FDIC Federal Register Citations

November 3, 2003

FINANCIAL GUARDIAN GROUP

Office of the Comptroller of the Currency
250 E Street, S.W.
Public Information Room, Mailstop 1-5
Washington, D.C. 20219
Attention: Docket No. 03-14

Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429
Attention: Mr. Robert E. Feldman
Reference: Comments

Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, N.W.
Washington, D.C. 20551
Attention: Ms. Jennifer J. Johnson
Reference: Docket No. R-1154

Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, N.W.
Washington, D.C. 20552
Attention: No. 2003-27

Dear Sir or Madam:

The Financial Guardian Group (FGG) is pleased to comment on the interagency advance notice of proposed rulemaking (ANPR) that would implement the new Basel Capital Accord in the United States. The FGG represents the interests of specialized U.S. banks particularly concerned with the proposed new capital charge for operational risk. We appreciate that the U.S. operational risk proposal does not include the basic-indicator or standardized options, and we are grateful that the U.S. has worked hard to win approval of the advanced measurement approach (AMA) for inclusion in Basel. However, even this approach is deeply flawed if employed as a regulatory capital charge instead of a guide to effective risk management and bank supervision. The FGG strongly supports Basel's and the ANPR's objective of comparable, truly risk-based international capital standards. However, we urge U.S. regulators to advance this goal by deleting from the rule the proposed capital charge for operational risk and addressing it in the U.S. and Basel rules through a meaningful, enforceable supervisory standard. Unless or until the regulatory understanding of operational risk catches up with the knowledge of credit risk reflected in many major improvements proposed in the ANPR, a regulatory capital charge will - contrary to the agencies' best intentions - increase systemic risk, create perverse incentives for risk-taking and result in undue competitive harm.

We have noted with considerable interest efforts underway both in Basel and the U.S. to focus the risk-based capital (RBC) rules on unexpected losses, not expected ones. We concur with those who have argued that expected loss (EL) is amply and adequately addressed through future margin income and reserves and that RBC should focus solely on unexpected loss (UL). Doing so - which would be a major improvement in both the Basel rules and the ANPR - would make even more inappropriate the proposed Pillar 1 capital charge on operational risk. EL in operational risk can and should be treated, as with credit risk, as an expense, and covered by revenues, earnings or reserves. To the degree any methodological agreement exists with regard to operational risk, it is on EL. There is simply no agreed-upon methodology to measure UL in operational risk or to determine how mitigants against UL should be counted in RBC - a sharp contrast to accepted methodologies for recognizing credit enhancements and other ways to set expected loss. We continue to oppose the proposed limit on recognizing insurance as a mitigant in the AMA, precisely because it is among the best ways to mitigate UL and the restriction proposed creates a perverse incentive against effective risk mitigation.

The FGG is appreciative of sections in the ANPR that explore the wide range of potential problems with the operational risk-based capital (ORBC) charge, and we are particularly grateful for the request for a Pillar 2 alternative to the proposed Pillar 1 charge. In this letter, we outline such an alternative, and we look forward to working with you to address any questions it may raise in the next round of U.S. action on the Basel rules.

We also appreciate the questions in the ANPR regarding the potential economic and market impact of the Basel rules in the proposed U.S. standards. We believe the ORBC charge creates serious economic costs above and beyond those associated with the Basel rules as a whole, and this comment provides evidence to that effect. Based on this analysis, we believe the proposal would in fact trigger the requirements for Office of Management and Budget review pertaining to rules with significant economic impact. Congress will doubtless also be deeply concerned with those aspects of the rule that unnecessarily impose undue direct or indirect costs, which could be passed on to consumers and harm U.S. financial industry competitiveness.

Executive Summary

The following are the key points raised in this comment letter, which supplements these policy recommendations with research and data as appropriate:

• An array of experts - including the BIS's own committees, the Comptroller of the Currency, and the Federal Reserve Banks of Chicago, Richmond and San Francisco, question whether operational risk can be accurately quantified or effectively offset by a regulatory capital charge. The supervisory objective of improved operational risk (OR) management can be better advanced through meaningful, enforceable supervisory standards for which banks at home and abroad are held accountable.

• The ORBC charge would be a net cost to U.S. banks due to the proposed retention of the leverage and risk-based capital thresholds for supervisory action, making it still more difficult to craft an improved risk-based capital regime that covers all U.S. banks, not just the largest ones. The proposed bifurcated approach to Basel will result in numerous market disruptions and potential risk to the FDIC.

• The Basel rules in general and the operational risk-based capital charge in particular have significant economic impact. The revisions to the credit risk-based capital standards are, in broad terms, an appropriate and necessary cost because of the need to improve the relationship between regulatory and economic capital. Thus, to the degree that risky credits bear more regulatory capital, these costs are appropriate and offset by the reduction in capital for low-risk assets. However, the ORBC charge could cost U.S. banks $50 - 60 billion without any positive benefit and with many negative implications.¹ Proposed limits on benefits from the advanced models and re-qualification for ultimate full recognition of any capital reductions unnecessarily increase cost and undermine the worthy purpose of the overall Basel rewrite.

• The Pillar 1 ORBC charge would increase, not reduce risk. There is no agreed-upon calculation for operational risk, especially catastrophic risk. The costly charge would divert resources from proven forms of operational risk mitigation - contingency planning, redundancies, controls and procedures, insurance, etc. Proposed implementation in the U.S. of an additional ORBC charge for "indirect" losses would exacerbate all of the quantitative and competitiveness problems with the existing proposal.

• The ORBC charge will impose an unnecessary competitive cost on U.S. banks, especially specialized ones that compete against non-banks in key lines of business. The charge will also adversely affect international competitiveness because foreign regulators can apply the advanced measurement approach in ways that - intentionally or not - advantage their institutions without any improvement in operational risk management and mitigation.

• Recognition of future margin income and reserves is appropriate for operational risk, but this should be done in Pillar 2. A proposed Pillar 2 supervisory plan for operational risk is provided. The U.S. should advance this improved Pillar 2 in a multilateral fashion through the Basel Committee, not issue separate guidance solely for the U.S.

• The ANPR does not get the desired balance right between the flexibility of the advanced measurement approach and supervisory consistency. As a result, the proposal effectively implements the Basel "standardized" ORBC charge in the U.S., with all the problems that it presents.

I. Background

The FGG has long supported Basel II's goal of a three-pillar approach to effective bank supervision and we appreciate its incorporation in the ANPR. However, we believe that including operational risk in Pillar 1 (regulatory capital) rather than Pillar 2 (supervision) undermines balanced supervision. The goals of improving bank operational risk management and internal capital allocation are best served through a substantial improvement in Pillar 2 with regard to operational risk, supplemented by appropriate Pillar 3 disclosures. A Pillar 1 capital charge for a risk that the BIS's own Risk Management Group and Committee on the Global Financial System agree cannot be defined or accurately measured has already distracted significant industry and supervisory resources from urgently needed improvements.² An operational risk-based capital charge - even with the proposed improvements in the AMA - will deter improvements in qualitative operational risk management. The goal of "comparability" - that is, comparable regulatory standards across institutions and national borders - is best met through Pillars 2 and 3, not an arbitrary Pillar 1 capital charge with unintended adverse consequences for the competitive viability of specialized institutions that choose to operate as U.S. banks.

The BIS's own committees are not the only ones that find a Pillar 1 capital charge problematic for operational risk. Numerous commenters - including the Federal Reserve Bank of San Francisco and the Federal Reserve Bank of New York's Foreign Exchange Committee have also noted serious problems with a quantitative approach to operational risk. Indeed, the Federal Reserve Bank of Chicago filed a comment with the Basel Committee on the second consultative paper making clear the numerous problems with the proposed version of ORBC - problems not corrected despite the progress represented by the AMA.³ The Federal Reserve Bank of Richmond also filed a comment noting that operational risk can be "[a] difficult risk to quantify and can be very subjective."⁴ The Federal Reserve Bank of San Francisco has noted, "[a] key component of risk management is measuring the size and scope of the firm's risk exposures. As yet, however, there is no clearly established, single way to measure operational risk on a firm-wide basis."⁵ The Foreign Exchange Committee concluded that "[u]nlike credit and market risk, operational risk is very difficult to quantify."⁶

The Comptroller of the Currency has also spoken out on the problems of operational risk. In a speech to the Institute of International Bankers, Comptroller Hawke stated that "[a] one-size-fits-all approach to operational risk - such as a formulaic capital charge based on some percentage of gross revenues or a percentage of the charge for credit risk - while simple to apply, would disadvantage the best managed banks and provide undeserved advantage to the worst managed. Worst of all, it would provide no incentive to improve internal control systems." ⁷

