via e-mail
November 3, 2003Comment 1
KeyCorp’s Response to Draft Supervisory Guidance on
Internal Ratings-Based Systems for Corporate Credit
Introduction
KeyCorp considers itself privileged to be able to comment on the U.S.
Regulatory Agencies’ Draft Supervisory Guidance on Internal
Ratings-Based Systems for Corporate Credit document published in the
Federal Register, August 4, 2003 along with the Advanced Notice of
Proposed Rulemaking (ANPR).
KeyCorp has actively participated with industry groups such as RMA,
IIF and ISDA in constructing their responses to the ANPR as well as
Basel II in general. We are honored to have had the opportunity to work
with them, as well as all other participating financial institutions.
Also, as an individual institution, we have discussed and advanced
concepts, analysis and models on numerous occasions and on various
topics to regulators active in the Basel II process.
We are in general agreement with the positions taken in the RMA
industry group’s response to the Draft Supervisory Guidance on Internal
Ratings-Based Systems for Corporate Credit. Listed below are some issues
we believe may not have been adequately covered by the industry working
groups, or that we think deserve extra emphasis.
This document only covers KeyCorp’s position on items contained in
the Draft Supervisory Guidance on Internal Ratings-Based Systems for
Corporate Credit. Separate documents are being sent as our response to
the Advanced Notice of Proposed Rulemaking and Draft Supervisory
Guidance regarding Operational Risk Measurement and Management.
Dr. Ashish K. Dev
Executive Vice President
Risk Management
KeyCorp
KeyCorp’s Response to Draft Supervisory Guidance on
Internal Ratings-Based Systems for Corporate Credit
Detailed Comments
This paper is KeyCorp’s response to the Draft Supervisory Guidance on
Internal Ratings-Based Systems for Corporate Credit document published
in the Federal Register, August 4, 2003. Separate papers deal with our
views on the Advanced Notice of Proposed Rulemaking and the Draft
Supervisory Guidance regarding Operational Risk Measurement and
Management.
Our responses focuses on those areas where an alternative
prescription may serve the supervisors better, or where supervisory
guidance might be better aligned with best practices, and on those areas
where additional clarification is needed. We greatly appreciate this
opportunity to engage in constructive dialog on the very important
matter of bank supervision of internal ratings systems.
Our responses are grouped by supervisory standard, printed in bold
and numbered with the prefix “S”. In some cases supplemental text has
been included along with the standard. We have restated only those
standards that we chose to comment on.
S4. Banks must record obligor defaults in accordance with the IRB
definition of default.
The IRB definition of default largely coincides with the situations
we use at Key Bank to identify a facility as non-accruing. There are
some exceptions. (For example, a company that continues to meet its
obligations while in bankruptcy reorganization.) If the IRB definition
were identified with non-accrual status, implementation would be made
simpler.
S5. Banks must assign discrete obligor grades.
33. While banks may use models to estimate probabilities of default
for individual obligors, the IRB approach requires banks to group the
obligors into discrete grades. Each obligor grade, in turn, must be
associated with a single PD.
This standard seems unnecessary. Why assign all obligors with the
same rating the same PD? Why not permit default ratings to be associated
with a range of PDs? In situations where the bank is able to estimate a
PD, as opposed to merely ascribing an obligor rating, it should be
allowed to use the estimated PD rather than the average PD associated
with its grade in its economic capital calculation.
S7. Separate exposures to the same obligor must be assigned to the
same obligor rating grade.
S19. Banks reflecting the risk-mitigating effect of guarantees must
do so by either adjusting PDs or LGDs, but not both.
It is possible that some facilities of a given obligor may involve
guarantees while others may not. Applying the risk-mitigating effect of
the guarantee to the PD may result in different obligor ratings. Either
an exception to S7 needs to be made for this situation, or S19 should
direct that the effect of guarantees be applied by adjusting the LGDs.
S8. In assigning an obligor to a rating category, the bank must
assess the risk of obligor default over a period of at least one year.
S9. Obligor ratings must reflect the impact of financial distress.
37. In assigning an obligor to a rating category, the bank must
assess the risk of obligor default over a period of at least one year.
This use of a one-year assessment horizon does not mean that a bank
should limit its consideration to outcomes for that obligor that are
most likely over that year; the rating must take into account possible
adverse events that might increase an obligor’s likelihood of default.
