via email
RMA Working Group
on Operational Risk Regulation Comment Letter on the ANPR and DSG on
Operational Risk Regulatory Capital
I. Introduction
In June 2003, the RMA1 formed
the RMA Working Group on Operational Risk Regulation (the Working Group)
for its members and the attendees of the Operational Risk Management
Discussion Group2 to examine and contribute to the
development of bank regulations that deal with operational risk. As its
first task, the Working Group commented to the Basel Committee on Bank
Supervision and to the U.S. Bank Regulatory Agencies (the Agencies) on
the treatment of the Advanced Measurement Approach (AMA) in the Third
Consultative Document (CP3) of the New Basel Capital Accord (the
Accord).3
Now, the Working Group is pleased to
submit this letter on the related Advanced Notice of Proposed Rulemaking
(ANPR) and Draft Supervisory Guidance (DSG) in response to the request
for comment from the Agencies.
This letter is divided into seven more
sections that deal with:
• General Issues of clarity,
force and scope, and principles that should govern the regulation's
present form and future evolution;
• Transition and Timing Issues
surrounding the introduction of the proposed regulation;
• Governance and Organization
Issues concerning the role of the Board vis-à-vis senior management
and the definition of independence of the risk management function;
• Data Issues including scope,
reconciliation, thresholds, relevance and evolving approach;
• Capital Estimation and other
Analytical Issues including offsets for risk mitigation,
reductions for correlation and diversification, indirect losses, the
differences amongst methodologies, and the exclusion of expected
operational losses;
• Issues regarding Supervisory
Practices and Regulatory Developments, including home host country
issues and alternatives to the AMA; and
• Conclusion.
The Working Group hopes that this comment
letter proves useful to the Agencies as they work to finalize their
regulatory proposal and associated supervisory guidance.
II. General Issues
Increasing Specificity and
Prescriptiveness5 The final form of the regulation should
contain far fewer mandatory rules for well-managed banks.
The ANPR contains many more specific
prescriptions than CP3. For example, the ANPR:
• requires the internal control
environment to exceed "Agency minimum standards." This is a new
requirement that is unclear;
• suggests additional fields to be
maintained for large losses in loss event databases:
• Where loss is reported and expensed
• Discovery date of the loss
• Event end date
• Management actions
• Adjustments to the loss amounts
• Product type;
• requires quantification, with
documentation of model rationale and assumptions for expected loss
(EL), even when it has been budgeted and/or reserved for;
• requires risk mitigation for
insurance only, not other securities products, as was implied under
CP3; and
• requires additional data maintenance
practices to track losses when the impact is across multiple business
lines.
Where the ANPR or the DSG needs to be
specific and a rule is appropriate, it is helpful to make that rule as
clear as possible. However, the Working Group believes there should not
be so many mandatory rules and much of what is being prescribed should
be left to management judgment and oversight.
Ambiguities and Inconsistencies The
DSG in particular needs to be clarified extensively to reduce
repetitiveness and internal inconsistencies, and definitions are needed
for many key concepts in the ANPR and DSG.
The relationship between the two
documents, and their relationship to CP3 and to principles of regulation
and supervision is obscure. Although the ANPR states that the DSG is
meant to explain more fully the material in the ANPR,6 that
is not always the case.
In the DSG in particular, several
subjects are treated more than once in language that is not always
consistent. Redundancies should be removed. Many undefined terms are
used in different contexts in different ways, making their meaning
uncertain. More definitions are needed.7
These aspects of the current drafts make
it hard to judge for example whether the balance between flexibility and
fixed requirements is right, or the balance between supervision and
regulation is appropriate – two of the questions on which the regulators
have asked for comment.
Future Changes The regulation
should be clear that future evolution will generally be toward more
principles-based guidance and that change will be introduced gradually,
to avoid undue implementation costs.
