Federal Register Publications

FDIC Federal Register Citations





via email

Citigroup

Comment 1

Document 2: Draft supervisory guidance on Operational Risk Advanced Measurement Approaches for Regulatory Capital

The comments to this paper are indexed to the numbering of the standards in the document.

S 1. The institution’s operational risk framework must include an independent firm wide operational risk management function, line of business management oversight, and independent testing and verification functions.

Clarification of the role of the independent testing and verification functions is required. Our Operational risk framework is reviewed by our independent Audit and Risk Review (ARR) organization. However, testing of controls within each business, as prescribed by our Risk and Control Self-Assessment standards, is performed by individuals within the business. We consider this to be appropriate because the businesses are ultimately responsible for managing and controlling their operational risks.

S 2. The board of directors must oversee the development of the firm-wide operational risk framework, as well as major changes to the framework. Management roles and accountability must be clearly established.

S 3. The board of directors and management must ensure that appropriate resources are allocated to support the operational risk framework.

The Board of Directors does have an important role in reviewing Citigroup’s Operational Risk; however, roles such as resource allocation are more appropriately executed by senior management, rather than the Board.

S 4. The institution must have an independent operational risk management function that is responsible for overseeing the operational risk framework at the firm level to ensure the development and consistent application of operational risk policies, processes, and procedures throughout the institution.

S 5. The firm-wide operational risk management function must ensure appropriate reporting of operational risk exposures and loss data to the board of directors and senior management.

The wording of these standards has been improved substantially and now represents an appropriate division of responsibilities – in particular, the term “framework” describes the role as we have implemented it. With this change, we now feel that this is one area in which we are already well positioned.

S 6. Line of business management is responsible for the day-to-day management of operational risk within each business unit.

S 7. Line of business management must ensure that internal controls and practices within their line of business are consistent with firm-wide policies and procedures to support the management and measurement of the institution’s operational risk.

Again, we support the division of responsibilities as being a suitable basis on which to organise the operational risk management function.

S 8. The institution must have policies and procedures that clearly describe the major elements of the operational risk management framework, including identifying, measuring, monitoring, and controlling operational risk.

We have no fundamental disagreement with any of the aspects of the operational risk management framework that is listed under this standard. We would only comment that if the external data comes from a consortium comprising a fairly small number of banks, it is quite probable that this external loss data may well not include any large potential events. Useful coverage of large events is more likely if the external data comes from a database of large public loss events. The two types of external data have rather different uses.

S 9. Operational risk management reports must address both firm wide and line of business results. These reports must summarize operational risk exposure, loss experience, relevant business environment and internal control assessments, and must be produced no less often than quarterly.

S 10. Operational risk reports must also be provided periodically to senior management and the board of directors, summarizing relevant firm-wide operational risk information.

This is work in progress. We are confident that the result will be that we meet the required standards for reporting.

S 11. An institution’s internal control structure must meet or exceed minimum regulatory standards established by the Agencies.

S 12. The institution must demonstrate that it has appropriate internal loss event data, relevant external loss event data, assessments of business environment and internal controls factors, and results from scenario analysis to support its operational risk management and measurement framework.

S 13. The institution must include the regulatory definition of operational risk as the baseline for capturing the elements of the AMA framework and determining its operational risk exposure.

S 14. The institution must have clear standards for the collection and modification of the elements of the operational risk AMA framework.

The four elements of the AMA framework will play a significant role in both the management and measurement of operational risk. We object to the requirement that any risk measurement system must include the use of all four elements - internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control systems. Certainly, each of these elements is well worth considering as part of the management framework, but a requirement to include all of them in the quantitative measurement may be excessively burdensome. Consider a business that has an internal data set that is sufficient for modeling the risk using an allowable AMA methodology. Such a business should be permitted to proceed without using external data. Similarly, scenario analysis might be an appropriate way to evaluate the results of an AMA model for some business lines, but should not be a required element in every AMA calculation.

To reiterate, only some of these elements may be appropriate for the measurement of the operational risk of a given business unit, though all the elements should be considered in the management of that operational risk.

