via e-mail
November 3, 2003Ms.
Jennifer J. Johnson
Secretary, Board of Governors
Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, D.C. 20551
Office of the Comptroller of the Currency
250 E Street, SW
Public Information Room, Mailstop 3-6
Washington, DC 20219
Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G. St, NW.
Washington, DC 20552
Robert E. Feldman
Executive Secretary
Attention: Comments
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
Re: Draft Supervisory Guidance on the
Internal Ratings-Based Systems for Corporate Credit and Operational
Risk: FDIC (no reference number listed); FRB Docket No.
OP-1153; OCC Docket No. 03–15; OTS No. 2003–28; Capital
Adequacy; Implementation of New Basel Capital Accord; 68 Federal
Register 45949; August 4, 2003
Ladies and Gentlemen:
On August 4, the banking agencies in the
United States (Agencies) published for comment an Advance Notice of
Proposed Rulemaking (ANPR) on how the proposed New Basel Capital Accord
(New Accord) as currently proposed in the Consultative Paper No. 3,
(CP3) would be implemented in the United States. As proposed, the United
States would apply only the advanced internal ratings-based approach (A-IRB)
out of the New Accord and only to a core group of the largest,
internationally active banks. At the same time, the Agencies published a
request for comments on a “Draft Supervisory Guidance on the Internal
Ratings-Based Systems for Corporate Credit and Operational Risk.” This
letter sets out the American Bankers Association’s (ABA) comments on
that Draft Supervisory Guidance on the Operating Risk AMA. The American
Bankers Association brings together all elements of the American banking
community to best represent the interests of this rapidly changing
industry. Its membership – which includes community, regional, and money
center banks and holding companies, as well as savings institutions,
trust companies, and savings banks – makes ABA the largest banking trade
association in the United States.
Our comments are divided into three
sections: (1) background regarding the proposal and the unique vantage
point we can provide through the work of ABA’s Operating Risk Committee
(ORC); (2) comments on nine areas of specific concern to our members;
and (3) comments (with references to the level of concern) in response
to the 33 supervisory principles enunciated in the Draft Supervisory
Guidance.
There are several key themes that
characterize much of the detailed discussion presented below.
- Banks should be allowed to
determine which combination of elements is appropriate to assess and
manage operational risk within their institutions. Banks understand
that they will need to defend the appropriateness of their
methodology and underlying assumptions to the Banking Agencies. How
an institution does this should be within the purview of the
institution, and regulatory mandates or specific quantitative
requirements should be avoided. Such an approach is consistent with
a principles-based regulatory approach and is management oriented
and tailored to the individual institution’s business.
- Flexibility is needed and
specific quantitative tests or requirements should be avoided.
Flexibility is important because integrating external data into an
AMA model in a useful manner will be very challenging. Modeling will
clearly change as experience is gained, as economic and business
conditions require, as databases become more sophisticated and as
risk management procedures and methodologies improve. The goal is to
encourage good operational risk management, and this should not be
driven by arbitrary standards.
- The use of external data to provide
a benchmark for performance can be very useful and should be
encouraged. Addressing industry concerns about confidentiality of
external data will help to foster convergence in the methodologies
for measuring and managing operational risk and facilitate more
scenario testing.
As is noted below, the ABA has worked
closely with bankers to form an operating risk committee, which has as
its primary objective the development of an accurate, consistent and
reliable dataset on bank operational risk losses that could be used for
benchmarking. Thus, we believe we have a unique perspective on these
issues and the use of external data in managing this risk.
We would also like at the outset to
acknowledge the improvements that have been made which are reflected in
the ANPR and the Supervisory Guidance. Certainly, banks that anticipate
that they will be required to comply with the Basel II requirement and
those that are likely to “opt-in” are making plans to meet the standard.
Many of these banks believe that the inclusion of operating risk in
Pillar 1 encourages a full understanding of the risk profile of an
institution and will foster a convergence in the methodologies for
measuring and managing operational risk. Other banks, however, remain
concerned about an explicit capital charge for operational risk, as they
believe that the current state-of-the-art for operating risk measurement
has not progressed sufficiently to warrant its use in regulatory capital
standards. Should the agencies move forward with explicit capital
treatment, addressing the concerns presented below become even more
important.
