Response to consultation on draft Regulatory Technical Standards on assessment methodologies for the Advanced Measurement Approaches for operational risk
Go back
The EBA intends to move First and Third Party Fraud from the Credit Risk (CR) regime into the OR regime. Although we agree that this is conceptually sound, the practical implications are enormous. While it is difficult to gauge what the net capital implications are (overall levels could either rise or fall), the cost/benefit proposition is unclear. A critical prerequisite to introducing such a change is a section in the upcoming Credit Risk RTS (due around September 2014) fully in line with the OR RTS, because the bulk of the process changes will be on the CR side.
Primarily, the change in event categorisation must be supported by CR Management functions and regulators. For CR Management the implications range from data collection, to data history in risk analysis, to the amount of capital required for Credit Risk.
Consistency between the upcoming CR consultation paper, and the implications and effects in Article 6 of this consultation, is necessary. Operational Risk Management functions cannot be expected to implement data collection related to the credit area without the active support of regulators specialising in the credit area.
Second, the final calibration of the data collection threshold will have a significant impact upon firms. The Operational Riskdata eXchange Association (ORX) currently has a threshold of €500,000 for the investigation of Credit Risk losses that may have Operational Risk elements. However, we interpret Article 6 §3 as stating that firms collecting Operational Risk Losses from a lower threshold, €10,000 or even lower, must also collect data about fraud in the credit area from the same threshold.
We urge the EBA to keep in mind that whilst a firm may have hundreds of defaults with write-offs of €500,000, the same firm may have hundreds of thousands of defaults with write-offs of €10,000 or lower. This increased workload is then compounded by the time that it takes the firm to determine if a fraud has, or has not, been committed. As a rough guide the time taken to determine if there has, or has not, been a fraud can be three months or longer. We deem the resource and cost implications would outweigh the anticipated benefits.
With regard to the threshold it should be acknowledged that the data collection process for operational risk losses related to credit risk is significantly different from other operational risk losses. Fraudulently incurred default losses are typically identified in a “post mortem analysis” which is economically feasible only at a higher collection threshold.
A potential approach is to extend the phase-in concept to thresholds as well as time. For example the initial data collection target could use a relatively high threshold, such as €500,000. Once firms have embedded systems and have been collecting this data as operational risk losses for a period of time, then a review could be undertaken to determine if there is sufficient value in reducing the data collection threshold. We estimate the implementation costs to be extremely high and disproportionate to the additional information gained for OR management.
There are some practicalities that should be considered in relation to Article 6 §3. Presently the thresholds for collecting OR loss data relate to the business line and their OR appetite. Requiring the initial data collection of fraud in the credit risk space at the same threshold is expected to create a significant implementation challenge.
In addition to the system challenges there may also be the need to recruit additional staff to perform the forensic analysis in order to determine whether a fraud has been committed. This forensic analysis can take over three months.
Risks for which there is a known maximum exposure (as is the case with the aforementioned fraud events in the credit area) can be modelled in a different way to the more typically operational risk data for which there is effectively uncapped severity. Accurate modelling of fraud events in the credit area can be effectively achieved using an exposure-based model which incorporates the extra information, rather than a Loss Distribution Approach which discards it.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 6, Item 4 (1):
There seems to be some overlap between the description of First and Third Party Fraud. This paragraph refers to “using another person’s identifying information”. In our view this is more closely aligned with Third Party Fraud than to First Party Fraud. To amend this, we propose that “and using another person’s identifying information” be deleted.
We request that the definitions of First Party Fraud and Third Party fraud be clarified with regard to the following aspects:
• If first party fraud occurs when the party misrepresents its financial abilities on the application forms and by using another person's identifying information“, how should it be differentiated from third party fraud which is “a fraud that is committed by means of use of a person’s identity”?
• We understand that any fraud which is initiated by an existing customer at a later stage of the lifecycle of a credit product (not on the application form) is neither first nor third party fraud. As this definition differs from the commonly used one, we request that this be stated explicitly.
