|
November 3, 2003
FINANCIAL GUARDIAN GROUP
Office of the Comptroller of the Currency
250 E Street, S.W.
Public Information Room, Mailstop 1-5
Washington, D.C. 20219
Attention: Docket No. 03-14
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429
Attention: Mr. Robert E. Feldman
Reference: Comments
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, N.W.
Washington, D.C. 20551
Attention: Ms. Jennifer J. Johnson
Reference: Docket No. R-1154
Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, N.W.
Washington, D.C. 20552
Attention: No. 2003-27
Dear Sir or Madam:
The Financial Guardian Group (FGG) is pleased to comment on the
interagency advance notice of proposed rulemaking (ANPR) that would
implement the new Basel Capital Accord in the United States. The FGG
represents the interests of specialized U.S. banks particularly
concerned with the proposed new capital charge for operational risk. We
appreciate that the U.S. operational risk proposal does not include the
basic-indicator or standardized options, and we are grateful that the
U.S. has worked hard to win approval of the advanced measurement
approach (AMA) for inclusion in Basel. However, even this approach is
deeply flawed if employed as a regulatory capital charge instead of a
guide to effective risk management and bank supervision. The FGG
strongly supports Basel's and the ANPR's objective of comparable, truly
risk-based international capital standards. However, we urge U.S.
regulators to advance this goal by deleting from the rule the proposed
capital charge for operational risk and addressing it in the U.S. and
Basel rules through a meaningful, enforceable supervisory standard.
Unless or until the regulatory understanding of operational risk catches
up with the knowledge of credit risk reflected in many major
improvements proposed in the ANPR, a regulatory capital charge will -
contrary to the agencies' best intentions - increase systemic risk,
create perverse incentives for risk-taking and result in undue
competitive harm.
We have noted with considerable interest efforts underway both in
Basel and the U.S. to focus the risk-based capital (RBC) rules on
unexpected losses, not expected ones. We concur with those who have
argued that expected loss (EL) is amply and adequately addressed through
future margin income and reserves and that RBC should focus solely on
unexpected loss (UL). Doing so - which would be a major improvement in
both the Basel rules and the ANPR - would make even more inappropriate
the proposed Pillar 1 capital charge on operational risk. EL in
operational risk can and should be treated, as with credit risk, as an
expense, and covered by revenues, earnings or reserves. To the degree
any methodological agreement exists with regard to operational risk, it
is on EL. There is simply no agreed-upon methodology to measure UL in
operational risk or to determine how mitigants against UL should be
counted in RBC - a sharp contrast to accepted methodologies for
recognizing credit enhancements and other ways to set expected loss. We
continue to oppose the proposed limit on recognizing insurance as a
mitigant in the AMA, precisely because it is among the best ways to
mitigate UL and the restriction proposed creates a perverse incentive
against effective risk mitigation.
The FGG is appreciative of sections in the ANPR that explore the wide
range of potential problems with the operational risk-based capital (ORBC)
charge, and we are particularly grateful for the request for a Pillar 2
alternative to the proposed Pillar 1 charge. In this letter, we outline
such an alternative, and we look forward to working with you to address
any questions it may raise in the next round of U.S. action on the Basel
rules.
We also appreciate the questions in the ANPR regarding the potential
economic and market impact of the Basel rules in the proposed U.S.
standards. We believe the ORBC charge creates serious economic costs
above and beyond those associated with the Basel rules as a whole, and
this comment provides evidence to that effect. Based on this analysis,
we believe the proposal would in fact trigger the requirements for
Office of Management and Budget review pertaining to rules with
significant economic impact. Congress will doubtless also be deeply
concerned with those aspects of the rule that unnecessarily impose undue
direct or indirect costs, which could be passed on to consumers and harm
U.S. financial industry competitiveness.
Executive Summary
The following are the key points raised in this comment letter, which
supplements these policy recommendations with research and data as
appropriate:
• An array of experts - including the BIS's own committees, the
Comptroller of the Currency, and the Federal Reserve Banks of Chicago,
Richmond and San Francisco, question whether operational risk can be
accurately quantified or effectively offset by a regulatory capital
charge. The supervisory objective of improved operational risk (OR)
management can be better advanced through meaningful, enforceable
supervisory standards for which banks at home and abroad are held
accountable.
• The ORBC charge would be a net cost to U.S. banks due to the
proposed retention of the leverage and risk-based capital thresholds for
supervisory action, making it still more difficult to craft an improved
risk-based capital regime that covers all U.S. banks, not just the
largest ones. The proposed bifurcated approach to Basel will result in
numerous market disruptions and potential risk to the FDIC.
• The Basel rules in general and the operational risk-based capital
charge in particular have significant economic impact. The revisions to
the credit risk-based capital standards are, in broad terms, an
appropriate and necessary cost because of the need to improve the
relationship between regulatory and economic capital. Thus, to the
degree that risky credits bear more regulatory capital, these costs are
appropriate and offset by the reduction in capital for low-risk assets.
However, the ORBC charge could cost U.S. banks $50 - 60 billion without
any positive benefit and with many negative implications.1 Proposed
limits on benefits from the advanced models and re-qualification for
ultimate full recognition of any capital reductions unnecessarily
increase cost and undermine the worthy purpose of the overall Basel
rewrite.
• The Pillar 1 ORBC charge would increase, not reduce risk. There is
no agreed-upon calculation for operational risk, especially catastrophic
risk. The costly charge would divert resources from proven forms of
operational risk mitigation - contingency planning, redundancies,
controls and procedures, insurance, etc. Proposed implementation in the
U.S. of an additional ORBC charge for "indirect" losses would exacerbate
all of the quantitative and competitiveness problems with the existing
proposal.
• The ORBC charge will impose an unnecessary competitive cost on U.S.
banks, especially specialized ones that compete against non-banks in key
lines of business. The charge will also adversely affect international
competitiveness because foreign regulators can apply the advanced
measurement approach in ways that - intentionally or not - advantage
their institutions without any improvement in operational risk
management and mitigation.
• Recognition of future margin income and reserves is appropriate for
operational risk, but this should be done in Pillar 2. A proposed Pillar
2 supervisory plan for operational risk is provided. The U.S. should
advance this improved Pillar 2 in a multilateral fashion through the
Basel Committee, not issue separate guidance solely for the U.S.
• The ANPR does not get the desired balance right between the
flexibility of the advanced measurement approach and supervisory
consistency. As a result, the proposal effectively implements the Basel
"standardized" ORBC charge in the U.S., with all the problems that it
presents.
I. Background
The FGG has long supported Basel II's goal of a three-pillar approach
to effective bank supervision and we appreciate its incorporation in the
ANPR. However, we believe that including operational risk in Pillar 1
(regulatory capital) rather than Pillar 2 (supervision) undermines
balanced supervision. The goals of improving bank operational risk
management and internal capital allocation are best served through a
substantial improvement in Pillar 2 with regard to operational risk,
supplemented by appropriate Pillar 3 disclosures. A Pillar 1 capital
charge for a risk that the BIS's own Risk Management Group and Committee
on the Global Financial System agree cannot be defined or accurately
measured has already distracted significant industry and supervisory
resources from urgently needed improvements.2 An operational risk-based
capital charge - even with the proposed improvements in the AMA - will
deter improvements in qualitative operational risk management. The goal
of "comparability" - that is, comparable regulatory standards across
institutions and national borders - is best met through Pillars 2 and 3,
not an arbitrary Pillar 1 capital charge with unintended adverse
consequences for the competitive viability of specialized institutions
that choose to operate as U.S. banks.
The BIS's own committees are not the only ones that find a Pillar 1
capital charge problematic for operational risk. Numerous commenters -
including the Federal Reserve Bank of San Francisco and the Federal
Reserve Bank of New York's Foreign Exchange Committee have also noted
serious problems with a quantitative approach to operational risk.
Indeed, the Federal Reserve Bank of Chicago filed a comment with the
Basel Committee on the second consultative paper making clear the
numerous problems with the proposed version of ORBC - problems not
corrected despite the progress represented by the AMA.3 The Federal
Reserve Bank of Richmond also filed a comment noting that operational
risk can be "[a] difficult risk to quantify and can be very
subjective."4 The Federal Reserve Bank of San Francisco has noted, "[a]
key component of risk management is measuring the size and scope of the
firm's risk exposures. As yet, however, there is no clearly established,
single way to measure operational risk on a firm-wide basis."5 The
Foreign Exchange Committee concluded that "[u]nlike credit and
market risk, operational risk is very difficult to quantify."6
The Comptroller of the Currency has also spoken out on the problems
of operational risk. In a speech to the Institute of International
Bankers, Comptroller Hawke stated that "[a] one-size-fits-all approach
to operational risk - such as a formulaic capital charge based on some
percentage of gross revenues or a percentage of the charge for credit
risk - while simple to apply, would disadvantage the best managed banks
and provide undeserved advantage to the worst managed. Worst of all, it
would provide no incentive to improve internal control systems."