These OCC and Federal Reserve conclusions are buttressed by academic research. A Cambridge University study determined that "...no data now exists for evaluation of operational risk events similar to Barings, Daiwa or LTCM. The possibility of effectively pooling such data across institutions seems unrealistic for many years to come and is statistically invalid without further research."⁸ A study by Charles Calomiris and Richard Herring states, "[p]rivate insurance and process regulation would be more effective than capital requirements for regulating operational risk."⁹ Finally, we would draw your attention to a Group of Ten report which found "[t]he term `operating risk' is a somewhat ambiguous concept that can have a number of definitions ... operating risk is the least understood and least researched contributor to financial institution risk."¹⁰

Getting regulatory capital right is essential because capital is a main driver of pricing, profitability and, therefore, franchise value. A Stanford University study with Nobel Prize-winner Joseph Stiglitz among its authors concludes, "[s]ince holding capital is costly, the per-period profits of the bank are lower, certeris paribus, when bank capital increases. Thus, increasing the amount of capital held by the bank has two effects: the positive bonding effect and the negative franchise value effect." ¹¹ Similarly, Moody's Investors Service notes that "holding excessive levels of capital will impair the financial performance of a bank and thereby impact upon its competitiveness."¹² The importance of regulatory capital drives the various arbitrage efforts that have rightly sparked Basel and U.S. regulators to get the balance between regulatory and economic capital better through the proposed revisions. Indeed, if regulatory capital didn't matter - as some agencies have suggested in testimony and other forums - the entire costly and hard exercise of the Basel II process would be solely an academic model-building convention held over many years in numerous nations. Basel and the ANPR rightly recognize the critical importance of regulatory capital and the need to align it closely to economic capital. Setting a regulatory charge before there is wide agreement on economic capital - which would occur if the ANPR on operational risk were implemented - would undermine the goals of Basel, not enhance them.

A quick example points to the critical importance of getting regulatory capital right. Following the adoption of Basel I, commercial paper backup revolvers with a 365 day or greater term became almost prohibitively expensive, because the Basel 1 capital rules require that capital be held against such facilities. Conversely, pricing became ultra-competitive for facilities with a term of less than one year, since Basel 1 did not require capital for such structures. Of course, unlike lines of business like asset management, unregulated, non-banking institutions do not compete in this market. As a result, unrestrained by the need to conform pricing to levels set by unregulated competitors, pricing for revolvers stabilized at levels determined by the regulatory capital requirement of the banking industry providers. It is unclear what the effect of the capital regime would have been if banks were competing with non-banks at the time. This uncertainty makes it imperative that Basel II is correct before it is implemented.

II. Overall Capital Framework

A. Bifurcated Regulatory Capital

The FGG believes that a Pillar 2 approach for ORBC would ease the disruptions resulting from the proposed bifurcated approach, creating a positive incentive for more U.S. insured depositories to opt-in to the Basel rules and, therefore, to bring their own internal systems and risk management up to the more sophisticated requirements rightly mandated by the U.S. for use of the various advanced credit risk requirements.

We urge the U.S. regulators to come up with revisions to risk-based capital suitable for all insured depositories, not just the nation's largest banks. Smaller banks and savings associations are key players in many markets - including the specialized ones of concern to the FGG - and they should thus benefit from risk reductions through lower regulatory capital or pay for risk increases in the same manner as larger institutions. The costly failure of Superior FSB in 2001 in part because regulatory capital was not sufficient for complex residuals points to the importance of focusing regulatory changes on creating an effective, workable, and coherent regulatory capital framework for all insured depositories, not just a select few.

B. Leverage and "Well-Capitalized" Thresholds

The ANPR states that OR was implicit in the Basel I Accord, which included a "buffer" to account for it and other non-credit risks. With the AMA, the ANPR says no such "buffer" is required because no implicit risks remain in the regulatory capital charge. Of course, interest-rate risk, liquidity risk and many others remain without a specific regulatory capital charge. We would refer to the "supervision-by-risk" framework rightly used by all of the agencies and note the many specified risks in it for which no Pillar 1 capital charge is proposed. ¹³ Many of these risks - interest-rate risk, of course, but also liquidity and foreign-exchange risk - are quantified daily, in sharp contrast to operational risk, but only OR is included as a new charge in the ANPR.

The agencies in fact appear to recognize that a "buffer" remains important because of the proposed retention of the unique U.S. leverage capital standards, as well as the use of 10% as the risk-based capital criterion for eligibility as a "well-capitalized" financial holding company or insured depository. The FGG believes that the ORBC requirement is proposed to "top off" U.S. capital requirements for low-risk institutions to ensure that the ongoing leverage and risk-based capital standards appear relevant. In fact, these standards are anachronistic and should be abolished, especially if a Pillar 1 ORBC charge is retained. With these standards in place and a new ORBC charge mandated, the overall cost of the Basel rules rises so high as to create undue economic cost and unnecessary competitive damage. Given that U.S. banks - in sharp contrast to EU ones - compete every day against firms outside the bank capital rules in key lines of business, these costs are particularly inappropriate and excessively burdensome.

The proposed retention of the leverage and well-capitalized standards creates particularly serious problems for specialized banks which will not benefit from the significant reductions proposed for low credit-risk assets. Attached to this comment is a table based on publicly-available information that shows that the effect of the Pillar I ORBC charge is to reduce significantly the "excess" capital held by specialized banks.* The capital ratios for these banks could be lowered by one percent to almost four percent - a major impact with the ten percent standard in mind - in some cases very near to the regulatory minimum. Banks adversely affected by this add-on capital charge would remain wellcapitalized by all non-regulatory market judgments, but they could still be subject to extreme sanctions - loss of their financial holding company privileges, for example. As a result, the ORBC charge atop the leverage and current risk-based capital thresholds widens the disparities between economic and regulatory capital, instead of bringing them as closely as possible together - the goal, of course, of the entire Basel II exercise and of the ANPR.

Quite simply, the U.S. rules must drop the leverage standard and readjust the well-capitalized one to reflect the fact that some banks will in fact be very well capitalized at far different ratios than now apply. Failure to drop these arbitrary ratios - especially if the ORBC requirement remains in Pillar 1 - would seriously undermine the goals of the ANPR and the larger policy interests served by alignment of regulatory and economic capital.

III. Economic Consequences of an ORBC Charge

As the table noted above makes clear, the ORBC charge will have significant implications for specialized banks, with each of those noted bearing capital costs well in excess of $100 million based on the best calculation possible using the more simple ORBC methods proposed in the Basel document. The consulting firm Mercer, Oliver Wyman has estimated the cost of compliance per bank to be between $50-200 million. ¹⁴ As a result, we believe the $100 million threshold for determining if a regulatory action requires review by the Office of Management and Budget is clearly met.

Due to the complexity of the AMA, there is no reliable ways to assess its impact on individual institutions, let alone the economy as a whole. However, the third quantitative impact survey (QIS3) makes clear that the ORBC charge is a significant cost to large banks, with the survey finding the net impact of ORBC is a 13% increase in capital that offsets reductions otherwise achieved under the sophisticated advanced models proposed in the ANPR for credit risk. Based on the $477 billion held as regulatory capital by the top twenty five U.S. banks, ¹⁵ an increase of 13% in regulatory capital would cost U.S. banks approximately $62 billion. Given the proposed retention of the leverage and well-capitalized test - as well as the limits on recognizing ANPR benefits - any offsetting credit RBC reductions are, at best, hypothetical over time and unlikely at the outset of the new rules.

The overall economic cost of the ORBC requirement increases still further when the cost of the capital requirement is translated into the larger economy. Insured depositories of course leverage capital into lending and related activities. Thus, the $62 billion cost of the ORBC requirement will reduce the amount of lending and investment banks can do, adversely affecting individual and corporate customers through reduced credit availability and/or higher funding costs.

IV. Perverse Incentives

Despite the improvements made through the AMA in Basel's third consultative paper and the proposal in the ANPR, the FGG believes that a Pillar 1 capital charge for operational risk will increase - not reduce - systemic risk and the risk an individual institution will be ill-prepared for serious operational risk. We see this because:

• many of the world's biggest banks will count ORBC based on the gross-income method remaining in the Basel proposal, creating potential systemic risk;

• the AMA does not address the perverse incentive issue because regulators will benchmark it to the standardized approach. Fundamentally, there is no agreed-upon definition of OR nor any widely-accepted way to measure it. Thus, supervisors and institutions will be forced to use untested benchmarks (likely linked to gross income). As discussed below, we do not think the ANPR has balanced the need for "flexibility" with that for "consistency," resulting in potential implicit application of the CP3 gross-income derived ORBC charges; and

• ongoing problems in the AMA - notably failure to recognize operational risk mitigation - will lead banks to neglect proven ways to reduce operational risk, putting themselves and financial markets at undue risk. A Pillar 2 approach with meaningful, enforceable supervisory standards focusing on proven forms of OR mitigation would be a significant contribution to the financial system, particularly at this time of heightened concern about unpredictable OR resulting from terrorist attack.