This data is perceived as being useful for operational risk management. However, capturing these kinds of losses is difficult since internal costs are hard to quantify and cannot be allocated. This would only be reasonable in specific areas and with high thresholds. The practical issues include how to estimate these values with a degree of consistency across the businesses, event types and with a degree of accuracy. Given that it is unlikely that this issue be resolved in the near future, we request “opportunity costs / lost revenues” be deleted. We believe it should also be acknowledged that higher thresholds can be applied for the collection of these. This is because only high-impact events can be identified with reasonable effort and are relevant for OR management decisions.
We would appreciate clarification about the Article 7 §2 use of the term “AMA management”. Is this intended to refer to the operational risk management or the team managing the AMA model?
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 7, Item 2 d):
This data is perceived as being useful for operational risk management. However, capturing these kind of losses is difficult since internal costs are hard to quantify, cannot be allocated and are not booked in the general ledger. This would only be reasonable in specific areas and with high thresholds. We believe it should also be acknowledged that higher thresholds can be applied for the collection of these. This is because only high-impact events can be identified with reasonable effort and are relevant for OR management decisions
Accordingly, we propose that “internal costs such as overtime or bonuses” be deleted.
As per our comment above, clarity is needed around the Article 7 §2 use of the term “AMA management”.
We find the reference to industry practice unclear. A number of industry practices have been found to be against “legislative or regulatory rules”.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 4, Item 4:
This paragraph should be aligned with paragraph 2b.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 4, Item 5:
Examples could include various forms of business or strategic risk. Given the exclusions from the definitions it would be helpful if the same terminology could be used here.
From the perspective of consistency with the definition of operational risk, it would be useful to explicitly mention Strategic and Reputational Risks as being excluded.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 1:
It is unclear to us why all “Operational risk events occurring in market-related activities shall be classified as boundary events between operational risk and market risk.” There is a wide variety of possible operational risk events in market-related activities which do not generate market risk.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 2 c):
Models and model risk are included in the scope of operational risk. However, the lack of a definition of model or model risk in Article 2 creates uncertainty about the interpretation and practical scope of this paragraph.
If a definition of model risk were to be added, this paragraph would no longer be needed.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 3 b):
We propose to amend the this guidance as in general, errors in data entries account for as many errors, if not more, than software errors. For clarity, we propose adding a reference to data entry errors to Article 5 paragraph 3b. An appropriate addition might be “errors in classification due to data entry errors and/or the software used by the front and middle office.”
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 3 f):
This should be aligned with the broader scope of the Article.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 6, Item 2 a):
The impression given is that fraud is only committed at the beginning and not during the life of a transaction. So if fraudulent details are provided during the life of a credit transaction then the fraud is still to be allocated to Credit Risk. If this is what is intended then it would lead to an inconsistent capital treatment of fraud – sometimes OR and sometimes CR depending upon the timing of the fraud.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 7, Item 1 e):
It is recognised and appreciated that uncollected revenues are an economic loss to the firm. However, capturing these losses is difficult. One potential data source, the General Ledger, is used to tracking things that did happen rather than things that did not happen. In our view firms should be able to agree a threshold with their home regulator, for capturing uncollected revenues.
For uncollected revenues it is impossible to ensure completeness. Policy statement with penalties for non-compliance and/or high thresholds must be allowed to make this practical.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 7, Item 1 f):
We support the definition of timing losses. However tax related payments should be explicitly excluded since these are not related to operational risk (for tax events only interest and fines are recorded).
Section 2 requires independence of loss events within a category, whereas section 3 requires dependence of tail events.
Empirical analysis shows that event severities are independent within and across risk categories. Moreover independence of loss severities is a widely accepted model assumption in the loss distribution approach: Statistical techniques mentioned in Article 24, particularly the single loss approximation and the Panjer recursion, require the independence assumption.