7
These OCC and Federal Reserve conclusions are buttressed by academic
research. A Cambridge University study determined that "...no data now
exists for evaluation of operational risk events similar to Barings,
Daiwa or LTCM. The possibility of effectively pooling such data across
institutions seems unrealistic for many years to come and is
statistically invalid without further research."8 A study by Charles Calomiris and Richard Herring states, "[p]rivate insurance and process
regulation would be more effective than capital requirements for
regulating operational risk."9 Finally, we would draw your attention to
a Group of Ten report which found "[t]he term `operating risk' is a
somewhat ambiguous concept that can have a number of definitions ...
operating risk is the least understood and least researched contributor
to financial institution risk."10
Getting regulatory capital right is essential because capital is a
main driver of pricing, profitability and, therefore, franchise value. A
Stanford University study with Nobel Prize-winner Joseph Stiglitz among
its authors concludes, "[s]ince holding capital is costly, the
per-period profits of the bank are lower, certeris paribus, when bank
capital increases. Thus, increasing the amount of capital held by the
bank has two effects: the positive bonding effect and the negative
franchise value effect." 11 Similarly, Moody's Investors Service notes
that "holding excessive levels of capital will impair the financial
performance of a bank and thereby impact upon its competitiveness."12
The
importance of regulatory capital drives the various arbitrage efforts
that have rightly sparked Basel and U.S. regulators to get the balance
between regulatory and economic capital better through the proposed
revisions. Indeed, if regulatory capital didn't matter - as some
agencies have suggested in testimony and other forums - the entire
costly and hard exercise of the Basel II process would be solely an
academic model-building convention held over many years in numerous
nations. Basel and the ANPR rightly recognize the critical importance of
regulatory capital and the need to align it closely to economic capital.
Setting a regulatory charge before there is wide agreement on economic
capital - which would occur if the ANPR on operational risk were
implemented - would undermine the goals of Basel, not enhance them.
A quick example points to the critical importance of getting
regulatory capital right. Following the adoption of Basel I, commercial
paper backup revolvers with a 365 day or greater term became almost
prohibitively expensive, because the Basel 1 capital rules require that
capital be held against such facilities. Conversely, pricing became
ultra-competitive for facilities with a term of less than one year,
since Basel 1 did not require capital for such structures. Of course,
unlike lines of business like asset management, unregulated, non-banking
institutions do not compete in this market. As a result, unrestrained by
the need to conform pricing to levels set by unregulated competitors,
pricing for revolvers stabilized at levels determined by the regulatory
capital requirement of the banking industry providers. It is unclear
what the effect of the capital regime would have been if banks were
competing with non-banks at the time. This uncertainty makes it
imperative that Basel II is correct before it is implemented.
II. Overall Capital Framework
A. Bifurcated Regulatory Capital
The FGG believes that a Pillar 2 approach for ORBC would ease the
disruptions resulting from the proposed bifurcated approach, creating a
positive incentive for more U.S. insured depositories to opt-in to the
Basel rules and, therefore, to bring their own internal systems and risk
management up to the more sophisticated requirements rightly mandated by
the U.S. for use of the various advanced credit risk requirements.
We urge the U.S. regulators to come up with revisions to risk-based
capital suitable for all insured depositories, not just the nation's
largest banks. Smaller banks and savings associations are key players in
many markets - including the specialized ones of concern to the FGG -
and they should thus benefit from risk reductions through lower
regulatory capital or pay for risk increases in the same manner as
larger institutions. The costly failure of Superior FSB in 2001 in part
because regulatory capital was not sufficient for complex residuals
points to the importance of focusing regulatory changes on creating an
effective, workable, and coherent regulatory capital framework for all
insured depositories, not just a select few.
B. Leverage and "Well-Capitalized" Thresholds
The ANPR states that OR was implicit in the Basel I Accord, which
included a "buffer" to account for it and other non-credit risks. With
the AMA, the ANPR says no such "buffer" is required because no implicit
risks remain in the regulatory capital charge. Of course, interest-rate
risk, liquidity risk and many others remain without a specific
regulatory capital charge. We would refer to the "supervision-by-risk"
framework rightly used by all of the agencies and note the many
specified risks in it for which no Pillar 1 capital charge is proposed.
13 Many of these risks - interest-rate risk, of course, but also
liquidity and foreign-exchange risk - are quantified daily, in sharp
contrast to operational risk, but only OR is included as a new charge in
the ANPR.
The agencies in fact appear to recognize that a "buffer" remains
important because of the proposed retention of the unique U.S. leverage
capital standards, as well as the use of 10% as the risk-based capital
criterion for eligibility as a "well-capitalized" financial holding
company or insured depository. The FGG believes that the ORBC
requirement is proposed to "top off" U.S. capital requirements for
low-risk institutions to ensure that the ongoing leverage and risk-based
capital standards appear relevant. In fact, these standards are
anachronistic and should be abolished, especially if a Pillar 1 ORBC
charge is retained. With these standards in place and a new ORBC charge
mandated, the overall cost of the Basel rules rises so high as to create
undue economic cost and unnecessary competitive damage. Given that U.S.
banks - in sharp contrast to EU ones - compete every day against firms
outside the bank capital rules in key lines of business, these costs are
particularly inappropriate and excessively burdensome.
The proposed retention of the leverage and well-capitalized standards
creates particularly serious problems for specialized banks which will
not benefit from the significant reductions proposed for low credit-risk
assets. Attached to this comment is a table based on publicly-available
information that shows that the effect of the Pillar I ORBC charge is to
reduce significantly the "excess" capital held by specialized banks.* The
capital ratios for these banks could be lowered by one percent to almost
four percent - a major impact with the ten percent standard in mind - in
some cases very near to the regulatory minimum. Banks adversely affected
by this add-on capital charge would remain wellcapitalized by all
non-regulatory market judgments, but they could still be subject to
extreme sanctions - loss of their financial holding company privileges,
for example. As a result, the ORBC charge atop the leverage and current
risk-based capital thresholds widens the disparities between economic
and regulatory capital, instead of bringing them as closely as possible
together - the goal, of course, of the entire Basel II exercise and of
the ANPR.
Quite simply, the U.S. rules must drop the leverage standard and
readjust the well-capitalized one to reflect the fact that some banks
will in fact be very well capitalized at far different ratios than now
apply. Failure to drop these arbitrary ratios - especially if the ORBC
requirement remains in Pillar 1 - would seriously undermine the goals of
the ANPR and the larger policy interests served by alignment of
regulatory and economic capital.
III. Economic Consequences of an ORBC Charge
As the table noted above makes clear, the ORBC charge will have
significant implications for specialized banks, with each of those noted
bearing capital costs well in excess of $100 million based on the best
calculation possible using the more simple ORBC methods proposed in the
Basel document. The consulting firm Mercer, Oliver Wyman has estimated
the cost of compliance per bank to be between $50-200 million. 14 As a
result, we believe the $100 million threshold for determining if a
regulatory action requires review by the Office of Management and Budget
is clearly met.
Due to the complexity of the AMA, there is no reliable ways to assess
its impact on individual institutions, let alone the economy as a whole.
However, the third quantitative impact survey (QIS3) makes clear that
the ORBC charge is a significant cost to large banks, with the survey
finding the net impact of ORBC is a 13% increase in capital that offsets
reductions otherwise achieved under the sophisticated advanced models
proposed in the ANPR for credit risk. Based on the $477 billion held as
regulatory capital by the top twenty five U.S. banks, 15 an increase of
13% in regulatory capital would cost U.S. banks approximately $62
billion. Given the proposed retention of the leverage and
well-capitalized test - as well as the limits on recognizing ANPR
benefits - any offsetting credit RBC reductions are, at best,
hypothetical over time and unlikely at the outset of the new rules.
The overall economic cost of the ORBC requirement increases still
further when the cost of the capital requirement is translated into the
larger economy. Insured depositories of course leverage capital into
lending and related activities. Thus, the $62 billion cost of the ORBC
requirement will reduce the amount of lending and investment banks can
do, adversely affecting individual and corporate customers through
reduced credit availability and/or higher funding costs.
IV. Perverse Incentives
Despite the improvements made through the AMA in Basel's third
consultative paper and the proposal in the ANPR, the FGG believes that a
Pillar 1 capital charge for operational risk will increase - not reduce
- systemic risk and the risk an individual institution will be
ill-prepared for serious operational risk. We see this because:
• many of the world's biggest banks will count ORBC based on the
gross-income method remaining in the Basel proposal, creating potential
systemic risk;
• the AMA does not address the perverse incentive issue because
regulators will benchmark it to the standardized approach.
Fundamentally, there is no agreed-upon definition of OR nor any
widely-accepted way to measure it. Thus, supervisors and institutions
will be forced to use untested benchmarks (likely linked to gross
income). As discussed below, we do not think the ANPR has balanced the
need for "flexibility" with that for "consistency," resulting in
potential implicit application of the CP3 gross-income derived ORBC
charges; and
• ongoing problems in the AMA - notably failure to recognize
operational risk mitigation - will lead banks to neglect proven ways to
reduce operational risk, putting themselves and financial markets at
undue risk. A Pillar 2 approach with meaningful, enforceable supervisory
standards focusing on proven forms of OR mitigation would be a
significant contribution to the financial system, particularly at this
time of heightened concern about unpredictable OR resulting from
terrorist attack.