This conclusion is echoed in the aforementioned Kuritzkes and Scott study which states, "[r]elative to effective management controls and insurance, capital is at most a second-best mechanism for protecting banks against the consequences of [operational risks]. But perversely to the extent that a minimum level of OR capital is required - as contemplated under Basel II - then capital can actually serve as a deterrent to reducing operational losses." ¹⁶

A. Failure to Recognize Risk Mitigation

The FGG appreciates that the ANPR, like CP3, would recognize insurance in the AMA. However, the strict criteria necessary for eligibility may force insurance into a few structures provided by a limited number of insurers. This could concentrate risk in a few counterparties, resulting in systemic risk if severe OR events occur. We understand the regulators' desire to permit ORBC reductions only for insurance structures that will quickly and certainly compensate a bank for loss, but specific Pillar 1 standards for insurance eligibility could actually increase, not reduce, OR.

The proposed 20% limit on reductions in the AMA capital calculation for insurance also creates a perverse incentive. Banks may well reduce their purchases of insurance, especially the most costly - and therefore most needed - kinds because of limited regulatory capital recognition of this costly form of OR mitigation. As noted, the FGG believes that insurance - even with acknowledged limitations - is a proven form of risk mitigation. It should thus be fully recognized in the AMA to create a positive incentive for risk mitigation. Judging by the CP3 comment letters posted on the BIS' website, this position has strong support throughout the industry and among regulators. In its comment letter on CP2, the Federal Reserve Bank of Chicago recommended that capital reductions for mitigation of operational risk be permitted "wherever banks can demonstrate that risk exposures are materially reduced." It also warned that excessively narrow definitions for what methods are permissible impedes the development and application of risk mitigation techniques in the banking industry and undermines "the very purpose of banking supervision and regulation." ¹⁷ The Federal Reserve Bank of San Francisco notes, "[w]ith respect to operational risk, several steps can be taken to mitigate such losses. For example, damages due to natural disaster can be insured against. Losses arising from business disruptions due to electrical or telecommunications failures can be mitigated by establishing redundant backup facilities. Losses due to internal reasons, such as employee fraud or product flaws, are harder to identify and insure against, but they can be mitigated with strong internal auditing procedures." ¹⁸ Similarly, in its comments on CP3, the New York State Banking Department recommended the Basel Committee recognize the use of risk mitigants such as contingency plans. ¹⁹

We recognize that the 39-page supervisory guidance accompanying the ANPR attempts to address in detail how the AMA would recognize various forms of OR mitigation. However, the complexity of the document increases the prospects that supervisors will benchmark AMA calculations to standardized ones, discouraging banks from costly investments in back-up facilities, contingency planning and the other operational risk mitigants highlighted in the recent interagency white paper that makes clear the importance of these measures.²⁰

Since 9/11, U.S. regulators have rightly focused on all of these proven forms of operational risk mitigation, improving systems found lacking on that terrible day and reinforcing those that proved their worth. However, a GAO study found that significant preparedness problems remain. ²¹ Diversion of supervisory effort towards all of the model-building, testing and validation required to assure that large complex banking organizations comply with the proposed ORBC requirement and the detailed supervisory guidance is, the FGG believes, a dangerous misallocation of resources. This is especially true given the major demands on the banking agencies to ensure that the better-understood, but still quite complex, credit risk models that support the advanced internal ratings-based methodology are appropriate at all of the banks that qualify to use them.

Under U.S. law, supervisors visit all insured depositories at least once every eighteen months and larger institutions are examined at least every twelve months. At the same time, all very large U.S. banks have teams of resident examiners who stay at the bank full-time to test and re-test a wide range of risk areas to ensure there are appropriate capital and risk management processes. When banks fail to satisfy their examiners, the supervisors have a very broad array of remedies. These range from the "moral guidance" cited in CP3 to specific sanctions, cease-and-desist orders and, under extreme circumstances, bank closure or forced sale. U.S. regulators have closed insured depositories when they are in nominal compliance with Pillar 1-style regulatory capital standards because of undue risk. These powers were significantly enhanced by the U.S. Congress after the S&L crisis of the 1980s and the banking problems of the early 1990s, in part because several very large banks (e.g., Texas' First Republic) failed at considerable cost to the FDIC even though they had adequate capital under then applicable rules.

Thus, U.S. regulators have full powers to ensure ample OR capital and management, while foreign supervisors may permit wide variance from appropriate practice if nominal compliance with an arbitrary capital charge occurs. As a result, some very large global banks may be sadly unprepared for operational risk, especially catastrophic risk, because back-up facilities and contingency planning have been ignored by banks and their supervisors in favor of the Pillar 1 capital charge.

C. Catastrophic Risk

We are concerned that the U.S. regulators have decided to follow the Basel Committee in reversing the treatment of catastrophic risk. In the instructions accompanying the QIS 3, the Basel Committee stated that capital should not be assessed for catastrophic events that lie beyond the scope of any regulatory capital regime.²² We applauded this approach and concur with the findings of a second Cambridge University study which notes that "[c]apital is an expensive form of self-insurance and is ill-suited to protecting against very low-probability, high-impact risks."²³ Further, Moody's Investors Service noted just last month that: "[t]he only protection [against low-frequency high-severity loss events] is through multiple layers of effective management and control."²⁴ It is unfortunate that this sensible approach has been abandoned by both the Basel Committee and the U.S. banking agencies.

One major objection to the AMA - as well as to any regulatory OR capital charge - has been the problem of modeling and quantifying 9/11-type risks. The GAO recently noted this difficulty stating: "Experts we contacted said such analyses [of the frequency and severity of terrorist attacks] were extremely difficult because they involved attempts to forecast terrorist behavior, which were very difficult to quantify."²⁵ Capital is particularly irrelevant in the face of catastrophic risk such as nuclear blasts, bio-terror or similar tragedies. These risks are so unexpected and, potentially, so large that banks - like society as a whole - will be forced to rely on the ingenuity and heroism that distinguished the financial system after the collapse of the World Trade Center. Importantly, what limited loss then was not regulatory or even economic OR capital, but contingency planning, disaster preparedness and back-up facilities - none of which is fully recognized in the AMA in part because there remains no accepted method to define or measure OR to take full account of risk mitigation. As KPMG notes, "[a] risk sensitive Economic Capital methodology will - ceteris paribus - reward investments in business continuity management components with a lower capital charge."²⁶ The FGG urges the agencies to delete catastrophic risk should a Pillar 1 approach be included in the final U.S. rules. However, the serious problems quantifying and mitigating such risks argue strongly for a Pillar 2 approach, where the proven forms of catastrophic risk mitigation can be fully credited without the offsetting cost of an unnecessary capital charge.

V. Competitive and Customer Service Implications

A. Foreign Competitors

1. Impact of Including Legal Risk in OR

As discussed in more detail below, banks operating in the United States generally face a far broader range of regulation outside the banking area than their foreign competitors. This regulation covers areas as diverse as corporate governance, lending and employment discrimination and workplace safety. In addition, the U.S. legal system poses the highest litigation risk of any G-10 country. As a result, under the ANPR, U.S. banks will likely be required to set aside more capital for operational risk than their foreign competitors. U.S. banks will be forced to do this despite the fact that U.S. securities laws already require reserving for material legal risks and there is no evidence that these types of legal risks have adversely affected the safety and soundness of any U.S. bank. As Credit Suisse notes, "firms with significant activities in the United States could be put at a competitive disadvantage due to the increased litigation risk resulting from the U.S. judicial system." ²⁷

2. Supervisory Differences

The FGG recognizes that Basel II attempts to reflect the importance of effective supervision in Pillar 2. However, CP3 remains relatively weak in this area and we do not believe it will encourage supervisors in all participating nations to improve their standards and - where necessary - back them with effective enforcement. In sharp contrast, U.S. banks that fail the arbitrary leverage and well-capitalized tests or the ANPR's revised RBC ones face many serious regulatory and market sanctions. As a result, U.S. banks often hold far more regulatory capital than foreign counterparts and they would likely continue to do so under Basel II.

This capital difference puts U.S. banks at a competitive disadvantage because, as discussed above, regulatory capital is a key determinant of pricing and profitability. When the capital standards are credible, higher capital can be offset in the market because counterparties believe the bank is of lower risk and, therefore, a desirable provider of various services. However, a non-credible capital charge - the Pillar I ORBC requirement, for example - cannot be offset in the market because counterparties derive no benefit from it. Therefore, U.S. banks will face serious problems competing against foreign institutions under a Pillar 1 regime.