Dependence can be well incorporated into the frequency model although empirical evidence in this context is low. It only has a limited effect because of a symptomatic property of sub exponential severity distributions (in combination with moderate frequencies): The annual loss is typically determined by the largest single event. This is what we observe in historical data and indeed is the idea of the single loss approximation.
In 26(3) the guidance states that “The dependence structure shall not be based on Gaussian or Normal-like distributions”, in this case more clarity would be welcome on what constitutes a “Normal-like” copula, in particular at what point the number of degrees of freedom of a t-copular means the copula is “Normal-like”. The stated limitation on the number of degrees of freedom “with few degrees of freedom (e.g. 3 or 4) in most cases appears more appropriate to capture the dependencies between operational risk events” seems particularly restrictive, and in many cases may not be appropriate.
The analogy to credit and market risk is therefore misleading. Extreme losses in credit risk and market risk are driven by cumulated events. In this context events are dependent, the shape of the copula is critical for the fat tail of the portfolio loss. The use of t-copulas in credit risk and market risk is meaningful.
On the contrary, extreme losses in operational risk turned out to be rare single events of extreme extent and not correlated cumulated events. The severity distribution is crucial for the capital estimation.
We support the use of an internal model for internal capital adequacy assessment process and the internal OR management. However, we would appreciate more detail on which components can differ (e.g. insurance recognition, suballocation).
Q2: Do you support the treatment under an AMA regulatory capital of fraud events in the credit area, as envisaged in Article 6? Do you support the phase-in approach for its implementation as set out in Article 48?
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 6, Item 3:The EBA intends to move First and Third Party Fraud from the Credit Risk (CR) regime into the OR regime. Although we agree that this is conceptually sound, the practical implications are enormous. While it is difficult to gauge what the net capital implications are (overall levels could either rise or fall), the cost/benefit proposition is unclear. A critical prerequisite to introducing such a change is a section in the upcoming Credit Risk RTS (due around September 2014) fully in line with the OR RTS, because the bulk of the process changes will be on the CR side.
Primarily, the change in event categorisation must be supported by CR Management functions and regulators. For CR Management the implications range from data collection, to data history in risk analysis, to the amount of capital required for Credit Risk.
Consistency between the upcoming CR consultation paper, and the implications and effects in Article 6 of this consultation, is necessary. Operational Risk Management functions cannot be expected to implement data collection related to the credit area without the active support of regulators specialising in the credit area.
Second, the final calibration of the data collection threshold will have a significant impact upon firms. The Operational Riskdata eXchange Association (ORX) currently has a threshold of €500,000 for the investigation of Credit Risk losses that may have Operational Risk elements. However, we interpret Article 6 §3 as stating that firms collecting Operational Risk Losses from a lower threshold, €10,000 or even lower, must also collect data about fraud in the credit area from the same threshold.
We urge the EBA to keep in mind that whilst a firm may have hundreds of defaults with write-offs of €500,000, the same firm may have hundreds of thousands of defaults with write-offs of €10,000 or lower. This increased workload is then compounded by the time that it takes the firm to determine if a fraud has, or has not, been committed. As a rough guide the time taken to determine if there has, or has not, been a fraud can be three months or longer. We deem the resource and cost implications would outweigh the anticipated benefits.
With regard to the threshold it should be acknowledged that the data collection process for operational risk losses related to credit risk is significantly different from other operational risk losses. Fraudulently incurred default losses are typically identified in a “post mortem analysis” which is economically feasible only at a higher collection threshold.
A potential approach is to extend the phase-in concept to thresholds as well as time. For example the initial data collection target could use a relatively high threshold, such as €500,000. Once firms have embedded systems and have been collecting this data as operational risk losses for a period of time, then a review could be undertaken to determine if there is sufficient value in reducing the data collection threshold. We estimate the implementation costs to be extremely high and disproportionate to the additional information gained for OR management.