The significant use of overrides for internal loss data should not be required, other than to correct input errors. However, if external data is used, then there may be many events in the external database that are simply not relevant. Since only relevant external events are required, this could lead to a significant workload to decide and document exactly which events are relevant and which are not.

S 15. The institution must have at least five years of internal operational risk loss data captured across all material business lines, events, product types, and geographic locations.

Initially, less than five years worth of data will be available at the time that the accord is scheduled to become effective. The flexibility described in footnote 12 is essential.

S 16. The institution must be able to map internal operational risk losses to the seven loss-event type categories.

S 17. The institution must have a policy that identifies when an operational risk loss becomes a loss event and must be added to the loss event database. The policy must provide for consistent treatment across the institution.

S 18. The institution must establish appropriate operational risk data thresholds.

S 19. Losses that have any characteristics of credit risk, including fraud-related credit losses, must be treated as credit risk for regulatory capital purposes. The institution must have a clear policy that allows for the consistent treatment of loss event classifications (e.g., credit, market, or operational risk) across the organization.

We opposed the specification in CP3 of a loss data collection threshold because we believed that the threshold should be established by line of business at a level that would be appropriate for the quantification methodology being used there. Thus we particularly welcome the flexibility that the Agencies have incorporated in that we will have the ability to use different data thresholds in different businesses. However, we are concerned that this flexibility will not benefit our card business, for example, which can be typified as having a large number of small losses, all similar in nature, but which in total do represent a significant proportion of the total operational risk losses. Although the number of losses and the size of the losses are already captured with precision, we do not feel that there is a need to capture the detailed information on each individual loss event.

The implication is that the quantification of operational risk will require modeling of individual events, whereas in fact other models may be more suitable for certain businesses, such as the credit card business. We request clarification that the allowable models will not be limited to those that can be considered to model individual events.

We do not see that the cost of capturing comprehensive data on “near misses” in a central database will be warranted, although it is certainly important that business line management be aware of significant occurrences of this type.

We do not see adequate benefit, relative to the costs, to justify capturing, in our operational loss database, data that is already being captured and capitalized as credit or market risk. The cost of the effort to collect this data would be a burden, yet the data would not be used to calculate economic capital or regulatory capital requirements. The implementation of such a process would require resources but not produce a clear benefit where these events are already well managed, e.g., as credit risk. The definition of the regulatory boundary between operational risk and credit risk is a welcome clarification.

S 20. The institution must have policies and procedures that provide for the use of external loss data in the operational risk framework.

S 21. Management must systematically review external data to ensure an understanding of industry experience.

We particularly welcome the fact that external data no longer has to be used as an explicit input into our loss data set. In some instances, we expect to use external data only as a benchmark or perhaps as a form of scenario analysis.

S 22. The institution must have a system to identify and assess business environment and internal control factors.

S 23. Management must periodically compare the results of their business environment and internal control factor assessments against actual operational risk loss experience.

S 24. Management must have policies and procedures that identify how scenario analysis will be incorporated into the operational risk framework.

Again, we do not believe that there is always a necessity to incorporate scenario analysis into the measurement of operational risk regulatory capital. In some instances, scenario analysis is more appropriately used in the management of operational risk, for example to investigate whether the response to certain scenarios would be appropriate. We understand that, by using the term “framework” in this standard, such a use would be acceptable to ensure compliance with this standard.

S 25. The institution must have a comprehensive operational risk analytical framework that provides an estimate of the institution’s operational risk exposure, which is the aggregate operational loss that it faces over a one-year period at a soundness standard consistent with a 99.9 per cent confidence level.

S 26. Management must document the rationale for all assumptions underpinning its chosen analytical framework, including the choice of inputs, distributional assumptions, and the weighting across qualitative and quantitative elements. Management must also document and justify any subsequent changes to these assumptions.

S 27. The institution’s operational risk analytical framework must use a combination of internal operational loss event data, relevant external operational loss event data, business environment and internal control factor assessments, and scenario analysis. The institution must combine these elements in a manner that most effectively enables it to quantify its operational risk exposure. The institution can choose the analytical framework that is most appropriate to its business model.