The Working Group is concerned about the
timing, scale and direction of future change in the regulation and
supervisory practices that are covered by the ANPR and the DSG in the
years ahead. It is widely believed in the industry that the new Accord
will be obsolete before the ink is dry and senior regulators have said
they expect it to evolve – to be “evergreen.” 8
As we develop more specific knowledge in
the industry about sound practices in operational risk management, the
AMA should not become ever more prescriptive. It would be far preferable
if it evolved toward a more principles-based and less rules-based body
of guidance. Principles tend to be more durable than specific rules;
their wider applicability can enhance fairness; their relationship to
fundamental public policy imperatives establishes their legitimacy more
clearly than any relatively unsupported enumeration of rules. In any
event, the pace of change should generally be moderate and measured and
set a balance between introducing improvements in a timely manner and
limiting compliance costs to a reasonable level.
III. Transition and Timing Issues
During a planned transition to Basel
II, regulation should allow banks to combine the AIR-B approach for
credit risk capital with the BIA or the SA for operational risk.
Unlike their counterparts in other
nations, the U.S. Agencies propose to implement the new Basel Capital
Accord without offering the options of the Basic Indicator Approach (BIA)
and the Standardized Approach (SA). The U.S. banks concerned will
implement the Advanced Internal Ratings-Based Approach (AIR-B) for
credit risk. The Working Group recognizes that banks should implement an
approach to operational risk at the same time, because the AIR-B covers
credit risk alone: there is no “gross-up” for operational risk as exists
under the current framework. Therefore, as currently proposed, these
banks have no choice and must implement the AMA as they implement the
AIR-B.
The Working Group believes that this may
prevent timely opting in by borderline banks that expect to be ready for
AIR-B but not as ready for AMA.
Operational risk management and
measurement is at a much earlier stage of development than credit risk
management and measurement. There are significant open issues such as
the relative value of internal data vs. external data vs. scenario
analysis, and methodologies for converting external data into something
usable internally. For this reason, some well managed banks have taken
the very defensible strategic decision to develop their operational risk
management capacity at a measured pace.
Therefore, regulators should allow banks
a transition period during which they might use the AIR-B approach to
estimate credit risk capital and the BIA or the SA for calculating
operational risk regulatory capital. This transitional arrangement
should be subject to certain conditions:
• The bank should comply with the
finalized DSG sections titled “Corporate Governance” and “Operational
Risk Management Elements”;
• The bank should have a
well-articulated implementation plan for the AMA to which they are
committed;
• The bank is capturing internal
operational risk data, and effectively using internal data, external
data, business environment and internal control factor assessments,
and scenario analysis in the management of operational risk throughout
the bank.
This would establish that the bank had a
well-developed approach to measuring and managing operational risk and
was on track to adopt AMA in a reasonable timeframe.
The Working Group understands that the
BIA and SA are not accurate measures of operational risk and that, used
for any protracted period, they could distort incentives. This is why
the Working Group supports only their temporary use. Still, for a period
of a few years, with a clear end point, the Working Group believes that
the benefits that arise from wider use of the AIR-B far outweigh the
negatives associated with the temporary and limited use of the BIA and
SA.
The Working Group considers it is
important to ensure the incentives for opting into Basel II encourage as
many banks as possible to do so now and in the future.
Timing Following the recently
announced delay in finalizing the Accord internationally, the
implementation end date should be put back at least six months.
Following the October 2003 announcement
by the Basel Committee that it would postpone finalization of the Accord
for six more months, implementation should also be delayed by a similar
period, to allow banks time to make the necessary investments in people,
processes and systems to achieve compliance.
IV. Governance and Organization Issues
Board and Management Oversight
The regulation should not mandate the exact manner in which the Board of
a bank is involved in determining operational risk management policy,
organization or implementation.