I. Background
Under the ANPR’s framework, a banking
organization meeting the AMA supervisory standards would use its
internal risk measurement system to calculate its regulatory capital
requirement for operational risk. As the ANPR states:
In calculating the operational risk
exposure, an AMA-qualified institution would be expected to estimate
the aggregate operational risk loss that it faces over a one-year
period at a soundness standard consistent with a 99.9 percent
confidence level. The institution’s AMA capital requirement for
operational risk would be the sum of expected loss and unexpected
loss, unless the institution can demonstrate that an expected loss
offset would meet the supervisory standards for operational risk. The
institution would have to use a combination of internal loss event
data, relevant external loss event data, business environment and
internal control factors, and scenario analysis in calculating its
operational risk exposure.
Related to external data, the Draft
Supervisory Guidance states:
An institution would have to establish
and adhere to policies and procedures that provide for the use of
relevant external loss data in the operational risk framework.
External data would be particularly relevant where an institution’s
internal loss history is not sufficient to generate an estimate of
major unexpected losses. Management would have to systematically
review external data to ensure an understanding of industry
experience. The Agencies seek comment on the use of external data and
its optimal function in the operational risk framework.
The ABA’s Operating Risk Committee (ORC)
has a unique perspective on the proposal. As mentioned above, a primary
mission of the ABA’s ORC is to develop an accurate, consistent and
reliable dataset on bank operational risk losses that could be used for
benchmarking. The genesis of this benchmarking program is to improve the
management of operating risk and to lower the costs to participating
banks. Thus, good management practices – not regulatory requirements –
were the driving factor behind this initiative.
Reporting of quarterly operating loss
data began the first quarter of this year. In setting up the operating
loss data collection effort, the group considered many of the issues
raised in the ANPR Part V. The comments in this section therefore
reflect the views of bankers on the ABA’s ORC. Our committee also met to
discuss these issues with the Risk Management Association and we want to
acknowledge their important observations on these issues.
In order to give context to the following
comments on external data collection and use for operational risk
analysis, a description of the ABA ORC project may be helpful. Each ABA
ORC data reporter agrees to file a quarterly report of operating loss
statistics based on prescribed data definitions. Data are provided for
all material lines of business and loss categories within two years of
participating, starting January 1, 2004, or sooner. A consistent
internal methodology is specified for assigning losses charged to
corporate support, parent company or technology unit back to an
appropriate line of business, as defined by the Basel Committee, for
U.S. subsidiaries and operations only. Banks report new loss events and
provide updates to previously reported loss events each quarter. If
subsequent recoveries or payments are associated with a previously
reported loss event, the bank reports a loss event record with the
updated amount using the previous source and event identification.
II. Significant Issues Raised by the
Proposed Supervisory Guidance
ABA has consulted with the ORC in
preparing these comments on data issues. The participating risk managers
identified nine issues with Part V of the ANPR of significant concern:
1. The distinction between credit and
operating losses should be based upon industry practices, not
regulatory dictates.
2. Expected losses should not require
capital charges.
3. Consistent standards of reporting
are needed.
4. Thresholds should be set by
institutions to reflect their own criteria for managing operating
risk.
5. The Supervisory Guidance should
specify that different “significance” thresholds would be acceptable
for external data, as compared to those used internally.
6. The Supervisory Guidance should
allow banks to determine the most effective way to use external data
in their AMA models.
7. The Banking Agencies should confirm
consortium data confidentiality and data scaling to support
development of external operational loss data.
8. All defendable risk mitigation
should be recognized to the extent that it offsets risk exposure.
9. Specific quantitative requirements
should be avoided.
These concerns are discussed in greater
detail below.
1. The distinction between credit
and operating losses should be based upon industry practices, not
regulatory dictates.
There are several issues related to
distinguishing between credit and operational losses. Current
definitions of credit losses include losses due to a breach of contract
between the borrower and the bank. Treatment of errors or losses
related to a credit product, but caused by a third party or
an unknown party could be categorized as an operational loss, not a
credit loss. The facts of the situation will dictate the treatment and
banks should be allowed to make that determination. Of particular
concern to banks would be trying to distinguish the difference for
losses with high frequency but low severity. Perhaps the best examples
of this are credit card fraud losses. The burden to change the treatment
of these types of losses from industry practices to regulatory dictates
would likely result in undue expense – and no benefit – for the bank.