S 28. The institution’s capital requirement for operational risk will be the sum of expected and unexpected losses unless the institution can demonstrate, consistent with supervisory standards, the expected loss offset.

It should be recognized that direct calculation of specific risk results at a 99.9% confidence level will not be possible for most business lines, given the available data. Any such calculation will be subject to significant errors. We request clarification that the regulatory standards will reflect the practical necessity to generate results at lower confidence levels which can then be scaled to a higher target confidence level using an estimated scaling variable.

We very much doubt that the comparison of the exposure estimate with actual loss experience will enable us to prove that the outputs are reasonable. The model is intended to produce a figure that could occur once every thousand years. Statistically speaking, it is unlikely that a few years or even a few decades will be sufficient time to make such a validation, so judgment will need to be employed in the process for approval of the AMA model.

The inclusion of Expected Losses in the capital requirements will result in punitive capital requirements in higher Expected Loss businesses such as credit cards and some consumer lending, without taking into account the fact that such businesses have fairly stable losses and therefore are less volatile. The same fundamental issues apply to a broader set of businesses in the context of Operational Risk where Expected Losses are routinely built into pricing. The document states that an institution will not be permitted to recognize EL offsets on budgeted loss contingencies that fall below the established data thresholds, and that this is relevant as many institutions currently budget for low severity, high frequency events that are more likely to fall below most institutions’ thresholds. Indeed, this is exactly the case for some of our consumer businesses, where individual losses are small and below the threshold, yet gross losses are high and fairly stable and covered by future margin income. We strongly oppose this guidance. We regard it as critically important that such expected losses be recognized, and that we are not required to cover such losses twice, once through reserves or pricing, and once through capital and that we are not required to capture details individually about these small losses.

S 29. Management must document how its chosen analytical framework accounts for dependence (e.g., correlations) among operational losses across and within business lines. The institution must demonstrate that its explicit and embedded dependence assumptions are appropriate, and where dependence assumptions are uncertain, the institution must use conservative estimates.

Diversification does reduce overall risk levels and Citigroup believes that the AMA must include the opportunity to capture the risk-reducing benefits of diversification and efficiencies of scale. Although correlation of operational risks is certainly less than perfect, empirical data to demonstrate this mathematically will always remain scarce. Therefore, we welcome the new language in this standard and trust that we can demonstrate appropriateness without having to demonstrate validity.

However, this does raise the difficult issue of diversification. If we have a number of legal entities, each of which has to have sufficient capital to cover losses at the 99.9 % confidence level, then the total corporation will be carrying capital sufficient to cover losses at an excessively high confidence level. We see that this could be a sufficiently large problem to impede the use of the AMA altogether. Subsidiary legal vehicles might not warrant the complexity of an AMA, and there might be no point in having an AMA at the group level if the capital requirement at that level is simply the sum of the capital requirements at the lowest level. A solution that addresses the issue of diversification is required.

S 30. Institutions may reduce their operational risk exposure results by no more than 20% to reflect the impact of risk mitigants. Institutions must demonstrate that mitigation products are sufficiently capital-like to warrant inclusion in the adjustment to the operational risk exposure.

In principle, we object to floors and caps and welcome their elimination over time, including the 20% limit on insurance-related capital benefits. The recognition of risk mitigation is welcome, but should be expanded beyond insurance in due course, as we believe is implied in this ANPR. However, we favor an initial increase in the amount of the cap above 20%, followed by its eventual elimination.

It is not sound from an economic perspective to deny both the benefits of using a captive insurance company and the consolidation of their capital. If the risk has to be passed through the captive insurer, then the capital of that insurer should be recognized. The approach should be changed so that the capital in the captive is recognized as available to cover firm risks. The current draft denies most of the benefits of using a captive insurer, while on the other hand it restricts the recognition of the capital held in that insurer.

S 31. Institutions using the AMA approach for regulatory capital purposes must use advanced data management practices to produce credible and reliable operational risk estimates.