Unlike CP3, which was flexible in
defining the respective roles of the Board of Directors and senior
management9 in their oversight of operational risk
management, the ANPR requires formal Board of Director approvals of the
framework. The Working Group believes this is not necessary. It should
be sufficient for senior executive management to review and approve the
operational risk management framework to assure its scope and approach
is appropriate, and that it is well implemented and properly audited.
Then periodic updates to the Board can give the Board the opportunity to
give overall guidance and support. The Working Group believes the
adequacy of Corporate Governance should be evaluated under Pillar II.10
Independent Firm-wide Operational Risk
Management Function The regulation should more clearly define
independence.
The Working Group supports the idea of
Firm-wide Operational Risk Management Function independence. The
Operational Risk Management Function, Internal Audit and Compliance
should have independent reporting lines and performance objectives. This
is a prerequisite for Internal Audit and Compliance making objective
determinations about the effectiveness of the Operational Risk
Management Function. However, in the interests of efficiency, it is
important that these three functions be free to coordinate certain
aspects of their activity such as their development of standards,
criteria and tools for assessing, identifying, measuring and monitoring
risks. And it should be permissible for the analysis of the Audit and
Compliance functions, such as audit scores, to be used by the business
units and the Operational Risk Management Function in the assessment and
management operational risks.
The definition of independence used in
describing the relationship of the operational risk management function
to other parts of an institution should apply to purpose, reporting
structure and scope of activity but permit cooperation in ways that
would add to efficiency.
V. Data Issues
Definition of Operational Risk:
Scope of Legal losses Regulation should exclude plaintive costs
in operational losses.
The proposed definition of operational
risk includes “...the exposure to litigation from all aspects of an
institutions activities”. 11 This would include all
litigation exposures, which the Working Group believes is inappropriate.
The term ‘exposure to litigation’ implies
that the institution is a defendant in a legal action. However,
technically this is not necessarily the case – ‘exposure to litigation’
could also include costs incurred by the institution as plaintiff. The
Working Group believes it should be explicitly stated that those
plaintiff-incurred costs not be considered as an operational risk.
The proposed definition would also seem
to include settlements of baseless lawsuits as operational risk losses.
As many times these settlements are made to control costs or to maintain
customer relations, these would be more appropriately labeled business
or strategic risks.
Definition of Operational Risk:
Boundary Issues Between Credit and Operational Risk Guidance
related to the classification of loss events should be clarified.
The proposed rules are unclear when
applied to retail credit products.12 In some institutions,
losses associated with the fraudulent use of credit cards or the
fraudulent use of homeowner equity lines of credit via a check have
traditionally been treated as operational losses, as opposed to credit
losses, because of their check/draft-like features. The Working Group
believes that this treatment should remain appropriate, and that the
guidance related to the classification of loss events should take such
events into account.
Loss Event Reconciliation
Regulation should not generally require operational loss data be
reconciled to the general ledger.
The definition and nature of operational
risk losses should be clarified. Currently, operational risk losses must
be “...recorded in the institution’s financial statements consistent
with Generally Accepted Accounting Principles (GAAP)”.13 Our
concern is that this not be construed as requiring a reconcilement to be
performed between all of an institution’s loss data and the general
ledger. Many operational risk losses do not get posted to the G/L as
discrete items, particularly in trading businesses. Requiring
reconcilement of general ledger information with operational risk data
would severely impact the quantity of usable loss data in certain
business lines. The supporting information for the loss is often found
in the narrative of the incident description as opposed to in a G/L
posting document. And operational losses should be dated at the time of
the event, even if the loss is accrued in the G/L over some extended
period. The Working Group believes that many loss event database items
will often, by their very nature, not be reconcilable to the general
ledger.
Loss Event Data Thresholds
Regulation should require thresholds be set so that enough loss event
data is collected for AMA modeling.
The proposed regulatory standard for loss
event data thresholds should be based on the required functions of the
data. Currently, one of the requirements of loss data “....capture a
significant proportion of the institution’s operational risk losses”.14
Given that the data will be used for risk measurement purposes in some
manner in an AMA model, a better standard would be to state that the
thresholds should provide data sufficient to perform this function.