In fact, there may be no need to separate
credit and operational losses for these high-frequency, low-severity
events. The loss is already included in expected losses. Certainly, we
acknowledge that separating components of credit product losses by
operating risk or credit risk does become an issue on low-frequency,
high-value events, such as on checks backed by a home equity line of
credit. Removing expected losses from regulatory capital
considerations might help resolve any ambiguity between credit and
operating losses, particularly given that expected losses are likely to
be addressed by appropriate pricing of products (see the next section).
Bank case management systems readily handle the normal, small magnitude
losses that can be confused between operating and credit losses.
Regulators should rely on industry practices to distinguish between
credit and operating losses.
2. Expected losses should not
require capital charges.
The proposed new Capital Accord (until
the recently proposed change) would have required banks to hold capital
against all expected losses. We have expressed in previous comment
letters on the Basel proposals that this requirement should be
eliminated. In this regard, we note that in its statement of October 11,
2003, the Basel Committee indicated that it changed its proposal and
will treat expected and unexpected credit losses differently,
with the capital requirement focusing on unexpected credit losses,
not expected credit losses – a change long advocated by the banking
industry. Consistent with this policy change, we believe that expected
operating losses should similarly be treated separately from unexpected
operating losses.
Operational losses are part of normal,
everyday business. While not anticipated individually (or else they
would be avoided), they are anticipated in aggregate. Banks cover these
costs in reserves and the prices for individual products. Therefore,
there is no need for supervisory capital to be charged against the
expected costs.
For credit risk exposure, the
Basel Committee has now recognized that offsets in the form of reserves,
product pricing and future margin income can make capital requirements
unnecessary. The logic is no different for operating loss exposure.
While more attention has been given to offsets for credit, as compared
to operating loss exposures in the past, this does not justify
differing treatment. Many institutions, particularly the AMA banks, are
now formalizing structures for reserves and product pricing offsets for
operating risks, and therefore warrant the same treatment as for credit
loss exposure.
The key for operating losses, just as for
credit losses, is the institution’s ability to defend its offsets,
subject to supervisory review. If a bank can demonstrate to examiners
that it has covered expected losses, for credit or operational risk, in
reserves, product pricing, future margin income, etc., then it should
not be subject to additional capital penalties.
3. Consistent standards for
reporting are needed.
The ANPR and the Supervisory Guidance
appear to require that operational loss data should be recorded
consistent with Generally Accepted Accounting Principles (GAAP). This
seems consistent with the idea that regulatory capital addresses the
tangible risks that can be accounted for uniformly across all
institutions. Limiting the scope of operational loss data to those
reported in the general ledger seems reasonable to promote uniform
treatment. Such consistent treatment is the only way to provide
meaningful benchmarking. In fact, this is the current reporting approach
taken by the ABA ORC data consortium. Only actual losses are to be
submitted; no estimates are to be reported. If specific reserves or
accruals are actually booked to the general ledger, the amount can be
reported, then updated with the actual amount when it is known.
It should also be recognized that the
exact point in time that a loss occurs is rarely definitive. There can
be a long lag between an initial event that could indicate loss and
final actual loss. At some point in between, the financial consequences
are typically recognized. Further, potential offsets (such as
self-insurance), make the reconciliation of the loss database to the
general ledger difficult. Of course, timing of events and recognition of
losses are always an issue. The important principle is to have
consistent standards for reporting financial information, whether for
operating loss or any other financial transaction. We encourage banking
regulators to work with accounting standard setters in coordination of
regulatory and accounting requirements. If the regulators were to
require different treatment for recognition of operating losses, it
would inevitably lead to lengthy interpretation of their own rules.
While we agree that the reporting of
operational losses should be consistent with GAAP – despite the
challenges enunciated above – there is an additional issue of concern to
the industry. Most banks wait until the reserving event to recognize a
loss financially. However, recent interpretations by the Financial
Accounting Standards Board are moving GAAP away from reserves for credit
losses that are not specific to individual events. This interpretation
can prevent banks from booking the operating loss under unallocated
reserves. On the other hand, operating losses by their very nature are
not linked to specific reserves. Thus, the new interpretation is making
it harder for banks to book and reconcile operating losses. In fact, the
Banking Agencies have just filed a comment letter on the American
Institute of Certified Public Accountants’ (AICPA’s) proposed new
treatment of unallocated reserves strongly urging the proposal be
abandoned. This issue remains open until the question of any change in
GAAP is resolved.