This conclusion is echoed in the aforementioned Kuritzkes and Scott
study which states, "[r]elative to effective management controls and
insurance, capital is at most a second-best mechanism for protecting
banks against the consequences of [operational risks]. But perversely to
the extent that a minimum level of OR capital is required - as
contemplated under Basel II - then capital can actually serve as a
deterrent to reducing operational losses." 16
A. Failure to Recognize Risk Mitigation
The FGG appreciates that the ANPR, like CP3, would recognize
insurance in the AMA. However, the strict criteria necessary for
eligibility may force insurance into a few structures provided by a
limited number of insurers. This could concentrate risk in a few
counterparties, resulting in systemic risk if severe OR events occur. We
understand the regulators' desire to permit ORBC reductions only for
insurance structures that will quickly and certainly compensate a bank
for loss, but specific Pillar 1 standards for insurance eligibility
could actually increase, not reduce, OR.
The proposed 20% limit on reductions in the AMA capital calculation
for insurance also creates a perverse incentive. Banks may well reduce
their purchases of insurance, especially the most costly - and therefore
most needed - kinds because of limited regulatory capital recognition of
this costly form of OR mitigation. As noted, the FGG believes that
insurance - even with acknowledged limitations - is a proven form of
risk mitigation. It should thus be fully recognized in the AMA to create
a positive incentive for risk mitigation. Judging by the CP3 comment
letters posted on the BIS' website, this position has strong support
throughout the industry and among regulators. In its comment letter on
CP2, the Federal Reserve Bank of Chicago recommended that capital
reductions for mitigation of operational risk be permitted "wherever
banks can demonstrate that risk exposures are materially reduced." It
also warned that excessively narrow definitions for what methods are
permissible impedes the development and application of risk mitigation
techniques in the banking industry and undermines "the very purpose of
banking supervision and regulation." 17 The Federal Reserve Bank of San
Francisco notes, "[w]ith respect to operational risk, several steps can
be taken to mitigate such losses. For example, damages due to natural
disaster can be insured against. Losses arising from business
disruptions due to electrical or telecommunications failures can be
mitigated by establishing redundant backup facilities. Losses due to
internal reasons, such as employee fraud or product flaws, are harder to
identify and insure against, but they can be mitigated with strong
internal auditing procedures." 18 Similarly, in its comments on CP3, the
New York State Banking Department recommended the Basel Committee
recognize the use of risk mitigants such as contingency plans. 19
B. Contingency Planning, Back-Up Facilities and other OR Mitigation
We recognize that the 39-page supervisory guidance accompanying the
ANPR attempts to address in detail how the AMA would recognize various
forms of OR mitigation. However, the complexity of the document
increases the prospects that supervisors will benchmark AMA calculations
to standardized ones, discouraging banks from costly investments in
back-up facilities, contingency planning and the other operational risk
mitigants highlighted in the recent interagency white paper that makes
clear the importance of these measures.20
Since 9/11, U.S. regulators have rightly focused on all of these
proven forms of operational risk mitigation, improving systems found
lacking on that terrible day and reinforcing those that proved their
worth. However, a GAO study found that significant preparedness problems
remain. 21 Diversion of supervisory effort towards all of the
model-building, testing and validation required to assure that large
complex banking organizations comply with the proposed ORBC requirement
and the detailed supervisory guidance is, the FGG believes, a dangerous
misallocation of resources. This is especially true given the major
demands on the banking agencies to ensure that the better-understood,
but still quite complex, credit risk models that support the advanced
internal ratings-based methodology are appropriate at all of the banks
that qualify to use them.
Under U.S. law, supervisors visit all insured depositories at least
once every eighteen months and larger institutions are examined at least
every twelve months. At the same time, all very large U.S. banks have
teams of resident examiners who stay at the bank full-time to test and
re-test a wide range of risk areas to ensure there are appropriate
capital and risk management processes. When banks fail to satisfy their
examiners, the supervisors have a very broad array of remedies. These
range from the "moral guidance" cited in CP3 to specific sanctions,
cease-and-desist orders and, under extreme circumstances, bank closure
or forced sale. U.S. regulators have closed insured depositories when
they are in nominal compliance with Pillar 1-style regulatory capital
standards because of undue risk. These powers were significantly
enhanced by the U.S. Congress after the S&L crisis of the 1980s and the
banking problems of the early 1990s, in part because several very large
banks (e.g., Texas' First Republic) failed at considerable cost to the
FDIC even though they had adequate capital under then applicable rules.
Thus, U.S. regulators have full powers to ensure ample OR capital and
management, while foreign supervisors may permit wide variance from
appropriate practice if nominal compliance with an arbitrary capital
charge occurs. As a result, some very large global banks may be sadly
unprepared for operational risk, especially catastrophic risk, because
back-up facilities and contingency planning have been ignored by banks
and their supervisors in favor of the Pillar 1 capital charge.
C. Catastrophic Risk
We are concerned that the U.S. regulators have decided to follow the
Basel Committee in reversing the treatment of catastrophic risk. In the
instructions accompanying the QIS 3, the Basel Committee stated that
capital should not be assessed for catastrophic events that lie beyond
the scope of any regulatory capital regime.22 We applauded this approach
and concur with the findings of a second Cambridge University study
which notes that "[c]apital is an expensive form of self-insurance and
is ill-suited to protecting against very low-probability, high-impact
risks."23 Further, Moody's Investors Service noted just last month that:
"[t]he only protection [against low-frequency high-severity loss events]
is through multiple layers of effective management and control."24 It is
unfortunate that this sensible approach has been abandoned by both the
Basel Committee and the U.S. banking agencies.
One major objection to the AMA - as well as to any regulatory OR
capital charge - has been the problem of modeling and quantifying
9/11-type risks. The GAO recently noted this difficulty stating:
"Experts we contacted said such analyses [of the frequency and severity
of terrorist attacks] were extremely difficult because they involved
attempts to forecast terrorist behavior, which were very difficult to
quantify."25 Capital is particularly irrelevant in the face of
catastrophic risk such as nuclear blasts, bio-terror or similar
tragedies. These risks are so unexpected and, potentially, so large that
banks - like society as a whole - will be forced to rely on the
ingenuity and heroism that distinguished the financial system after the
collapse of the World Trade Center. Importantly, what limited loss then
was not regulatory or even economic OR capital, but contingency
planning, disaster preparedness and back-up facilities - none of which
is fully recognized in the AMA in part because there remains no accepted
method to define or measure OR to take full account of risk mitigation.
As KPMG notes, "[a] risk sensitive Economic Capital methodology will -
ceteris paribus - reward investments in business continuity management
components with a lower capital charge."26 The FGG urges the agencies to
delete catastrophic risk should a Pillar 1 approach be included in the
final U.S. rules. However, the serious problems quantifying and
mitigating such risks argue strongly for a Pillar 2 approach, where the
proven forms of catastrophic risk mitigation can be fully credited
without the offsetting cost of an unnecessary capital charge.
V. Competitive and Customer Service Implications
A. Foreign Competitors
1. Impact of Including Legal Risk in OR
As discussed in more detail below, banks operating in the United
States generally face a far broader range of regulation outside the
banking area than their foreign competitors. This regulation covers
areas as diverse as corporate governance, lending and employment
discrimination and workplace safety. In addition, the U.S. legal system
poses the highest litigation risk of any G-10 country. As a result,
under the ANPR, U.S. banks will likely be required to set aside more
capital for operational risk than their foreign competitors. U.S. banks
will be forced to do this despite the fact that U.S. securities laws
already require reserving for material legal risks and there is no
evidence that these types of legal risks have adversely affected the
safety and soundness of any U.S. bank. As Credit Suisse notes, "firms
with significant activities in the United States could be put at a
competitive disadvantage due to the increased litigation risk resulting
from the U.S. judicial system." 27
2. Supervisory Differences
The FGG recognizes that Basel II attempts to reflect the importance
of effective supervision in Pillar 2. However, CP3 remains relatively
weak in this area and we do not believe it will encourage supervisors in
all participating nations to improve their standards and - where
necessary - back them with effective enforcement. In sharp contrast,
U.S. banks that fail the arbitrary leverage and well-capitalized tests
or the ANPR's revised RBC ones face many serious regulatory and market
sanctions. As a result, U.S. banks often hold far more regulatory
capital than foreign counterparts and they would likely continue to do
so under Basel II.
This capital difference puts U.S. banks at a competitive disadvantage
because, as discussed above, regulatory capital is a key determinant of
pricing and profitability. When the capital standards are credible,
higher capital can be offset in the market because counterparties
believe the bank is of lower risk and, therefore, a desirable provider
of various services. However, a non-credible capital charge - the Pillar
I ORBC requirement, for example - cannot be offset in the market because
counterparties derive no benefit from it. Therefore, U.S. banks will
face serious problems competing against foreign institutions under a
Pillar 1 regime.
The significant disparity between U.S. action and that in many other
nations when capital thresholds are missed means that the U.S. must take
particular care with new Pillar 1 capital standards. Our unique and
credible enforcement regime should be focused solely on regulatory
capital standards that make sense, not the proposed ORBC charge. Pillar
2 treatment ensures appropriate U.S. supervisory flexibility to address
individual bank problems without creating an arbitrary threshold
standard to which U.S. banks will be held even as foreign supervisors
permit wide variation from the Basel mark.
