporate Governance A. Board and Management Oversight [[Page 45978]] B. Independent Firm-wide Risk Management Function C. Line of Business Management VI. Operational Risk Management Elements A. Operational Risk Policies and Procedures B. Identification and Measurement of Operational Risk C. Monitoring and Reporting D. Internal Control Environment VII. Elements of an AMA Framework A. Internal Operational Risk Loss Event Data B. External Data C. Business Environment and Internal Control Factor Assessments D. Scenario Analysis VIII. Risk Quantification A. Analytical Framework B. Accounting for Dependence IX. Risk Mitigation X. Data Maintenance XI. Testing and Verification Appendix A: Supervisory Standards for the AMA I. Purpose The purpose of this guidance is to set forth the expectations of the U.S. banking agencies for banking institutions that use Advanced Measurement Approaches (AMA) for calculating the operational risk capital charge under the new capital regulation. Institutions using the AMA will have considerable flexibility to develop operational risk measurement systems appropriate to the nature of their activities, business environment, and internal controls. An institution's operational risk regulatory capital requirement will be calculated as the amount needed to cover its operational risk at a level of confidence determined by the supervisors, as discussed below. Use of an AMA is subject to supervisory approval. This draft guidance should be considered with the advance notice of proposed rulemaking (ANPR) on revisions to the risk-based capital standard published elsewhere in today's Federal Register. As with the ANPR, the Agencies are seeking industry comment on this draft guidance. In addition to seeking comment on all specific aspects of this supervisory guidance, the Agencies are seeking comment on the extent to which the supervisory guidance strikes the appropriate balance between flexibility and specificity. Likewise, the Agencies are seeking comment on whether an appropriate balance has been struck between the regulatory requirements set forth in the ANPR and the supervisory standards set forth in this guidance. II. Background Effective management of operational risk is integral to the business of banking and to institutions' roles as financial intermediaries. Although operational risk is not a new risk, deregulation and globalization of financial services, together with the growing sophistication of financial technology, new business activities and delivery channels, are making institutions' operational risk profiles (i.e., the level of operational risk across an institution's activities and risk categories) more complex. This guidance identifies the supervisory standards (S) that institutions must meet and maintain to use an AMA for the regulatory capital charge for operational risk. The purpose of the standards is to provide the foundation for a sound operational risk framework, while allowing institutions to identify the most appropriate mechanisms to meet AMA requirements. Each institution will need to consider its complexity, range of products and services, organizational structure, and risk management culture as it develops its AMA. Operational risk governance processes need to be established on a firm-wide basis to identify, measure, monitor, and control operational risk in a manner comparable with the treatment of credit, interest rate, and market risks. Institutions will be expected to develop a framework that measures and quantifies operational risk for regulatory capital purposes. To do this, institutions will need a systematic process for collecting operational risk loss data, assessing the risks within the institution, and adopting an analytical framework that translates the data and risk assessments into an operational risk exposure (see definition below). The analytical framework must incorporate a degree of conservatism that is appropriate for the overall robustness of the quantification process. Because institutions will be permitted to calculate their minimum regulatory capital on the basis of internal processes, the requirements for data capture, risk assessment, and the analytical framework described below are detailed and specific. Effective operational risk measurement systems are built on both quantitative and qualitative risk assessment techniques. While the output of the regulatory framework for operational risk is a measure of exposure resulting in a capital number, the integrity of that estimate depends not only on the soundness of the measurement model, but also on the robustness of the institution's underlying risk management processes. In addition, supervisors view the introduction of the AMA as an important tool to further promote improvements in operational risk management and controls at large banking institutions. This document provides both AMA supervisory standards and a discussion of how those standards should be incorporated into an operational risk framework. The relevant supervisory standards are listed at the beginning of each section and a full compilation of the standards is provided in Appendix A. Not every section has specific supervisory standards. When spanning more than one section, supervisory standards are listed only once. Institutions will be required to meet, and remain in compliance with, all the supervisory standards to use an AMA framework. However, evaluating an institution's qualification with each of the individual supervisory standards will not be sufficient to determine an institution's overall readiness for AMA. Instead, supervisors and institutions must also evaluate how well the various components of an institution's AMA framework complement and reinforce one another to achieve the overall objectives of an accurate measure and effective management of operational risk. In performing their evaluation, supervisors will exercise considerable supervisory judgment, both in evaluating the individual components and the overall operational risk framework. An institution's AMA methodology will be assessed as part of the ongoing supervision process. This will allow supervisors to incorporate existing supervisory efforts as much as possible into the AMA assessments. Some elements of operational risk (e.g., internal controls and information technology) have long been subject to examination by supervisors. Where this is the case, supervisors will make every effort to leverage off these examination activities to assess the effectiveness of the AMA process. Substantive weaknesses identified in an examination will be factored into the AMA qualification process. III. Definitions There are important definitions that institutions must incorporate into an AMA framework. They are: [sbull] Operational risk: The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution's [[Page 45979]] activities. The definition does not include strategic or reputational risks.\8\ --------------------------------------------------------------------------- \8\ An institution's definition of risk may encompass other risk elements as long as the supervisory definition is met. --------------------------------------------------------------------------- [sbull] Operational risk loss: The financial impact associated with an operational event that is recorded in the institution's financial statements consistent with Generally Accepted Accounting Principles (GAAP). Financial impact includes all out-of-pocket expenses associated with an operational event but does not include opportunity costs, foregone revenue, or costs related to investment programs implemented to prevent subsequent operational risk losses. Operational risk losses are characterized by seven event factors associated with: i. Internal fraud: An act of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involve at least one internal party. ii. External fraud: An act of a type intended to defraud, misappropriate property or circumvent the law, by a third party. iii. Employment practices and workplace safety: An act inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events. iv. Clients, products, and business practices: An unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product. v. Damage to physical assets: The loss or damage to physical assets from natural disaster or other events. vi. Business disruption and system failures: Disruption of business or system failures. vii. Execution, delivery, and process management: Failed transaction processing or process management, from relations with trade counterparties and vendors. [sbull] Operational risk exposure: An estimate of the potential operational losses that the banking institution faces at a soundness standard consistent with a 99.9 per cent confidence level over a one- year period. The institution will multiply the exposure by 12.5 to obtain risk-weighted assets for operational risk; this is added to the risk-weighted assets for credit and market risk to arrive at the denominator of the regulatory capital ratio. [sbull] Business environment and internal control factor assessments: The range of tools that provide a meaningful assessment of the level and trends in operational risk across the institution. While the institution may use multiple tools in an AMA framework, they must all have the same objective of identifying key risks. There are a number of existing tools, such as audit scores and performance indicators that may be acceptable under this definition. IV. Banking Activities and Operational Risk The above definition of operational risk gives a sense of the breadth of exposure to operational risk that exists in banking today as well as the many interdependencies among risk factors that may result in an operational risk loss. Indeed, operational risk can occur in any