FDIC Federal Register Citations

Aon Corporation's Response to the
Advanced Notice of Proposed Rulemaking

Aon would like to thank the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision for the opportunity to comment on the Advanced Notice of Proposed Rulemaking. Aon Corporation is a global leader in risk management, insurance and reinsurance brokerage, human capital and management consulting, and outsourcing. The firm invests in a wide range of industry- and product-related expertise, to include intellectual capital devoted to the financial services sector.

Aon welcomes the direction that the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of Thrift Supervision have taken with Basel II. In general, Aon agrees with the treatment of operational risk through Pillar I and welcomes the acknowledgement of the role of insurance as a mitigant. In our response, we will concentrate our comments on this aspect of Pillar I and, in particular, on the following three areas:

• The role of insurance as a mitigant for operational risk capital;

• The use of external loss data; and

• The development of insurance products to mitigate operational risk.

Aon has responded to these particular details in the order in which they appear in the text of the Advanced Notice of Proposed Rulemaking.

Supervisory Standard S8

The institution must have policies and procedures that clearly describe the major elements of the operational risk management framework, including identifying, measuring, monitoring, and controlling operational risk.

Operational risk management policies, processes and procedures should be documented and communicated to appropriate staff. The policies and procedures should outline all aspects of the institution's operational risk management framework, including:

• The capture and use of internal and external operational risk loss data, including large potential events (including the use of scenario analysis).

Aon agrees that it is fundamental that both internal and external loss data are used in tandem for the tasks of identifying, assessing, measuring, monitoring, and managing operational risk. Aon shares the view that a robust warehouse of loss events is an essential factor in empowering banks to address their requirements regarding operational risk management.

Specifically, Aon sees singular value in the ability of a sufficient amount of detailed loss data to enhance banks' efforts in the following areas:

• Quantifying operational risk exposures using statistical/actuarial techniques;

• Improving application of qualitative risk assessment tools such as scenario analysis;
  and

• Integrating a forward-looking perspective into the operational risk management
  framework through optimizing the selection and calibration of measures including key
  risk indicators.

Supervisory Standard S12

The institution must demonstrate that it has appropriate internal loss event data, relevant external loss event data, assessments of business environment and internal controls factors, and results from scenario analysis to support its operational risk management and measurement framework.

Aon shares the view that external data is not only necessary but essential to good risk management and best practice. For external data to be considered relevant it must be accurate, reliable, scalable, and detailed. Furthermore, for quantitative information to be used effectively, external data must contain details about the context in which the events occurred, including the failures and inadequacies in the control environment, which permitted and or aggravated the loss.

While quantitative analysis is a key part of operational risk measurement and management, to obtain full value from external data banks must move beyond simply applying this data in statistical models and incorporate the lessons to be learned from the experience of similar institutions in their own risk management methodology.

Supervisory Standard S20

The institution must have policies and procedures that provide for the use of external loss data in the operational risk framework.

Aon fully endorses the creation of policies and procedures that provide for the structured and appropriate use of external data in operational risk management frameworks. These policies and procedures must form a key element of the corporate governance structure. The AMA approach, as well as evolving best practice, requires the use of external data while even non AMA banks adopting simpler approaches can benefit from exposure to the loss experience of their peers when designing their own frameworks. However, there are significant challenges to be overcome in designing systems that make best use of external loss data so that errors and biases are not imported into the bank's calculations.

• The bank must be satisfied that all the data is accurate. A major premise behind the importation of external data is that it focuses on high value losses and any inaccuracies in this data will have a disproportionate effect on capital calculations whether economic or regulatory.

• Consideration must be given to the question of mixing internal with external data for quantitative analysis. For example, are the loss datasets to be analyzed separately and the results integrated or will external and internal losses be used interchangeably?

• Appropriate weightings must be decided upon when incorporating external data into quantitative models for exposure and capital allocation

• Internal and external losses must be mapped into loss types and business lines according to similar protocols.

• External sources may also contain other data that is of value in operational risk management and assessment such as qualitative information surrounding the occurrence of losses. Provision must be made for extracting this data and assigning it the appropriate weight before integrating it into the correct components of the banks' risk management systems.

Supervisory Standard S21

Management must systematically review external data to ensure an understanding of industry experience.

To fully comprehend the nature and implications of operational risk exposures, all levels of management must develop an understanding of these risks. External data provides a useful avenue for the lessons learned from industry experience to be incorporated into management thinking. While the careful examination of the causes of losses provides a valuable tool for assessing sources of exposure and the probabilities of a loss, banks should take a more active view and consider the study of "near-misses" and instances where controls were effective as an opportunity to incorporate industry best practices into their own risk management structure.