Similarly, the disparate application of the Accord may put U.S. banks
at a further competitive disadvantage. A recent PriceWaterhouseCoopers
study concludes that the European Union's new Capital Adequacy
Directive, would selectively implement the Basel Accord.28 This decision
creates many issues for the Pillar 1 approach to credit risk and the
disclosures mandated under Pillar 3. However, it is the relaxed
implementation of the ORBC charge that is of most concern to the FGG.
The EU is expected to "require fewer, different and apparently less
demanding [qualifying criteria for the AMA] than those specified by
Basel." We hope the U.S. regulators will work to eliminate Pillar 1
treatment of operational risk, ensuring that U.S. banks are not further
harmed by its inconsistent application.
B. Non-bank Competitors
U.S. banks often operate in major lines of business, such as asset
management, custody and payments processing services, in which they
compete head-to-head with non-bank institutions. In the U.S. - in sharp
contrast to plans in the EU - only banks will be covered by the Basel
Accord and its stringent operational risk-based capital charge. Their
non-bank counterparts will be exempt. Some U.S. regulators have
suggested from time to time that the SEC might adopt a rule comparable
to the ORBC one, but this does not appear likely. Indeed, proposed
capital standards for "investment bank holding companies" and
"consolidated supervised entities" are notable in their complete
avoidance of any comparable ORBC requirement for these very large, very
important non-bank competitors.29
This disparity will place banks at a substantial competitive
disadvantage relative to their non-bank counterparts. The
above-mentioned Credit Suisse study reports that "[r]egulated banks that
must comply with capital requirements are...placed at a competitive
disadvantage within the financial services market." This competitive
disadvantage is particularly pronounced for FGG members, which
specialize in fee-based asset management, custody and payments
processing lines of business.30 These lines of business are dominated by
non-bank institutions. For example, seventeen of the top twenty five
U.S. money managers are non-banks. 31 The competitive pressures imposed
by this disadvantage could force some U.S. banks to move these lines of
business out of the bank, or to sell these businesses, de-banking
completely. Such a development could increase systemic risk because
major institutions would operate outside bank supervision.
VI. Pillar 2 Alternative
The FGG continues strongly to recommend that the Basel Committee
address operational risk in Pillar 2. This will create a strong
incentive for improved internal controls and capital allocation, in
sharp contrast to the arbitrary Pillar 1 approach that - even with the
AMA - will result in undue regulatory arbitrage and risk-taking. We are
grateful for the request for a meaningful Pillar 2 approach to
operational risk, and appended to this letter we have provided a
detailed proposal presented in U.S. regulatory language suitable for
rapid adoption in conjunction with the credit risk sections of the Basel
Accord.
VII. Definitional Problems
Serious definitional problems remain as to OR in the ANPR, with these
problems exacerbated by the proposal to add "opportunity cost" to those
counted as operational risk. Here, we discuss the fundamental flaws in
the ORBC definition that make Pillar 1 treatment untenable. In the
section below on specific U.S. concerns on which comment is sought in
the ANPR, we note specific problems with adding opportunity cost to this
already dubious definition.
A. Lack of Agreement
Despite the proposed operational risk definition, there is wide
disagreement on how in fact it should be measured or determined. Note,
for example, the BIS's own Committee on the Global Financial System
conclusion that, "[operational, legal and liquidity] risks are more
difficult to measure than credit and market risk, and it may be
difficult to deal with them in quantitative capital rules and disclosure
standards. A more qualitative approach, focusing on risk management, may
be needed."32 We note above similar concerns from a wide range of U.S.
entities, including several Federal Reserve Banks. Standard & Poor's
agrees that a qualitative approach is needed, noting that "the lack of
consistent industry-wide operational loss data represents a large
obstacle to the development of a statistical methodology that could
carry the analysis beyond the qualitative" and that "the assessment of
OR remains essentially a qualitative analysis closely linked to the
assessment of management."33
We would also refer the agencies to the results of the Risk
Management Group (RMG) 2002 loss data collection (LDC) exercise for
operational risk. As with the 2001 exercise, the LDC is intended to
substantiate the ORBC charge. While the 2002 report shows considerable
improvement in such areas as number of participating banks and bank
confidence in the data presented, the results still show variations in
operational risk measurement and the way economic capital is assigned.
The RMG itself states that these results should be used with "caution"
and that data "does not allow identification of the business lines
and/or event types that are the largest source of operational risk."
Similarly, the RMG notes that it is "not clear the extent to which the
sample of banks in the survey was representative of the banking industry
as a whole." The data on OR losses and loss recovery are found also to
be of dubious quality due to the range of methodological problems still
dogging the LDC.34
Key points from the RMG study include:
• 89 banks in 19 countries reported, with only 63 meeting various
sample criteria that permit broad use of their data. This small number
in so many countries suggests very wide variations in data applicability
to large numbers of banks in individual countries. Data problems are
compounded by the fact that, of these 89 banks, only 32 said that the
reported data comprise all OR for all business lines. Over half of the
reporting banks said data were not comprehensive for any business line.
• There is wide variability in the number of reported OR loss
incidents (ranging from one to over 2,000), with doubts about the
validity of these data. Of the eight banks reporting 1,000 or more
incidents, only two said data were comprehensive; however, of the 35
banks reporting 100 or fewer losses, 17 said data were comprehensive.
• Data are very clustered, making it difficult to infer capital
charges either by event type or business line. For example, over 36% of
incidents were in one area: external fraud in retail banking. This is
perhaps the best understood area of OR and one for which pricing and
reserves are in place, although the ORBC charge does not permit offsets
for either. Further, this risk remains double-counted due to the credit
risk charge related to these losses. Physical and system disruptions
were only 2% of the reported incidents, but 20% of the loss (perhaps due
to the fact that 9/11 was in this year's report). Insurance related to
these losses is generally not recognized in ORBC.
• Of the 89 banks, 60 provided some data on economic capital for OR,
although only approximately 40 provided data either on OR overall and/or
on business lines. The average and median amounts of economic capital
for OR reported by the 40 banks were 15% and 14% respectively,
indicating that a large number of the banks fell within this range.
However, the full range of reported economic capital varied from 0.09%
to 41%. The average and median amounts of economic capital for asset
management were 7% and 5%, respectively - far off the charges in the
proposed standardized approach.
• Only one-third of reporting banks estimate expected OR. Data here
are most inconsistent due to different definitions of OR and other
factors.
We fail to see how a Pillar 1 ORBC charge can be deemed viable at
this time when the Basel Committee's own group assessing it has found
such wide variability and incomplete data. Even though some findings
cluster around the averages on which the basic-indicator and
standardized approaches are based, many institutions assess their
appropriate economic OR capital far differently without any indication
that these differences are unsafe or unsound. We recognize that the AMA
is intended to accommodate some of these differences, but the
fundamental lack of agreement - conceptual, methodological or even
factual - on how OR is defined or measured makes an AMA in Pillar 1
inappropriate at this time.
A recent study of 309 risk professionals - the majority of who work
for banks - confirms the industry-wide difficulties of assembling this
data.35 When asked what their greatest concerns were regarding
implementation of the new Basel Accord, over 60% of the respondents
replied that they were concerned with the lack of operational risk data
- second only to cost of compliance.
B. Treatment of "Legal Risk"
The ANPR, like CP3, would define operational risk to include "legal
risk." Page five of the supervisory guidance includes an array of
regulatory, legal and even social policy risks. The FGG believes that
including legal risk in a regulatory capital charge will have unintended
and, as discussed above, adverse-competitive consequences. We are
particularly struck by the inclusion of legal risk in the face of the
explicit exclusion of reputational risk from the definition. This is of
special note when reputational risk has in recent years proven itself a
serious one even as banks around the world continue to manage their
legal risk without any potential threat to safety and soundness.
For example, rules against nondiscrimination are unique to the U.S.
in terms of both the scope of the rules and the significant penalties
associated with them. Similarly, the U.S. has a unique tort and
environmental liability environment that subjects firms to far greater
potential costs for an array of offenses that go without cost elsewhere.
While all operational risk is difficult to quantify, these types of
legal risks are even more so. For example, two large banks have recently
been sued for their participation - over 200 years ago - in the slave
trade. How would this type of litigation risk be quantified or capital
be assessed against it? Some rule of reason clearly must apply in
judging legal risk, but none is noted in the ANPR or supervisory
guidance. It is also important to note that, within the U.S., these
types of risks can vary greatly by state and municipality. Furthermore,
legal risk is unique in that the initial estimated exposure - for which
U.S. firms are required to allocate reserves for - is often less than
expected and often not resolved for many years. Of course, insurance is
also a widely accepted - and successful - mitigant of this type of risk.
One might argue that it is appropriate for an ORBC regime to capture
greater risks for U.S. banks if they do in fact exist. However, other
requirements in U.S. law already capture the operational risks
associated with legal liability. For example, U.S. securities laws
require allocation of a specific reserve for legal costs and disclosure
of them once a publicly-traded company has determined that legal risks
pose a material challenge. There is no evidence that these reserves have
ever proved inadequate, nor is there any evidence of a bank that has
failed due to the operational risk associated with U.S.-specific legal
liability.