activity, function, or unit of the institution. The definition of operational risk incorporates the risks stemming from people, processes, systems and external events. People risk refers to the risk of management failure, organizational structure or other human resource failures. These risks may be exacerbated by poor training, inadequate controls, poor staffing resources, or other factors. The risk from processes stem from breakdowns in established processes, failure to follow processes, or inadequate process mapping within business lines. System risk covers instances of both disruption and outright system failures in both internal and outsourced operations. Finally, external events can include natural disasters, terrorism, and vandalism. There are a number of areas where operational risks are emerging. These include: [sbull] Greater use of automated technology has the potential to transform risks from manual processing errors to system failure risks, as greater reliance is placed on globally integrated systems; [sbull] Proliferation of new and highly complex products; [sbull] Growth of e-banking transactions and related business applications expose an institution to potential new risks (e.g., internal and external fraud and system security issues); [sbull] Large-scale acquisitions, mergers, and consolidations test the viability of new or newly integrated systems; [sbull] Emergence of institutions acting as large-volume service providers create the need for continual maintenance of high-grade internal controls and back-up systems; [sbull] Development and use of risk mitigation techniques (e.g., collateral, insurance, credit derivatives, netting arrangements and asset securitizations) optimize an institution's exposure to market risk and credit risk, but potentially create other forms of risk (e.g., legal risk); and [sbull] Greater use of outsourcing arrangements and participation in clearing and settlement systems mitigate some risks while increasing others. The range of banking activities and areas affected by operational risk must be fully identified and considered in the development of the institution's risk management and measurement plans. Since operational risk is not confined to particular business lines \9\, product types, or organizational units, it should be managed in a consistent and comprehensive manner across the institution. Consequently, risk management mechanisms must encompass the full range of risks, as well as strategies that help to identify, measure, monitor and control those risks. --------------------------------------------------------------------------- \9\ Throughout this guidance, terms such as ``business units'' and ``business lines'' are used interchangeably and refer not only to an institution's revenue-generating businesses, but also to corporate staff functions such as human resources or information technology. --------------------------------------------------------------------------- V. Corporate Governance Supervisory Standards S 1. The institution's operational risk framework must include an independent firm-wide operational risk management function, line of business management oversight, and independent testing and verification functions. The management structure underlying an AMA operational risk framework may vary between institutions. However, within all AMA institutions, there are three key components that must be evident--the firm-wide operational risk management function, lines of business management, and the testing and verification function. These three elements are functionally independent \10\ organizational components, but should work in cooperation to ensure a robust operational risk framework. --------------------------------------------------------------------------- \10\ For the purposes of AMA, ``functional independence'' is defined as the ability to carry out work freely and objectively and render impartial and unbiased judgments. There should be appropriate independence between the firm-wide operational risk management functions, line of business management and staff and the testing/ verification functions. Supervisory assessments of independence issues will rely upon existing regulatory guidance (e.g. audit, internal control systems, board of directors/management, etc.) --------------------------------------------------------------------------- A. Board and Management Oversight Supervisory Standards S 2. The board of directors must oversee the development of the firm-wide operational risk framework, as [[Page 45980]] well as major changes to the framework. Management roles and accountability must be clearly established. S 3. The board of directors and management must ensure that appropriate resources are allocated to support the operational risk framework. The board is responsible for overseeing the establishment of the operational risk framework, but may delegate the responsibility for implementing the framework to management with the authority necessary to allow for its effective implementation. Other key responsibilities of the board include: [sbull] Ensuring appropriate management responsibility, accountability and reporting; [sbull] Understanding the major aspects of the institution's operational risk as a distinct risk category that should be managed; [sbull] Reviewing periodic high-level reports on the institution's overall operational risk profile, which identify material risks and strategic implications for the institution; [sbull] Overseeing significant changes to the operational risk framework; and [sbull] Ensuring compliance with regulatory disclosure requirements. Effective board and management oversight forms the cornerstone of an effective operational risk management process. The board and management have several broad responsibilities with respect to operational risk: [sbull] To establish a framework for assessing operational risk exposure and identify the institution's tolerance for operational risk; [sbull] To identify the senior managers who have the authority for managing operational risk; [sbull] To monitor the institution's performance and overall operational risk profile, ensuring that it is maintained at prudent levels and is supported by adequate capital; [sbull] To implement sound fundamental risk governance principles that facilitate the identification, measurement, monitoring, and control of operational risk; [sbull] To devote adequate human and technical resources to operational risk management; and [sbull] To institute remuneration policies that are consistent with the institution's appetite for risk and are sufficient to attract qualified operational risk management and staff. Management should translate the operational risk management framework into specific policies, processes and procedures that can be implemented and verified within the institution's different business units. Communication of these elements will be essential to the understanding and consistent treatment of operational risk across the institution. While each level of management is responsible for effectively implementing the policies and procedures within its purview, senior management should clearly assign authority, responsibilities, and reporting relationships to encourage and maintain this accountability and ensure that the necessary resources are available to manage operational risk. Moreover, management should assess the appropriateness of the operational risk management oversight process in light of the risks inherent in a business unit's activities. The testing and verification function is responsible for completing timely and comprehensive assessments of the effectiveness of implementation of the institution's operational risk framework at the line of business and firm-wide levels. Management collectively is also responsible for ensuring that the institution has qualified staff and sufficient resources to carry out the operational risk functions outlined in the operational risk framework. Additionally, management must communicate operational risk issues to appropriate staff that may not be directly involved in its management. Key management responsibilities include ensuring that: [sbull] Operational risk management activities are conducted by qualified staff with the necessary experience, technical capabilities and access to adequate resources; [sbull] Sufficient resources have been allocated to operational risk management, in the business lines as well as the independent firm- wide operational risk management function and verification areas, so as to sufficiently monitor and enforce compliance with the institution's operational risk policy and procedures; and [sbull] Operational risk issues are effectively communicated with staff responsible for managing credit, market and other risks, as well as those responsible for purchasing insurance and managing third-party outsourcing arrangements. B. Independent Firm-Wide Risk Management Function Supervisory Standards S 4. The institution must have an independent operational risk management function that is responsible for overseeing the operational risk framework at the firm level to ensure the development and consistent application of operational risk policies, processes, and procedures throughout the institution. S 5. The firm-wide operational risk management function must ensure appropriate reporting of operational risk exposures and loss data to the board of directors and senior management. The institution must have an independent firm-wide operational risk management function. The roles and responsibilities of the function will vary between institutions, but must be clearly documented. The independent firm-wide operational risk function should have organizational stature commensurate with the institution's operational risk