4. Thresholds should be set by
institutions to reflect their own criteria for managing operating
risk.
We agree that thresholds are needed so
that meaningful operational losses are identified for risk measurement
and management purposes. Our Committee believes that a prudent approach
would be for each institution to set its own internal thresholds
relative to its own operations, subject to supervisory review. An
institution should be able to demonstrate the appropriateness of its
threshold to the banking agencies. This is more management oriented and
tailored to the individual institution’s business. Of course, aggregated
external data typically requires a consistent threshold, but it must be
recognized that a bank may choose to have a different internal threshold
that best suits its own risk management systems.
We would note that most errors and other
operational loss events are so trivial that collecting figures on their
costs would be excessively burdensome. Banks will, therefore, pick
thresholds that will provide the detail required to effectively manage
operational risk but will also avoid the collection of untold minutia of
data. As such determinations are likely to be different for different
banks, specific guidelines from the agencies should be avoided in favor
of flexibility with appropriate justification by institutions as to why
the threshold was set as it was.
5. The Supervisory Guidance should
specify that different “significance” thresholds would be acceptable
for the external data, as compared to those used internally.
It is certainly possible – and reasonable
– for an institution to use a lower threshold for internal purposes than
would be provided to an external benchmarking effort, such as ABA’s data
consortium. This would appear to create a conflict if an institution
uses its own lower thresholds for its AMA but intends to benchmark using
data from the consortium based on higher thresholds. However,
institutions will be able to statistically adjust for differences in
their own AMAs, and thereby not undermine the usefulness of the external
data. Therefore, the Supervisory Guidance needs to specify that the
Banking Agencies will accept different thresholds as
appropriate to different institutions –
yet nonetheless accept higher common thresholds for the external data
from the consortium. It would be inappropriate to set an external data
standard for all banks based on the lowest level set by an individual
institution for its internal use. Doing so would impose huge costs with
no material benefit to the risk management within institutions that
believe a higher threshold is appropriate for their business and
operations.
6. The Supervisory Guidance should
allow banks to determine the most effective way to use external data
in their AMA models.
External data can be very useful in
helping a bank manage its risk. The ANPR appropriately allows
flexibility as to how AMA models can use external data. Flexibility is
important because integrating external data into an AMA model in a
useful manner will be very difficult, requiring scaling for a wide
variety of factors related to product lines, control environment, and
scale of activity. Moreover, the integration of such data is highly
experimental and its value, as yet, unproven. In some cases, external
data and information may not be available or may not accurately
represent the bank’s risk. Good business practices, suited to the
particular institution should be the guiding principle for regulatory
oversight of external data in AMA models.
We note that other questions remain,
which would most appropriately be addressed in Pillar 2. These include:
• What constitutes “relevant” external
loss data?
• Will relevance mean within the same
business line as opposed to from a bank of the same size?
• How will the supervisors determine
that an institution has surveyed an “appropriate set” of external
data?
• Should data be scaled domestically or
internationally?
• How will the supervisors uniformly
compare data in various consortia and public databases?
7. The Banking Agencies should
confirm consortium data confidentiality and data scaling to support
development of external operational loss data.
We believe that data consortia, like the
ABA’s ORC, are important for benchmarking purposes and fostering
convergence in the methodologies for measuring and managing operational
risk. Privacy and confidentiality are critical to achieving bank
participation in data reporting consortia. To foster these collection
efforts and to facilitate the participation of banks in providing
operating loss data, it is critically important that the Banking
Agencies clearly establish in writing the confidentiality of such data
collection and aggregation.
The ABA’s ORC has gone to great lengths
to protect the confidentiality of information provided for benchmarking.
Each reporter must sign a confidentiality agreement and agree to
safeguards for data security and integrity. Moreover, loss data
presented in any summary report prepared by the ABA are masked and
scaled, thereby protecting disclosure of the raw data. The source data
remains the confidential and proprietary property of the submitting
bank. None of the participants have direct access to the loss data
contained in the database except through summaries prepared by ABA.
Because of the confidentiality concerns,
ABA’s consortium does not collect descriptive information about
individual loss events. Without such information, the potential
applications for scenario testing are more limited. Therefore, in order
to encourage robust scenario testing, protection of confidentiality is
vital and regulatory acknowledgement of this and support for ways to
protect this information are needed.