VIII. Specific Concerns with the U.S. Proposal
A. Flexibility
The ANPR says this will be "flexible," but then says supervisors must
ensure that institutions are "subject to a common set of standards." The
document also notes the need for consistent application and enforcement
of the AMA charge, while at the same time again emphasizing
"flexibility" and the need to encourage innovation. The ANPR also states
that supervisors are considering "additional measures to facilitate
consistency." Still more regulatory detail in the already complex and
prescriptive AMA would further undermine the already questionable
"flexibility" in the AMA. A "consistent" approach is likely to benchmark
itself against simple measures easy for institutions and supervisors to
calculate, and these in turn would likely end up the same or comparable
to the basicindicator and standardized approaches to ORBC in CP3. These
are based on gross income - a factor with absolutely no correlation to
operational risk correctly rejected by the agencies for application in
the United States. Keeping the AMA in Pillar 1, however, would likely
result in application of these highly flawed standards, with the
additional problem of wide variability from examiner to examiner that
could exacerbate the comparability and perverse incentives issues noted
above.
The ANPR is likely also to force banks to calculate ORBC on
standardized business lines, despite the fact that allocation of
activities to these lines is often arbitrary and inconsistent with
individual corporate organizations. This will essentially require banks
to keep two sets of books on OR, with one tracking the standardized
approach and the other the bank's own business structure and its
perceived actual OR. Supervisors will clearly review AMA calculations
based on the standardized business lines against the standardized
charges, and banks may have difficulty explaining lower capital
calculations under the AMA.
Banks may be forced to use one of the few approaches approved by
regulators at the outset of the Basel Accord. This will, in turn, force
ORBC calculations into a few, as yet unproven models. Should these prove
incorrect, systemic OR will actually be increased, in contrast to
reliance on more diverse systems which would not create this type of
models risk.
B. Requalification
The FGG has long opposed the proposed limits on recognition of the
advanced models in the Basel proposal, and we again express concern over
them as proposed in the ANPR. Both CP3 and the ANPR propose that banks
qualified through the onerous standards and disclosures to use the
advanced credit risk model and the AMA could hold capital no less than
90% of their current Basel I levels in the first year after
implementation and no less than 80% in the second year. This creates
little, if any, incentive for low-risk institutions to make the
substantial investments - $100 million or more for most large banks - in
all of the Basel models. Further, given the impact of the Pillar 1 ORBC
proposal, specialized banks are likely to see a net increase in overall
RBC on day one - an increase that would go into effect immediately even
as offsetting efforts to reduce risk go unrecognized. These limits make
Basel II all pain and no gain - again in sharp contrast to the
ostensible Basel goal of quick improvement in the alignment between
regulatory and economic capital.
However, the ANPR exacerbates the Basel proposal's implementation
problems. That is because the agencies propose not only to include all
of the costly and complex qualifications to use the advanced models and
the limits on benefiting from them, but also a subsequent
requalification period in the third year or thereafter. Even if a bank
had won approval to use the advanced models and done so under the limits
in the first two years, it would need to be recertified by supervisors
should the limits on Basel II recognition be dropped going forward.
Given that banks will have had an extensive supervisory review and model
verification process in advance of the initial approval to use the
advanced models, we see no point - and considerable cost to both banks
and supervisors - of the requalification process.
We would also note that a bank that in fact passes these two hurdles
- initial limited use and then requalification - could thereafter fall
off the Basel wagon and begin to vary models or capital in a fashion
that results in inappropriate capital ratios. Supervisors need to
preserve their scarce resources for the ongoing checks of Basel models
and bank decision-making required by the complex proposal, not undertake
unnecessary and costly re-approvals of already approved systems at
arbitrary times in the implementation process.
C. Indirect Loss
The ANPR suggests that the definition of OR - already very
problematic, as noted above - be expanded in the U.S. also to include
"indirect losses," such as opportunity cost. The FGG believes that doing
so would exacerbate the already grave flaws in the proposed definition
of OR and the proposal to base a Pillar 1 regulatory capital charge on
it.
It is most unclear, for example, how "indirect losses" are to be
calculated. Should a decision to forego a particular line of business
based on an ultimately unwise management decision be considered
operational risk? If so, who is to determine how much revenue was
foregone and what capital charge is appropriate against it. At what
point will management be deemed to have considered an alternative
strategy, and thus trigger a capital requirement? Currently, all
institutions pay for such risk through their profit-and-loss statements
- that is, if they don't make wise business decisions, their
profitability suffers. U. S. courts view such decisions as within the
"business judgment" protections of corporate governance standards,
rightly eschewing efforts to second guess legitimate management
decisions that prove unwise. To date, this has not been considered the
business of regulators nor an area where regulatory capital has any
role, and the FGG believes that current policy in this area should be
continued.
Indeed, as with so much else in this proposal, a capital charge for
"indirect loss" could create a perverse incentive against prudent risk
management. Often, management foregoes a line of business, investment or
particular loan due to fears about undue risk. In such cases, there can
well be an "opportunity cost," especially if management fears turn out
to be unrealized. Again, any such losses are reflected in the P&L. A
regulatory capital charge - calculated who knows how - for such "loss"
could inspire management to take undue risk to avoid a back-door penalty
in cases where fears turn out to be unwarranted and an "opportunity
cost" is determined under some model or by some regulator.
The ANPR notes that these "indirect losses" have resulted in
"substantial cost" to some institutions. Other than the ongoing success
or failure of individual bank strategic planning, we know of no cases of
losses related to indirect factors. In the list of failures occasionally
provided by the Federal Reserve to justify the Pillar 1 ORBC charge, no
indirect loss-related case is apparent.
D. Treatment of Expected Loss
As noted at the outset of this letter, the FGG does not believe that
a Pillar 1 capital charge for expected loss related to operational risk
is any more appropriate than one for credit risk. We recognize that the
ANPR proposes that the AMA recognize future margin income to the degree
that a bank can demonstrate that funds budgeted for future margin income
are "capital-like," and that "data thresholds" are not violated. We do
not understand what this means. Do supervisors propose to review line-of- business
budgets in detail on an ongoing basis to validate future margin income
calculations? What "data thresholds" are meant - correct guesses about
profitability? We know of no model against which supervisors can
validate EL expectations on which a bank anticipates future margin
income, and case-by-case determinations by supervisors on the basis
outlined in the ANPR would involve regulators in day-to-day business
decisions in an inappropriate and unnecessary fashion.
The ANPR also states that reserves cannot be recognized for
regulatory capital purposes because of problems related to GAAP.
However, reserves are an essential element of prudent banking and a very
effective offset to operational risk. Reliance on them in a sound Pillar
2 approach to operational risk presents no GAAP problems, while creating
an appropriate set of incentives for effective OR mitigation.
IX. Conclusion
For all of the reasons noted above, the FGG strongly advises U.S.
regulators to delete from future rules any Pillar 1 capital charge for
operational risk. Instead, the focus should shift at home and abroad to
an effective and enforceable set of safety-and-soundness standards to
anticipate, manage and mitigate operational risk. We stand ready to
commit significant resources to support U.S. regulators and the Basel
Committee in construction and implementation of these essential
prudential standards.
Sincerely,
Karen Shaw Petrou
Executive Director
1 Sizing Operational Risk and the Effect of Insurance:
Implications for the Basel II Capital Accord, Andrew Kuritzkes and Hal Scott, June 18, 2002. This determination assumes: Total Risk
Weighted Assets (RWA) for the U.S. banking system are approximately $5.9
trillion. The total regulatory capital requirement is fixed at 8% of RWA.
The proposed 12% calibration would imply $56 billion of regulatory
capital for operational risk. Our calculation for the top twenty five
U.S. banks - assuming the findings of QIS3 that capital is expected to
increase 13% is correct - is a cost of $62 billion (see Section III for
a more detailed explanation).
2 Credit Risk Transfer, Committee on the Global Financial System,
Bank for International Settlements, January 2003 and Sound Practices for
Management and Supervision of Operational Risk, Basel Committee on Bank
Supervision, Risk Management Group, February 2003.
3 Federal Reserve Bank of Chicago Response to BIS Capital Proposal;
Federal Reserve Bank of Chicago; May, 2001.
4 "The New Basel Accord " Second Consultative Package, January 2001;
Federal Reserve Bank of Richmond; May 30, 2001
5 FRBSF Economic Letter, Federal Reserve Bank of San Francisco,
January 25, 2002.
6 Management of Operational Risk in Foreign Exchange, The Foreign
Exchange Committee, March 2003.
7 The New Basel Capital Accord: A Status Report, Speech to the
Institute of International Bankers, John D. Hawke, Jr., March 4, 2002.
8 Operational Risk Capital Allocation and Integration of Risks, The
Judge Institute of Management, Cambridge University, Elena Medova, 2001.
9 The Regulation of Operational Risk in Investment Management
Companies, Charles W. Calomiris and Richard J. Herring, Investment
Company Institute - Perspective, September 2002.
10 Report on Consolidation in the Financial Sector, Group of Ten,
January 2001.