profile, while remaining independent of the lines of business and the testing and verification function. At a minimum, the institution's independent firm-wide operational risk management function should ensure the development of policies, processes, and procedures that explicitly manage operational risk as a distinct risk to the institution's safety and soundness. These policies, processes and procedures should include principles for how operational risk is to be identified, measured, monitored, and controlled across the organization. Additionally, they should provide for the collection of the data needed to calculate the institution's operational risk exposure. Additional responsibilities of the independent firm-wide operational risk management function include: [sbull] Assisting in the implementation of the overall firm-wide operational risk framework; [sbull] Reviewing the institution's progress towards stated operational risk objectives, goals and risk tolerances; [sbull] Periodically reviewing the institution's operational risk framework to consider the loss experience, effects of external market changes, other environmental factors, and the potential for new or changing operational risks associated with new products, activities or systems. This review process should include an assessment of industry best practices for the institution's activities, systems and processes; [sbull] Reviewing and analyzing operational risk data and reports; and [sbull] Ensuring appropriate reporting to senior management and the board. C. Line of Business Management Supervisory Standards S 6. Line of business management is responsible for the day-to-day management of operational risk within each business unit. S 7. Line of business management must ensure that internal controls and [[Page 45981]] practices within their line of business are consistent with firm-wide policies and procedures to support the management and measurement of the institution's operational risk. Line of business management is responsible for both managing operational risk within the business lines and ensuring that policies and procedures are consistent with and support the firm-wide operational risk framework. Management should ensure that business- specific policies, processes, procedures and staff are in place to manage operational risk for all material products, activities, and processes. Implementation of the operational risk framework within each line of business should reflect the scope of that business and its inherent operational complexity and operational risk profile. Line of business management must be independent of both the firm-wide operational risk management and the testing and verification functions. VI. Operational Risk Management Elements The operational risk management framework provides the overall operational risk strategic direction and ensures that an effective operational risk management and measurement process is adopted throughout the institution. The framework should provide for the consistent application of operational risk policies and procedures throughout the institution and address the roles of both the independent firm-wide operational risk management function and the lines of business. The framework should also provide for the consistent and comprehensive capture of data elements needed to measure and verify the institution's operational risk exposure, as well as appropriate operational risk analytical frameworks, reporting systems, and mitigation strategies. The framework must also include independent testing and verification to assess the effectiveness of implementation of the institution's operational risk framework, including compliance with policies, processes, and procedures. In practice, an institution's operational risk framework must reflect the scope and complexity of business lines, as well as the corporate organizational structure. Each institution's operational risk profile is unique and requires a tailored risk management approach appropriate for the scale and materiality of the risks present, and the size of the institution. There is no single framework that would suit every institution; different approaches will be needed for different institutions. In fact, many operational risk management techniques continue to evolve rapidly to keep pace with new technologies, business models and applications. The key elements in the operational risk management process include: [sbull] Appropriate policies and procedures; [sbull] Efforts to identify and measure operational risk; [sbull] Effective monitoring and reporting; [sbull] A sound system of internal controls; and [sbull] Appropriate testing and verification of the operational risk framework. A. Operational Risk Policies and Procedures Supervisory Standards S 8. The institution must have policies and procedures that clearly describe the major elements of the operational risk management framework, including identifying, measuring, monitoring, and controlling operational risk. Operational risk management policies, processes, and procedures should be documented and communicated to appropriate staff. The policies and procedures should outline all aspects of the institution's operational risk management framework, including: [sbull] The roles and responsibilities of the independent firm-wide operational risk management function and line of business management; [sbull] A definition for operational risk, including the loss event types that will be monitored; [sbull] The capture and use of internal and external operational risk loss data, including large potential events (including the use of scenario analysis); [sbull] The development and incorporation of business environment and internal control factor assessments into the operational risk framework; [sbull] A description of the internally derived analytical framework that quantifies the operational risk exposure of the institution; [sbull] An outline of the reporting framework and the type of data/ information to be included in line of business and firm-wide reporting; [sbull] A discussion of qualitative factors and risk mitigants and how they are incorporated into the operational risk framework; [sbull] A discussion of the testing and verification processes and procedures; [sbull] A discussion of other factors that affect the measurement of operational risk; and [sbull] Provisions for the review and approval of significant policy and procedural exceptions. B. Identification and Measurement of Operational Risk The result of a comprehensive program to identify and measure operational risk is an assessment of the institution's operational risk exposure. Management must establish a process that identifies the nature and types of operational risk and their causes and resulting effects on the institution. Proper operational risk identification supports the reporting and maintenance of capital for operational risk exposure and events, facilitates the establishment of mechanisms to mitigate or control the risks, and ensures that management is fully aware of the sources of emerging operational risk loss events. C. Monitoring and Reporting Supervisory Standards S 9. Operational risk management reports must address both firm- wide and line of business results. These reports must summarize operational risk exposure, loss experience, relevant business environment and internal control assessments, and must be produced no less often than quarterly. S 10. Operational risk reports must also be provided periodically to senior management and the board of directors, summarizing relevant firm-wide operational risk information. Ongoing monitoring of operational risk exposures is a key aspect of an effective operational risk framework. To facilitate monitoring of operational risk, results from the measurement system should be summarized in reports that can be used by the firm-wide operational risk and line of business management functions to understand, manage, and control operational risk and losses. These reports should serve as a basis for assessing operational risk and related mitigation strategies and creating incentives to improve operational risk management throughout the institution. Operational risk management reports should summarize: [sbull] Operational risk loss experience on an institution, line of business, and event-type basis; [sbull] Operational risk exposure; [sbull] Changes in relevant risk and control assessments; [sbull] Management assessment of early warning factors signaling an increased risk of future losses; [sbull] Trend analysis, allowing line of business and independent firm-wide operational risk management to assess [[Page 45982]] and manage operational risk exposures, systemic line of business risk issues, and other corporate risk issues; [sbull] Exception reporting; and [sbull] To the extent developed, operational risk causal factors. High-level operational risk reports must also be produced periodically for the board and senior management. These reports must provide information regarding the operational risk profile of the institution, including the sources of material risk both from a firm- wide and line of business perspective, versus established management expectations. D. Internal Control Environment Supervisory Standards S 11. An institution's internal control structure must meet or exceed minimum regulatory standards established by the Agencies. Sound internal controls are essential to an institution's management of operational risk and are one of the foundations of safe and sound banking. When properly designed and consistently enforced, a sound system of internal controls will help management safeguard the institution's resources, produce reliable financial reports, and comply with laws and regulations. Sound internal controls