The significant disparity between U.S. action and that in many other nations when capital thresholds are missed means that the U.S. must take particular care with new Pillar 1 capital standards. Our unique and credible enforcement regime should be focused solely on regulatory capital standards that make sense, not the proposed ORBC charge. Pillar 2 treatment ensures appropriate U.S. supervisory flexibility to address individual bank problems without creating an arbitrary threshold standard to which U.S. banks will be held even as foreign supervisors permit wide variation from the Basel mark.

Similarly, the disparate application of the Accord may put U.S. banks at a further competitive disadvantage. A recent PriceWaterhouseCoopers study concludes that the European Union's new Capital Adequacy Directive, would selectively implement the Basel Accord.²⁸ This decision creates many issues for the Pillar 1 approach to credit risk and the disclosures mandated under Pillar 3. However, it is the relaxed implementation of the ORBC charge that is of most concern to the FGG. The EU is expected to "require fewer, different and apparently less demanding [qualifying criteria for the AMA] than those specified by Basel." We hope the U.S. regulators will work to eliminate Pillar 1 treatment of operational risk, ensuring that U.S. banks are not further harmed by its inconsistent application.

B. Non-bank Competitors

U.S. banks often operate in major lines of business, such as asset management, custody and payments processing services, in which they compete head-to-head with non-bank institutions. In the U.S. - in sharp contrast to plans in the EU - only banks will be covered by the Basel Accord and its stringent operational risk-based capital charge. Their non-bank counterparts will be exempt. Some U.S. regulators have suggested from time to time that the SEC might adopt a rule comparable to the ORBC one, but this does not appear likely. Indeed, proposed capital standards for "investment bank holding companies" and "consolidated supervised entities" are notable in their complete avoidance of any comparable ORBC requirement for these very large, very important non-bank competitors.²⁹

This disparity will place banks at a substantial competitive disadvantage relative to their non-bank counterparts. The above-mentioned Credit Suisse study reports that "[r]egulated banks that must comply with capital requirements are...placed at a competitive disadvantage within the financial services market." This competitive disadvantage is particularly pronounced for FGG members, which specialize in fee-based asset management, custody and payments processing lines of business.³⁰ These lines of business are dominated by non-bank institutions. For example, seventeen of the top twenty five U.S. money managers are non-banks. ³¹ The competitive pressures imposed by this disadvantage could force some U.S. banks to move these lines of business out of the bank, or to sell these businesses, de-banking completely. Such a development could increase systemic risk because major institutions would operate outside bank supervision.

VI. Pillar 2 Alternative

The FGG continues strongly to recommend that the Basel Committee address operational risk in Pillar 2. This will create a strong incentive for improved internal controls and capital allocation, in sharp contrast to the arbitrary Pillar 1 approach that - even with the AMA - will result in undue regulatory arbitrage and risk-taking. We are grateful for the request for a meaningful Pillar 2 approach to operational risk, and appended to this letter we have provided a detailed proposal presented in U.S. regulatory language suitable for rapid adoption in conjunction with the credit risk sections of the Basel Accord.

VII. Definitional Problems

Serious definitional problems remain as to OR in the ANPR, with these problems exacerbated by the proposal to add "opportunity cost" to those counted as operational risk. Here, we discuss the fundamental flaws in the ORBC definition that make Pillar 1 treatment untenable. In the section below on specific U.S. concerns on which comment is sought in the ANPR, we note specific problems with adding opportunity cost to this already dubious definition.

A. Lack of Agreement

Despite the proposed operational risk definition, there is wide disagreement on how in fact it should be measured or determined. Note, for example, the BIS's own Committee on the Global Financial System conclusion that, "[operational, legal and liquidity] risks are more difficult to measure than credit and market risk, and it may be difficult to deal with them in quantitative capital rules and disclosure standards. A more qualitative approach, focusing on risk management, may be needed."³² We note above similar concerns from a wide range of U.S. entities, including several Federal Reserve Banks. Standard & Poor's agrees that a qualitative approach is needed, noting that "the lack of consistent industry-wide operational loss data represents a large obstacle to the development of a statistical methodology that could carry the analysis beyond the qualitative" and that "the assessment of OR remains essentially a qualitative analysis closely linked to the assessment of management."³³

We would also refer the agencies to the results of the Risk Management Group (RMG) 2002 loss data collection (LDC) exercise for operational risk. As with the 2001 exercise, the LDC is intended to substantiate the ORBC charge. While the 2002 report shows considerable improvement in such areas as number of participating banks and bank confidence in the data presented, the results still show variations in operational risk measurement and the way economic capital is assigned. The RMG itself states that these results should be used with "caution" and that data "does not allow identification of the business lines and/or event types that are the largest source of operational risk." Similarly, the RMG notes that it is "not clear the extent to which the sample of banks in the survey was representative of the banking industry as a whole." The data on OR losses and loss recovery are found also to be of dubious quality due to the range of methodological problems still dogging the LDC.³⁴

Key points from the RMG study include:

• 89 banks in 19 countries reported, with only 63 meeting various sample criteria that permit broad use of their data. This small number in so many countries suggests very wide variations in data applicability to large numbers of banks in individual countries. Data problems are compounded by the fact that, of these 89 banks, only 32 said that the reported data comprise all OR for all business lines. Over half of the reporting banks said data were not comprehensive for any business line.

• There is wide variability in the number of reported OR loss incidents (ranging from one to over 2,000), with doubts about the validity of these data. Of the eight banks reporting 1,000 or more incidents, only two said data were comprehensive; however, of the 35 banks reporting 100 or fewer losses, 17 said data were comprehensive.

• Data are very clustered, making it difficult to infer capital charges either by event type or business line. For example, over 36% of incidents were in one area: external fraud in retail banking. This is perhaps the best understood area of OR and one for which pricing and reserves are in place, although the ORBC charge does not permit offsets for either. Further, this risk remains double-counted due to the credit risk charge related to these losses. Physical and system disruptions were only 2% of the reported incidents, but 20% of the loss (perhaps due to the fact that 9/11 was in this year's report). Insurance related to these losses is generally not recognized in ORBC.

• Of the 89 banks, 60 provided some data on economic capital for OR, although only approximately 40 provided data either on OR overall and/or on business lines. The average and median amounts of economic capital for OR reported by the 40 banks were 15% and 14% respectively, indicating that a large number of the banks fell within this range. However, the full range of reported economic capital varied from 0.09% to 41%. The average and median amounts of economic capital for asset management were 7% and 5%, respectively - far off the charges in the proposed standardized approach.

• Only one-third of reporting banks estimate expected OR. Data here are most inconsistent due to different definitions of OR and other factors.

We fail to see how a Pillar 1 ORBC charge can be deemed viable at this time when the Basel Committee's own group assessing it has found such wide variability and incomplete data. Even though some findings cluster around the averages on which the basic-indicator and standardized approaches are based, many institutions assess their appropriate economic OR capital far differently without any indication that these differences are unsafe or unsound. We recognize that the AMA is intended to accommodate some of these differences, but the fundamental lack of agreement - conceptual, methodological or even factual - on how OR is defined or measured makes an AMA in Pillar 1 inappropriate at this time.

A recent study of 309 risk professionals - the majority of who work for banks - confirms the industry-wide difficulties of assembling this data.³⁵ When asked what their greatest concerns were regarding implementation of the new Basel Accord, over 60% of the respondents replied that they were concerned with the lack of operational risk data - second only to cost of compliance.

B. Treatment of "Legal Risk"

The ANPR, like CP3, would define operational risk to include "legal risk." Page five of the supervisory guidance includes an array of regulatory, legal and even social policy risks. The FGG believes that including legal risk in a regulatory capital charge will have unintended and, as discussed above, adverse-competitive consequences. We are particularly struck by the inclusion of legal risk in the face of the explicit exclusion of reputational risk from the definition. This is of special note when reputational risk has in recent years proven itself a serious one even as banks around the world continue to manage their legal risk without any potential threat to safety and soundness.

For example, rules against nondiscrimination are unique to the U.S. in terms of both the scope of the rules and the significant penalties associated with them. Similarly, the U.S. has a unique tort and environmental liability environment that subjects firms to far greater potential costs for an array of offenses that go without cost elsewhere. While all operational risk is difficult to quantify, these types of legal risks are even more so. For example, two large banks have recently been sued for their participation - over 200 years ago - in the slave trade. How would this type of litigation risk be quantified or capital be assessed against it? Some rule of reason clearly must apply in judging legal risk, but none is noted in the ANPR or supervisory guidance. It is also important to note that, within the U.S., these types of risks can vary greatly by state and municipality. Furthermore, legal risk is unique in that the initial estimated exposure - for which U.S. firms are required to allocate reserves for - is often less than expected and often not resolved for many years. Of course, insurance is also a widely accepted - and successful - mitigant of this type of risk.