In analyzing corporate credit risk at Key, adverse outcomes that may
occur beyond a one-year period for obligors to which we have a greater
than one year exposure are reflected in estimated mark-to-market losses.
M-T-M losses do not enter into the risk rating, which is a simple
two-dimensional rating based on a 1-year PD and LGD. M-T-M losses do,
however, enter into the formula for economic capital. Expected M-T-M
losses and economic capital both factor into the break-even pricing
calculation.
If the intent here is that banks “stress” the financial ratio inputs
that drive an obligor rating, then we would recommend against
implementing this standard. Applying subjective stress tests to each
credit would be costly, produce significant non-comparability, and would
result in less accurate ratings and PDs than the process typically used
now at most banks.
S10. Banks must adopt a ratings philosophy. Policy guidelines should
describe the ratings philosophy, particularly how quickly ratings are
expected to migrate in response to economic cycles.
S11. A bank’s capital management policy must be consistent with its
ratings philosophy in order to avoid capital shortfalls in times of
systematic economic stress.
We have no disagreement with these two standards. We fully recognize
that a bank that adopts a Point-in-Time rating philosophy and therefore
a Point-in-Time capital management philosophy will likely require more
capital during a recession than during the rest of the cycle. However,
these regulations are intended to specify minimum capital requirements.
Most banks will continue to maintain capital in excess of the minimum as
a cushion for times of systemic economic stress. The size of the cushion
will fluctuate and will allow the bank to avoid having to raise capital
during stress periods.
S16. Loss severity ratings must reflect losses expected during
periods with a relatively high number of defaults.
51. Like obligor ratings, which group obligors by expected default
frequency, loss severity ratings assign facilities to groups that are
expected to experience a common loss severity. However, the different
treatment accorded to PD and LGD in the model used to calculate IRB
capital requirements mandates an asymmetric treatment of obligor and
loss severity ratings. Obligor ratings assign obligors to groups that
are expected to experience common default frequencies across a number of
years, some of which are years of general economic stress and some of
which are not. In contrast, loss severity ratings (or estimates) must
pertain to losses expected during periods with a high number of defaults
– particular years that can be called stress conditions. For cases in
which loss severities do not have a material degree of cyclical
variability, use of a long-run default weighted average is appropriate,
although stress condition LGD generally exceeds these averages.
This standard is problematic for Key Bank. Because the IRB capital
model does not include PD-LGD correlation and LGD variability, we agree
that a stress condition LGD is appropriate for calculating regulatory
capital. But, because these features are built into our internal
economic capital models, we would prefer to base internal ratings on a
weighted average LGD. We suggest that banks be allowed to use weighted
average LGDs when the internal capital model is formulated to replicate
stress conditions.
S22. Banks must have ongoing validation processes that include the
review of developmental evidence, ongoing monitoring, and the comparison
of predicted parameter values to actual outcomes (back-testing).
65. Generally, the evaluation of developmental evidence will include
a body of expert opinion. For example, developmental evidence in support
of a statistical rating model must include information on the logic that
supports the model and an analysis of the statistical model-building
techniques. In contrast, developmental evidence in support of a
constrained-judgment system that features guidance values of financial
ratios might include a description of the logic and evidence relating
the values of the ratios to past default and loss outcomes.
We interpret this standard, in conjunction with S31 below, to mean
that reliance upon vendor supplied developmental evidence is acceptable
assuming that
1) The bank has analyzed the logic that supports the model and the
statistical model-building technique,
2) The bank has verified that PD estimates are long-run averages,
3) Reference data used in the default model meets the long-run
requirement, and
4) The model has been calibrated to capture the default experience
over a reasonable mix of good and bad years of the economic cycle.
S24. Banks must develop statistical tests to back-test their IRB
rating systems.
S25. Banks must establish internal tolerance limits for differences
between expected and actual outcomes.
S26. Banks must have a policy that requires remedial actions be taken
when policy tolerances are exceeded.
77. At this time, there is no generally agreed-upon statistical test
of the accuracy of IRB systems. Banks must develop statistical tests to
back-test their IRB rating systems. In addition, banks must have a
policy that specifies internal tolerance limits for comparing
back-testing results. Importantly, that policy must outline the actions
that would be taken whenever policy limits are exceeded.
