Federal Deposit
Insurance Corporation

Ms. Jennifer J. Johnson
Secretary, Board of Governors
Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, D.C. 20551

Office of the Comptroller of the Currency
250 E Street, SW
Public Information Room, Mailstop 3-6
Washington, DC 20219

Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G. St, NW.
Washington, DC 20552

Robert E. Feldman
Executive Secretary
Attention: Comments
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429

Re: Draft Supervisory Guidance on the Internal Ratings-Based Systems for Corporate Credit and Operational Risk: FDIC (no reference number listed); FRB Docket No. OP-1153; OCC Docket No. 03–15; OTS No. 2003–28; Capital Adequacy; Implementation of New Basel Capital Accord; 68 Federal Register 45949; August 4, 2003

Ladies and Gentlemen:

On August 4, the banking agencies in the United States (Agencies) published for comment an Advance Notice of Proposed Rulemaking (ANPR) on how the proposed New Basel Capital Accord (New Accord) as currently proposed in the Consultative Paper No. 3, (CP3) would be implemented in the United States. As proposed, the United States would apply only the advanced internal ratings-based approach (A-IRB) out of the New Accord and only to a core group of the largest, internationally active banks. At the same time, the Agencies published a request for comments on a “Draft Supervisory Guidance on the Internal Ratings-Based Systems for Corporate Credit and Operational Risk.” This letter sets out the American Bankers Association’s (ABA) comments on that Draft Supervisory Guidance on the Operating Risk AMA. The American Bankers Association brings together all elements of the American banking community to best represent the interests of this rapidly changing industry. Its membership – which includes community, regional, and money center banks and holding companies, as well as savings institutions, trust companies, and savings banks – makes ABA the largest banking trade association in the United States.

Our comments are divided into three sections: (1) background regarding the proposal and the unique vantage point we can provide through the work of ABA’s Operating Risk Committee (ORC); (2) comments on nine areas of specific concern to our members; and (3) comments (with references to the level of concern) in response to the 33 supervisory principles enunciated in the Draft Supervisory Guidance.

There are several key themes that characterize much of the detailed discussion presented below.

•  Banks should be allowed to determine which combination of elements is appropriate to assess and manage operational risk within their institutions. Banks understand that they will need to defend the appropriateness of their methodology and underlying assumptions to the Banking Agencies. How an institution does this should be within the purview of the institution, and regulatory mandates or specific quantitative requirements should be avoided. Such an approach is consistent with a principles-based regulatory approach and is management oriented and tailored to the individual institution’s business.

•  Flexibility is needed and specific quantitative tests or requirements should be avoided. Flexibility is important because integrating external data into an AMA model in a useful manner will be very challenging. Modeling will clearly change as experience is gained, as economic and business conditions require, as databases become more sophisticated and as risk management procedures and methodologies improve. The goal is to encourage good operational risk management, and this should not be driven by arbitrary standards.
   
• The use of external data to provide a benchmark for performance can be very useful and should be encouraged. Addressing industry concerns about confidentiality of external data will help to foster convergence in the methodologies for measuring and managing operational risk and facilitate more scenario testing.

As is noted below, the ABA has worked closely with bankers to form an operating risk committee, which has as its primary objective the development of an accurate, consistent and reliable dataset on bank operational risk losses that could be used for benchmarking. Thus, we believe we have a unique perspective on these issues and the use of external data in managing this risk.

We would also like at the outset to acknowledge the improvements that have been made which are reflected in the ANPR and the Supervisory Guidance. Certainly, banks that anticipate that they will be required to comply with the Basel II requirement and those that are likely to “opt-in” are making plans to meet the standard. Many of these banks believe that the inclusion of operating risk in Pillar 1 encourages a full understanding of the risk profile of an institution and will foster a convergence in the methodologies for measuring and managing operational risk. Other banks, however, remain concerned about an explicit capital charge for operational risk, as they believe that the current state-of-the-art for operating risk measurement has not progressed sufficiently to warrant its use in regulatory capital standards. Should the agencies move forward with explicit capital treatment, addressing the concerns presented below become even more important.