In part to assure data security, the
ABA’s ORC found it necessary to scale figures reported by its reporting
institutions. Scaling is appropriate for a wide variety of factors
related to product lines, control environment, and the scale of activity
and can be easily adapted for comparative analysis. The Supervisory
Guidelines should clearly indicate acceptance of scaling.
8. All defendable risk mitigation
should be recognized to the extent that it offsets risk exposure.
The restriction proposed in the
Supervisory Guidance that institutions may reduce their operational risk
exposure results by no more than 20 percent to reflect the impact of
risk mitigants is arbitrary and does not promote the use and development
of risk mitigation. In fact, it may actually lead institutions to choose
risk-mitigation programs that are less than optimal. Certainly, we
acknowledge that exposure cannot be reduced by 100 percent of policy
coverage because not all claims get paid and there are often added
litigation costs. Our committee recommends eliminating the 20 percent
limit and focus on addressing the issues of extent and certainty of
coverage and solvency. For example, institutions should be allowed to
use a probability of payment, justified by historical data and including
added litigation costs.
Moreover, the Supervisory Guidance
provides that an institution’s AMA model can consider insurance to
offset losses – but only if the provider is an A-rated insurance
company. However, some banks self insure or acquire insurance from a
captive insurance company. This captive or self-insurance clearly can
mitigate losses, and credit for this coverage should be provided.
Understandably, the Banking Agencies are concerned about the ability of
the captive or self-insurance to pay off claims. However, if a captive
or self-insurer can demonstrate that its claims-paying ability is up to
the standards of a rated insurance company, then its protection should
also be factored into the AMA model. Even an insurer with less than an
“A” rating provides risk mitigation. While it may provide relatively
less than the A-rated carrier, the offset should be recognized in the
AMA model.
Further, to foster enhancements in risk
mitigation, the Banking Agencies should clearly articulate that all
forms of risk mitigation will be considered as can be justified by the
institution.
9. Specific quantitative
requirements should be avoided.
There are several provisions in the ANPR
that require quantitative support (e.g., for assumptions about
correlations among operations losses across business lines) and an
analytical framework to estimate an institution’s operational risk
exposure. An institution should be responsible to demonstrate the
appropriateness of its assumptions. A particular concern of our bankers
is that regulators will apply the methodology or analytical framework
used by one or more institutions as the “appropriate” or “minimum”
standard that should apply to all institutions. A one-size-fits-all
framework could not possibly work, given the diversity of activities and
risk management approaches that exist. Thus, how an institution
demonstrates the appropriateness of its assumptions should be within the
purview of the institution, and regulatory mandates or specific
quantitative requirements should be avoided. Given the wide scope of
operational risks, the inherent unpredictability of operational losses,
and the current lack of sufficient historical data, such requirements
are unreasonable.
Similarly, true testing and verification
of certain elements of the operational risk framework will not be
possible until several years of experience have been acquired. Only with
sufficient historical information can control mechanisms be evaluated,
leading indicators confirmed, accuracy of quantitative methods assessed,
and appropriateness of a qualitative adjustment for the current
environment be evaluated. Some institutions with decentralized
operations would find many of these requirements particularly
challenging. The agencies should allow for databases to evolve and
become more sophisticated. The bottom line is that flexibility is
required and specific quantitative tests and requirements should be
avoided. The goal is to encourage good operational risk management, and
this should not be driven by arbitrary standards.
III. Specific Responses on Key
Questions of Concern
The proposed Supervisory Guidance lists
33 supervisory principles for use of the AMA framework. The ABA’s ORC
member banks were asked to review those 33 supervisory principles and to
rank them on a scale of 1 to 3, with 1 being “low concern” and 3 being
“high concern.” While most of the supervisory principles were not of
major concern to the ORC members, five scored over 2.00, and so pose
significant issues. These include, in order of concern, S 29, S 28, S
30, S12 and S 31. Additionally we would think that principles scoring
1.75 or more warrant attention, including S 20, S 23, S27, S 32, S 9, S
24 and S 25. The average score appears in parentheses on each
supervisory principle.
S 01. The institution’s operational
risk framework must include an independent firm-wide operational risk
management function, line of business management oversight, and
independent testing and verification functions. (1.25)
ABA’s ORC bankers believe in general that
they already meet this principle. Care must be taken so that the term
“independent” in the operations risk management function does not lead
to added requlatory requirements.