11 Liberalization, Moral Hazard in Banking, and Prudential
Regulation: Are Capital Requirements Enough?, Stanford University,
Graduate School of Business, Thomas Hellman, Kevin Murdock and Joseph
Stiglitz, 1998.
12 Moody's Analytical Framework for Operational Risk Management of
Banks, Moody's Investors Service, January 2003.
13 Comptroller's Handbook for Large Bank Supervision, Office of the
Comptroller of the Currency, May 2001
14 Basle II Prompts Strategic Rethinks, Euromoney, Thomas Garside and
Christian Pederson, December 2002.
15 Second quarter, 2003 data. See www.ffiec.gov.
16 Sizing Operational Risk and the Effect of Insurance: Implications
for the Basel II Capital Accord, Andrew Kuritzkes and Hal Scott, June
18, 2002.
17 Federal Reserve Bank of Chicago Response to BIS Capital Proposal,
Federal Reserve Bank of Chicago, May, 2001.
18 FRBSF Economic Letter, Federal Reserve Bank of San
Francisco, January 25, 2002.
19 CP3 comment letter, New York State Banking Department,
July 31, 2003.
20 Interagency Paper on Sound Practices to Strengthen the Resilience
of the U.S. Financial System, Federal Reserve, Office of the Comptroller of the Currency, and Securities and Exchange
Commission, September 5, 2002.
21 Potential Terrorist Attacks: Additional Actions Needed to Better
Prepare Critical Financial Market Participants, GAO 03-414, General Accounting Office, February 2003.
22 Quantitative Impact Study 3 Instructions, Basel Committee on
Banking Supervision, Bank for International Settlements, October 2002.
23 The Supervisory Approach: A Critique, The Judge Institute of
Management, Cambridge University, Jonathan Ward, 2002.
24 Moody's Says the Main Benefit of the New Basel Capita! Accord
Should be the Strengthening of Banks' Risk Culture Rather than Boost
Regulatory Capital - Which on Average is Already Adequate, Moody's
Investors Service, October 20, 2003.
25 Catastrophe Insurance Risks, GAO-03-1033, General Accounting
Office, September 2003.
26 Reaping the Rewards of Effective Business Continuity Management,
KPMG, Presentation to the Information Systems Audit and Control
Association - London, March 27, 2003.
27 Basel II Implications for Banks and Banking Markets, Credit Suisse
Economic & Policy Consulting, July 29, 2003.
28 EU Risk Based Capital Directive CAD3 -The Future EU Capital
Adequacy Framework, Financial Services Bulletin, October 2003.
29 Alternative Net Capital Requirements for Broker-Dealers
That Are Part of Consolidated Supervised Entities and Supervised
Investment Bank Holding Companies, Proposed Rules, Securities and
Exchange Commission, October 27, 2003.
30 Deep Impact - Judging the effects of new rules on bank
capital, The Economist, May 8, 2003.
31 Institutional Investor, July 2003.
32 Credit Risk Transfer, Committee on the Global Financial
System, Bank for International Settlements, January 2003.
33 Basel II: No Turning Back for the Banking Industry,
Standard & Poor's, Commentary and News, August 26, 2003.
34 2002 Operational Risk Loss Data Collection Exercise, Risk
Management Group, Bank for International Settlements, March 2003.
35 Fear and Moaning in Last Stages, Risk Magazine, October 2003.
Attachments:
1) Proposed Pillar 2 Alternative
2) Table Demonstrating Cost of ORBC for Specialized U.S. Banks
* The table can be inspected and photocopied at the FDIC's Public Information Center,
Room 100, 801 17th Street, NW., Washington, DC between 9 a.m. and 4:30
p.m. on business days.
Attachment 1
PROPOSED PILLAR 2 FOR OPERATIONAL RISK-BASED CAPITAL
The following proposed Pillar 2 for operational risk is adapted from
the Basel Committee's "Sound Practices for the Management and
Supervision of Operational Risk" and also draws heavily on the Federal
Reserve's SR 99-18. The FGG believes it outlines a comprehensive
framework for effective measurement, management and mitigation of
operational risk based on allocation of appropriate economic capital
against it. Thus, this approach ensures a comparable framework for banks
and their supervisors without the numerous hazards resulting from a
Pillar 1 ORBC requirement.
As discussed in detail in the accompanying comment letter, the FGG
believes U.S. regulators have ample ability to ensure supervisory
guidance without resort to the crude capital charge on which some
foreign supervisors feel they must rely. Numerous instances in which the
regulators have mandated significant sanctions - up to and including
closure - in cases of violations of prudential rules make this clear.
PROPOSED PILLAR 2
I. Background
While the exact approach for effective operational risk management
chosen by an individual bank will depend on a range of factors,
including its size, sophistication and the nature and complexity of its
activities, clear strategies and oversight by the board of directors and
senior management, a strong operational risk and internal control
culture (including, among other things, clear lines of responsibility
and segregation of duties), effective internal reporting, and
contingency planning are all crucial elements of an effective
operational risk management framework for banks of any size and scope.
Deregulation and globalization of financial services, together with
the growing sophistication of financial technology, are making the
activities of banks and thus their risk profiles more complex. Greater
use of automation has the potential to transform risks from manual
processing errors to system failure risks, as greater reliance is placed
on globally integrated systems. Further, growth of ecommerce brings with
it potential risks (e.g., internal and external fraud and system
security issues). Large-scale acquisitions, mergers, de-mergers and
consolidations test the viability of new or newly integrated systems,
while the emergence of banks as large-volume service providers creates
the need for continual maintenance of high-grade internal controls and
back-up systems. Banks may engage in risk mitigation techniques (e.g.,
collateral, credit derivatives, netting arrangements, and asset
securitizations) to optimize their exposure to market risk and credit
risk, but these techniques may in turn produce other forms of risk.
Finally, growing use of outsourcing arrangements and the participation
in clearing and settlement systems can mitigate some risks but can also
present significant other risks to banks.
II. Operational Risk
In sum, all of these types of risk are operational risk, which the
agencies define as the risk of loss from inadequate or failed internal
processes, people and systems or from external events.
Operational risk includes:
• Internal fraud. For example, intentional misreporting of positions,
employee theft, and insider trading on an employee's own account.
• External fraud. For example, robbery, forgery, check kiting, and
damage from computer hacking.
• Clients, products and business practices. For example, fiduciary
breaches, misuse of confidential customer information, improper trading
activities on the bank's account, money laundering, and sale of
unauthorized products.
• Damage to physical assets. For example, vandalism, earthquakes,
fires and floods.
• Business disruption and system failures. For example, hardware and
software failures, telecommunication problems, and utility outages.
• Execution, delivery and process management. For example, data entry
errors, collateral management failures, incomplete legal documentation,
unapproved access given to client accounts, non-client counterparty
non-performance, and vendor disputes.
Operational risk exists in the natural course of corporate activity.
However, failure to properly manage operational risk can result in a
misstatement of an institution's risk profile and expose the institution
to significant losses. In some business lines with minimal credit or
market risk (e.g., asset management, and payment and settlement), the
decision to incur operational risk, or compete based on the ability to
manage and effectively price this risk, is an integral part of a bank's
risk/reward calculus.
III. Keys to Effective Operational Risk Management and Mitigation
1. Role of the Board of Directors
The board or a designated committee is responsible for monitoring and
oversight of a bank's risk management functions, and should approve and
periodically review the operational risk management framework prepared
by the bank's management. The framework should provide a firm-wide
definition of operational risk and establish the principles of how
operational risk is to be identified, assessed, monitored, and
controlled/mitigated.
The board of directors should approve the implementation of a
firm-wide framework to explicitly manage operational risk as a distinct
risk to the bank's safety and soundness. The board should provide senior
management with clear guidance and direction regarding the principles
underlying the framework, be responsible for reviewing and approving a
management structure capable of implementing the bank's operational risk
management framework, and should approve the corresponding policies
developed by senior management.
2. Internal Audit
The board (either directly or indirectly through its audit committee)
should ensure that the scope and frequency of the internal audit program
focused on operational risk is appropriately risk focused.
Audits should periodically validate that the firm's operational risk
management framework is being implemented effectively across the firm.
The board, or the audit committee, should ensure that the internal audit
program is able to carry out these functions independently, free of
management directive.
To the extent that the audit function is involved in oversight of the
operational risk management framework, the board should ensure that the
independence of the audit function is maintained. This independence may
be compromised if the audit function is directly involved in the
operational risk management process. The audit function may provide
valuable input to those responsible for operational risk management, but
should not itself have direct operational risk management
responsibilities. Some banks may involve the internal audit function in
developing an operational risk management program as internal audit
functions generally have broad risk management skills and knowledge of
the bank's systems and operations. Where this is the case, banks should
see that responsibility for day-to-day operational risk management is
transferred elsewhere in a timely manner.
3. Role of Senior Management
Senior management must ensure that the board-approved operational
risk framework is implemented at all levels of the organization and that
all levels of staff understand their responsibilities with respect to
operational risk management. Senior management should also have
responsibility for developing policies, processes, and procedures for
managing operational risk in all of the bank's material products,
activities, processes, and systems.