These standards are reasonable and reflective of best practice. But
we are concerned about the setting of “tolerance limits.” There may be
no good actions to be taken when “tolerance limits” are exceeded if the
current system already reflects the state-of-the-art.
We advise that S25 and S26 be modified to simply require ongoing
review of performance with a view toward improvement. Benchmarking and
back-testing requirements should be sufficient for this task.
S27. IRB institutions must have a fully specified process covering
all aspects of quantification (reference data, estimation, mapping, and
application). The quantification process, including the role and scope
of expert judgment, must be fully documented and updated periodically.
Data – First, the bank constructs a reference data set, or source of
data, from which parameters can be estimated. Reference data sets
include internal data, external data, and pooled internal/external data.
Important considerations include the comparability of the reference data
to the current credit portfolio, whether the sample period
“appropriately” includes periods of stress, and the definition of
default used in the reference data. The reference data must be described
using a set of observed characteristics; consequently, the data set must
contain variables that can be used for this characterization. Relevant
characteristics might include external debt ratings, financial measures,
geographic regions, or any other factors that are believed to be related
in some way to PD, LGD, or EAD. More than one reference data set may be
used.
Estimation – Second, the bank applies statistical techniques to the
reference data to determine a relationship between characteristics of
the reference data and the parameters (PD, LGD, or EAD). The result of
this step is a model that ties descriptive characteristics of the
obligor or facility in the reference data set to PD, LGD, or EAD
estimates.
In this context, the term ‘models’ is used in the most general sense;
a model may be simple, such as the calculation of averages, or more
complicated, such as an approach based on advanced regression
techniques. This step may include adjustments for differences between
the IRB definition of default and the default definition in the
reference data set, or adjustments for data limitations. More than one
estimation technique may be used to generate estimates of the risk
components, especially if there are multiple sets of reference data or
multiple sample periods.
S28. Parameter estimates and related documentation must be updated
regularly.
87. The parameter estimates must be updated at least annually, and
the process for doing so must be documented in bank policy. The update
should also evaluate the judgmental adjustments embedded in the
estimates; new data or techniques may suggest a need to modify those
adjustments.
We interpret these standards in conjunction with S31 below to mean
that reliance upon pooled data, vendor supplied statistical models, and
parameter estimates is acceptable. The concern here is with the
requirement that parameter estimates “must be updated at least
annually.” A vendor is unlikely to revise a model so frequently, but
rather is more likely to wait to do so until performance of the model
can be demonstrably improved.
S31. Parameter estimates must incorporate a degree of conservatism
that is appropriate for the overall robustness of the quantification
process.
S32. The sample for the reference data must be at least five years,
and must include periods of economic stress during which default rates
were relatively high.
98. Note that this principle does not simply restate the requirement for
five years of data: periods of stress during which default rates are
relatively high must be included in the data sample. Exclusion of such
periods biases PD estimates downward and unjustifiably lowers regulatory
capital requirements.
In some instances all available data may not include a period of
stress during which default rates were relatively high. A case in point
might be commercial real estate lending for which the last period of
stress was the late 1980s to early 1990s. For many banks data is simply
not available from this time period. In our view the absence of such
data should not preclude a bank from adopting advanced IRB capital
provided an appropriate degree of conservatism is applied to parameter
estimates for such a portfolio, with the approval of the supervisors.
For other business lines 5 years of historical data may not be
available at the start of Basel II. For these we suggest that the “start
date” for achieving the minimum historical data requirement be the date
on which the final capital rules and supervisory guidance are published.
Assuming this occurs, for example, at year-end 2004, core banks would be
required to have at least 2 years of historical data by the beginning of
Basel II (January 2007). Some business lines, of course, would fulfill
the 5-years requirement by January 2007, but some lines would not meet
the requirement until year-end 2009. A “phase-in” process of this type
is necessary we feel.
S34. Estimates of default rates must be empirically based and must
represent a long-run average.
105. Statistical default prediction models may also play a role in PD
estimation.
For example, the characteristics of the reference data might include
financial ratios or a distance-to-default measure, as defined by a
specific implementation of a Merton-style structural model.