S 32. The institution must test and verify the accuracy and appropriateness of the operational risk framework and results.

S 33. Testing and verification must be done independently of the firm-wide operational risk management function and the institution’s lines of business.

This again raises the question of exactly what is meant by independence, which was discussed earlier.


Comment 2
 

Document 3: Draft supervisory guidance on Internal Ratings-Based Systems for Corporate Credit

In general, we find the Draft Guidance to be highly prescriptive for the corporate credit rating systems of Advanced Banks. These prescriptions could lead to “less-than-best practice” rating systems, multiple ratings systems, onerous processes and in some cases, may introduce systemic risk into the banking system. At times, the Draft Guidance appeared to be written with extreme focus on each section but with minimal appreciation of how all of the sections would work together. In addition, some of the key points appear to be drawn from evidence based on bond defaults, which can vary significantly from outcomes in the loan segment. There are other indications that the guidelines are meant to apply mainly to banks that operate only within North America and/or Europe, where rating agency data is more relevant, where external benchmarks are available and where single business cycles can be applied. These conditions do not apply to a global bank such as Citigroup, which operates in over 100 countries.

Best Practice vs. Conservatism: Although one of the stated requirements is that the “(r)atings used for regulatory capital must be the same ratings used to guide day-to-day credit risk management activities”, the Guidance simultaneously states "Parameter estimates must incorporate a degree of conservatism that is appropriate for the overall robustness of the quantification process" and “the bank must adjust estimates conservatively in the presence of uncertainty or potential error”. We could not find any delineation of how a bank is to square the standard of adhering to internal credit risk management with the proscriptive rules on “conservatism”. Clearly, any type of modeling of credit risk involves a degree of uncertainty, given the relative rarity of default. Adjusting all the parameters conservatively, as well as following the prescriptions listed below will result in overly conservative ratings, rather than best estimates of the risk, affecting our ability to compete in the marketplace (where we compete against many different intermediaries, many of whom do not fall under these regulations):

o The prohibition against the use of joint default probabilities despite recognition of the favorable risk-mitigation effect.

o The prohibition against implied support or verbal assurances, even in the presence of supporting empirical evidence.

o The prohibition against LGDs of zero. Our empirical studies indicate that LGDs of zero are relatively frequent and, in some cases we actually have found negative LGDs. For instance, trade loans guaranteed by the Exim Bank, where the guarantee covers any interest drag during the 6-month filing period.

o The required reliance on stressed PDs. As such, the risk measures move away from the most probable estimates of individual obligor defaults toward the worst case scenarios, no longer producing a good measure of expected loss of an obligor or of the economic risk for a global portfolio. A measure of economic capital for corporate credit risk that was based on stressed PDs for all obligors in all the industries and countries around the world we operate in would materially exaggerate our risks. With regard to the PDs, the ANPR asserts that ratings must “take into account possible adverse events that might increase an obligor’s likelihood of default.” There is little guidance as to what is appropriate within the “possible adverse events” schema.

o Required reliance on stressed LGDs, in addition to stressed PDs: the ANPR states that loss severity ratings must “reflect losses expected during periods with a relatively high number of defaults”. Although research based on bond default and recovery rates has shown a positive correlation between the total number of bond defaults in the economy within a year and the average LGD, such a relationship has not been established for loans – at least based on our own internal work (more on the reliance on bond data further on). Historically, there has been a material difference between how our bank has typically managed corporate loans after default and how defaulted bonds are treated in the market.

Reliance on Agency Processes and Vendor Models

o The guidance indicates a regulatory preference for agency practices or vendors over that of banks. The multiple requirements to map, validate and define rating practices using external ratings as benchmarks is troubling for several reasons:

• Lack of clear ratings definitions and transparent processes at the agencies or vendors. It is unclear what validation standards are to be applied to the agencies and vendors that are consistent with requirements on the internal ratings processes of banks. In our own research, we have found agency ratings to be inconsistent across industries, for instance, in terms of implied default rates. The published studies from the agencies lack that level of granularity. Similarly, the output from some of our validated internal models varies considerably from some vendor models.