S 02. The board of directors must
oversee the development of the firm-wide operational risk framework, as
well as major changes to the framework. Management roles and
accountability must be clearly established. (1.50)
ABA’s ORC bankers believe that banks will
be able to meet this requirement.
S 03. The board of directors and
management must ensure that appropriate resources are allocated to
support the operational risk framework. (1.56)
Our committee members believe that they
have appropriate and adequate resources for this function (assuming, of
course, that regulatory requirements are not excessively burdensome).
S 04. The institution must have an
independent operational risk management function that is responsible for
overseeing the operational risk framework at the firm level to ensure
the development and consistent application of operational risk policies,
processes, and procedures throughout the institution. (1.25)
ORC bankers believe in general that they
already meet this principle.
S 05. The firm-wide operational risk
management function must ensure appropriate reporting of operational
risk exposures and loss data to the board of directors and senior
management. (1.25)
ORC bankers are confident they will be
able to meet this requirement.
S 06. Line of business management is
responsible for the day-to-day management of operational risk within
each business unit. (1.00)
This appears to be the industry practice
to require that managers within the business areas be responsible for
the day-to-day management of operational risk.
S 07. Line of business management must
ensure that internal controls and practices within their line of
business are consistent with firm-wide policies and procedures to
support the management and measurement of the institution’s operational
risk. (1.25)
As indicated by the relatively low score,
ORC bankers believe that their internal controls are monitored and
determined to be consistent between business lines and the firm-wide
policies and procedures.
S 08. The institution must have
policies and procedures that clearly describe the major elements of the
operational risk management framework, including identifying, measuring,
monitoring, and controlling operational risk. (1.25)
This issue is of very low concern,
although several of the ORC members indicated that this is an ongoing
and evolving process.
S 09. Operational risk management
reports must address both firm-wide and line of business results. These
reports must summarize operational risk exposure, loss experience,
relevant business environment and internal control assessments, and must
be produced no less often than quarterly. (1.75)
There is a somewhat higher level of
concern about this supervisory principle that arises from uncertainty
about the term “relevant business environment.” Additionally, for banks
with a decentralized structure, aggregating and quantifying operational
risks across the enterprise will be difficult and will be an evolving
process.
S 10. Operational risk reports must
also be provided periodically to senior management and the board of
directors, summarizing relevant firm-wide operational risk information.
(1.50)
Again, this appears to be an evolving
process, and there is wide expectation that operational risk reports
would become more formalized and complete.
S 11. An institution’s internal
control structure must meet or exceed minimum regulatory standards
established by the Agencies. (1.13)
This is uniformly perceived as already
being met.
S 12. The institution must demonstrate
that it has appropriate internal loss event data, relevant external loss
event data, assessments of business environment and internal controls
factors, and results from scenario analysis to support its operational
risk management and measurement framework. (2.19)
The ABA’s ORC banks are participating
already in a program to meet this standard. However, members expressed
some concern about the term “relevant external loss data” and believe
that it is an institution’s responsibility to make such a determination,
consistent with industry practices and appropriate support for the
particular application (discussed in Nos. 4, 5, and 6, above). As noted
in No. 7 above, scenario testing may be limited if there is no
assurances of confidentiality of descriptive information for individual
loss events that may be collected as part of any outside data collection
and benchmarking effort.
S 13. The institution must include the
regulatory definition of operational risk as the baseline for capturing
the elements of the AMA framework and determining its operational risk
exposure. (1.13)
There is consensus that this has already
been done. However, there was some concern raised related to the
recognition of risk of litigation. It may well be that institutions will
settle nuisance or baseless lawsuits for insignificant sums of money in
order to put closure to the action and reduce legal costs. This could be
considered a cost of doing business, and clarification regarding these
actions versus the risk of litigation should be made.
S 14. The institution must have clear
standards for the collection and modification of the elements of the
operational risk AMA framework. (1.25)
Institutions understand that they will
need to justify the assumptions that underpin their AMA framework and
any changes that may be required. Regulatory flexibility is once again
extremely important, as the modeling will clearly change as experience
is gained, as economic and business conditions require, and as risk
management procedures and methodologies improve.
S 15. The institution must have at
least five years of internal operational risk loss data captured across
all material business lines, events, product types, and geographic
locations. (1.63)
Each institution should determine what
constitutes the appropriate business lines, events, geographic locations
and product types to be captured for effective risk management.
Institutions understand that they will need to justify these judgements.