I. Background

Under the ANPR’s framework, a banking organization meeting the AMA supervisory standards would use its internal risk measurement system to calculate its regulatory capital requirement for operational risk. As the ANPR states:

In calculating the operational risk exposure, an AMA-qualified institution would be expected to estimate the aggregate operational risk loss that it faces over a one-year period at a soundness standard consistent with a 99.9 percent confidence level. The institution’s AMA capital requirement for operational risk would be the sum of expected loss and unexpected loss, unless the institution can demonstrate that an expected loss offset would meet the supervisory standards for operational risk. The institution would have to use a combination of internal loss event data, relevant external loss event data, business environment and internal control factors, and scenario analysis in calculating its operational risk exposure.

Related to external data, the Draft Supervisory Guidance states:

An institution would have to establish and adhere to policies and procedures that provide for the use of relevant external loss data in the operational risk framework. External data would be particularly relevant where an institution’s internal loss history is not sufficient to generate an estimate of major unexpected losses. Management would have to systematically review external data to ensure an understanding of industry experience. The Agencies seek comment on the use of external data and its optimal function in the operational risk framework.

The ABA’s Operating Risk Committee (ORC) has a unique perspective on the proposal. As mentioned above, a primary mission of the ABA’s ORC is to develop an accurate, consistent and reliable dataset on bank operational risk losses that could be used for benchmarking. The genesis of this benchmarking program is to improve the management of operating risk and to lower the costs to participating banks. Thus, good management practices – not regulatory requirements – were the driving factor behind this initiative.

Reporting of quarterly operating loss data began the first quarter of this year. In setting up the operating loss data collection effort, the group considered many of the issues raised in the ANPR Part V. The comments in this section therefore reflect the views of bankers on the ABA’s ORC. Our committee also met to discuss these issues with the Risk Management Association and we want to acknowledge their important observations on these issues.

In order to give context to the following comments on external data collection and use for operational risk analysis, a description of the ABA ORC project may be helpful. Each ABA ORC data reporter agrees to file a quarterly report of operating loss statistics based on prescribed data definitions. Data are provided for all material lines of business and loss categories within two years of participating, starting January 1, 2004, or sooner. A consistent internal methodology is specified for assigning losses charged to corporate support, parent company or technology unit back to an appropriate line of business, as defined by the Basel Committee, for U.S. subsidiaries and operations only. Banks report new loss events and provide updates to previously reported loss events each quarter. If subsequent recoveries or payments are associated with a previously reported loss event, the bank reports a loss event record with the updated amount using the previous source and event identification.

II. Significant Issues Raised by the Proposed Supervisory Guidance

ABA has consulted with the ORC in preparing these comments on data issues. The participating risk managers identified nine issues with Part V of the ANPR of significant concern:

1. The distinction between credit and operating losses should be based upon industry practices, not regulatory dictates.

2. Expected losses should not require capital charges.

3. Consistent standards of reporting are needed.

4. Thresholds should be set by institutions to reflect their own criteria for managing operating risk.

5. The Supervisory Guidance should specify that different “significance” thresholds would be acceptable for external data, as compared to those used internally.

6. The Supervisory Guidance should allow banks to determine the most effective way to use external data in their AMA models.

7. The Banking Agencies should confirm consortium data confidentiality and data scaling to support development of external operational loss data.

8. All defendable risk mitigation should be recognized to the extent that it offsets risk exposure.

9. Specific quantitative requirements should be avoided.

These concerns are discussed in greater detail below.

1. The distinction between credit and operating losses should be based upon industry practices, not regulatory dictates.

There are several issues related to distinguishing between credit and operational losses. Current definitions of credit losses include losses due to a breach of contract between the borrower and the bank. Treatment of errors or losses related to a credit product, but caused by a third party or an unknown party could be categorized as an operational loss, not a credit loss. The facts of the situation will dictate the treatment and banks should be allowed to make that determination. Of particular concern to banks would be trying to distinguish the difference for losses with high frequency but low severity. Perhaps the best examples of this are credit card fraud losses. The burden to change the treatment of these types of losses from industry practices to regulatory dictates would likely result in undue expense – and no benefit – for the bank.