• Rating agencies have focused on the bond markets, not on loans. For instance, the studies cited regarding the correlation on defaults and losses are generally based on an analysis of bond defaults and losses.

• The focus and experience of rating agencies are largely limited to North America and Europe. The empirical data on ratings and recovery are heavily weighted toward these two markets. Rating agencies have limited experience and data in many markets we operate in.

o The guidance implies a reliance on the agencies and other “third parties” for validating ratings processes without providing the standards to which the third parties will be held. For instance, it is unclear how the supervisors would view a rating process where the conceptual practices are sound and the validation against defaults, for instance, proves quite compelling but the comparison to external ratings produces divergent outcomes.

o The guidance places considerable importance on benchmarking, often to external agencies; however, ratings vary for many reasons and, except against actual default/loss events, it is near impossible to determine what an individual rating should be. Indeed, one supervisory standard speaks about a bank adopting and defending a ratings philosophy, but the Guidance gives overly broad definitions of two different philosophies ("through-the-cycle" and "point-in-time"). Later, though, the Guidance states "The ratings agencies are commonly believed to use through-the-cycle rating approaches." As such, requiring a convergence to agency ratings or any other external benchmark may introduce a higher degree of systemic risk.

o The guidance also states “banks will eventually be expected to use variables that are widely recognized as the most reliable predictors of default risk in mapping exercises”. Who is the arbiter of “most reliable predictors” and how is “most reliable” determined? This would seem to go very much against the premise that credit risk analysis is evolving and the availability of data will allow enhancements to the current state of credit risk analysis. For instance, the guidance cites that borrower size is predictive but less so than leverage and cash flow, without citing the source of that statement. This citation seems extremely broad and sweeping. We have developed a large number of rating models for different industries and global regions based on and validated by the empirical data from that industry/region. In some of our internal modeling efforts, size proved to be the most significant determinant of credit quality. And yet, in other internal modeling efforts, we found the key determinants of credit quality and their relative importance to vary from industry to industry, market to market. We think it is inappropriate and naïve for the ANPR to assume that the relative importance of the particular input variables needed to estimate an obligor’s PD is universal for all corporations, in all industries and countries of the world. Finally, this emphasis on use of widely recognized variables may introduce systematic risk into the banking system. To wit: if all banks use widely-recognized variables in their models, then banks may all move in tandem in and out of markets, heightening volatility and potentially damaging whole sectors of the economy.

Practical Issues for Global Banks

There are many processes included in the guidance, which are quite burdensome, without appearing to add significant value.

Re-estimating or validating the model/process risk parameters on an annual basis: Except for the largest markets, such as the United States, there will rarely be sufficient new defaults and resolved defaults (for LGD/EAD) to justify the re-estimation and reprogramming, testing, training and distribution of models and processes used to assign ratings. Even within the United States, there are generally few defaults within a particular industry/geography segment of a portfolio on an annual basis, much less a quarterly basis, except in the SME. On average, defaults take more than a year to resolve, so even during periods of higher-than-average defaults, the additional information would not seem to justify the required changes. Constant turnover in rating methodologies and processes could jeopardize the quality of the ratings. In addition, given that the Guidance states a minimum of five years of reference data, which must include periods of economic stress to estimate PDs, re-estimating or validating year after year during an economic expansion may dilute the stressed periods' data and weaken a model's ability to accurately assess risks when a downturn occurs.

Re-rating the portfolio for each change to the rating process: In addition, the process becomes even more onerous with the requirement to re-rate the entire portfolio every time a rating process changes. It is possible to re-rate a portfolio to the degree that all inputs into a rating are quantifiable. However, a system that relies both on models and expertise is difficult to replicate. The risk manager may not apply the same adjustment to a rating once the model changes.

Gauging impact of changes in actual economic circumstances on PDs and LGDs: This guidance may seem relatively straightforward for a bank operating in a single or relatively few markets. However, in building models or establishing LGDs that cover multiple countries, economic cycles often diverge or are not easily identifiable.