Flexibility is required, however, as questions will inevitably arise.
For example, several members suggested that data would be available for
key lines of business but would not be currently available for the
entire organization. Some members also asked if the geographic location
includes international operations, since the current data reporting
project only includes domestic locations.
Overall, the concern is relatively low to
meet this standard, as long as supervisory approval is granted to allow
for a shorter period, such as three years, which was suggested in the
ANPR.
S 16. The institution must be able to
map internal operational risk losses to the seven loss-event type
categories. (1.00)
ABA’s ORC bankers believe that they
already meet this principle.
S 17. The institution must have a
policy that identifies when an operational risk loss becomes a loss
event and must be added to the loss event database. The policy must
provide for consistent treatment across the institution. (1.00)
Committee members believe that they
already meet this principle. As noted above (No. 3) regarding GAAP
accounting, the exact point in time that a loss occurs is rarely
definitive, as there are timing issues between an initial event that
could indicate loss and final actual loss. Offsets make the
determination difficult as well. The important principle is to have
consistent standards for reporting financial information.
S 18. The institution must establish
appropriate operational risk data thresholds. (1.38)
See No. 4 above for a complete discussion
on thresholds.
S 19. Losses that have any
characteristics of credit risk, including fraud-related credit losses,
must be treated as credit risk for regulatory capital purposes. The
institution must have a clear policy that allows for the consistent
treatment of loss event classifications (e.g., credit, market, or
operational risk) across the organization. (1.50)
While we agree that the institution
should have a clear policy across the institution, we suggest that there
be flexibility for the institution in recognizing certain losses as
either credit or operational losses. This is especially true in regards
to retail credit products and related losses. (See No. 1 above for a
more complete discussion.)
S 20. The institution must have
policies and procedures that provide for the use of external loss data
in the operational risk framework. (1.88)
ABA’s ORC bankers feel confident that
they can meet this supervisory standard, provided that the regulators
permit scaling of data. In the ORC data reporting project, data are
currently scaled based on gross domestic income and assets (and, in
fact, participants provide full-time-equivalent employess, FTEs, and
other metrics for potential future use). This is done both to make the
data comparable among institutions and for data security. We believe
that the Supervisory Guidance should explicitly state that the scaling
approach is acceptable and that more than one method of scaling could be
adopted. (See No. 7 above.)
S 21. Management must systematically
review external data to ensure an understanding of industry experience.
(1.63)
ORC members believe that they can meet
this supervisory standard. However, the challenge for institutions will
be to determine what would be considered an “appropriate set” of
external data that best facilitates the effectiveness in managing
operational risk (see No. 6 above.)
S 22. The institution must have a
system to identify and assess business environment and internal control
factors. (1.50)
The ORC members will have such a system.
However, for some banks in a decentralized operating environment, the
challenge will be in assessing the risks and aggregating them.
S 23. Management must periodically
compare the results of their business environment and internal control
factor assessments against actual operational risk loss experience.
(1.88)
Again, comparison of the business
environment and internal control factor assessments against actual risk
loss experience in a decentralized operating environment may be a
challenge, as stated above under S 22.
S 24. Management must have policies
and procedures that identify how scenario analysis will be incorporated
into the operational risk framework. (1.75)
Given the limitations of outside data and
the expected evolution of explicit modeling, concern was expressed
regarding uncertainty as to how scenario analysis will weigh into the
capital model and its impact on the overall capital charge. Limitations
due to confidentiality concerns on external data and its impact on
scenario analysis should be considered here (see No. 7 above). Some
bankers thought that examples would be helpful as they consider the
appropriate method to incorporate scenario analysis.
S 25. The institution must have a
comprehensive operational risk analytical framework that provides an
estimate of the institution’s operational risk exposure, which is the
aggregate operational loss that it faces over a one-year period at a
soundness standard consistent with a 99.9 percent confidence level.
(1.75)
The 99.9 percent confidence level as a
minimum standard appears overly conservative. Certainly, the current
state of the art may not enable a meaningful estimate of risk exposure
at this confidence level, and given the wide scope of operational risk
and the inherent unpredictability of operational losses, it may never be
possible to meet this requirement.
S 26. Management must document the
rationale for all assumptions underpinning its chosen analytical
framework, including the choice of inputs, distributional assumptions,
and the weighting across qualitative and quantitative elements.