will also reduce the possibility of significant human errors and irregularities in internal processes and systems, and will assist in their timely detection when they do occur. The Agencies are not introducing any new internal control standards, but rather emphasizing the importance of meeting existing standards. There is a recognition that internal control systems will differ among institutions due to the nature and complexity of an institution's products and services, organizational structure, and risk management culture. The AMA standards allows for these differences, while also establishing a baseline standard for the quality of the internal control structure. Institutions will be expected to at least meet the minimum interagency standards\11\ relating to internal controls as a criterion for AMA qualification. --------------------------------------------------------------------------- \11\ There are a number of interagency standards that cover topics relevant to the internal control structure. These include, for example, the Interagency Policy Statement on the Internal Audit Function and Its Outsourcing (March 2003), the Federal Financial Institution's Examination Council's (FFIEC's) Business Continuity Planning Booklet (May 2003), the FFIEC's Information Security Booklet (January 2003). In addition, each Agency has extensive guidance on corporate governance, internal controls, and monitoring and reporting in its respective examination policies and procedures. --------------------------------------------------------------------------- The extent to which an institution meets or exceeds the minimum standards will primarily be assessed through current and ongoing supervisory processes. As noted earlier, the Agencies will leverage off existing examination processes, to avoid duplication in assessing an institution's implementation of an AMA framework. Assessing the internal control environment is clearly an area where the supervisory authorities already focus considerable attention. VII. Elements of an AMA Framework Supervisory Standards S 12. The institution must demonstrate that it has appropriate internal loss event data, relevant external loss event data, assessments of business environment and internal controls factors, and results from scenario analysis to support its operational risk management and measurement framework. S 13. The institution must include the regulatory definition of operational risk as the baseline for capturing the elements of the AMA framework and determining its operational risk exposure. S 14. The institution must have clear standards for the collection and modification of the elements of the operational risk AMA framework. Operational risk inputs play a significant role in both the management and measurement of operational risk. Necessary elements of an institution's AMA framework include internal loss event data, relevant external loss event data, results of scenario analysis, and assessments of the institution's business environment and internal controls. Operational risk inputs aid the institution in identifying the level and trend of operational risk, determining the effectiveness of risk management and control efforts, highlighting opportunities to better mitigate operational risk, and assessing operational risk on a forward-looking basis. To use its AMA framework, an institution must demonstrate that it has established a consistent and comprehensive process for the capture of all elements of the AMA framework. The institution must also demonstrate that it has clear standards for the collection and modification of all AMA inputs. While the analytical framework will generally combine these inputs to develop the operational risk exposure, supervisors must have the capacity to review the individual inputs as well; specifically, supervisors will need to review the loss information that is being provided to the analytical framework that stems from internal loss event data, versus the loss event information provided by external loss event data capture, scenario analysis, or the assessments of the business environment and internal control factors. The capture systems must cover all material business lines, business activities and corporate functions that could generate operational risk. The institution must have a defined process that establishes responsibilities over the systems developed to capture the AMA elements. In particular, the issue of overriding the data capture systems must be addressed. Any overrides should be tracked separately and documented. Tracking overrides separately allows management and supervisors to identify the nature and rationale, including whether they stem from simple input errors or, more importantly, from exclusion because a loss event was not pertinent for the quantitative measurement. Management should have clear standards for addressing overrides and should clearly delineate who has authority to override the data systems and under what circumstances. As noted earlier, for AMA qualification purposes, an institution's operational risk framework must, at a minimum, use the definition of operational risk that is provided in paragraph 10 when capturing the elements of the AMA framework. Institutions may use an expanded definition if considered more appropriate for risk management and measurement efforts. However, for the quantification of operational risk exposure for regulatory capital purposes, an institution must demonstrate that the AMA elements are captured so as to meet the baseline definition. A. Internal Operational Risk Loss Event Data Supervisory Standards S 15. The institution must have at least five years of internal operational risk loss data \12\ captured across all material business lines, events, product types, and geographic locations. --------------------------------------------------------------------------- \12\ With supervisory approval, a shorter initial historical observation period is acceptable for banks newly authorized to use an AMA methodology. --------------------------------------------------------------------------- S 16. The institution must be able to map internal operational risk losses to the seven loss-event type categories. S 17. The institution must have a policy that identifies when an operational risk loss becomes a loss event and must be added to the loss [[Page 45983]] event database. The policy must provide for consistent treatment across the institution. S 18. The institution must establish appropriate operational risk data thresholds. S 19. Losses that have any characteristics of credit risk, including fraud-related credit losses, must be treated as credit risk for regulatory capital purposes. The institution must have a clear policy that allows for the consistent treatment of loss event classifications (e.g., credit, market, or operational risk) across the organization. The key to internal data integrity is the consistency and completeness with which loss event data capture processes are implemented across the institution. Management must ensure that operational risk loss event information captured is consistent across the business lines and incorporates any corporate functions that may also experience operational risk events. Policies and procedures should be addressed to the appropriate staff to ensure that there is satisfactory understanding of operational risk and the data capture requirements under the operational risk framework. Further, the independent operational risk management function must ensure that the loss data is captured across all material business lines, products types, event types, and from all significant geographic locations. The institution must be able to capture and aggregate internal losses that cross multiple business lines or event types. If data is not captured across all business lines or from all geographic locations, the institution must document and explain the exceptions. AMA institutions must be able to map operational risk losses into the seven loss event categories defined in paragraph 10. Institutions will not be required to produce reports or perform analysis for internal purposes on the basis of the loss event categories, but will be expected to use the information about the event-type categories as a check on the comprehensiveness of the institution's data set. The institution must have five years of internal loss data, although a shorter range of historical data may be allowed, subject to supervisory approval. The extent to which an institution collects operational risk loss event data will, in part, be dependent upon the data thresholds that the institution establishes. There are a number of standards that an institution may use to establish the thresholds. They may be based on product types, business lines, geographic location, or other appropriate factors. The Agencies will allow flexibility in this area, provided the institution can demonstrate that the thresholds are reasonable, do not exclude important loss events, and capture a significant proportion of the institution's operational risk losses. The institution must capture comprehensive data on all loss events above its established threshold level. Aside from information on the gross loss amount, the institution should collect information about the date of the event, any recoveries, and descriptive information about the drivers or causes of the loss event. The level of detail of any descriptive information should be commensurate with the size of the gross loss amount. Examples of the type of information collected include: [sbull] Loss amount; [sbull] Description of loss event; [sbull] Where the loss is reported and expensed; [sbull] Loss event type category; [sbull] Date of the loss; [sbull] Discovery date of the loss; [sbull] Event