In fact, there may be no need to separate credit and operational losses for these high-frequency, low-severity events. The loss is already included in expected losses. Certainly, we acknowledge that separating components of credit product losses by operating risk or credit risk does become an issue on low-frequency, high-value events, such as on checks backed by a home equity line of credit. Removing expected losses from regulatory capital considerations might help resolve any ambiguity between credit and operating losses, particularly given that expected losses are likely to be addressed by appropriate pricing of products (see the next section). Bank case management systems readily handle the normal, small magnitude losses that can be confused between operating and credit losses. Regulators should rely on industry practices to distinguish between credit and operating losses.

2. Expected losses should not require capital charges.

The proposed new Capital Accord (until the recently proposed change) would have required banks to hold capital against all expected losses. We have expressed in previous comment letters on the Basel proposals that this requirement should be eliminated. In this regard, we note that in its statement of October 11, 2003, the Basel Committee indicated that it changed its proposal and will treat expected and unexpected credit losses differently, with the capital requirement focusing on unexpected credit losses, not expected credit losses – a change long advocated by the banking industry. Consistent with this policy change, we believe that expected operating losses should similarly be treated separately from unexpected operating losses.

Operational losses are part of normal, everyday business. While not anticipated individually (or else they would be avoided), they are anticipated in aggregate. Banks cover these costs in reserves and the prices for individual products. Therefore, there is no need for supervisory capital to be charged against the expected costs.

For credit risk exposure, the Basel Committee has now recognized that offsets in the form of reserves, product pricing and future margin income can make capital requirements unnecessary. The logic is no different for operating loss exposure. While more attention has been given to offsets for credit, as compared to operating loss exposures in the past, this does not justify differing treatment. Many institutions, particularly the AMA banks, are now formalizing structures for reserves and product pricing offsets for operating risks, and therefore warrant the same treatment as for credit loss exposure.

The key for operating losses, just as for credit losses, is the institution’s ability to defend its offsets, subject to supervisory review. If a bank can demonstrate to examiners that it has covered expected losses, for credit or operational risk, in reserves, product pricing, future margin income, etc., then it should not be subject to additional capital penalties.

3. Consistent standards for reporting are needed.

The ANPR and the Supervisory Guidance appear to require that operational loss data should be recorded consistent with Generally Accepted Accounting Principles (GAAP). This seems consistent with the idea that regulatory capital addresses the tangible risks that can be accounted for uniformly across all institutions. Limiting the scope of operational loss data to those reported in the general ledger seems reasonable to promote uniform treatment. Such consistent treatment is the only way to provide meaningful benchmarking. In fact, this is the current reporting approach taken by the ABA ORC data consortium. Only actual losses are to be submitted; no estimates are to be reported. If specific reserves or accruals are actually booked to the general ledger, the amount can be reported, then updated with the actual amount when it is known.

It should also be recognized that the exact point in time that a loss occurs is rarely definitive. There can be a long lag between an initial event that could indicate loss and final actual loss. At some point in between, the financial consequences are typically recognized. Further, potential offsets (such as self-insurance), make the reconciliation of the loss database to the general ledger difficult. Of course, timing of events and recognition of losses are always an issue. The important principle is to have consistent standards for reporting financial information, whether for operating loss or any other financial transaction. We encourage banking regulators to work with accounting standard setters in coordination of regulatory and accounting requirements. If the regulators were to require different treatment for recognition of operating losses, it would inevitably lead to lengthy interpretation of their own rules.

While we agree that the reporting of operational losses should be consistent with GAAP – despite the challenges enunciated above – there is an additional issue of concern to the industry. Most banks wait until the reserving event to recognize a loss financially. However, recent interpretations by the Financial Accounting Standards Board are moving GAAP away from reserves for credit losses that are not specific to individual events. This interpretation can prevent banks from booking the operating loss under unallocated reserves. On the other hand, operating losses by their very nature are not linked to specific reserves. Thus, the new interpretation is making it harder for banks to book and reconcile operating losses. In fact, the Banking Agencies have just filed a comment letter on the American Institute of Certified Public Accountants’ (AICPA’s) proposed new treatment of unallocated reserves strongly urging the proposal be abandoned. This issue remains open until the question of any change in GAAP is resolved.