106. For a model-based approach to meet the requirement that ultimate
grade
PD estimates be long-run averages, the reference data used in the
default model must meet the long-run requirement. For example, a model
can be used to relate financial ratios to likelihood of default based on
the outcome for the firms – default or non-default. Such a model must be
calibrated to capture the default experience over a reasonable mix of
good and bad years of the economic cycle. The same requirement would
hold for a structural model; distance to default must be calibrated to
default frequency using long-run experience. This applies to both
internal and vendor models, and a bank must verify that this requirement
is met.
See the responses to S22 and S27-28 above.
S41. The sample period for the reference data must be at least seven
years, and must include periods of economic stress during which defaults
were relatively high.
The comments on S31-32 also apply here.
S49. A validation process must cover all aspects of IRB
quantification.
175. Banks must have a process for validating IRB quantification;
their policies must state who is accountable for validation, and
describe the actions that will proceed from the different possible
results. Validation should focus on the three estimated IRB parameters
(PD, LGD, and EAD). Although the established validation process should
result in an overall assessment of IRB quantification for each
parameter, it also must cover each of the four stages of the
quantification process as described in preceding sections of this
chapter (data, estimation, mapping, and application). The validation
process must be fully documented, and must be approved by appropriate
levels of the bank’s senior management. The process must be updated
periodically to incorporate new developments in validation practices and
to ensure that validation methods remain appropriate; documentation must
be updated whenever validation methods change.
176. Banks should use a variety of validation approaches or tools; no
single validation tool can completely and conclusively assess IRB
quantification. Three broad types of tools that are useful in this
regard are evaluation of the conceptual soundness of the approach to
quantification (evaluation of logic), comparison to other sources of
data or estimates (benchmarking), and comparisons of actual outcomes to
predictions (back-testing). Each of these types of tools has a role to
play in validation, although the role varies across the four stages of
quantification.
S50. A bank must comprehensively validate parameter estimates at
least annually, must document the results, and must report these results
to senior management.
182. A full and comprehensive annual validation is a minimum for
effective risk management under IRB. More frequent validation may be
appropriate for certain parts of the IRB system and in certain
circumstances; for example, during high-default periods, banks should
compute realized default and loss severity rates more frequently,
perhaps quarterly. They must document the results of validation, and
must report them to appropriate levels of senior risk management.
Our reading of these two standards is that validation shall cover all
four stages of the quantification process: data, estimation, mapping,
and application; and that validation should consist of 1) evaluation of
logic, 2) benchmarking, and 3) back-testing. S50 indicates that this
must occur at least annually and perhaps quarterly during high default
periods. Such intensive validation requirements seem inconsistent with
the observation that “it will take considerable time before outcomes
will be available” (see paragraph 74 of the Draft), and also
inconsistent with the desire for IRB parameters to reflect long run
averages. Our concern is that such frequent validation will create
pressure on the part of supervisors to constantly revise parameter
estimates that ought to reflect long-term averages.
S52. Institutions must collect, maintain, and analyze essential data
for obligors and facilities throughout the life and disposition of the
credit exposure.
S53. Institutions must capture all significant quantitative and
qualitative factors used to assign the obligor and loss severity rating.
S54. Data elements must be of sufficient depth, scope, and
reliability to:
• Validate IRB system processes,
• Validate parameters,
• Refine the IRB system,
• Develop internal parameter estimates,
• Apply improvements historically,
• Calculate capital ratios,
• Produce internal and public reports, and
• Support risk management.
S55. Institutions must document the process for delivering, retaining
and updating inputs to the data warehouse and ensuring data integrity.
S56. Institutions must develop comprehensive definitions for the data
elements used within each credit group or business line (a “data
dictionary”).
S57. Institutions must store data in electronic format to allow
timely retrieval for analysis, validation of risk rating systems, and
required disclosures.
The IRB data maintenance standards do not explain how much history is
required for rating assignment data and supporting IRB data, or how long
the system is expected to be operational prior to qualification for IRB
capital. More direction is needed on these points.
Some reference data elements required for validation will be in the
form of pooled industry data. Although this is not discussed, our
assumption is that this is acceptable as long as the data can be
compared with internal data and with other sources.
The requirement that institutions must store data in electronic
format to allow timely retrieval for analysis, validation, and
disclosures could be quite costly if interpreted to mean that everything
should be stored electronically, and all in one place. Best practice for
many years to come will likely involve some non-electronic formats,
multiple electronic-based files, and considerable differences in the
designing of warehousing and retrieval systems. We hope that supervisors
will be allowed to develop a sense for which data maintenance practices
are acceptable over time by comparing practices across banks.