There are some practicalities that should be considered in relation to Article 6 §3. Presently the thresholds for collecting OR loss data relate to the business line and their OR appetite. Requiring the initial data collection of fraud in the credit risk space at the same threshold is expected to create a significant implementation challenge.
In addition to the system challenges there may also be the need to recruit additional staff to perform the forensic analysis in order to determine whether a fraud has been committed. This forensic analysis can take over three months.
Risks for which there is a known maximum exposure (as is the case with the aforementioned fraud events in the credit area) can be modelled in a different way to the more typically operational risk data for which there is effectively uncapped severity. Accurate modelling of fraud events in the credit area can be effectively achieved using an exposure-based model which incorporates the extra information, rather than a Loss Distribution Approach which discards it.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 6, Item 4 (1):
There seems to be some overlap between the description of First and Third Party Fraud. This paragraph refers to “using another person’s identifying information”. In our view this is more closely aligned with Third Party Fraud than to First Party Fraud. To amend this, we propose that “and using another person’s identifying information” be deleted.
We request that the definitions of First Party Fraud and Third Party fraud be clarified with regard to the following aspects:
• If first party fraud occurs when the party misrepresents its financial abilities on the application forms and by using another person's identifying information“, how should it be differentiated from third party fraud which is “a fraud that is committed by means of use of a person’s identity”?
• We understand that any fraud which is initiated by an existing customer at a later stage of the lifecycle of a credit product (not on the application form) is neither first nor third party fraud. As this definition differs from the commonly used one, we request that this be stated explicitly.
Q3: Do you support the collection of ’opportunity costs/loss revenues‘ and internal costs at least for managerial purposes, as envisaged in Article 7(2)?
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 7, Item 2 c):This data is perceived as being useful for operational risk management. However, capturing these kinds of losses is difficult since internal costs are hard to quantify and cannot be allocated. This would only be reasonable in specific areas and with high thresholds. The practical issues include how to estimate these values with a degree of consistency across the businesses, event types and with a degree of accuracy. Given that it is unlikely that this issue be resolved in the near future, we request “opportunity costs / lost revenues” be deleted. We believe it should also be acknowledged that higher thresholds can be applied for the collection of these. This is because only high-impact events can be identified with reasonable effort and are relevant for OR management decisions.
We would appreciate clarification about the Article 7 §2 use of the term “AMA management”. Is this intended to refer to the operational risk management or the team managing the AMA model?
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 7, Item 2 d):
This data is perceived as being useful for operational risk management. However, capturing these kind of losses is difficult since internal costs are hard to quantify, cannot be allocated and are not booked in the general ledger. This would only be reasonable in specific areas and with high thresholds. We believe it should also be acknowledged that higher thresholds can be applied for the collection of these. This is because only high-impact events can be identified with reasonable effort and are relevant for OR management decisions
Accordingly, we propose that “internal costs such as overtime or bonuses” be deleted.
As per our comment above, clarity is needed around the Article 7 §2 use of the term “AMA management”.
Q4: Do you support the items in the lists of operational risk events in Articles 4, 5 and 6, and the items in the list of operational risk loss in Article 7? Or should more items be included in any of these lists?
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 4, Item 3 b):We find the reference to industry practice unclear. A number of industry practices have been found to be against “legislative or regulatory rules”.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 4, Item 4:
This paragraph should be aligned with paragraph 2b.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 4, Item 5:
Examples could include various forms of business or strategic risk. Given the exclusions from the definitions it would be helpful if the same terminology could be used here.
From the perspective of consistency with the definition of operational risk, it would be useful to explicitly mention Strategic and Reputational Risks as being excluded.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 1:
It is unclear to us why all “Operational risk events occurring in market-related activities shall be classified as boundary events between operational risk and market risk.” There is a wide variety of possible operational risk events in market-related activities which do not generate market risk.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 2 c):
Models and model risk are included in the scope of operational risk. However, the lack of a definition of model or model risk in Article 2 creates uncertainty about the interpretation and practical scope of this paragraph.