4. Thresholds should be set by institutions to reflect their own criteria for managing operating risk.

We agree that thresholds are needed so that meaningful operational losses are identified for risk measurement and management purposes. Our Committee believes that a prudent approach would be for each institution to set its own internal thresholds relative to its own operations, subject to supervisory review. An institution should be able to demonstrate the appropriateness of its threshold to the banking agencies. This is more management oriented and tailored to the individual institution’s business. Of course, aggregated external data typically requires a consistent threshold, but it must be recognized that a bank may choose to have a different internal threshold that best suits its own risk management systems.

We would note that most errors and other operational loss events are so trivial that collecting figures on their costs would be excessively burdensome. Banks will, therefore, pick thresholds that will provide the detail required to effectively manage operational risk but will also avoid the collection of untold minutia of data. As such determinations are likely to be different for different banks, specific guidelines from the agencies should be avoided in favor of flexibility with appropriate justification by institutions as to why the threshold was set as it was.

5. The Supervisory Guidance should specify that different “significance” thresholds would be acceptable for the external data, as compared to those used internally.

It is certainly possible – and reasonable – for an institution to use a lower threshold for internal purposes than would be provided to an external benchmarking effort, such as ABA’s data consortium. This would appear to create a conflict if an institution uses its own lower thresholds for its AMA but intends to benchmark using data from the consortium based on higher thresholds. However, institutions will be able to statistically adjust for differences in their own AMAs, and thereby not undermine the usefulness of the external data. Therefore, the Supervisory Guidance needs to specify that the Banking Agencies will accept different thresholds as

appropriate to different institutions – yet nonetheless accept higher common thresholds for the external data from the consortium. It would be inappropriate to set an external data standard for all banks based on the lowest level set by an individual institution for its internal use. Doing so would impose huge costs with no material benefit to the risk management within institutions that believe a higher threshold is appropriate for their business and operations.

6. The Supervisory Guidance should allow banks to determine the most effective way to use external data in their AMA models.

External data can be very useful in helping a bank manage its risk. The ANPR appropriately allows flexibility as to how AMA models can use external data. Flexibility is important because integrating external data into an AMA model in a useful manner will be very difficult, requiring scaling for a wide variety of factors related to product lines, control environment, and scale of activity. Moreover, the integration of such data is highly experimental and its value, as yet, unproven. In some cases, external data and information may not be available or may not accurately represent the bank’s risk. Good business practices, suited to the particular institution should be the guiding principle for regulatory oversight of external data in AMA models.

We note that other questions remain, which would most appropriately be addressed in Pillar 2. These include:

• What constitutes “relevant” external loss data?

• Will relevance mean within the same business line as opposed to from a bank of the same size?

• How will the supervisors determine that an institution has surveyed an “appropriate set” of external data?

• Should data be scaled domestically or internationally?

• How will the supervisors uniformly compare data in various consortia and public databases?

7. The Banking Agencies should confirm consortium data confidentiality and data scaling to support development of external operational loss data.

We believe that data consortia, like the ABA’s ORC, are important for benchmarking purposes and fostering convergence in the methodologies for measuring and managing operational risk. Privacy and confidentiality are critical to achieving bank participation in data reporting consortia. To foster these collection efforts and to facilitate the participation of banks in providing operating loss data, it is critically important that the Banking Agencies clearly establish in writing the confidentiality of such data collection and aggregation.

The ABA’s ORC has gone to great lengths to protect the confidentiality of information provided for benchmarking. Each reporter must sign a confidentiality agreement and agree to safeguards for data security and integrity. Moreover, loss data presented in any summary report prepared by the ABA are masked and scaled, thereby protecting disclosure of the raw data. The source data remains the confidential and proprietary property of the submitting bank. None of the participants have direct access to the loss data contained in the database except through summaries prepared by ABA.

Because of the confidentiality concerns, ABA’s consortium does not collect descriptive information about individual loss events. Without such information, the potential applications for scenario testing are more limited. Therefore, in order to encourage robust scenario testing, protection of confidentiality is vital and regulatory acknowledgement of this and support for ways to protect this information are needed.