Calibrate models to fit customer base: We request more information on this requirement. This requirement could become very burdensome for a large global bank where the portfolios change rapidly. Our goal is to build models, for instance, that are appropriate for rating across the credit spectrum, even if all of the current customer base are rated investment grade. Models built on one industry or geography can be tested for ratings accuracy on other customers, assuming that the concepts are sound for the other business. If for instance, a rating model is built on corporates in Eastern Europe and due to an acquisition in Poland, companies from that country become more prevalent in the portfolio, is the existing model invalid? If the acquired bank did not have 5 years of data on the customers, should the model be recalibrated?

Comparability of reference data to current credit portfolio: As above, more clarification is requested, as well as some examples of how to establish that comparability.

Potential Erosion of Comparative Advantage: We need to understand the exact nature of what would be disclosed in "Summaries of (trends developed from obligor and facility risk rating data)…included…public disclosures."

Appropriate Control and Oversight Mechanisms. In contrast to market risk, the guidance requires an additional level of internal review of ratings and all ratings processes, models, and data aside from Audit and regulatory oversight. For banks where the responsibilities are already distributed across independent risk functions, this additional level of review is superfluous, expensive and bureaucratic.

• While we believe in independent oversight, the prescripts found in the Control and Oversight sections are inconsistent, impractical, and contradict current best practices in the industry, and as outlined by the Agency’s own on-site supervisory staff. In fact, the guidance is internally inconsistent and arbitrary—for example section 213 describes ‘flexibility’ while table 4.1 mandates the creation of a ‘ratings system review’ area. We ask the Agencies to reconsider their approach in its entirety.

• We are concerned that the Agencies, in spite of their good intentions, are shockingly naïve in their underlying premise regarding how a bank typically operates effectively. In sections 215-216 and 220, two very different institutions are described (one with independent model-based ratings development groups vs. one without), but in BOTH circumstances a separate ratings review function is necessary. In the latter case, we agree. In the former case, we completely disagree; the prescribed role is typically performed by the ‘loan review group’ that is often found in Internal Audit. In this situation, there are lending officers that have only modest discretion to adjust ratings, there is an independent ratings-setting group that reports to independent risk management, and there is Internal Audit/Loan Review.

• For banking institutions that primarily use models to assign ratings, only two independent organizational units are necessary to create the ‘checks and balances’—an Independent Ratings Group and Internal Audit’s Loan Review Group. A ‘Ratings Review Group’ as described in Table 4.2 in the text is completely superfluous. Specifically, all responsibilities are already accounted for in an organization such as ours:

Responsibility (per Table 4.2)        | Group Responsible
Design of ratings systems             | Independent Ratings Group
Compliance with policies              | Audit/Loan Review
Check risk rating grades              | Audit/Loan Review
Consistency across industries         | Indep Ratings Group and Audit/Loan Review
Model development                     | Audit/Loan Review
Model use                             | Audit/Loan Review
Overrides and policy exceptions       | Audit/Loan Review
Quantification process                | Independent Ratings Group
Back testing                          | Audit/Loan Review
Actual and predicted ratings trans.   | [meaning is unclear]
Benchmarking                          | Independent Ratings Group
Adequacy of data maintenance          | Audit/Loan Review
Identify errors and flaws             | [meaning is unclear]
Recommend corrective actions          | Audit/Loan Review


• The agencies fail to realize that when a Ratings Group reports to independent risk management, they have no incentive to sacrifice ratings accuracy for sales and marketing purposes. In fact, just the opposite is true: the ethos that develops in such a group is one of economic logic, empirical facts, thoughtful modeling, which is the best ‘check and balance’ against the influence of sales and marketing. And then Audit/Loan Review creates even more independence.

• The Ratings system oversight suggested by the guidance is impractical and obfuscates the role of management. The risk-rating system can best be understood by practitioners, and not by directors who will be unable to understand the data and detail inherent in this task.
 


 
Last Updated 11/07/2003 regs@fdic.gov

Last Updated: August 4, 2024