Management must also document and justify any subsequent changes to
these assumptions. (1.63)
ORC bankers believe in general that they
already meet this principle.
S 27. The institution’s operational
risk analytical framework must use a combination of internal operational
loss event data, relevant external operational loss event data, business
environment and internal control factor assessments, and scenario
analysis. The institution must combine these elements in a manner that
most effectively enables it to quantify its operational risk exposure.
The institution can choose the analytical framework that is most
appropriate to its business model. (1.88)
Many comments in the previous section
address this concern. Our members anticipate meeting this standard,
although the process may not be straightforward. The flexibility to
choose the analytical framework that is most appropriate to an
institution’s business model is the appropriate approach and emphasizes
good business practices rather than arbitrary restrictions and
requirements.
S 28. The institution’s capital
requirement for operational risk will be the sum of expected and
unexpected losses unless the institution can demonstrate, consistent
with supervisory standards, the expected loss offset. (2.25)
As discussed in detail above in No. 2,
the ABA objects to the inclusion of expected losses in capital
calculation.
S 29. Management must document how its
chosen analytical framework accounts for dependence (e.g., correlations)
among operational losses across and within business lines. The
institution must demonstrate that its explicit and embedded dependence
assumptions are appropriate, and where dependence assumptions are
uncertain, the institution must use conservative estimates. (2.38)
As is discussed in detail in No. 9 above,
we have serious reservations concerning the ability of any institution
to collect sufficient data to defend correlation assumptions. Given the
sparse data available, explicit and objective determinations are not
always possible. Instead we recommend that heuristic and qualitative
experience should be allowed as bases for the required correlations.
S 30. Institutions may reduce their
operational risk exposure results by no more than 20% to reflect the
impact of risk mitigants. Institutions must demonstrate that mitigation
products are sufficiently capital-like to warrant inclusion in the
adjustment to the operational risk exposure. (2.25)
As noted in No. 8 above, our members
believe that the limitation on risk mitigation to no more than twenty
percent is simply arbitrary and capricious on the part of the Banking
Agencies. Keeping the floor on risk mitigation so low may force
institutions to use programs that are less protective than otherwise.
Our banks understand that exposure cannot be reduced by one hundred
percent of policy coverage because not all claims get paid and that
there are often added litigation costs. However, rather than imposing an
arbitrary floor, the Banking Agencies should focus on addressing the
issues of extent and certainty of coverage and solvency.
Additionally, the guidelines do not seem
to allow using captive insurance coverage as risk mitigation. Captive or
self-insurance with due diligence and coverage from reinsurance
companies should be allowed, as discussed above in No. 8. The regulation
should provide flexibility, allowing for recognition of other risk
mitigation products that emerge in the future.
S 31. Institutions using the AMA
approach for regulatory capital purposes must use advanced data
management practices to produce credible and reliable operational risk
estimates. (2.06)
There are several requirements built into
this standard, including the ability to factor in adjustments related to
risk mitigation, correlations, and risk assessments. This may prove to
be difficult for decentralized operating environments as well as the
issues surrounding correlations as noted in S 29.
S 32. The institution must test and
verify the accuracy and appropriateness of the operational risk
framework and results. (1.88)
ORC bankers believe in general that they
already meet this principle.
S 33. Testing and verification must be
done independently of the firm-wide operational risk management function
and the institution’s lines of business. (1.63)
ORC bankers believe in general that they
already meet this principle.
Conclusion
The shared goal among banks and the
Banking Agencies is to have effective risk management practices in place
and appropriate amounts of capital to support the risk that is assumed
by each institution. We believe the best way to accomplish this is to
allow institutions to determine which combination of elements is
appropriate to assess and manage operational risk within their
institutions. Banks understand that they must defend the assumptions
that underlie their methodologies. This approach is management oriented,
reflects an individual institution’s business, and is consistent with a
principles-based regulatory approach.
Moreover, flexibility is critical as
risk-management practices – including analytical techniques and use of
risk-mitigants – are evolving and will improve as experience is gained.
Arbitrary standards would fail to meet the test of time and should be
avoided.
Lastly, addressing concerns over
confidentiality of external data will help to foster convergence in the
methodologies for measuring and managing operational risk and facilitate
more scenario testing.
We appreciate the opportunity to comment
on this important issue.
Sincerely,
James Chessen
Chief Economist
American Bankers Association
Washington, DC
| 