In part to assure data security, the ABA’s ORC found it necessary to scale figures reported by its reporting institutions. Scaling is appropriate for a wide variety of factors related to product lines, control environment, and the scale of activity and can be easily adapted for comparative analysis. The Supervisory Guidelines should clearly indicate acceptance of scaling.

8. All defendable risk mitigation should be recognized to the extent that it offsets risk exposure.

The restriction proposed in the Supervisory Guidance that institutions may reduce their operational risk exposure results by no more than 20 percent to reflect the impact of risk mitigants is arbitrary and does not promote the use and development of risk mitigation. In fact, it may actually lead institutions to choose risk-mitigation programs that are less than optimal. Certainly, we acknowledge that exposure cannot be reduced by 100 percent of policy coverage because not all claims get paid and there are often added litigation costs. Our committee recommends eliminating the 20 percent limit and focus on addressing the issues of extent and certainty of coverage and solvency. For example, institutions should be allowed to use a probability of payment, justified by historical data and including added litigation costs.

Moreover, the Supervisory Guidance provides that an institution’s AMA model can consider insurance to offset losses – but only if the provider is an A-rated insurance company. However, some banks self insure or acquire insurance from a captive insurance company. This captive or self-insurance clearly can mitigate losses, and credit for this coverage should be provided. Understandably, the Banking Agencies are concerned about the ability of the captive or self-insurance to pay off claims. However, if a captive or self-insurer can demonstrate that its claims-paying ability is up to the standards of a rated insurance company, then its protection should also be factored into the AMA model. Even an insurer with less than an “A” rating provides risk mitigation. While it may provide relatively less than the A-rated carrier, the offset should be recognized in the AMA model.

Further, to foster enhancements in risk mitigation, the Banking Agencies should clearly articulate that all forms of risk mitigation will be considered as can be justified by the institution.

9. Specific quantitative requirements should be avoided.

There are several provisions in the ANPR that require quantitative support (e.g., for assumptions about correlations among operations losses across business lines) and an analytical framework to estimate an institution’s operational risk exposure. An institution should be responsible to demonstrate the appropriateness of its assumptions. A particular concern of our bankers is that regulators will apply the methodology or analytical framework used by one or more institutions as the “appropriate” or “minimum” standard that should apply to all institutions. A one-size-fits-all framework could not possibly work, given the diversity of activities and risk management approaches that exist. Thus, how an institution demonstrates the appropriateness of its assumptions should be within the purview of the institution, and regulatory mandates or specific quantitative requirements should be avoided. Given the wide scope of operational risks, the inherent unpredictability of operational losses, and the current lack of sufficient historical data, such requirements are unreasonable.

Similarly, true testing and verification of certain elements of the operational risk framework will not be possible until several years of experience have been acquired. Only with sufficient historical information can control mechanisms be evaluated, leading indicators confirmed, accuracy of quantitative methods assessed, and appropriateness of a qualitative adjustment for the current environment be evaluated. Some institutions with decentralized operations would find many of these requirements particularly challenging. The agencies should allow for databases to evolve and become more sophisticated. The bottom line is that flexibility is required and specific quantitative tests and requirements should be avoided. The goal is to encourage good operational risk management, and this should not be driven by arbitrary standards.

III. Specific Responses on Key Questions of Concern

The proposed Supervisory Guidance lists 33 supervisory principles for use of the AMA framework. The ABA’s ORC member banks were asked to review those 33 supervisory principles and to rank them on a scale of 1 to 3, with 1 being “low concern” and 3 being “high concern.” While most of the supervisory principles were not of major concern to the ORC members, five scored over 2.00, and so pose significant issues. These include, in order of concern, S 29, S 28, S 30, S12 and S 31. Additionally we would think that principles scoring 1.75 or more warrant attention, including S 20, S 23, S27, S 32, S 9, S 24 and S 25. The average score appears in parentheses on each supervisory principle.

S 01. The institution’s operational risk framework must include an independent firm-wide operational risk management function, line of business management oversight, and independent testing and verification functions. (1.25)

ABA’s ORC bankers believe in general that they already meet this principle. Care must be taken so that the term “independent” in the operations risk management function does not lead to added requlatory requirements.