The management information system is an excellent vehicle for the dissemination and review of external data to both senior and line management. Linking external and internal data to this system enables the institution to make better informed decisions about issues affecting the risk tolerance and appetite of the bank from a day-to-day management point of view as well as at the strategic level.

Supervisory Standard S30

Institutions may reduce their operational risk exposure results by no more than 20% to reflect the impact of risk mitigants. Institutions must demonstrate that mitigation products are sufficiently capital - likely to warrant inclusion in the adjustment to the operational risk exposure.

There are many mechanisms to manage operational risk, including risk transfer through risk mitigation products. Because risk mitigation can be important element in limiting or reducing operational risk exposure in an institution, an adjustment is being permitted that will directly impact the amount of regulatory capital that is held for operational risk. The adjustment is limited to 20% of the overall operational risk exposure determined by the institution using its loss data, qualitative factors, and quantitative framework.

Currently, the primary risk mitigant used for operational risk is insurance. There has been discussion that some securities products may be developed to provide risk mitigation benefits; however, to date, no specific products have emerged that have characteristics sufficient to be considered capital - replacement for operational risk. As a result, securities products and other capital market instruments may not be factored in to the regulatory capital risk mitigation adjustment at this time.

For an institution that wishes to adjust its regulatory capital requirement as a result of the risk mitigating impact of insurance, management must demonstrate that the insurance policy is sufficiently capital-like to provide the cushion that is necessary. A product that would fall in this category must have the following characteristics:

• The policy is provided through a third party that has a minimum claims paying ability rating of A

• The policy has an initial term of one year

• The policy has no exclusions or limitations based upon regulatory action or for the receiver or liquidator of a failed bank

• The policy has clear cancellation and non-renewal notice periods; and

• The policy coverage has been explicitly mapped to actual operational risk exposure of the institution

Insurance policies that meet these standards may be incorporated into an institution's adjustment for risk mitigation. An institution should be conservative in its recognition of such policies, for example, the institution must also demonstrate that insurance policies used as the basis for the adjustment have a history of timely payouts. If claims have not been paid on a timely basis, the institution must exclude that policy from the operational risk capital adjustment. In addition, the institution must be able to show that the policy would actually be used in the event of a loss situation; that is, the deductible may not be set so high that no loss would ever conceivably exceed the deductible threshold.

The Agencies will not specify how institutions should calculate the risk mitigation adjustment. Nevertheless, institutions are expected to use conservative assumptions when calculating adjustments. An institution should discount (i.e., apply its own estimates of haircuts) the impact of insurance coverage to take into account factors, which may limit the likelihood or size of claims payouts. Among these factors are the remaining terms of a policy, especially when it is less than a year, the willingness and ability of the insurer to pay on a claim in a timely manner, the legal risk that a claim may be disputed, and the possibility that a policy can be cancelled before the contractual expiration.

Aon believes that through the recognition of insurance as a capital mitigant (for banks), an efficient capital frontier between banking and insurance capital will be established. However the existence of overly prescriptive legislation in this area may be detrimental to both the banking and insurance industries.

Disallowing the use of capital markets instruments in their entirety risks stifling innovation in operational risk management. We believe that the capital markets will have a central role to play in this area and that the most effective hedge for operational risk will most likely be products or programs that will achieve the status of capital by combining the coverage and control elements of insurance policies with the payout characteristics of securities instruments.

Aon believes that a more productive approach would be to apply to securities instruments standards consistent with those proposed for accepting insurance as a capital mitigant. Banks should be permitted to explore capital markets or capital markets / insurance hybrid instruments, however, they must prove to regulators' satisfaction that any products they propose to use to finance risks provide sufficient protection to form part of the capital base.

Aon believes that the Basel II Capital Accord should explicitly state that the 20% cap on risk mitigation is subject to continual review. This is to ensure that regulatory and economic capital remain aligned and sufficient incentives exist for the industry to develop appropriate risk financing instruments.