External Data Regulation should
require management to review relevant external data of admissible
quality, but allow banks leeway to apply sound judgment in dealing with
issues like applicability and scaling.
The guidance on the use of external data
needs strengthening. Clarity should be provided under Supervisory
Standard 21 on expectations relating to systematic review of external
data to ensure an understanding of industry experience. The Working
Group suggests incorporating language in this section acknowledging that
effective use of relevant external data is in the early stages of
development and that ongoing dialog during implementation is
appropriate.
In addition, to meet the external data
requirements, institutions have initiated a number of consortia and
third party vendor efforts. Greater direction from the agencies
regarding external loss data collection requirements would help to
ensure that the data collected and distributed by the consortia are
similar in quality, to avoid potential gaming through selective
incorporation of external data.
VI. Capital Estimation and other
Analytical Issues
Risk Mitigation Regulation
should not restrict the offset for risk mitigation to 20% of capital.
The 20% ceiling on the amount of capital
that can be offset by insurance appears arbitrary. The qualitative
criteria necessary for insurance to qualify as a capital offset are
particularly restrictive. The ceiling is a disincentive for financial
institutions to utilize all the protection that may be available from
insurance and other risk mitigants. The Working Group believes the size
of any capital adjustment for insurance should not be restricted to 20 %
but should be based on the quality and extent of insurance protection
provided.
The Working Group also believes that
insurance provided by captive insurers should be allowed for a capital
adjustment provided qualitative criteria are met.
Finally, regulations should provide
flexibility, allowing for recognition of other risk mitigation products
that emerge in the future. So, for example, securities products and
other capital market instruments that are determined to be effective
risk mitigation tools should be permissible offsets to operational risk
regulatory capital requirements..
Correlation Regulation should
allow capital reductions for correlation and diversification wherever
there is a strong argument for assuming such effects are material, even
if it is not a statistical argument.
It is important that the standard for
establishing correlation and diversification is reasonable. Generally,
the Working Group believes that insufficient data will be available to
estimate correlations across business lines and event types
statistically. Most assessments of correlations and the effects of
diversity will be made from qualitative reasoning based on the
underlying nature of the risks. The Working Group suggests the final
regulatory language recognize that a sound qualitative judgment will be
necessary and sufficient. Reasonable assumptions and inferences from
institutions that are actively working to improve their understanding of
available risk data should be acceptable.
It is important that overly conservative
criteria not be applied regarding correlation assumptions so that banks
using more risk-sensitive “bottoms-up” approaches to the quantification
of capital are not penalized.
Opportunity Costs Regulation
should not permit indirect losses and opportunity costs to be taken into
account in calculating capital.
The ANPR requests comment on whether
indirect losses (for example, opportunity costs) should be included in
the definition of operational risk against which institutions would have
to hold capital. The Working Group opposes consideration of indirect
losses such as opportunity cost in the definition of operational risk.
Issues would emerge relating to the accuracy of measurement, uniformity
in application, and immaturity of the data collection process that would
compound an already complicated task.
Alternative Approaches during
Transition Regulators should accept that equally valid but
different methodologies may be used by different institutions.
The Advanced Measurement Approach (AMA)
grants institutions considerable leeway in how they construct
operational risk capital models, provided certain standards are met. The
Working Group believes this is particularly appropriate given the
nascent stage of operational risk measurement. For example, the proposed
regulation implicitly allows great latitude in sources of external data
and its use. This makes a great deal of sense.
However, this flexibility may lead
different institutions to produce significantly different capital
estimates in relation to comparable operational risks. With only a
little over two years to achieve AMA compliance, institutions would
appreciate a statement in the regulation to the effect that, within
reason and at least for a period, the Agencies were willing to accept
this possibility; that, late in the day, they will not insist on
institutions adopting the methodologies that lead to particularly high
operational risk capital charges.