S 02. The board of directors must oversee the development of the firm-wide operational risk framework, as well as major changes to the framework. Management roles and accountability must be clearly established. (1.50)

ABA’s ORC bankers believe that banks will be able to meet this requirement.

S 03. The board of directors and management must ensure that appropriate resources are allocated to support the operational risk framework. (1.56)

Our committee members believe that they have appropriate and adequate resources for this function (assuming, of course, that regulatory requirements are not excessively burdensome).

S 04. The institution must have an independent operational risk management function that is responsible for overseeing the operational risk framework at the firm level to ensure the development and consistent application of operational risk policies, processes, and procedures throughout the institution. (1.25)

ORC bankers believe in general that they already meet this principle.

S 05. The firm-wide operational risk management function must ensure appropriate reporting of operational risk exposures and loss data to the board of directors and senior management. (1.25)

ORC bankers are confident they will be able to meet this requirement.

S 06. Line of business management is responsible for the day-to-day management of operational risk within each business unit. (1.00)

This appears to be the industry practice to require that managers within the business areas be responsible for the day-to-day management of operational risk.

S 07. Line of business management must ensure that internal controls and practices within their line of business are consistent with firm-wide policies and procedures to support the management and measurement of the institution’s operational risk. (1.25)

As indicated by the relatively low score, ORC bankers believe that their internal controls are monitored and determined to be consistent between business lines and the firm-wide policies and procedures.

S 08. The institution must have policies and procedures that clearly describe the major elements of the operational risk management framework, including identifying, measuring, monitoring, and controlling operational risk. (1.25)

This issue is of very low concern, although several of the ORC members indicated that this is an ongoing and evolving process.

S 09. Operational risk management reports must address both firm-wide and line of business results. These reports must summarize operational risk exposure, loss experience, relevant business environment and internal control assessments, and must be produced no less often than quarterly. (1.75)

There is a somewhat higher level of concern about this supervisory principle that arises from uncertainty about the term “relevant business environment.” Additionally, for banks with a decentralized structure, aggregating and quantifying operational risks across the enterprise will be difficult and will be an evolving process.

S 10. Operational risk reports must also be provided periodically to senior management and the board of directors, summarizing relevant firm-wide operational risk information. (1.50)

Again, this appears to be an evolving process, and there is wide expectation that operational risk reports would become more formalized and complete.

S 11. An institution’s internal control structure must meet or exceed minimum regulatory standards established by the Agencies. (1.13)

This is uniformly perceived as already being met.

S 12. The institution must demonstrate that it has appropriate internal loss event data, relevant external loss event data, assessments of business environment and internal controls factors, and results from scenario analysis to support its operational risk management and measurement framework. (2.19)

The ABA’s ORC banks are participating already in a program to meet this standard. However, members expressed some concern about the term “relevant external loss data” and believe that it is an institution’s responsibility to make such a determination, consistent with industry practices and appropriate support for the particular application (discussed in Nos. 4, 5, and 6, above). As noted in No. 7 above, scenario testing may be limited if there is no assurances of confidentiality of descriptive information for individual loss events that may be collected as part of any outside data collection and benchmarking effort.

S 13. The institution must include the regulatory definition of operational risk as the baseline for capturing the elements of the AMA framework and determining its operational risk exposure. (1.13)

There is consensus that this has already been done. However, there was some concern raised related to the recognition of risk of litigation. It may well be that institutions will settle nuisance or baseless lawsuits for insignificant sums of money in order to put closure to the action and reduce legal costs. This could be considered a cost of doing business, and clarification regarding these actions versus the risk of litigation should be made.

S 14. The institution must have clear standards for the collection and modification of the elements of the operational risk AMA framework. (1.25)

Institutions understand that they will need to justify the assumptions that underpin their AMA framework and any changes that may be required. Regulatory flexibility is once again extremely important, as the modeling will clearly change as experience is gained, as economic and business conditions require, and as risk management procedures and methodologies improve.