If a definition of model risk were to be added, this paragraph would no longer be needed.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 3 b):
We propose to amend the this guidance as in general, errors in data entries account for as many errors, if not more, than software errors. For clarity, we propose adding a reference to data entry errors to Article 5 paragraph 3b. An appropriate addition might be “errors in classification due to data entry errors and/or the software used by the front and middle office.”
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 3 f):
This should be aligned with the broader scope of the Article.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 6, Item 2 a):
The impression given is that fraud is only committed at the beginning and not during the life of a transaction. So if fraudulent details are provided during the life of a credit transaction then the fraud is still to be allocated to Credit Risk. If this is what is intended then it would lead to an inconsistent capital treatment of fraud – sometimes OR and sometimes CR depending upon the timing of the fraud.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 7, Item 1 e):
It is recognised and appreciated that uncollected revenues are an economic loss to the firm. However, capturing these losses is difficult. One potential data source, the General Ledger, is used to tracking things that did happen rather than things that did not happen. In our view firms should be able to agree a threshold with their home regulator, for capturing uncollected revenues.
For uncollected revenues it is impossible to ensure completeness. Policy statement with penalties for non-compliance and/or high thresholds must be allowed to make this practical.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 7, Item 1 f):
We support the definition of timing losses. However tax related payments should be explicitly excluded since these are not related to operational risk (for tax events only interest and fines are recorded).
Q5. Do you support that the dependence structure between operational risk events cannot be based on Gaussian or Normal-like distributions, as envisaged in Article 26 (3)? If not, how could it be ensured that correlations and dependencies are well-captured?
We recognise that the modelling of dependence is challenging and a conservative approach is sensible, although analysis of operational risk loss data consistently implies general low levels of tail dependence. However, we believe that the guidance on dependence in these rules is too prescriptive. The explicit exclusion of a broad range of approaches is based on questionable statistical reasoning and references to credit and market risk, which are incomparable.Section 2 requires independence of loss events within a category, whereas section 3 requires dependence of tail events.
Empirical analysis shows that event severities are independent within and across risk categories. Moreover independence of loss severities is a widely accepted model assumption in the loss distribution approach: Statistical techniques mentioned in Article 24, particularly the single loss approximation and the Panjer recursion, require the independence assumption.
Dependence can be well incorporated into the frequency model although empirical evidence in this context is low. It only has a limited effect because of a symptomatic property of sub exponential severity distributions (in combination with moderate frequencies): The annual loss is typically determined by the largest single event. This is what we observe in historical data and indeed is the idea of the single loss approximation.
In 26(3) the guidance states that “The dependence structure shall not be based on Gaussian or Normal-like distributions”, in this case more clarity would be welcome on what constitutes a “Normal-like” copula, in particular at what point the number of degrees of freedom of a t-copular means the copula is “Normal-like”. The stated limitation on the number of degrees of freedom “with few degrees of freedom (e.g. 3 or 4) in most cases appears more appropriate to capture the dependencies between operational risk events” seems particularly restrictive, and in many cases may not be appropriate.
The analogy to credit and market risk is therefore misleading. Extreme losses in credit risk and market risk are driven by cumulated events. In this context events are dependent, the shape of the copula is critical for the fat tail of the portfolio loss. The use of t-copulas in credit risk and market risk is meaningful.
On the contrary, extreme losses in operational risk turned out to be rare single events of extreme extent and not correlated cumulated events. The severity distribution is crucial for the capital estimation.
Q6: Do you support the use of the operational risk measurement system not only for the calculation of the AMA regulatory capital but also for the purposes of internal capital adequacy assessment, as envisaged in Article (42)(d)?
Chapter VI – Use Test, Article 41, Item 1 d):We support the use of an internal model for internal capital adequacy assessment process and the internal OR management. However, we would appreciate more detail on which components can differ (e.g. insurance recognition, suballocation).