• The policy is provided through a third party that has a minimum claims paying ability
  rating of A

Aon appreciates that the counterparty must have a credit rating which is satisfactory to the institutions and regulators. A pragmatic approach would allow banks to assess the financial security of the insurance companies on a case-bycase basis. This has the advantage that banks can design appropriate adjustments based on the actual ratings, rather than a stipulated minimum threshold. In addition, if the rating were to vary during the period of contract, then banks can model this alteration into their adjustments especially if the rating is downgraded from A plus to A or A to A minus. The other issue that institutions must consider is the fact different rating agencies often provide a different rating value for the same company i.e. the Lloyds' of London Market is rated A by some rating agencies and A minus by others. Also of note, several carriers with different ratings may be a part of one insurance program.

• The policy has an initial term of one year

Aon agrees with this stipulation. Moreover, policies of at least one - year duration are the industry standard while, until recently, multi-year policies were widely available.

Aon believes that the requirement for an adjustment of the mitigatory effect for policies with a residual period of less than one year stems from an incomplete understanding of the way in which insurance covers risks. Unlike other hedging techniques, the cover provided by an insurance policy is not a function of the instrument's time to expiration. A claim made on the day before expiration has the same likelihood of being paid as a claim made on the first day of the coverage period.

Aon has amassed a large body of knowledge concerning the historical performance and payment patterns of insurance policies for financial institutions. Aon would be pleased to work with the regulatory authorities to determine the true effect of time-to-expiry on the coverage provided by insurance.

• The policy has no exclusions or limitations based upon regulatory action or for the
  receiver or liquidator of a failed bank

Aon believes that an insurance policy which does not have exclusions or limitations based upon regulatory action is a cause of moral hazard and as such is not in the public interest. A bank having blanket insurance against regulatory fines will not be incentivized to promote sound risk management as all regulatory fines will be paid by the insurance industry.

With respect to the appointment of a receiver / liquidator, typically the legal ownership of the entity changes. In such circumstances, as a matter of public policy the contract will become null and void. That said, insurance companies traditionally honor claims made after the appointment of a receiver / liquidator for events which occurred prior to the said appointment. It should also be noted, that it is common practice for the receiver / liquidator to have in place appropriate insurance.

• The policy has clear cancellation and non-renewal notice periods

Aon concurs that all insurance policies must have clear cancellation and nonrenewal notice periods. Aon proposes that contracts receiving capital relief include a cancellation clause stating that the insurer must notify the bank and the bank's specified regulator in the event of intended cancellation by the insurer. Aon's ultimate goal is to work with insurers and other interested parties to develop solutions that are non-cancellable

• The policy coverage has been explicitly mapped to actual operational risk exposure of the institution

Aon believes that this is an AMA entry requirement and that matching exposures to appropriate policies is a fundamental premise behind any effective insurance program.

An institution should be conservative in its recognition of such policies, for example, the institution must also demonstrate that insurance policies used as the basis for the adjustment have a history of timely payouts. If claims have not been paid on a timely basis, the institution must exclude that policy from the operational risk capital adjustment. In addition, the institution must be able to show that the policy would actually be used in the event of a loss situation; that is, the deductible may not be set so high that no loss would ever conceivably exceed the deductible threshold

Aon agrees that insurance policies should be assigned the correct value in terms of their operational risk mitigating effects. Aon believes that the question of liquidity has already been addressed by the stipulation that insurance companies must have a minimum claims paying rating. Aon also is very attentive to working with all parties to develop an acceptable insurance solution that balances an appropriate scope of coverage with a claim payout requirement that ensures timely payments from the insurance provider(s).

Appendix A

Empirical Evidence Supporting the Efficacy of Insurance

The following 2 slides demonstrate the speed of payments and the correlation between size of loss to payment. The data points are for over 100 bankers blanket bond claims in Aon's database and have been selected on a random basis.

The first chart* shows the time between resolution of the insurance claim and the payment made to the bank. The payment was the full and final agreed settlement. This chart demonstrates that in 90% of cases banks received the full payment within 3 months of the claim being resolved.

The second slide* shows there is no direct correlation (or dependency) between the size of the claim and the time to payment. With the exception of the three outliers, the majority of claims were settled between 0 and 3 months with the remainder settled between 3 and 6 months. In certain situations in the past, all participating insurance companies in the contract had to individually agree to the settlement. This is most likely to account for the outliers, it may also account for a significant number of points in the 3 to 6 month bracket on this diagram. However, the insurance industry has demonstrated a willingness to put into place mechanisms that provide for rapid resolution and payment of claims i.e. rogue trading policies which standardly have a fast track thirty day resolution and payment clause.

* The chart and slide show can be viewed in the FDIC Public Information Center during business days, from 8:00 a.m. to 5:00 p.m. at  801 17th St, NW, Washington, DC.