S 15. The institution must have at least five years of internal operational risk loss data captured across all material business lines, events, product types, and geographic locations. (1.63)

Each institution should determine what constitutes the appropriate business lines, events, geographic locations and product types to be captured for effective risk management. Institutions understand that they will need to justify these judgements. Flexibility is required, however, as questions will inevitably arise. For example, several members suggested that data would be available for key lines of business but would not be currently available for the entire organization. Some members also asked if the geographic location includes international operations, since the current data reporting project only includes domestic locations.

Overall, the concern is relatively low to meet this standard, as long as supervisory approval is granted to allow for a shorter period, such as three years, which was suggested in the ANPR.

S 16. The institution must be able to map internal operational risk losses to the seven loss-event type categories. (1.00)

ABA’s ORC bankers believe that they already meet this principle.

S 17. The institution must have a policy that identifies when an operational risk loss becomes a loss event and must be added to the loss event database. The policy must provide for consistent treatment across the institution. (1.00)

Committee members believe that they already meet this principle. As noted above (No. 3) regarding GAAP accounting, the exact point in time that a loss occurs is rarely definitive, as there are timing issues between an initial event that could indicate loss and final actual loss. Offsets make the determination difficult as well. The important principle is to have consistent standards for reporting financial information.

S 18. The institution must establish appropriate operational risk data thresholds. (1.38)

See No. 4 above for a complete discussion on thresholds.

S 19. Losses that have any characteristics of credit risk, including fraud-related credit losses, must be treated as credit risk for regulatory capital purposes. The institution must have a clear policy that allows for the consistent treatment of loss event classifications (e.g., credit, market, or operational risk) across the organization. (1.50)

While we agree that the institution should have a clear policy across the institution, we suggest that there be flexibility for the institution in recognizing certain losses as either credit or operational losses. This is especially true in regards to retail credit products and related losses. (See No. 1 above for a more complete discussion.)

S 20. The institution must have policies and procedures that provide for the use of external loss data in the operational risk framework. (1.88)

ABA’s ORC bankers feel confident that they can meet this supervisory standard, provided that the regulators permit scaling of data. In the ORC data reporting project, data are currently scaled based on gross domestic income and assets (and, in fact, participants provide full-time-equivalent employess, FTEs, and other metrics for potential future use). This is done both to make the data comparable among institutions and for data security. We believe that the Supervisory Guidance should explicitly state that the scaling approach is acceptable and that more than one method of scaling could be adopted. (See No. 7 above.)

S 21. Management must systematically review external data to ensure an understanding of industry experience. (1.63)

ORC members believe that they can meet this supervisory standard. However, the challenge for institutions will be to determine what would be considered an “appropriate set” of external data that best facilitates the effectiveness in managing operational risk (see No. 6 above.)

S 22. The institution must have a system to identify and assess business environment and internal control factors. (1.50)

The ORC members will have such a system. However, for some banks in a decentralized operating environment, the challenge will be in assessing the risks and aggregating them.

S 23. Management must periodically compare the results of their business environment and internal control factor assessments against actual operational risk loss experience. (1.88)

Again, comparison of the business environment and internal control factor assessments against actual risk loss experience in a decentralized operating environment may be a challenge, as stated above under S 22.

S 24. Management must have policies and procedures that identify how scenario analysis will be incorporated into the operational risk framework. (1.75)

Given the limitations of outside data and the expected evolution of explicit modeling, concern was expressed regarding uncertainty as to how scenario analysis will weigh into the capital model and its impact on the overall capital charge. Limitations due to confidentiality concerns on external data and its impact on scenario analysis should be considered here (see No. 7 above). Some bankers thought that examples would be helpful as they consider the appropriate method to incorporate scenario analysis.

S 25. The institution must have a comprehensive operational risk analytical framework that provides an estimate of the institution’s operational risk exposure, which is the aggregate operational loss that it faces over a one-year period at a soundness standard consistent with a 99.9 percent confidence level. (1.75)

The 99.9 percent confidence level as a minimum standard appears overly conservative. Certainly, the current state of the art may not enable a meaningful estimate of risk exposure at this confidence level, and given the wide scope of operational risk and the inherent unpredictability of operational losses, it may never be possible to meet this requirement.

S 26. Management must document the rationale for all assumptions underpinning its chosen analytical framework, including the choice of inputs, distributional assumptions, and the weighting across qualitative and quantitative elements. Management must also document and justify any subsequent changes to these assumptions. (1.63)

ORC bankers believe in general that they already meet this principle.