Comment 2
KeyCorp’s Response to Draft Supervisory Guidance regarding
Operational Risk Measurement and Management
Introduction
KeyCorp considers itself privileged to be able to comment on the U.S.
Regulatory Agencies’ Draft Supervisory Guidance regarding Operational
Risk Measurement and Management published in the Federal Register,
August 4, 2003 along with the Advanced Notice of Proposed Rulemaking (ANPR).
KeyCorp has actively participated with industry groups such as RMA,
ISDA and IIF in constructing their responses to the ANPR as well as
Basel II in general. We are fortunate to have had the opportunity to
work with them, as well as all other participating financial
institutions. Also, as an individual institution, we have discussed and
advanced concepts, analysis and models on numerous occasions and on
various topics to regulators active in the Basel II process.
We are in general agreement with the positions taken in the RMA
industry group’s response to the AMA Framework for Operational Risk and
Draft Supervisory Guidance regarding Operational Risk Measurement and
Management. Listed below are some issues we believe may not have been
adequately covered by the industry working groups, or that we think
deserve extra emphasis.
This document only covers KeyCorp’s position on items contained in
Section V (‘AMA Framework for Operational Risk’) of the Advanced Notice
of Proposed Rulemaking (ANPR) and the Draft Supervisory Guidance
regarding Operational Risk Measurement and Management. Separate
documents have been sent as our responses to other aspects of the
Advanced Notice of Proposed Rulemaking (ANPR) and Draft Supervisory
Guidance on Internal Ratings-Based Systems for Corporate Credit.
Anupam Sahay
Vice President
Operational Risk
KeyCorp |
Ashish K. Dev
Executive Vice President
Risk Management
Head of Operational Risk
KeyCorp |
KeyCorp’s Response to Draft Supervisory Guidance
regarding Operational Risk Measurement and Management
Detailed Comments
KeyCorp strongly supports the overall regulatory framework for
operational risk measurement and management, proposed in Section V of
the Advanced Notice of Proposed Rulemaking (ANPR), titled ‘AMA Framework
for Operational Risk’, and the accompanying Supervisory Guidance on
Operational Risk (SGOR).
Given the current state of intellectual development and practical
awareness surrounding operational risk, the Agencies have quite rightly
proposed a flexible framework wherein individual institutions have
considerable room to develop their own internal models.
KeyCorp stands firmly in support of an explicit capital charge for
operational risk under Pillar 1. Our support rests on the following
arguments:
Moving Op Risk charge to Pillar 2 would necessitate raising the
credit risk charge in Pillar 1 in accordance with the principle of
maintaining the overall capital charge. Banks with significantly more
credit risk, compared to operational risk, would be at a disadvantage.
Having an explicit capital charge for operational risk will
foster convergence in the methodologies for measuring and managing
operational risk. This is a good thing for the industry. Such
convergence is likely to flounder if each institution's treatment of
operational risk is isolated from the rest of the industry. Our past
experience with market risk lends support to this viewpoint.
Pillar 1 capital charge creates a level playing field among the
banks that are either required to join the new Basel regime or plan to
opt-in. Inclusion of Op risk charge as a Pillar 2 component would
introduce an unacceptable level of subjectivity.
Pillar 1 capital charge is consistent with a comprehensive
enterprise-wide risk view, with credit, market and operational risk as
the three major risk types. All of these risks lend themselves to
measurement and similar statistical techniques for analysis, in
particular computation of economic capital. Furthermore, operational
risk is intimately linked with both credit and market risk (by way of
operations in the credit and market areas). It stands to reason that
the goal of fully understanding the risk profile of an institution,
and the management of that risk, would immensely benefit from
requiring that operational risk be subjected to the same rigor and
supervisory treatment as are credit risk and market risk.
The Basel II process up to now has not only focused on regulatory
capital for Operational Risk but also (much more than in credit risk,
for example) catalyzed major development in the definition,
categorization and management of Op risk. The emphasis on Operational
risk has increased significantly across the banking industry. A Pillar
1 treatment will ensure the pace of development needed in
methodologies for Op risk and place the emphasis that it deserves.