end date; [sbull] Management actions; [sbull] Insurance recoveries; [sbull] Other recoveries; and [sbull] Adjustments to the loss estimate. There are a number of additional data elements that may be captured. It may be appropriate, for example, to capture data on ``near miss'' events, where no financial loss was incurred. These near misses will not factor into the regulatory capital calculation, but may be useful for the operational risk management process. Institutions will also be permitted and encouraged to capture loss events in their operational risk databases that are treated as credit risk for regulatory capital purposes, but have an underlying element of operational risk failure. These types of events, while not incorporated into the regulatory capital calculation, may have implications for operational risk management. It will be essential for institutions that capture loss events that are treated differently for regulatory capital and management purposes to demonstrate that (1) loss events are being captured consistently across the institution; (2) the data systems are sufficiently advanced to allow for this differential treatment of loss events; and (3) credit, market, and operational risk losses are being appropriated in the correct manner for regulatory capital purposes. The Agencies have established a clear boundary between credit and operational risks for regulatory capital purposes. If a loss event has any element of credit risk, it must be treated as credit risk for regulatory capital purposes. This would include all credit-related fraud losses. In addition, operational risk losses with credit risk characteristics that have historically been included in institutions' credit risk databases will continue to be treated as credit risk for the purposes of calculating minimum regulatory capital. The accounting guidance for credit losses provides that creditors recognize credit losses when it is probable that they will be unable to collect all amounts due according to the contractual terms of a loan agreement. Credit losses may result from the creditor's own underwriting, processing, servicing or administrative activities along with the borrower's failure to pay according to the terms of the loan agreement. While the creditor's personnel, systems, policies or procedures may affect the timing or magnitude of a credit loss, they do not change its character from credit to operational risk loss for regulatory capital purposes. Losses that arise from a contractual relationship between a creditor and a borrower are credit losses whereas losses that arise outside of a relationship between a creditor and a borrower are operational losses. B. External Data Supervisory Standards S 20. The institution must have policies and procedures that provide for the use of external loss data in the operational risk framework. S 21. Management must systematically review external data to ensure an understanding of industry experience. External data may serve a number of different purposes in the operational risk framework. Where internal loss data is limited, external data may be a useful input in determining the institution's level of operational risk exposure. Even where external loss data is not an explicit input to an institution's data set, such data provides a means for the institution to understand industry experience, and in turn, provides a means for assessing the adequacy of its internal data. External data may also prove useful to inform scenario analysis, fit severity distributions, or benchmark the overall operational risk exposure results. To incorporate external loss information into an institution's framework, the institution should collect the following information: [sbull] External loss amount; [sbull] External loss description; [sbull] Loss event type category; [sbull] External loss event date; [sbull] Adjustments to the loss amount (i.e., recoveries, insurance settlements, [[Page 45984]] etc) to the extent that they are known; and [sbull] Sufficient information about the reporting institution to facilitate comparison to its own organization. Institutions may obtain external loss data in any reasonable manner. There are many ways to do so; some institutions are using data acquired through membership with industry consortia while other institutions are using data obtained from vendor databases or public sources such as court records or media reports. In all cases, management will need to carefully evaluate the data source to ensure that they are comfortable that the information being reported is relevant and reasonably accurate. C. Business Environment and Internal Control Factor Assessments Supervisory Standards S 22. The institution must have a system to identify and assess business environment and internal control factors. S 23. Management must periodically compare the results of their business environment and internal control factor assessments against actual operational risk loss experience. While internal and external loss data provide a historical perspective on operational risk, it is also important that institutions incorporate a forward-looking element to the operational risk measure. In principle, an institution with strong internal controls in a stable business environment will have less exposure to operational risk than an institution with internal control weaknesses that is growing rapidly or introducing new products. In this regard, institutions will be required to identify the level and trends in operational risk in the institution. These assessments must be current, comprehensive across the institution, and identify the critical operational risks facing the institution. The business environment and internal control factor assessments should reflect both the positive and negative trends in risk management within the institution as well as changes in an institution's business activities that increase or decrease risk. Because the results of the risk assessment are part of the capital methodology, management must ensure that the risk assessments are done appropriately and reflect the risks of the institution. Periodic comparisons should be made between actual loss exposure and the assessment results. The framework established to maintain the risk assessments must be sufficiently flexible to encompass an institution's increased complexity of activities, new activities, changes in internal control systems, or an increased volume of information. D. Scenario Analysis Supervisory Standards S 24. Management must have policies and procedures that identify how scenario analysis will be incorporated into the operational risk framework. Scenario analysis is a systematic process of obtaining expert opinions from business managers and risk management experts to derive reasoned assessments of the likelihood and impact of plausible operational losses consistent with the regulatory soundness standard. Within an institution's operational risk framework, scenario analysis may be used as an input or may, as discussed below, form the basis of an operational risk analytical framework. As an input to the institution's framework, scenario analysis is especially relevant for business lines or loss event types where internal data, external data, and assessments of the business environment and internal control factors do not provide a sufficiently robust estimate of the institution's exposure to operational risk. In some cases, an institution's internal loss history may be sufficient to provide a reasonable estimate of exposure to future operational losses. In other cases, the use of well-reasoned, scaled external data may itself be a form of scenario analysis. The institution must have policies and procedures that define scenario analysis and identify its role in the operational risk framework. The policy should cover key elements of scenario analysis, such as the manner in which the scenarios are generated, the frequency with which they are updated, and the scope and coverage of operational loss events they are intended to reflect. VIII. Risk Quantification A. Analytical Framework Supervisory Standards S 25. The institution must have a comprehensive operational risk analytical framework that provides an estimate of the institution's operational risk exposure, which is the aggregate operational loss that it faces over a one-year period at a soundness standard consistent with a 99.9 per cent confidence level. S 26. Management must document the rationale for all assumptions underpinning its chosen analytical framework, including the choice of inputs, distributional assumptions, and the weighting across qualitative and quantitative elements. Management must also document and justify any subsequent changes to these assumptions. S 27. The institution's operational risk analytical framework must use a combination of internal operational loss event data, relevant external operational loss event data, business environment and internal control factor assessments, and scenario analysis. The institution must combine these elements in a manner that most effectively enables it to quantify its operational risk exposure. The institution can choose the analytical framework that is most appropriate to its business model. S 28. The institution's capital requirement for operational risk will be the sum of expected and unexpected losses unless the institution can demonstrate, consistent with supervisory standards, the expected loss offset. The industry has made significant progress in recent years in developing analytical frameworks to quantify operational risk. The analytical frameworks, which are a part of the overall operational risk framework, are based on various combinations of an institution's own operational loss experience, the industry's operational