One might argue that it is appropriate for an ORBC regime to capture greater risks for U.S. banks if they do in fact exist. However, other requirements in U.S. law already capture the operational risks associated with legal liability. For example, U.S. securities laws require allocation of a specific reserve for legal costs and disclosure of them once a publicly-traded company has determined that legal risks pose a material challenge. There is no evidence that these reserves have ever proved inadequate, nor is there any evidence of a bank that has failed due to the operational risk associated with U.S.-specific legal liability.

VIII. Specific Concerns with the U.S. Proposal

A. Flexibility

The ANPR says this will be "flexible," but then says supervisors must ensure that institutions are "subject to a common set of standards." The document also notes the need for consistent application and enforcement of the AMA charge, while at the same time again emphasizing "flexibility" and the need to encourage innovation. The ANPR also states that supervisors are considering "additional measures to facilitate consistency." Still more regulatory detail in the already complex and prescriptive AMA would further undermine the already questionable "flexibility" in the AMA. A "consistent" approach is likely to benchmark itself against simple measures easy for institutions and supervisors to calculate, and these in turn would likely end up the same or comparable to the basicindicator and standardized approaches to ORBC in CP3. These are based on gross income - a factor with absolutely no correlation to operational risk correctly rejected by the agencies for application in the United States. Keeping the AMA in Pillar 1, however, would likely result in application of these highly flawed standards, with the additional problem of wide variability from examiner to examiner that could exacerbate the comparability and perverse incentives issues noted above.

The ANPR is likely also to force banks to calculate ORBC on standardized business lines, despite the fact that allocation of activities to these lines is often arbitrary and inconsistent with individual corporate organizations. This will essentially require banks to keep two sets of books on OR, with one tracking the standardized approach and the other the bank's own business structure and its perceived actual OR. Supervisors will clearly review AMA calculations based on the standardized business lines against the standardized charges, and banks may have difficulty explaining lower capital calculations under the AMA.

Banks may be forced to use one of the few approaches approved by regulators at the outset of the Basel Accord. This will, in turn, force ORBC calculations into a few, as yet unproven models. Should these prove incorrect, systemic OR will actually be increased, in contrast to reliance on more diverse systems which would not create this type of models risk.

B. Requalification

The FGG has long opposed the proposed limits on recognition of the advanced models in the Basel proposal, and we again express concern over them as proposed in the ANPR. Both CP3 and the ANPR propose that banks qualified through the onerous standards and disclosures to use the advanced credit risk model and the AMA could hold capital no less than 90% of their current Basel I levels in the first year after implementation and no less than 80% in the second year. This creates little, if any, incentive for low-risk institutions to make the substantial investments - $100 million or more for most large banks - in all of the Basel models. Further, given the impact of the Pillar 1 ORBC proposal, specialized banks are likely to see a net increase in overall RBC on day one - an increase that would go into effect immediately even as offsetting efforts to reduce risk go unrecognized. These limits make Basel II all pain and no gain - again in sharp contrast to the ostensible Basel goal of quick improvement in the alignment between regulatory and economic capital.

However, the ANPR exacerbates the Basel proposal's implementation problems. That is because the agencies propose not only to include all of the costly and complex qualifications to use the advanced models and the limits on benefiting from them, but also a subsequent requalification period in the third year or thereafter. Even if a bank had won approval to use the advanced models and done so under the limits in the first two years, it would need to be recertified by supervisors should the limits on Basel II recognition be dropped going forward. Given that banks will have had an extensive supervisory review and model verification process in advance of the initial approval to use the advanced models, we see no point - and considerable cost to both banks and supervisors - of the requalification process.

We would also note that a bank that in fact passes these two hurdles - initial limited use and then requalification - could thereafter fall off the Basel wagon and begin to vary models or capital in a fashion that results in inappropriate capital ratios. Supervisors need to preserve their scarce resources for the ongoing checks of Basel models and bank decision-making required by the complex proposal, not undertake unnecessary and costly re-approvals of already approved systems at arbitrary times in the implementation process.

C. Indirect Loss

The ANPR suggests that the definition of OR - already very problematic, as noted above - be expanded in the U.S. also to include "indirect losses," such as opportunity cost. The FGG believes that doing so would exacerbate the already grave flaws in the proposed definition of OR and the proposal to base a Pillar 1 regulatory capital charge on it.

It is most unclear, for example, how "indirect losses" are to be calculated. Should a decision to forego a particular line of business based on an ultimately unwise management decision be considered operational risk? If so, who is to determine how much revenue was foregone and what capital charge is appropriate against it. At what point will management be deemed to have considered an alternative strategy, and thus trigger a capital requirement? Currently, all institutions pay for such risk through their profit-and-loss statements - that is, if they don't make wise business decisions, their profitability suffers. U. S. courts view such decisions as within the "business judgment" protections of corporate governance standards, rightly eschewing efforts to second guess legitimate management decisions that prove unwise. To date, this has not been considered the business of regulators nor an area where regulatory capital has any role, and the FGG believes that current policy in this area should be continued.

Indeed, as with so much else in this proposal, a capital charge for "indirect loss" could create a perverse incentive against prudent risk management. Often, management foregoes a line of business, investment or particular loan due to fears about undue risk. In such cases, there can well be an "opportunity cost," especially if management fears turn out to be unrealized. Again, any such losses are reflected in the P&L. A regulatory capital charge - calculated who knows how - for such "loss" could inspire management to take undue risk to avoid a back-door penalty in cases where fears turn out to be unwarranted and an "opportunity cost" is determined under some model or by some regulator.

The ANPR notes that these "indirect losses" have resulted in "substantial cost" to some institutions. Other than the ongoing success or failure of individual bank strategic planning, we know of no cases of losses related to indirect factors. In the list of failures occasionally provided by the Federal Reserve to justify the Pillar 1 ORBC charge, no indirect loss-related case is apparent.

D. Treatment of Expected Loss

As noted at the outset of this letter, the FGG does not believe that a Pillar 1 capital charge for expected loss related to operational risk is any more appropriate than one for credit risk. We recognize that the ANPR proposes that the AMA recognize future margin income to the degree that a bank can demonstrate that funds budgeted for future margin income are "capital-like," and that "data thresholds" are not violated. We do not understand what this means. Do supervisors propose to review line-of- business budgets in detail on an ongoing basis to validate future margin income calculations? What "data thresholds" are meant - correct guesses about profitability? We know of no model against which supervisors can validate EL expectations on which a bank anticipates future margin income, and case-by-case determinations by supervisors on the basis outlined in the ANPR would involve regulators in day-to-day business decisions in an inappropriate and unnecessary fashion.

The ANPR also states that reserves cannot be recognized for regulatory capital purposes because of problems related to GAAP. However, reserves are an essential element of prudent banking and a very effective offset to operational risk. Reliance on them in a sound Pillar 2 approach to operational risk presents no GAAP problems, while creating an appropriate set of incentives for effective OR mitigation.

IX. Conclusion

For all of the reasons noted above, the FGG strongly advises U.S. regulators to delete from future rules any Pillar 1 capital charge for operational risk. Instead, the focus should shift at home and abroad to an effective and enforceable set of safety-and-soundness standards to anticipate, manage and mitigate operational risk. We stand ready to commit significant resources to support U.S. regulators and the Basel Committee in construction and implementation of these essential prudential standards.

Sincerely,

Karen Shaw Petrou
Executive Director

¹ Sizing Operational Risk and the Effect of Insurance: Implications for the Basel II Capital Accord, Andrew Kuritzkes and Hal Scott, June 18, 2002. This determination assumes: Total Risk Weighted Assets (RWA) for the U.S. banking system are approximately $5.9 trillion. The total regulatory capital requirement is fixed at 8% of RWA. The proposed 12% calibration would imply $56 billion of regulatory capital for operational risk. Our calculation for the top twenty five U.S. banks - assuming the findings of QIS3 that capital is expected to increase 13% is correct - is a cost of $62 billion (see Section III for a more detailed explanation).

² Credit Risk Transfer, Committee on the Global Financial System, Bank for International Settlements, January 2003 and Sound Practices for Management and Supervision of Operational Risk, Basel Committee on Bank Supervision, Risk Management Group, February 2003.

³ Federal Reserve Bank of Chicago Response to BIS Capital Proposal; Federal Reserve Bank of Chicago; May, 2001.

⁴ "The New Basel Accord " Second Consultative Package, January 2001; Federal Reserve Bank of Richmond; May 30, 2001

⁵ FRBSF Economic Letter, Federal Reserve Bank of San Francisco, January 25, 2002.