Along with our support for the general direction laid out in the ANPR
and Draft Supervisory Guidance regarding Operational Risk Measurement
and Management, there are a number of issues that we seek clarification
for or would like to comment on. The issues are divided into six
sections:
I. Transition
II. Corporate Governance
III. Methodology
IV. Internal Data
V. External Data & Scenario Analysis
VI. Risk Mitigation
I. Transition:
Allowance of BIA or SA for operational risk
According the proposed rules, U.S. banks will able to take advantage
of the Advanced Internal Ratings-Based Approach (AIRB) for credit risk
only if they also qualify for operational risk AMA. Banks for whom
credit risk is the major burden, adopting AIRB is very important. In
contrast to the credit risk processes and policies, the operational risk
infrastructure is fairly immature and there are uncertainties
surrounding the qualification processes, including ambiguities of some
of the qualifying criteria. In this light, it seems harsh to disallow a
bank from advanced practice if it fails, in a small measure, to qualify
for operational risk AMA. For those banks that, at the time of
implementation of the new rules, are well underway towards a mature
operational risk measurement and management framework and have a
well-defined roadmap to the finish line, the agencies should consider
the option of simpler operational risk capital methodologies, such as
the Basic Indicator Approach or the Standardized Approach, as a
temporary measure.
II. Corporate Governance:
Standards too prescriptive
The division of responsibilities vis-à-vis management of operational
risk is best left to the individual institution. While it may be
suitable to mandate that the Board should be aware of the operational
risk profile of the institution and the major losses and issues that
surface, it is probably inappropriate (certainly impractical) to require
them to ‘oversee the development of the firm-wide operational risk
frameworks, as well as major changes to the framework’ (S2).
III. Methodology:
Consistent treatment of Expected Loss
Recently, the Basel Committee indicated that expected losses will not
be included in credit risk capital. A consistent treatment should be
meted out to operational risk. Just as in credit risk, banks anticipate
and cover for expected operating losses in the form of reserves, product
pricing and future margin income, as part of managing their everyday
business. Capital should be charged for only the unexpected part of the
losses and the adequacy of the coverage for expected losses should be
treated as a supervisory matter in Pillar 2.
Indirect Costs
In response to the ANPR question whether indirect losses (for
example, opportunity costs) should be included in the definition of
operational risk against which institutions should hold capital, we
strongly oppose the inclusion. While in principle it is attractive to
measure the full economic impact of an operational event, in practice,
the endeavor would be plagued by issues of uniform application of rules
across banks and accuracy of measurement. Furthermore, today, banks are
just learning to collect data on losses that show up in their financial
books. The data collection process is too immature to handle more
intangible losses such as opportunity costs.
IV. Internal Data:
3-year data requirement rule should not be changed
Implementing and executing a loss data collection is tedious and
time-consuming exercise for banks. The difficulty is compounded if
information has to be collected retrospectively, especially if there is
need to go back more than a few quarters. All along, the Basel documents
have spoken of a three-year minimum requirement of internal data for the
purposes of qualifying for AMA. KeyCorp started collecting data
late-2002, so as to have 3-4 years of data by the end of 2006, the
proposed implementation date of the New Basel Accord. It is not
appropriate to change the rules midstream and change the minimum
requirement from 3 to 5 years, notwithstanding the provision provided
for in the footnote on page 153 stating that ‘a shorter initial period
may be acceptable for institutions that are newly authorized to use an
AMA methodology’.
Default Correlations should be less than 100%
Adding operational risk capital estimates across the individual
buckets of loss types (and perhaps business lines) amounts to setting
the correlation between these various risk processes to 100%. Even
though there is likely to be some correlation between the individual
operational risk categories, in most cases it is guaranteed to be very
small. For example, the correlation between Internal Fraud risk and
Damage to Physical Assets risk is going to be close to zero. The
situation is likely to be similar for all loss category pairs, perhaps
with the exception of 1) Internal Fraud and External Fraud, and 2)
Clients, Products & Business Practices and Execution, Delivery & Process
Management. As such, taking perfect correlation as a starting point and
insisting on rigorous procedures to demonstrate otherwise, leads to an
excessively conservative viewpoint with significant overestimation of
the true overall operational risk.