loss experience, the size and scope of the institution's activities, the quality of the institution's control environment, and management's expert judgment. Because these models capture specific characteristics of each institution, such models yield unique risk-sensitive estimates of the institutions' operational risk exposures. While the Agencies are not specifying the exact methodology that an institution should use to determine its operational risk exposure, minimum supervisory standards for acceptable approaches have been developed. These standards have been set so as to assure that the regulation can accommodate continued evolution of operational risk quantification techniques, yet remain amenable to consistent application and enforcement across institutions. The Agencies will require that the institution have a comprehensive analytical framework that provides an estimate of the aggregate operational loss that it faces over a one-year period at a soundness standard consistent with a 99.9 percent confidence level, referred to as the institution's operational risk exposure. The institution will multiply the exposure estimate by 12.5 to obtain risk weighted assets for operational risk, [[Page 45985]] and add this figure to risk-weighted assets for credit and market risk to obtain total risk-weighted assets. The final minimum regulatory capital number will be 8 percent of total risk-weighted assets. The Agencies expect that there will be significant variation in analytical frameworks across institutions, with each institution tailoring its framework to leverage existing technology platforms and risk management procedures. These approaches may only be used, provided they meet the supervisory standards and include, as inputs, internal operational loss event data, relevant external operational loss event data, assessments of business environment and internal control factors, and scenario analysis. The Agencies do expect that there will be some uncertainty and potential error in the analytical frameworks because of the evolving nature of operational risk measurement and data capture. Therefore, a degree of conservatism will need to be built into the analytical frameworks to reflect the evolutionary status of operational risk and its impact on data capture and analytical modeling. A diversity of analytical approaches is emerging in the industry, combining and weighting these inputs in different ways. Most current approaches seek to estimate loss frequency and loss severity to arrive at an aggregate loss distribution. Institutions then use the aggregate loss distribution to determine the appropriate amount of capital to hold for a given soundness standard. Scenario analysis is also being used by many institutions, albeit to significantly varying degrees. Some institutions are using scenario analysis as the basis for their analytical framework, while others are incorporating scenarios as a means for considering the possible impact of significant operational losses on their overall operational risk exposure. The primary differences among approaches being used today relate to the weight that institutions place on each input. For example, institutions with comprehensive internal data may place less emphasis on external data or scenario analysis. Another example is that some institutions estimate a unique loss distribution for each business line/loss type combination (bottom-up approach) while others estimate a loss distribution on a firm-wide basis and then use an allocation methodology to assign capital to business lines (top-down approach). The Agencies expect internal loss event data to play an important role in the institution's analytical framework, hence the requirement for five years of internal operational risk loss data. However, as footnote 5 makes clear, five years of data is not always required for the analytical framework. For example, if a bank exited a business line, the institution would not be expected to make use of that business unit's loss experience unless it had relevance for other activities of the institution. Another example would be where a bank has made a recent acquisition where the acquired firm does not have internal loss event data. In these cases, the Agencies expect the institution to make use of the loss data available at the acquired institution and any internal loss data from operations similar to that of the acquired firm, but the institution will likely have to place more weight relevant external loss event data, results from scenario analysis, and factors reflecting assessments of the business environment and internal controls. Whatever analytical approach an institution chooses, it must document and provide the rationale for all assumptions embedded in its chosen analytical framework, including the choice of inputs, distributional assumptions, and the weighting of qualitative and quantitative elements. Management must also document and justify any subsequent changes to these assumptions. This documentation should: [sbull] Clearly identify how the different inputs are combined and weighted to arrive at the overall operational risk exposure so that the analytical framework is transparent. The documentation should demonstrate that the analytical framework is comprehensive and internally consistent. Comprehensiveness means that all required inputs are incorporated and appropriately weighted. At the same time, there should not be overlaps or double counting. [sbull] Clearly identify the quantitative assumptions embedded in the methodology and provide explanation for the choice of these assumptions. Examples of quantitative assumptions include distributional assumptions about frequency and severity, the methodology for combining frequency and severity to arrive at the overall loss distribution, and dependence assumptions between operational losses across and within business lines. [sbull] Clearly identify the qualitative assumptions embedded in the methodology and provide explanations for the choice of these assumptions. Examples of qualitative assumptions include the use of business environment and control factors as well as scenario analysis in the approach. [sbull] Where feasible, provide results based purely on quantitative methods separately from results that incorporate qualitative factors. This will provide a transparent means of determining the relative importance of quantitative versus qualitative inputs. [sbull] Where feasible, provide results based on alternative quantitative and qualitative assumptions to gauge the overall model's sensitivity to these assumptions. [sbull] Provide a comparison of the operational risk exposure estimate generated by the analytical framework with actual loss experience over time, to assess the reasonable of the framework's outputs. [sbull] Clearly identify all changes to assumptions, and provide explanations for such changes. [sbull] Clearly identify the results of an independent verification of the analytical framework. The regulatory capital charge for operational risk will include both expected losses (EL) and unexpected losses (UL). The Agencies have considered two approaches that might allow for some recognition of EL; these approaches are reserving and budgeting. However, both approaches raise questions about their ability to act as an EL offset for regulatory capital purposes. The current U.S. GAAP treatment for reserves (or liabilities) is based on an incurred-loss (liability) model. Given that EL is looking beyond current losses to losses that will be incurred in the future, establishing a reserve for operational risk EL is not likely to meet U.S. accounting standards. While reserves are specific allocations for incurred losses, budgeting is a process of generally allocating future income for loss contingencies, including losses resulting from operational risk. Institutions will be required to demonstrate that budgeted funds are sufficiently capital-like and remain available to cover EL over the next year. In addition, an institution will not be permitted to recognize EL offsets on budgeted loss contingencies that fall below the established data thresholds; this is relevant as many institutions currently budget for low severity, high frequency events that are more likely to fall below most institutions' thresholds. An institution's analytical framework complements but does not substitute for prudent controls. Rather, with improved risk measurement, institutions are finding that they can make better- informed strategic decisions regarding enhancements to controls and processes, the desired scale and scope of the operations, and how insurance and [[Page 45986]] other risk mitigation tools can be used to offset operational risk exposure. B. Accounting for Dependence Supervisory Standards S 29. Management must document how its chosen analytical framework accounts for dependence (e.g., correlations) among operational losses across and within business lines. The institution must demonstrate that its explicit and embedded dependence assumptions are appropriate, and where dependence assumptions are uncertain, the institution must use conservative estimates. Management must document how its chosen analytical framework accounts for dependence (e.g., correlation) between operational losses across and within business lines. The issue of dependence is closely related to the choice between a bottom-up or a top-down modeling approach. Under a bottom-up approach, explicit assumptions regarding cross-event dependence are required to estimate operational risk exposure at the firm-wide level. Management must demonstrate that these assumptions are appropriate and reflect the institution's current environment. If the dependence assumptions are uncertain, the institution must