S 27. The institution’s operational risk analytical framework must use a combination of internal operational loss event data, relevant external operational loss event data, business environment and internal control factor assessments, and scenario analysis. The institution must combine these elements in a manner that most effectively enables it to quantify its operational risk exposure. The institution can choose the analytical framework that is most appropriate to its business model. (1.88)

Many comments in the previous section address this concern. Our members anticipate meeting this standard, although the process may not be straightforward. The flexibility to choose the analytical framework that is most appropriate to an institution’s business model is the appropriate approach and emphasizes good business practices rather than arbitrary restrictions and requirements.

S 28. The institution’s capital requirement for operational risk will be the sum of expected and unexpected losses unless the institution can demonstrate, consistent with supervisory standards, the expected loss offset. (2.25)

As discussed in detail above in No. 2, the ABA objects to the inclusion of expected losses in capital calculation.

S 29. Management must document how its chosen analytical framework accounts for dependence (e.g., correlations) among operational losses across and within business lines. The institution must demonstrate that its explicit and embedded dependence assumptions are appropriate, and where dependence assumptions are uncertain, the institution must use conservative estimates. (2.38)

As is discussed in detail in No. 9 above, we have serious reservations concerning the ability of any institution to collect sufficient data to defend correlation assumptions. Given the sparse data available, explicit and objective determinations are not always possible. Instead we recommend that heuristic and qualitative experience should be allowed as bases for the required correlations.

S 30. Institutions may reduce their operational risk exposure results by no more than 20% to reflect the impact of risk mitigants. Institutions must demonstrate that mitigation products are sufficiently capital-like to warrant inclusion in the adjustment to the operational risk exposure. (2.25)

As noted in No. 8 above, our members believe that the limitation on risk mitigation to no more than twenty percent is simply arbitrary and capricious on the part of the Banking Agencies. Keeping the floor on risk mitigation so low may force institutions to use programs that are less protective than otherwise. Our banks understand that exposure cannot be reduced by one hundred percent of policy coverage because not all claims get paid and that there are often added litigation costs. However, rather than imposing an arbitrary floor, the Banking Agencies should focus on addressing the issues of extent and certainty of coverage and solvency.

Additionally, the guidelines do not seem to allow using captive insurance coverage as risk mitigation. Captive or self-insurance with due diligence and coverage from reinsurance companies should be allowed, as discussed above in No. 8. The regulation should provide flexibility, allowing for recognition of other risk mitigation products that emerge in the future.

S 31. Institutions using the AMA approach for regulatory capital purposes must use advanced data management practices to produce credible and reliable operational risk estimates. (2.06)

There are several requirements built into this standard, including the ability to factor in adjustments related to risk mitigation, correlations, and risk assessments. This may prove to be difficult for decentralized operating environments as well as the issues surrounding correlations as noted in S 29.

S 32. The institution must test and verify the accuracy and appropriateness of the operational risk framework and results. (1.88)

ORC bankers believe in general that they already meet this principle.

S 33. Testing and verification must be done independently of the firm-wide operational risk management function and the institution’s lines of business. (1.63)

ORC bankers believe in general that they already meet this principle.

Conclusion

The shared goal among banks and the Banking Agencies is to have effective risk management practices in place and appropriate amounts of capital to support the risk that is assumed by each institution. We believe the best way to accomplish this is to allow institutions to determine which combination of elements is appropriate to assess and manage operational risk within their institutions. Banks understand that they must defend the assumptions that underlie their methodologies. This approach is management oriented, reflects an individual institution’s business, and is consistent with a principles-based regulatory approach.

Moreover, flexibility is critical as risk-management practices – including analytical techniques and use of risk-mitigants – are evolving and will improve as experience is gained. Arbitrary standards would fail to meet the test of time and should be avoided.

Lastly, addressing concerns over confidentiality of external data will help to foster convergence in the methodologies for measuring and managing operational risk and facilitate more scenario testing.

We appreciate the opportunity to comment on this important issue.

Sincerely,

James Chessen
Chief Economist
American Bankers Association
Washington, DC