⁶ Management of Operational Risk in Foreign Exchange, The Foreign Exchange Committee, March 2003.

⁷ The New Basel Capital Accord: A Status Report, Speech to the Institute of International Bankers, John D. Hawke, Jr., March 4, 2002.

⁸ Operational Risk Capital Allocation and Integration of Risks, The Judge Institute of Management, Cambridge University, Elena Medova, 2001.

⁹ The Regulation of Operational Risk in Investment Management Companies, Charles W. Calomiris and Richard J. Herring, Investment Company Institute - Perspective, September 2002.

¹⁰ Report on Consolidation in the Financial Sector, Group of Ten, January 2001.

¹¹ Liberalization, Moral Hazard in Banking, and Prudential Regulation: Are Capital Requirements Enough?, Stanford University, Graduate School of Business, Thomas Hellman, Kevin Murdock and Joseph Stiglitz, 1998.

¹² Moody's Analytical Framework for Operational Risk Management of Banks, Moody's Investors Service, January 2003.

¹³ Comptroller's Handbook for Large Bank Supervision, Office of the Comptroller of the Currency, May 2001

¹⁴ Basle II Prompts Strategic Rethinks, Euromoney, Thomas Garside and Christian Pederson, December 2002.

¹⁵ Second quarter, 2003 data. See www.ffiec.gov.

¹⁶ Sizing Operational Risk and the Effect of Insurance: Implications for the Basel II Capital Accord, Andrew Kuritzkes and Hal Scott, June 18, 2002.

¹⁷ Federal Reserve Bank of Chicago Response to BIS Capital Proposal, Federal Reserve Bank of Chicago, May, 2001.

¹⁸ FRBSF Economic Letter, Federal Reserve Bank of San Francisco, January 25, 2002.

¹⁹ CP3 comment letter, New York State Banking Department, July 31, 2003.

²⁰ Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, Federal Reserve, Office of the Comptroller of the Currency, and Securities and Exchange Commission, September 5, 2002.

²¹ Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical Financial Market Participants, GAO 03-414, General Accounting Office, February 2003.

²² Quantitative Impact Study 3 Instructions, Basel Committee on Banking Supervision, Bank for International Settlements, October 2002.

²³ The Supervisory Approach: A Critique, The Judge Institute of Management, Cambridge University, Jonathan Ward, 2002.

²⁴ Moody's Says the Main Benefit of the New Basel Capita! Accord Should be the Strengthening of Banks' Risk Culture Rather than Boost Regulatory Capital - Which on Average is Already Adequate, Moody's Investors Service, October 20, 2003.

²⁵ Catastrophe Insurance Risks, GAO-03-1033, General Accounting Office, September 2003.

²⁶ Reaping the Rewards of Effective Business Continuity Management, KPMG, Presentation to the Information Systems Audit and Control Association - London, March 27, 2003.

²⁷ Basel II Implications for Banks and Banking Markets, Credit Suisse Economic & Policy Consulting, July 29, 2003.

²⁸ EU Risk Based Capital Directive CAD3 -The Future EU Capital Adequacy Framework, Financial Services Bulletin, October 2003.

²⁹ Alternative Net Capital Requirements for Broker-Dealers That Are Part of Consolidated Supervised Entities and Supervised Investment Bank Holding Companies, Proposed Rules, Securities and Exchange Commission, October 27, 2003.

³⁰ Deep Impact - Judging the effects of new rules on bank capital, The Economist, May 8, 2003.

³¹ Institutional Investor, July 2003.

³² Credit Risk Transfer, Committee on the Global Financial System, Bank for International Settlements, January 2003.

³³ Basel II: No Turning Back for the Banking Industry, Standard & Poor's, Commentary and News, August 26, 2003.

³⁴ 2002 Operational Risk Loss Data Collection Exercise, Risk Management Group, Bank for International Settlements, March 2003.

³⁵ Fear and Moaning in Last Stages, Risk Magazine, October 2003.

Attachments:

1) Proposed Pillar 2 Alternative

2) Table Demonstrating Cost of ORBC for Specialized U.S. Banks

* The table can be inspected and photocopied at the FDIC's Public Information Center, Room 100, 801 17th Street, NW., Washington, DC between 9 a.m. and 4:30 p.m. on business days.

Attachment 1

PROPOSED PILLAR 2 FOR OPERATIONAL RISK-BASED CAPITAL

The following proposed Pillar 2 for operational risk is adapted from the Basel Committee's "Sound Practices for the Management and Supervision of Operational Risk" and also draws heavily on the Federal Reserve's SR 99-18. The FGG believes it outlines a comprehensive framework for effective measurement, management and mitigation of operational risk based on allocation of appropriate economic capital against it. Thus, this approach ensures a comparable framework for banks and their supervisors without the numerous hazards resulting from a Pillar 1 ORBC requirement.

As discussed in detail in the accompanying comment letter, the FGG believes U.S. regulators have ample ability to ensure supervisory guidance without resort to the crude capital charge on which some foreign supervisors feel they must rely. Numerous instances in which the regulators have mandated significant sanctions - up to and including closure - in cases of violations of prudential rules make this clear.

PROPOSED PILLAR 2

I. Background

While the exact approach for effective operational risk management chosen by an individual bank will depend on a range of factors, including its size, sophistication and the nature and complexity of its activities, clear strategies and oversight by the board of directors and senior management, a strong operational risk and internal control culture (including, among other things, clear lines of responsibility and segregation of duties), effective internal reporting, and contingency planning are all crucial elements of an effective operational risk management framework for banks of any size and scope.

Deregulation and globalization of financial services, together with the growing sophistication of financial technology, are making the activities of banks and thus their risk profiles more complex. Greater use of automation has the potential to transform risks from manual processing errors to system failure risks, as greater reliance is placed on globally integrated systems. Further, growth of ecommerce brings with it potential risks (e.g., internal and external fraud and system security issues). Large-scale acquisitions, mergers, de-mergers and consolidations test the viability of new or newly integrated systems, while the emergence of banks as large-volume service providers creates the need for continual maintenance of high-grade internal controls and back-up systems. Banks may engage in risk mitigation techniques (e.g., collateral, credit derivatives, netting arrangements, and asset securitizations) to optimize their exposure to market risk and credit risk, but these techniques may in turn produce other forms of risk. Finally, growing use of outsourcing arrangements and the participation in clearing and settlement systems can mitigate some risks but can also present significant other risks to banks.

II. Operational Risk

In sum, all of these types of risk are operational risk, which the agencies define as the risk of loss from inadequate or failed internal processes, people and systems or from external events.

Operational risk includes:

• Internal fraud. For example, intentional misreporting of positions, employee theft, and insider trading on an employee's own account.
• External fraud. For example, robbery, forgery, check kiting, and damage from computer hacking.
• Clients, products and business practices. For example, fiduciary breaches, misuse of confidential customer information, improper trading activities on the bank's account, money laundering, and sale of unauthorized products.
• Damage to physical assets. For example, vandalism, earthquakes, fires and floods.
• Business disruption and system failures. For example, hardware and software failures, telecommunication problems, and utility outages.
• Execution, delivery and process management. For example, data entry errors, collateral management failures, incomplete legal documentation, unapproved access given to client accounts, non-client counterparty non-performance, and vendor disputes.

Operational risk exists in the natural course of corporate activity. However, failure to properly manage operational risk can result in a misstatement of an institution's risk profile and expose the institution to significant losses. In some business lines with minimal credit or market risk (e.g., asset management, and payment and settlement), the decision to incur operational risk, or compete based on the ability to manage and effectively price this risk, is an integral part of a bank's risk/reward calculus.

III. Keys to Effective Operational Risk Management and Mitigation

1. Role of the Board of Directors

The board or a designated committee is responsible for monitoring and oversight of a bank's risk management functions, and should approve and periodically review the operational risk management framework prepared by the bank's management. The framework should provide a firm-wide definition of operational risk and establish the principles of how operational risk is to be identified, assessed, monitored, and controlled/mitigated.

The board of directors should approve the implementation of a firm-wide framework to explicitly manage operational risk as a distinct risk to the bank's safety and soundness. The board should provide senior management with clear guidance and direction regarding the principles underlying the framework, be responsible for reviewing and approving a management structure capable of implementing the bank's operational risk management framework, and should approve the corresponding policies developed by senior management.

2. Internal Audit

The board (either directly or indirectly through its audit committee) should ensure that the scope and frequency of the internal audit program focused on operational risk is appropriately risk focused.

Audits should periodically validate that the firm's operational risk management framework is being implemented effectively across the firm. The board, or the audit committee, should ensure that the internal audit program is able to carry out these functions independently, free of management directive.