choose conservative estimates. In so doing, the institution should consider the possibility that cross-event dependence may not be constant, and may increase during stress environments. Under a top-down approach, an explicit assumption regarding dependence is not required. However, a parametric distribution for loss severity may be more difficult to specify under the top-down approach, as it is a statistical mixture of (potentially) heterogeneous business line and event type distributions. Institutions must carefully consider the conditions necessary for the validity of top-down approaches, and whether these conditions are met in their particular circumstances. Similar to bottom-up approaches, institutions using top-down approaches must ensure that implicit dependence assumptions are appropriate and reflect the institution's current environment. If historic dependence assumptions embedded in top-down approaches are uncertain, the institution must be conservative and implement a qualitative adjustment to the analysis. IX. Risk Mitigation Supervisory Standards S 30. Institutions may reduce their operational risk exposure results by no more than 20% to reflect the impact of risk mitigants. Institutions must demonstrate that mitigation products are sufficiently capital-like to warrant inclusion in the adjustment to the operational risk exposure. There are many mechanisms to manage operational risk, including risk transfer through risk mitigation products. Because risk mitigation can be an important element in limiting or reducing operational risk exposure in an institution, an adjustment is being permitted that will directly impact the amount of regulatory capital that is held for operational risk. The adjustment is limited to 20% of the overall operational risk exposure result determined by the institution using its loss data, qualitative factors, and quantitative framework. Currently, the primary risk mitigant used for operational risk is insurance. There has been discussion that some securities products may be developed to provide risk mitigation benefits; however, to date, no specific products have emerged that have characteristics sufficient to be considered capital-replacement for operational risk. As a result, securities products and other capital market instruments may not be factored in to the regulatory capital risk mitigation adjustment at this time. For an institution that wishes to adjust its regulatory capital requirement as a result of the risk mitigating impact of insurance, management must demonstrate that the insurance policy is sufficiently capital-like to provide the cushion that is necessary. A product that would fall in this category must have the following characteristics: [sbull] The policy is provided through a third party \13\ that has a minimum claims paying ability rating of A; \14\ --------------------------------------------------------------------------- \13\ Where operational risk is transferred to a captive or an affiliated insurer such that risk is retained within the group structure, recognition of such risk transfer will only be allowed for regulatory capital purposes where the risk has been transferred to a third party (e.g., an unaffiliated reinsurer) that meets the standards set forth in this section. \14\ Rating agencies may use slightly different rating scales.For the purpose of this supervisory guidance, the insurer must have a rating that is at least the equivalent of A under Standard and Poor's Insurer Financial Strength Ratings or an A2 under Moody's Insurance Financial Strength Ratings. --------------------------------------------------------------------------- [sbull] The policy has an initial term of one year; \15\ --------------------------------------------------------------------------- \15\ Institutions must decrease the amount of the adjustment if the remaining term is less than one year. The institution must have a clear policy in place that links the remaining term to the adjustment factor. --------------------------------------------------------------------------- [sbull] The policy has no exclusions or limitations based upon regulatory action or for the receiver or liquidator of a failed bank; [sbull] The policy has clear cancellation and non-renewal notice periods; and [sbull] The policy coverage has been explicitly mapped to actual operational risk exposure of the institution. Insurance policies that meet these standards may be incorporated into an institution's adjustment for risk mitigation. An institution should be conservative in its recognition of such policies, for example, the institution must also demonstrate that insurance policies used as the basis for the adjustment have a history of timely payouts. If claims have not been paid on a timely basis, the institution must exclude that policy from the operational risk capital adjustment. In addition, the institution must be able to show that the policy would actually be used in the event of a loss situation; that is, the deductible may not be set so high that no loss would ever conceivably exceed the deductible threshold. The Agencies will not specify how institutions should calculate the risk mitigation adjustment. Nevertheless, institutions are expected to use conservative assumptions when calculating adjustments. An institution should discount (i.e., apply its own estimates of haircuts) the impact of insurance coverage to take into account factors, which may limit the likelihood or size of claims payouts. Among these factors are the remaining terms of a policy, especially when it is less than a year, the willingness and ability of the insurer to pay on a claim in a timely manner, the legal risk that a claim may be disputed, and the possibility that a policy can be cancelled before the contractual expiration. X. Data Maintenance Supervisory Standards S 31. Institutions using the AMA approach for regulatory capital purposes must use advanced data management practices to produce credible and reliable operational risk estimates. Data maintenance is a critical factor in an institution's operational risk framework. Institutions with advanced data management practices should be able to track operational risk loss events from initial discovery through final resolution. These institutions should also be able to make appropriate adjustments to the data and use the data to identify trends, track problem areas, and identify areas of future risk. Such data should include not only operational risk loss event information, but also information on risk assessments, which are factored into the operational risk exposure calculation. In general, institutions using the AMA [[Page 45987]] should have the same data maintenance standards for operational risk as those set forth for A-IRB institutions under the credit risk guidance. Operational risk data elements captured by the institution must be of sufficient depth, scope, and reliability to: [sbull] Track and identify operational risk loss events across all business lines, including when a loss event impacts multiple business lines. [sbull] Calculate capital ratios based on operational risk exposure results. The institution must also be able to factor in adjustments related to risk mitigation, correlations, and risk assessments. [sbull] Produce internal and public reports on operational risk measurement and management results, including trends revealed by loss data and/or risk assessments. The institution must also have sufficient data to produce exception reports for management. [sbull] Support risk management activities. The data warehouse \16\ 16 must contain the key data elements needed for operational risk measurement, management, and verification. The precise data elements may vary by institution and also among business lines within an institution. An important element of ensuring consistent reporting of the data elements is to develop comprehensive definitions for each data element used by the institution for reporting operational risk loss events or for the risk assessment inputs. The data must be stored in an electronic format to allow for timely retrieval for analysis, verification and testing of the operational risk framework, and required disclosures. --------------------------------------------------------------------------- \16\ In this document, the terms ``database'' and ``data warehouse'' are used interchangeably to refer to a collection of data arranged for easy retrieval using computer technology. --------------------------------------------------------------------------- Management will need to identify those responsible for maintaining the data warehouse. In particular, policies and processes will need to be developed for delivering, storing, retaining, and updating the data warehouse. Policies and procedures must also cover the edit checks for data input functions, as well as the requirements for the testing and verification function to verify data integrity. Like other areas of the operational risk framework, it is critical that management ensure accountability for ongoing data maintenance, as this will impact operational risk management and measurement efforts. XI. Testing and Verification Supervisory Standards S 32. The institution must test and verify the accuracy and appropriateness of the operational risk framework and results. S 33. Testing and verification must be done independently of the firm-wide operational risk management function and the institution's lines of business. The operational risk framework must provide for regular and independent testing and verification of operational risk management policies, processes and measurement systems, as well as operational risk data capture systems. For most institutions, operational risk verification and testing will