Expected Loss Regulators should
require only unexpected operational losses to be covered by regulatory
capital for any bank where expected operational losses are consistently
treated as an operating cost.
Supervisory Standard 28 requires capital
for operational risk to be the sum of expected and unexpected losses
unless the institution can demonstrate, consistent with supervisory
standards, the expected loss offset. The Working Group believes the
capital charge for operational risk should represent unexpected losses
only. Further guidance is needed on how banks are expected to
demonstrate to regulators that they have the appropriate coverage for
expected losses. Expected losses for operational risk typically are
budgeted and factored into the pricing for products and services.
The Basel Committee recently indicated
expected losses will not be included in credit risk capital. To be
consistent, we recommend this approach also be adopted for operational
risk capital too.
VII. Supervisory Practices and
Regulatory Issues
Flexibility The regulation
should set clear standards on supervisory flexibility.
Supervisors should be able to take the
circumstances of individual institutions into account – for example, in
making reasonable, fair adjustments to the timetable for implementing
AMA, depending on an institution’s recent history, or in adjusting
capital adequacy levels to reflect unusual levels of diversification or
concentration in its businesses or portfolios. However, they should
treat like institutions in like manner where their circumstances are
broadly the same. Moreover, this should be true regardless of which
country or Agency the supervisors come from so that, when confronted
with similar institutions in similar situations, supervisors apply the
same principles and reach similar conclusions. And, most certainly,
Agencies should be consistent in the way they apply supervisory
principles throughout the United States.
In general, the Working Group believes
the flexibility on standards needs to be explained more clearly. One way
to do this is to explain them in terms of universal basic principles and
then discuss the degree of flexibility in their interpretation. If
that’s the approach, then it is helpful to understand if there are
guidelines as to how supervisors should use their flexibility.
Alternatively, flexibility could be articulated in terms of two sets of
standards: those that apply universally; and those that apply only in
specific defined circumstances. For example, it would be useful for the
“must have” standards and criteria for compliance labeled as such and
spelt out in the DSG, so the costs and challenges of implementation
could be better understood.
The absence of a clear articulation of
where and how flexibility might be exercised in either the ANPR or the
DSG makes it hard to assess the flexibility of the proposed rules.
Roles and Responsibilities of
Supervisors Regulation should clearly delineate the respective
roles of the different US financial supervisory bodies.
The interpretation and implementation of
Sarbanes-Oxley, Basel II, FIDCIA and other legislation and regulation
should be coordinated to remove potential duplications and
contradictions, saving compliance costs.
Currently, it is unclear what the roles
of the Fed, OCC, FDIC, NASD and SEC will be in supervision of
operational risk management. Where there are differences in
interpretation between agencies, how will they be resolved? How will the
SEC lead role in assessing operational risks of bank broker dealer
businesses be coordinated with the federal bank regulator supervision of
operational risk management overall? How will the supervisory
interpretation of governance standards in Sarbanes-Oxley and the ANPR be
reconciled and applied?
The banking and other regulatory agencies
concerned should expeditiously review overlaps in their rules and
regulations flowing from recent and established law and regulatory
initiatives. It would be helpful if the language of the DSG and that of
other agency rules and regulations could be normalized. It is important
that the roles, responsibilities and scope of action of the various US
supervisory bodies be clarified prior to the finalization of the DSG.
This would reduce unnecessary regulatory burden and greatly help
affected institutions plan their implementation of the necessary changes
in the systems, organization and processes.
Home/Host Country Rules For
operational risk as well as credit risk, the home country supervisor
should generally set capital standards for internationally active Bank
Groups.
Provided the home country supervisor acts
in accordance with international supervisory standards established by
the Basel Committee, the home country supervisory should set standards
for the measurement of risk and the estimation of capital requirements
for the entire Bank Group and host country supervisors should accept a
top-down allocation scheme for apportioning capital to the separate
national and legal entities within the Group.