To the extent that the audit function is involved in oversight of the operational risk management framework, the board should ensure that the independence of the audit function is maintained. This independence may be compromised if the audit function is directly involved in the operational risk management process. The audit function may provide valuable input to those responsible for operational risk management, but should not itself have direct operational risk management responsibilities. Some banks may involve the internal audit function in developing an operational risk management program as internal audit functions generally have broad risk management skills and knowledge of the bank's systems and operations. Where this is the case, banks should see that responsibility for day-to-day operational risk management is transferred elsewhere in a timely manner.

3. Role of Senior Management

Senior management must ensure that the board-approved operational risk framework is implemented at all levels of the organization and that all levels of staff understand their responsibilities with respect to operational risk management. Senior management should also have responsibility for developing policies, processes, and procedures for managing operational risk in all of the bank's material products, activities, processes, and systems.

Management should translate the operational risk management framework approved by the board of directors into specific policies, processes, and procedures that can be implemented and verified within the different business units. While each level of management is responsible for the appropriateness and effectiveness of policies, processes, procedures, and controls within its purview, senior management should clearly assign authority, responsibility, and reporting relationships to encourage and maintain this accountability, and ensure that the necessary resources are available to manage operational risk effectively. Moreover, senior management should assess the appropriateness of the management oversight process in light of the risks inherent in a business unit's policy.

Senior management should ensure that bank activities are conducted by qualified staff with necessary experience, independence, technical capabilities and access to resources to carry out their duties. Management should ensure that the bank's operational risk management policy has been clearly communicated to staff at all levels in units that incur material operational risks.

Senior management should ensure that the operational risk management framework is integrated with efforts to manage credit, market, and other risks. Failure to do so could result in significant gaps or overlaps in a bank's overall risk management program.

Particular attention should be given to the quality of documentation controls and to transactionhandling practices. Policies, processes, and procedures related to advanced technologies supporting high transactions volumes, in particular, should be well documented and disseminated to all relevant personnel.

4. Operational Risk Identification

Banks should identify and assess the operational risk inherent in all material products, activities, processes, and systems. Banks should also ensure that, before new products, activities, processes, and systems are introduced or undertaken, the operational risk inherent in them is identified.

Risk identification is paramount for the subsequent development of a viable operational risk monitoring and control system. Effective risk identification considers both internal factors (such as the bank's structure, the nature of the bank's activities, the quality of the bank's human resources, organizational changes, and employee turnover) and external factors (such as changes in the industry and technological advances) that could adversely affect the achievement of the bank's objectives.

In addition to identifying the most potentially adverse risks, banks should assess their vulnerability to these risks. Effective risk assessment allows the bank to better understand its risk profile and most effectively target risk management resources.

Amongst the possible tools used by banks for identifying and assessing operational risk are:

• Self or Risk Assessment: a bank assesses its operations and activities against a menu of potential operational risk vulnerabilities. This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment. Scorecards, for example, provide a means of translating qualitative assessments into quantitative metrics that give a relative ranking of different types of operational risk exposures. Some scores may relate to risks unique to a specific business line while others may rank risks that cut across business lines. Scores may address inherent risks, as well as the controls to mitigate them. In addition, scorecards may be used by banks to allocate economic capital to business lines in relation to performance in managing and controlling various aspects of operational risk.

• Risk Mapping: in this process, various business units, organizational functions or process flows are mapped by risk type. This exercise can reveal areas of weakness and help prioritize subsequent management action.

• Risk Indicators: risk indicators are statistics and/or metrics, often financial, which can provide insight into a bank's risk position. These indicators tend to be reviewed on a periodic basis (such as monthly or quarterly) to alert banks to changes that may be indicative of risk concerns. Such indicators may include the number of failed trades, staff turnover rates and the frequency and/or severity of errors and omissions.

• Measurement: some firms have begun to quantify their exposure to operational risk using a variety of approaches. For example, data on a bank's historical loss experience could provide meaningful information for assessing the bank's exposure to operational risk and developing a policy to mitigate/control the risk. An effective way of making good use of this information is to establish a framework for systematically tracking and recording the frequency, severity and other relevant information on individual loss events.

5. Risk Monitoring

Banks should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.

An effective monitoring process is essential for adequately managing operational risk. Regular monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in the policies, processes, and procedures for managing operational risk. Promptly detecting and addressing these deficiencies can substantially reduce the potential frequency and/or severity of a loss event.

In addition to monitoring operational loss events, banks should identify appropriate indicators that may provide early warning of an increased risk of future losses. Such indicators (often referred to as key risk indicators or early warning indicators) should be forward-looking and could reflect potential sources of operational risk such as rapid growth, the introduction of new products, employee turnover, transaction breaks, and system downtime, among others. When thresholds are directly linked to these indicators an effective monitoring process can help identify key material risks in a transparent manner and enable the bank to act upon these risks appropriately.

The frequency of monitoring should reflect the risks involved and the frequency and nature of changes in the operating environment. Monitoring should be an integrated part of a bank's activities. The results of these monitoring activities should be included in regular management reports, as should compliance reviews performed by the internal audit and/or risk management functions. Reports generated by (and/or for) supervisory authorities may also be useful in this monitoring and should likewise be reported internally to senior management, where appropriate.

Senior management should receive regular reports from appropriate areas such as business units, group functions, the operational risk management office and internal audit.

The operational risk reports should contain internal financial, operational, and compliance data that are relevant to decision making. Reports should be distributed to appropriate levels of management and to areas of the bank on which areas of concern may have an impact. Reports should fully reflect any identified problem areas and should motivate timely corrective action on outstanding issues. To ensure the usefulness and reliability of these risk and audit reports, management should regularly verify the timeliness, accuracy, and relevance of reporting systems and internal controls in general. Management may also use reports prepared by external sources (auditors, supervisors) to assess the usefulness and reliability of internal reports. Reports should be analyzed with a view to improving existing risk management performance as well as developing new risk management policies, procedures, and practices.

In general, the board of directors should receive sufficient higher-level information to enable them to understand the bank's overall operational risk profile and focus on the material and strategic implications for the business.

6. Operational Risk Mitigation

Banks should have policies, processes, and procedures to control and/or mitigate material operational risks. Banks should periodically review their risk limitation and control strategies and should adjust their operational risk profile accordingly using appropriate strategies, in light of their overall risk appetite and profile.

Control activities are designed to address the operational risks that a bank has identified. For all material operational risks that have been identified, the bank should decide whether to use appropriate procedures to control and/or mitigate the risks, or bear the risks. For those risks that cannot be controlled, the bank should decide whether to accept these risks, reduce the level of business activity involved, or withdraw from this activity completely. Control processes and procedures should be established and banks should have a system in place for ensuring compliance with a documented set of internal policies concerning the risk management system. Principal elements of this could include, for example:

• top-level reviews of the bank's progress towards the stated objectives;
• auditing for compliance with management controls;
• policies, processes, and procedures concerning the review, treatment and resolution of noncompliance issues; and
• a system of documented approvals and authorizations to ensure accountability to an appropriate level of management.

Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture that promotes sound risk management practices. Both the board of directors and senior management are responsible for establishing a strong internal control culture in which control activities are an integral part of the regular activities of a bank. Controls that are an integral part of the regular activities enable quick responses to changing conditions and avoid unnecessary costs.

An effective internal control system also requires that there be appropriate segregation of duties and that personnel are not assigned responsibilities which may create a conflict of interest. Assigning such conflicting duties to individuals, or a team, may enable them to conceal losses, errors or inappropriate actions. Therefore, areas of potential conflicts of interest should be identified, minimized, and subject to careful independent monitoring and review.

In addition to segregation of duties, banks should ensure that other internal practices are in place as appropriate to control operational risk. Examples of these include:

• close monitoring of adherence to assigned risk limits or thresholds;
• maintaining safeguards for access to, and use of, bank assets and records;
• ensuring that staff have appropriate expertise and training;
• identifying business lines or products where returns appear to be out of line with reasonable expectations; and
• regular verification and reconciliation of transactions and accounts.

Operational risk can be more pronounced where banks engage in new activities or develop new products (particularly where these activities or products are not consistent with the bank's core business strategies), enter unfamiliar markets, and/or engage in businesses that are geographically distant from the head office. Moreover, in many such instances, firms do not ensure that the risk management control infrastructure keeps pace with the growth in the business activity. A number of the most sizeable and highest-profile losses in recent years have taken place where one or more of these conditions existed. Therefore, it is incumbent upon banks to ensure that special attention is paid to internal control activities where such conditions exist.

Some significant operational risks have low probabilities but potentially very large financial impact. Moreover, not all risk events can be controlled (e.g., natural disasters). Risk mitigation tools or programs can be used to reduce the exposure to, or frequency and/or severity of, such events. For example, insurance policies, particularly those with prompt and certain pay-out features, can be used to externalize the risk of "low frequency, high severity" losses which may occur as a result of events such as third-party claims resulting from errors and omissions, physical loss of securities, employee or third party fraud, and natural disasters.