Management should translate the operational risk management framework
approved by the board of directors into specific policies, processes,
and procedures that can be implemented and verified within the different
business units. While each level of management is responsible for the
appropriateness and effectiveness of policies, processes, procedures,
and controls within its purview, senior management should clearly assign
authority, responsibility, and reporting relationships to encourage and
maintain this accountability, and ensure that the necessary resources
are available to manage operational risk effectively. Moreover, senior
management should assess the appropriateness of the management oversight
process in light of the risks inherent in a business unit's policy.
Senior management should ensure that bank activities are conducted by
qualified staff with necessary experience, independence, technical
capabilities and access to resources to carry out their duties.
Management should ensure that the bank's operational risk management
policy has been clearly communicated to staff at all levels in units
that incur material operational risks.
Senior management should ensure that the operational risk management
framework is integrated with efforts to manage credit, market, and other
risks. Failure to do so could result in significant gaps or overlaps in
a bank's overall risk management program.
Particular attention should be given to the quality of documentation
controls and to transactionhandling practices. Policies, processes, and
procedures related to advanced technologies supporting high transactions
volumes, in particular, should be well documented and disseminated to
all relevant personnel.
4. Operational Risk Identification
Banks should identify and assess the operational risk inherent in all
material products, activities, processes, and systems. Banks should also
ensure that, before new products, activities, processes, and systems are
introduced or undertaken, the operational risk inherent in them is
identified.
Risk identification is paramount for the subsequent development of a
viable operational risk monitoring and control system. Effective risk
identification considers both internal factors (such as the bank's
structure, the nature of the bank's activities, the quality of the
bank's human resources, organizational changes, and employee turnover)
and external factors (such as changes in the industry and technological
advances) that could adversely affect the achievement of the bank's
objectives.
In addition to identifying the most potentially adverse risks, banks
should assess their vulnerability to these risks. Effective risk
assessment allows the bank to better understand its risk profile and
most effectively target risk management resources.
Amongst the possible tools used by banks for identifying and
assessing operational risk are:
• Self or Risk Assessment: a bank assesses its operations and
activities against a menu of potential operational risk vulnerabilities.
This process is internally driven and often incorporates checklists
and/or workshops to identify the strengths and weaknesses of the
operational risk environment. Scorecards, for example, provide a means
of translating qualitative assessments into quantitative metrics that
give a relative ranking of different types of operational risk
exposures. Some scores may relate to risks unique to a specific business
line while others may rank risks that cut across business lines. Scores
may address inherent risks, as well as the controls to mitigate them. In
addition, scorecards may be used by banks to allocate economic capital
to business lines in relation to performance in managing and controlling
various aspects of operational risk.
• Risk Mapping: in this process, various business units,
organizational functions or process flows are mapped by risk type. This
exercise can reveal areas of weakness and help prioritize subsequent
management action.
• Risk Indicators: risk indicators are statistics and/or metrics,
often financial, which can provide insight into a bank's risk position.
These indicators tend to be reviewed on a periodic basis (such as
monthly or quarterly) to alert banks to changes that may be indicative
of risk concerns. Such indicators may include the number of failed
trades, staff turnover rates and the frequency and/or severity of errors
and omissions.
• Measurement: some firms have begun to quantify their exposure to
operational risk using a variety of approaches. For example, data on a
bank's historical loss experience could provide meaningful information
for assessing the bank's exposure to operational risk and developing a
policy to mitigate/control the risk. An effective way of making good use
of this information is to establish a framework for systematically
tracking and recording the frequency, severity and other relevant
information on individual loss events.
5. Risk Monitoring
Banks should implement a process to regularly monitor operational
risk profiles and material exposures to losses. There should be regular
reporting of pertinent information to senior management and the board of
directors that supports the proactive management of operational risk.
An effective monitoring process is essential for adequately managing
operational risk. Regular monitoring activities can offer the advantage
of quickly detecting and correcting deficiencies in the policies,
processes, and procedures for managing operational risk. Promptly
detecting and addressing these deficiencies can substantially reduce the
potential frequency and/or severity of a loss event.
In addition to monitoring operational loss events, banks should
identify appropriate indicators that may provide early warning of an
increased risk of future losses. Such indicators (often referred to as
key risk indicators or early warning indicators) should be
forward-looking and could reflect potential sources of operational risk
such as rapid growth, the introduction of new products, employee
turnover, transaction breaks, and system downtime, among others. When
thresholds are directly linked to these indicators an effective
monitoring process can help identify key material risks in a transparent
manner and enable the bank to act upon these risks appropriately.
The frequency of monitoring should reflect the risks involved and the
frequency and nature of changes in the operating environment. Monitoring
should be an integrated part of a bank's activities. The results of
these monitoring activities should be included in regular management
reports, as should compliance reviews performed by the internal audit
and/or risk management functions. Reports generated by (and/or for)
supervisory authorities may also be useful in this monitoring and should
likewise be reported internally to senior management, where appropriate.
Senior management should receive regular reports from appropriate
areas such as business units, group functions, the operational risk
management office and internal audit.
The operational risk reports should contain internal financial,
operational, and compliance data that are relevant to decision making.
Reports should be distributed to appropriate levels of management and to
areas of the bank on which areas of concern may have an impact. Reports
should fully reflect any identified problem areas and should motivate
timely corrective action on outstanding issues. To ensure the usefulness
and reliability of these risk and audit reports, management should
regularly verify the timeliness, accuracy, and relevance of reporting
systems and internal controls in general. Management may also use
reports prepared by external sources (auditors, supervisors) to assess
the usefulness and reliability of internal reports. Reports should be
analyzed with a view to improving existing risk management performance
as well as developing new risk management policies, procedures, and practices.
In general, the board of directors should receive sufficient
higher-level information to enable them to understand the bank's overall
operational risk profile and focus on the material and strategic
implications for the business.
6. Operational Risk Mitigation
Banks should have policies, processes, and procedures to control
and/or mitigate material operational risks. Banks should periodically
review their risk limitation and control strategies and should adjust
their operational risk profile accordingly using appropriate strategies,
in light of their overall risk appetite and profile.
Control activities are designed to address the operational risks that
a bank has identified. For all material operational risks that have been
identified, the bank should decide whether to use appropriate procedures
to control and/or mitigate the risks, or bear the risks. For those risks
that cannot be controlled, the bank should decide whether to accept
these risks, reduce the level of business activity involved, or withdraw
from this activity completely. Control processes and procedures should
be established and banks should have a system in place for ensuring
compliance with a documented set of internal policies concerning the
risk management system. Principal elements of this could include, for
example:
• top-level reviews of the bank's progress towards the stated
objectives;
• auditing for compliance with management controls;
• policies, processes, and procedures concerning the review,
treatment and resolution of noncompliance issues; and
• a system of documented approvals and authorizations to ensure
accountability to an appropriate level of management.
Although a framework of formal, written policies and procedures is
critical, it needs to be reinforced through a strong control culture
that promotes sound risk management practices. Both the board of
directors and senior management are responsible for establishing a
strong internal control culture in which control activities are an
integral part of the regular activities of a bank. Controls that are an
integral part of the regular activities enable quick responses to
changing conditions and avoid unnecessary costs.
An effective internal control system also requires that there be
appropriate segregation of duties and that personnel are not assigned
responsibilities which may create a conflict of interest. Assigning such
conflicting duties to individuals, or a team, may enable them to conceal
losses, errors or inappropriate actions. Therefore, areas of potential
conflicts of interest should be identified, minimized, and subject to
careful independent monitoring and review.
In addition to segregation of duties, banks should ensure that other
internal practices are in place as appropriate to control operational
risk. Examples of these include:
• close monitoring of adherence to assigned risk limits or
thresholds;
• maintaining safeguards for access to, and use of, bank assets and
records;
• ensuring that staff have appropriate expertise and training;
• identifying business lines or products where returns appear to be
out of line with reasonable expectations; and
• regular verification and reconciliation of transactions and
accounts.
Operational risk can be more pronounced where banks engage in new
activities or develop new products (particularly where these activities
or products are not consistent with the bank's core business
strategies), enter unfamiliar markets, and/or engage in businesses that
are geographically distant from the head office. Moreover, in many such
instances, firms do not ensure that the risk management control
infrastructure keeps pace with the growth in the business activity. A
number of the most sizeable and highest-profile losses in recent years
have taken place where one or more of these conditions existed.
Therefore, it is incumbent upon banks to ensure that special attention
is paid to internal control activities where such conditions exist.
Some significant operational risks have low probabilities but
potentially very large financial impact. Moreover, not all risk events
can be controlled (e.g., natural disasters). Risk mitigation tools or
programs can be used to reduce the exposure to, or frequency and/or
severity of, such events. For example, insurance policies, particularly
those with prompt and certain pay-out features, can be used to
externalize the risk of "low frequency, high severity" losses which may
occur as a result of events such as third-party claims resulting from
errors and omissions, physical loss of securities, employee or
third party fraud, and natural disasters.
However, banks should view risk mitigation tools as complementary to,
rather than a replacement for, thorough internal operational risk
control. Having mechanisms in place to quickly recognize and rectify
legitimate operational risk errors can greatly reduce exposures. Careful
consideration also needs to be given to the extent to which risk
mitigation tools such as insurance truly reduce risk, or transfer the
risk to another business sector or area, or even create a new risk (e.g.
legal or counterparty risk).