V. External Data & Scenario Analysis:
Scope of Scenario should be expanded
The current language of CP3 gives the impression that External Data &
Scenario Analysis are to be used only for high severity events. What
does one do in cases where there is almost no data in a certain risk
bucket, e.g. Damage to Physical Assets? We believe that External Data &
Scenario Analysis provide a rational framework to create ``virtual
events’’ and should be used to fill any gaps in data. Typically, most of
the gaps will be toward the high severity end. But the principle of
generating loss information using External Data & Scenario Analysis
remains valid for all potential events.
Identifying a minimum uniform set
While we understand the value (and indeed the necessity) of using
external data, leaving the gate wide-open in terms of the particular
data institutions would use—``relevant external data (either public data
and/or pooled industry data)’’—jeopardizes the comparability of the
internal models across institutions. Presumably, supervisory oversight
under Pillar 2 would ensure a level playing field in the use of external
data. Nonetheless, this may not be sufficient comfort to institutions
that are peers and competitors.
For the purposes of AMA there should be one aggregate industry
database (whether maintained by the industry or the national
supervisors) and all institutions adopting AMA should be required to
take into account all events in this database, with relevancy for their
particular institution factored in. This is a tall order but one that
would go a long way in insuring uniformity.
Regulating agencies should support safe-harbor laws for data pools
Operational event data consortia, like the ABA’s Operational Risk
Consortium (ORC), are very important for increasing the knowledge pool
of potential operational events and their impact. There are serious
confidentiality and privacy concerns because of which the information
getting into the database gets restricted and consequently of less use.
For example, the ORC does not collect descriptive information about
individual loss events, thereby reducing its usefulness as an input for
a root cause or scenario analysis.
VI. Risk Mitigation
Floor of 20% is arbitrary
Given the already stringent requirements for an insurance coverage to
be eligible as risk mitigation, why should the reduction be limited to
20% of the total operational risk capital charge? We understand the need
for a haircut on insurance coverage, as definitely there is a non-zero
probability of an insurance payment not coming through. However, a
haircut of 80% seems too high. More transparency, on part of the Basel
Committee, about the data and rationale leading to the 20% impact
limitation would be in order.
The SGOR specifies fairly rigid parameters for an institution to
utilize insurance as a primary risk mitigant. In effect, the paper only
authorizes the placement of commercial insurance, with underwriters
having strong financial ratings, into the institution’s adjustment for
risk mitigation. For the top banking companies in the United States,
including KeyCorp, the exclusion of wholly owned captive insurance
companies is inappropriate.
Insurance via captives should get acceptance
There are several shortcomings associated with transferring
operational risks to the commercial insurance market.
Timeliness of payments: Significant insurance claims relating to
operational risks being presented to commercial underwriters for
coverage, seldom, if ever, result in timely payouts. It is far more
common, and is certainly KeyCorp’s experience, that coverage litigation
is necessary in order to impose payment from our insurance carriers
pursuant to the policy terms and conditions.
High deductible: High deductibles which preclude risk transfer for
virtually all operational risk losses are the reality which faces all
institutions falling within the scope of the proposed Basel II Capital
Accord. For financial insurance coverages including professional
liability and blanket bond, KeyCorp retains the initial $25,000,000 loss
before the claim is presented to the commercial insurance carrier.
Specificity of coverage: the explicit mapping of the policies by
the commercial insurance industry to cover the various operational risk
exposures of the institution may be conceptually attainable but would be
subject to subsequent coverage restrictions over time based upon the
whim of the commercial markets. What is insurable in one year is deemed
uninsurable the next and the insurers react in lock step with each
other. Some of the notable coverage exposures that fall within the scope
of operational risk that have been abandoned by the commercial insurance
market recently are unauthorized trading, various investment banking
risks, and property exposures such as mold.
We believe that a detailed evaluation and understanding of the
operations of wholly owned captives such as KeyCorp Insurance Company,
Ltd., would result in its endorsement as a primary risk mitigant
relating to operational risk. Every characteristic pertaining to the
insurance policy as an acceptable risk mitigant, identified in the
proposed rulemaking document, coincides with the effective use of a
wholly owned captive. Broad policy terms and conditions, realistic
deductibles, and timely claims payouts can only depict coverage written
through a captive insurance company and not coverage offered through
commercial underwriters.
Openness towards other risk mitigation techniques
The new rules should leave the door open for innovation in the area
of operational risk mitigation and not declare insurance as the only
risk mitigation acceptable at these early stages of development.
| 