This is consistent with the Basel
Concordat and the Core Principles of Banking Supervision enunciated by
the Basel Committee in earlier documents. So an institution’s home
country supervisor, and not any of its host country supervisors, should
generally:
• determine the adequacy of an
institution’s capital in relation to it operational risk profile;
• assess an institution’s internal
methodologies for calculating operational risk and allocating
associated capital;
• approve an institution’s use of
advanced methodologies under Basel II;
• decide whether to require an
institution to hold regulatory capital for operational risk in excess
of the minimum called for under Basel II and, if so, what the
appropriate level of regulatory capital should be;
• establish “target” ratios for
supervisory action against an institution, which may be greater than
the minimum called for under Basel II;
• decide whether, and if so how, to
intervene to prevent capital from falling below required levels; and
• require action by an institution to
restore its capital in the event it falls below the minimum
requirement.
In any event, with regard to the
estimation of capital required in national and legal subsidiary
entities, it will often be impossible to make independent capital
estimates, entity by entity and, therefore, it is critical that a
top-down allocation approach be generally permissible.
Alternatives to AMA The
Agencies may wish to consider a simpler alternative to
setting operational risk management capital
standards.
Given the US regulatory decision to
forego either of the less rigorous alternatives to AMA in the their
implementation of Basel II, the Agencies may wish to consider something
significantly different to AMA before committing to final
implementation.
One alternative that has been recently
articulated was published in December last year as the “New General
Approach to Capital Adequacy.”15 That approach proposed that
regulators guide banks in their development of proposals for capital
adequacy levels not by setting rules of calculation but by creating
strong and clear incentives for banks to make their best faith efforts
independently. It focused less on how capital levels should be estimated
and more on the results and consequences.
That approach was framed as an
alternative for setting capital standards for all types of risk. But
there is no reason why it should not be applied, perhaps in the first
instance, just to operational risks. Indeed, the New General Approach
was based on a similar 1996 proposal developed just for market risk.
Applying it to a single area of risk seems quite feasible and it may,
therefore, provide an alternative that the Agencies should consider
seriously.
VIII. Conclusion
A risk-based approach to setting capital
adequacy standards will make America's banking system more competitive
and stable. The Working Group would be very happy to discuss and expand
on its comments with the Agencies at their convenience to support that
goal.
The Working Group wishes to thank the
Agencies for the opportunity to comment.
___________________________________________
[8]
In his testimony before the Committee on Banking, Housing, and Urban
Affairs, U.S. Senate June 18, 2003, Federal Reserve Vice Chairman Roger
Ferguson' said, "...Basel II could evolve as best practice evolves and,
as it were, be evergreen."
See page 45904, “Boundary Issues” 2nd paragraph.
See page 45978, Section III, 3rd paragraph.
Attachment 1
The Risk Management Association
Working Group on Operational Risk Regulation Members
Marty Blaauw
Operational Risk Manager
Union Bank of California
Richard Campbell
Senior Vice President,
Operational Risk Methodology and Capital Allocation
Wachovia
Tim Elliott
Vice President, Operational Risk Management
Comerica
Robert W. Jones
Director, Operational Risk
FleetBoston
Kristine Keusch
Vice President, Operational Risk
Comerica
Roland K. Ojeda
Senior Vice President, Operational Risk
BankWest Corporation
Patrick O’Neill
Head of Operational Risk, Americas
BNP Paribas
Garry K. Ottosen
Vice President, Operational Risk Measurement
Washington Mutual Bank
Anupam Sahay
Vice President, Enterprise-Wide Risk Solutions
KeyBank
Tara Heuse Skinner
Vice President, Corporate Strategy
Synovus
James Stoker
Vice President, Operational Risk Analytics
Suntrust Banks
Charles Taylor
Director, Operational Risk
The RMA
Sandeep Vishnu
Partner
Malvern Partners
| 