However, banks should view risk mitigation tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly recognize and rectify legitimate operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, or transfer the risk to another business sector or area, or even create a new risk (e.g. legal or counterparty risk).

Investments in appropriate processing technology and information technology security are also important for risk mitigation. However, banks should be aware that increased automation could transform high-frequency, low-severity losses into low-frequency, high-severity losses. The latter may be associated with loss or extended disruption of services caused by internal factors or by factors beyond the bank's immediate control (e.g., external events). Such problems may cause serious difficulties for banks and could jeopardize an institution's ability to conduct key business activities. As discussed below, banks should establish disaster recovery and business continuity plans that address this risk and comply fully with all agency rules, guidance and orders.

Banks should also establish policies for managing the risks associated with outsourcing activities, doing so in full compliance with all applicable agency rules, guidance, and orders. Outsourcing of activities can reduce the institution's risk profile by transferring activities to others with greater expertise and scale to manage the risks associated with specialized business activities. However, a bank's use of third parties does not diminish the responsibility of management to ensure that the third party activity is conducted in a safe and sound manner and in compliance with applicable laws. Outsourcing arrangements should be based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing bank. Furthermore, banks need to manage residual risks associated with outsourcing arrangements, including disruption of services.

Depending on the scale and nature of the activity, banks should understand the potential impact on their operations and their customers of any potential deficiencies in services provided by vendors and other third-party or intra-group service providers, including both operational breakdowns and the potential business failure or default of the external parties. Management should ensure that the expectations and obligations of each party are clearly defined, understood and enforceable. The extent of the external party's liability and financial ability to compensate the bank for errors, negligence, and other operational failures should be explicitly considered as part of the risk assessment. Banks should carry out an initial due diligence test and monitor the activities of third party providers, especially those lacking experience of the banking industry's regulated environment, and review this process (including re-evaluations of due diligence) on a regular basis. The bank should pay particular attention to use of third-party vendors for critical activities.

In some instances, banks may decide to either retain a certain level of operational risk or self-insure against that risk. Where this is the case and the risk is material, the decision to retain or self-insure the risk should be transparent within the organization and should be consistent with the bank's overall business strategy and appetite for risk.

7. Contingency Planning

Senior management should ensure compliance with all applicable agency rules, guidance and orders regarding contingency planning. Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption.

For reasons that may be beyond a bank's control, a severe event may result in the inability of the bank to fulfill some or all of its business obligations, particularly where the bank's physical, telecommunication, or information technology infrastructures have been damaged or made inaccessible. This can, in turn, result in significant financial losses to the bank, as well as broader disruptions to the financial system through channels such as the payments system. This potential requires that banks establish disaster recovery and business continuity plans that take into account different types of plausible scenarios to which the bank may be vulnerable, commensurate with the size and complexity of the bank's operations.

Banks should identify critical business processes, including those where there is dependence on external vendors or other third parties, for which rapid resumption of service would be most essential. For these processes, banks should identify alternative mechanisms for resuming service in the event of an outage. Particular attention should be paid to the ability to restore electronic or physical records that are necessary for business resumption, including the construction of appropriate backup facilities.

Banks should periodically review their disaster recovery and business continuity plans so that they are consistent with the bank's current operations and business strategies. Moreover, these plans should be tested periodically to ensure that the bank would be able to withstand high-severity risk.

IV. Allocation of Appropriate Economic Capital

To a large extent, a robust, diversified earnings stream is often the best protection against both expected and unexpected operational losses. While capital is important, it should only focus on unexpected loss. Expected losses should always be considered as an expense, and covered by revenue, earnings, or reserves. A banking organization's capital should reflect the perceived level of precision in the risk measures used, and the relative importance to the institution of the activities producing the risk. Capital adequacy should be assessed after evaluation of the sum total of an organization's activities, with appropriate adjustments made for risk correlations between activities and the benefit resulting from diversified lines of business that, in aggregate, reduce operational risk to the consolidated organization. Capital levels should also reflect that historical correlations among exposures can rapidly change.

Explicit goals for operational risk capitalization should be included in evaluation of capital adequacy. Goals may differ across institutions, which should evaluate whether their long-run capital targets might differ from short-run goals, based on current and planned changes in risk profiles and the recognition that accommodating new capital needs can require significant lead time. The goals should be reviewed and approved by the board and implemented by senior management.

1. Assessing Conformity to the Institution's Stated Objectives

Both the target level and composition of capital, along with the process for setting and monitoring such targets, should be reviewed and approved periodically by the institution's board of directors.

2. Composition of Capital

Analysis of capital adequacy should couple a rigorous assessment of the particular measured and unmeasured risks faced by the institution with consideration of the capacity of the institution's paid-in equity and other capital instruments to absorb unexpected losses. Common equity (that is, common stock and surplus and retained earnings) should be the dominant component of a banking organization's capital structure.

Common equity allows an organization to absorb losses on an ongoing basis and is permanently available for this purpose. Further, this element of capital best allows organizations to conserve resources when they are under stress because it provides full discretion as to the amount and timing of dividends and other distributions. Consequently, common equity is the basis on which most market judgements of capital adequacy are made.

Consideration of the capacity of an institution's capital structure to absorb unexpected losses should also take into account how that structure could be affected by changes in the institution's performance, or by the outside economic environment. For example, an institution experiencing a net operating loss - perhaps due to realization of unexpected losses - not only will face a reduction in its retained earnings, but also possible constraints on its access to capital markets. Other issues may arise in relation to use of optionality in its capital structure. Such adverse magnification effects could be further accentuated should adverse events take place at critical junctures for raising or maintaining capital, for example, as limited-life capital instruments are approaching maturity or as new capital instruments are being issued.

3. Examiner Review of Internal Capital Adequacy Analysis

As part of the regular supervisory and examination process, examiners should review internal capital assessment processes at large and complex banking organizations as well as the adequacy of their capital and their compliance with regulatory standards. In general, this review should assess the degree to which an institution has in place, or is making progress toward implementing, a sound internal process to assess capital adequacy. Examiners should briefly describe in the examination report the approach and internal processes used by the institution to assess its capital adequacy with respect to the risks it takes. Examiners should then document their evaluation of the adequacy and appropriateness of these processes for the risk profile of the institution, along with their assessment of the quality and timing of the institution's plans to develop and enhance its processes for evaluating capital adequacy with respect to risk.

In all cases, the findings of this review should be considered in determining the institution's supervisory rating for management. Examiners should expect complex institutions to have sound internal processes for assessing capital adequacy in place.

Beyond its consideration in evaluating management, over time this review should also become an integral element of assessing, and assigning a supervisory rating for capital adequacy as the institution develops appropriate processes for establishing capital targets and analyzing its capital adequacy as described above. If these internal assessments suggest that capital levels appear to be insufficient to support the risks taken by the institution, examiners should note this finding in examination and inspection reports, discuss plans for correcting this insufficiency with the institution's directors and management and, as appropriate, initiate follow-up supervisory actions.

4. Relating Capital to the Level of Operational Risk

Banking organizations should be able to demonstrate through internal analysis that their capital levels and composition are adequate to support the risks they face and that these levels are properly monitored by senior management and reviewed by directors. Examiners should review this analysis, including the target levels of capital chosen, to determine whether it is sufficiently comprehensive and relevant to the current operating environment. Examiners should also consider the extent to which the institution has provided for unexpected events in setting its capital levels. In this connection, the analysis should cover a sufficiently wide range of external conditions and scenarios, and the sophistication of techniques used should be commensurate with the institution's activities. Finally, supervisors should consider the quality of the institution's management information reporting and systems, the manner in which business risks and activities are aggregated, and management's record in responding to emerging or changing risks.

As a final matter, in performing this review, supervisors and examiners should be careful to distinguish between a comprehensive process that seeks to identify an institution's capital requirements on the basis of measured economic risk, and one that focuses only narrowly on the calculation and use of allocated capital or "economic value added" (EVA) for individual products or business lines for internal profitability analysis. This latter approach, which measures the amount by which operations or projects return more or less than their cost of capital, can be important to an organization in targeting activities for future growth or cutbacks. It requires, however, that the organization first determine - by various methods - the amount of capital necessary for each area of risk. It is that process for determining the necessary capital that is the topic of this guidance, and it should not be confused with related efforts of management to measure relative returns of the firm or of individual business lines, given an amount of capital already invested or allocated. Moreover, such EVA approaches often are unable to meaningfully aggregate the allocated capital across business lines as a tool for evaluating the institution's overall capital adequacy.