Investments in appropriate processing technology and information
technology security are also important for risk mitigation. However,
banks should be aware that increased automation could transform
high-frequency, low-severity losses into low-frequency, high-severity
losses. The latter may be associated with loss or extended disruption of
services caused by internal factors or by factors beyond the bank's
immediate control (e.g., external events). Such problems may cause
serious difficulties for banks and could jeopardize an institution's
ability to conduct key business activities. As discussed below, banks
should establish disaster recovery and business continuity plans that
address this risk and comply fully with all agency rules, guidance and
orders.
Banks should also establish policies for managing the risks
associated with outsourcing activities, doing so in full compliance with
all applicable agency rules, guidance, and orders. Outsourcing of
activities can reduce the institution's risk profile by transferring
activities to others with greater expertise and scale to manage the
risks associated with specialized business activities. However, a bank's
use of third parties does not diminish the responsibility of management
to ensure that the third party activity is conducted in a safe and sound
manner and in compliance with applicable laws. Outsourcing arrangements
should be based on robust contracts and/or service level agreements that
ensure a clear allocation of responsibilities between external service
providers and the outsourcing bank. Furthermore, banks need to manage
residual risks associated with outsourcing arrangements, including
disruption of services.
Depending on the scale and nature of the activity, banks should
understand the potential impact on their operations and their customers
of any potential deficiencies in services provided by vendors and other
third-party or intra-group service providers, including both operational
breakdowns and the potential business failure or default of the external
parties. Management should ensure that the expectations and obligations
of each party are clearly defined, understood and enforceable. The
extent of the external party's liability and financial ability to
compensate the bank for errors, negligence, and other operational
failures should be explicitly considered as part of the risk assessment.
Banks should carry out an initial due diligence test and monitor the
activities of third party providers, especially those lacking experience
of the banking industry's regulated environment, and review this process
(including re-evaluations of due diligence) on a regular basis. The bank
should pay particular attention to use of third-party vendors for
critical activities.
In some instances, banks may decide to either retain a certain level
of operational risk or self-insure against that risk. Where this is the
case and the risk is material, the decision to retain or self-insure the
risk should be transparent within the organization and should be
consistent with the bank's overall business strategy and appetite for
risk.
7. Contingency Planning
Senior management should ensure compliance with all applicable agency
rules, guidance and orders regarding contingency planning. Banks should
have in place contingency and business continuity plans to ensure their
ability to operate on an ongoing basis and limit losses in the event of
severe business disruption.
For reasons that may be beyond a bank's control, a severe event may
result in the inability of the bank to fulfill some or all of its
business obligations, particularly where the bank's physical,
telecommunication, or information technology infrastructures have been
damaged or made inaccessible. This can, in turn, result in significant
financial losses to the bank, as well as broader disruptions to the
financial system through channels such as the payments system. This
potential requires that banks establish disaster recovery and business
continuity plans that take into account different types of plausible
scenarios to which the bank may be vulnerable, commensurate with the
size and complexity of the bank's operations.
Banks should identify critical business processes, including those
where there is dependence on external vendors or other third parties,
for which rapid resumption of service would be most essential. For these
processes, banks should identify alternative mechanisms for resuming
service in the event of an outage. Particular attention should be paid
to the ability to restore electronic or physical records that are
necessary for business resumption, including the construction of
appropriate backup facilities.
Banks should periodically review their disaster recovery and business
continuity plans so that they are consistent with the bank's current
operations and business strategies. Moreover, these plans should be
tested periodically to ensure that the bank would be able to withstand
high-severity risk.
IV. Allocation of Appropriate Economic Capital
To a large extent, a robust, diversified earnings stream is often the
best protection against both expected and unexpected operational losses.
While capital is important, it should only focus on unexpected loss.
Expected losses should always be considered as an expense, and covered
by revenue, earnings, or reserves. A banking organization's capital
should reflect the perceived level of precision in the risk measures
used, and the relative importance to the institution of the activities
producing the risk. Capital adequacy should be assessed after evaluation
of the sum total of an organization's activities, with appropriate
adjustments made for risk correlations between activities and the
benefit resulting from diversified lines of business that, in aggregate,
reduce operational risk to the consolidated organization. Capital levels
should also reflect that historical correlations among exposures can
rapidly change.
Explicit goals for operational risk capitalization should be included
in evaluation of capital adequacy. Goals may differ across institutions,
which should evaluate whether their long-run capital targets might
differ from short-run goals, based on current and planned changes in
risk profiles and the recognition that accommodating new capital needs
can require significant lead time. The goals should be reviewed and
approved by the board and implemented by senior management.
1. Assessing Conformity to the Institution's Stated Objectives
Both the target level and composition of capital, along with the
process for setting and monitoring such targets, should be reviewed and
approved periodically by the institution's board of directors.
2. Composition of Capital
Analysis of capital adequacy should couple a rigorous assessment of
the particular measured and unmeasured risks faced by the institution
with consideration of the capacity of the institution's paid-in equity
and other capital instruments to absorb unexpected losses. Common equity
(that is, common stock and surplus and retained earnings) should be the
dominant component of a banking organization's capital structure.
Common equity allows an organization to absorb losses on an ongoing
basis and is permanently available for this purpose. Further, this
element of capital best allows organizations to conserve resources when
they are under stress because it provides full discretion as to the
amount and timing of dividends and other distributions. Consequently,
common equity is the basis on which most market judgements of capital
adequacy are made.
Consideration of the capacity of an institution's capital structure
to absorb unexpected losses should also take into account how that
structure could be affected by changes in the institution's performance,
or by the outside economic environment. For example, an institution
experiencing a net operating loss - perhaps due to realization of
unexpected losses - not only will face a reduction in its retained
earnings, but also possible constraints on its access to capital
markets. Other issues may arise in relation to use of optionality in its
capital structure. Such adverse magnification effects could be further
accentuated should adverse events take place at critical junctures for
raising or maintaining capital, for example, as limited-life capital
instruments are approaching maturity or as new capital instruments are
being issued.
3. Examiner Review of Internal Capital Adequacy Analysis
As part of the regular supervisory and examination process, examiners
should review internal capital assessment processes at large and complex
banking organizations as well as the adequacy of their capital and their
compliance with regulatory standards. In general, this review should
assess the degree to which an institution has in place, or is making
progress toward implementing, a sound internal process to assess capital
adequacy. Examiners should briefly describe in the examination report
the approach and internal processes used by the institution to assess
its capital adequacy with respect to the risks it takes. Examiners
should then document their evaluation of the adequacy and
appropriateness of these processes for the risk profile of the
institution, along with their assessment of the quality and timing of
the institution's plans to develop and enhance its processes for
evaluating capital adequacy with respect to risk.
In all cases, the findings of this review should be considered in
determining the institution's supervisory rating for management.
Examiners should expect complex institutions to have sound internal
processes for assessing capital adequacy in place.
Beyond its consideration in evaluating management, over time this
review should also become an integral element of assessing, and
assigning a supervisory rating for capital adequacy as the institution
develops appropriate processes for establishing capital targets and
analyzing its capital adequacy as described above. If these internal
assessments suggest that capital levels appear to be insufficient to
support the risks taken by the institution, examiners should note this
finding in examination and inspection reports, discuss plans for
correcting this insufficiency with the institution's directors and
management and, as appropriate, initiate follow-up supervisory actions.
4. Relating Capital to the Level of Operational Risk
Banking organizations should be able to demonstrate through internal
analysis that their capital levels and composition are adequate to
support the risks they face and that these levels are properly monitored
by senior management and reviewed by directors. Examiners should review
this analysis, including the target levels of capital chosen, to
determine whether it is sufficiently comprehensive and relevant to the
current operating environment. Examiners should also consider the extent
to which the institution has provided for unexpected events in setting
its capital levels. In this connection, the analysis should cover a
sufficiently wide range of external conditions and scenarios, and the
sophistication of techniques used should be commensurate with the
institution's activities. Finally, supervisors should consider the
quality of the institution's management information reporting and
systems, the manner in which business risks and activities are
aggregated, and management's record in responding to emerging or
changing risks.
As a final matter, in performing this review, supervisors and
examiners should be careful to distinguish between a comprehensive
process that seeks to identify an institution's capital requirements on
the basis of measured economic risk, and one that focuses only narrowly
on the calculation and use of allocated capital or "economic value
added" (EVA) for individual products or business lines for internal
profitability analysis. This latter approach, which measures the amount
by which operations or projects return more or less than their cost of
capital, can be important to an organization in targeting activities for
future growth or cutbacks. It requires, however, that the organization
first determine - by various methods - the amount of capital necessary
for each area of risk. It is that process for determining the necessary
capital that is the topic of this guidance, and it should not be
confused with related efforts of management to measure relative returns
of the firm or of individual business lines, given an amount of capital
already invested or allocated. Moreover, such EVA approaches often are
unable to meaningfully aggregate the allocated capital across business
lines as a tool for evaluating the institution's overall capital
adequacy.
| 