primarily be done by the audit function. Internal and external audits can provide an independent assessment of the quality and effectiveness of the control systems' design and performance. However, institutions may use other independent internal units (e.g. quality assurance) or third parties. The testing and verification function, whether internally or externally performed, should be staffed by qualified individuals who are independent from the firm-wide operational risk management function and the institution's lines of business. The verification of the operational risk measurement system should include the testing of: [sbull] Key operational risk processes and systems; [sbull] Data feeds and processes associated with the operational risk measurement system; [sbull] Adjustments to empirical operational risk capital estimates, including operational risk exposure; [sbull] Periodic certification of operational risk models used and their underlying assumptions; and [sbull] Assumptions underlying operational risk exposure, data decision models, and operational risk capital charge. The operational risk reporting processes should be periodically reviewed for scope and effectiveness. The institution should have independent verification processes to ensure the timeliness, accuracy, and comprehensiveness of operational risk reporting systems, both at the firm-wide and the line of business levels. Independent verification and testing should be done to ensure the integrity and applicability of the operational risk framework, operational risk exposure/loss data, and the underlying assumptions driving the regulatory capital measurement process. Appropriate reports, summarizing operational risk verification and testing findings for both the independent firm-wide risk management function and lines of business should be provided to appropriate management and the board of directors or a designated board committee. Appendix A: Supervisory Standards for the AMA S 1. The institution's operational risk framework must include an independent firm-wide operational risk management function, line of business management oversight, and independent testing and verification functions. S 2. The board of directors must oversee the development of the firm-wide operational risk framework, as well as major changes to the framework. Management roles and accountability must be clearly established. S 3. The board of directors and management must ensure that appropriate resources are allocated to support the operational risk framework. S 4. The institution must have an independent operational risk management function that is responsible for overseeing the operational risk framework at the firm level to ensure the development and consistent application of operational risk policies, processes, and procedures throughout the institution. S 5. The firm-wide operational risk management function must ensure appropriate reporting of operational risk exposures and loss data to the board of directors and senior management. S 6. Line of business management is responsible for the day-to- day management of operational risk within each business unit. S 7. Line of business management must ensure that internal controls and practices within their line of business are consistent with firm-wide policies and procedures to support the management and measurement of the institution's operational risk. S 8. The institution must have policies and procedures that clearly describe the major elements of the operational risk management framework, including identifying, measuring, monitoring, and controlling operational risk. S 9. Operational risk management reports must address both firm- wide and line of business results. These reports must summarize operational risk exposure, loss experience, relevant business environment and internal control assessments, and must be produced no less often than quarterly. S 10. Operational risk reports must also be provided periodically to senior management and the board of directors, summarizing relevant firm-wide operational risk information. S 11. An institution's internal control structure must meet or exceed minimum regulatory standards established by the Agencies. S 12. The institution must demonstrate that it has appropriate internal loss event data, relevant external loss event data, assessments of business environment and internal controls factors, and results from scenario analysis to support its operational risk management and measurement framework. S 13. The institution must include the regulatory definition of operational risk as the baseline for capturing the elements of the [[Page 45988]] AMA framework and determining its operational risk exposure. S 14. The institution must have clear standards for the collection and modification of the elements of the operational risk AMA framework. S 15. The institution must have at least five years of internal operational risk loss data \17\ captured across all material business lines, events, product types, and geographic locations. --------------------------------------------------------------------------- \17\ With supervisory approval, a shorter initial historical observation period is acceptable for banks newly authorized to use an AMA methodology. --------------------------------------------------------------------------- S 16. The institution must be able to map internal operational risk losses to the seven loss-event type categories. S 17. The institution must have a policy that identifies when an operational risk loss becomes a loss event and must be added to the loss event database. The policy must provide for consistent treatment across the institution. S 18. The institution must establish appropriate operational risk data thresholds. S 19. Losses that have any characteristics of credit risk, including fraud-related credit losses, must be treated as credit risk for regulatory capital purposes. The institution must have a clear policy that allows for the consistent treatment of loss event classifications (e.g., credit, market, or operational risk) across the organization. S 20. The institution must have policies and procedures that provide for the use of external loss data in the operational risk framework. S 21. Management must systematically review external data to ensure an understanding of industry experience. S 22. The institution must have a system to identify and assess business environment and internal control factors. S 23. Management must periodically compare the results of their business environment and internal control factor assessments against actual operational risk loss experience. S 24. Management must have policies and procedures that identify how scenario analysis will be incorporated into the operational risk framework. S 25. The institution must have a comprehensive operational risk analytical framework that provides an estimate of the institution's operational risk exposure, which is the aggregate operational loss that it faces over a one-year period at a soundness standard consistent with a 99.9 per cent confidence level. S 26. Management must document the rationale for all assumptions underpinning its chosen analytical framework, including the choice of inputs, distributional assumptions, and the weighting across qualitative and quantitative elements. Management must also document and justify any subsequent changes to these assumptions. S 27. The institution's operational risk analytical framework must use a combination of internal operational loss event data, relevant external operational loss event data, business environment and internal control factor assessments, and scenario analysis. The institution must combine these elements in a manner that most effectively enables it to quantify its operational risk exposure. The institution can choose the analytical framework that is most appropriate to its business model. S 28. The institution's capital requirement for operational risk will be the sum of expected and unexpected losses unless the institution can demonstrate, consistent with supervisory standards, the expected loss offset. S 29. Management must document how its chosen analytical framework accounts for dependence (e.g., correlations) among operational losses across and within business lines. The institution must demonstrate that its explicit and embedded dependence assumptions are appropriate, and where dependence assumptions are uncertain, the institution must use conservative estimates. S 30. Institutions may reduce their operational risk exposure results by no more than 20% to reflect the impact of risk mitigants. Institutions must demonstrate that mitigation products are sufficiently capital-like to warrant inclusion in the adjustment to the operational risk exposure. S 31. Institutions using the AMA approach for regulatory capital purposes must use advanced data management practices to produce credible and reliable operational risk estimates. S 32. The institution must test and verify the accuracy and appropriateness of the operational risk framework and results. S 33. Testing and verification must be done independently of the firm-wide operational risk management function and the institution's lines of business. Dated: July 17, 2003. John D. Hawke, Jr., Comptroller of the Currency. By order of the Board of Governors of the Federal Reserve System, July 21, 2003. Jennifer J. Johnson, Secretary of the Board. Dated at Washington, DC, this 11th day of July, 2003. By order of the Board of Directors. Federal Deposit Insurance Corporation. Robert E. Feldman, Executive Secretary. Dated: July 18, 2003. By the Office of Thrift Supervision. James E. Gilleran, Director. [FR Doc. 03-18976 Filed 8-1-03; 8:45 am] BILLING CODE 4810-33-P |
| Last Updated 07/07/2003 | regs@fdic.gov |