Response to consultation on draft Regulatory Technical Standards on assessment methodologies for the Advanced Measurement Approaches for operational risk
Go back
Regarding the proposal itself, the need for enhanced clarity on risks that are borderline between credit and operational risks is undisputable. The answers proposed in this paper do not appear to be appropriate for many reasons.
- The proposed set up is complex, with distinctions between first and third party fraud and fraud at the origin or after the granting of the credit that will be subject to a high level of interpretation. In many situations a case by case analysis will be needed.
- We consider also the amount of the loss to be recorded to be problematic (Article 8(1d)). It should be mentioned that loss mitigations could be included (realization of collateral for instance).The outstanding amount of credit at the time of discovery of the fraud does not necessarily correspond to the amount of the write-off. Further repayments of principal and proceeds from realization of collateral should be eligible as loss mitigation. In particular, the amount of the credit guarantees collected and the associated amount of the unsecured portion played a key role in the decision to grant credit. Accordingly, it should also be possible to take into consideration the eligible value of the collateral in the assessment of the operational risk. The assessment of the loss has to be undertaken on the basis of the amount of the reserve.
- The proposed change in definition would interrupt the data history. In order to ensure the reliability of data, a corresponding data stock including consideration of the credit risk would have to be built up.
- When the credit event appears the analysis wherever the fraud has been committed or not can take several months. Thus losses would have to be moved from credit risk models to AMA models once the fraud has been proven. This needlessly causes instability both for credit risk and for AMA models.
- There is a risk to double count the same risk in both credit and operational risk capital, especially as credit risk capital requirement still contains “hidden / never identified credit fraud”. To avoid double counting, institutions should be authorized to extract from their database such fraud events from the credit risk. We would therefore need a clarification on the credit risk methodological assessment side in order to preserve the intrinsic consistency of the CRD standards.
- Furthermore, this would imply tremendous implementation efforts from an operational and IT perspective, for both operational risk and credit risk system that it seems hardly achievable even in 5 years. Indeed, it will induce to restructure the ratings data bases and processes as well as EAD and LGD linked IT systems, procedures and computation. This will have a significant impact on all IRB parameters and then on RWA. Finally, according to the “use test” principle, it will have widespread impact on client global management (application process, collateral policy, cross selling policy, CRM).
- a&b - Near-misses and operational risk gains: The implementation of this requirement would pose a large number of challenges to the institutions. We point out that in contrast to genuine losses, near-misses frequently leave no “traces” behind in accounts and therefore the exhaustiveness of the recording of the relative operational risk events cannot be guaranteed. Then the bias induced in the loss collection doesn’t allow a proper statistical use of these data.
- c – opportunity costs / lost revenues : It is doubtful to include them in an exhaustive data collection exercise given the fact that, as indicated in Article 2 itself, they do not lead to any charge in the P&L,
- d - Internal costs such as overtime or bonuses: a precise assessment of overtime is quite complex considering that, in most of the case, internal staff first perform a trade off with their other tasks and postpone it to focus on risk event treatment. Therefore, the overtime cost could be not a fair assessment of cost of OR loss.
Moreover, we want to point out the difficulties of performing a fair estimation of cost of repair or replacement mentioned in Article 7 (1, b2). Indeed, after a risk event, one may choose to enhance the former situation rather than just to restore it. It is then quite unclear to assess which part of the cost should be considered including in OR database. When deciding to include all the components of the enhancement, it would unduly burden the entities promoting enhancement rather than pure restoration. We propose the text should make it clear that it should be assessed on a best effort basis
The provisions of the article 7 (1,d) leave room for interpretation that may lead to very heterogeneous practices across institutions. We would prefer a simpler rule such as pending losses over 2 years or over a certain amount that could be 1 % of the NBI of a given entity.
Article 4 on legal risk
We do not have any comments.
Article 5 on market risk
According to Article 5(3)(g), unauthorized market positions taken in excess of limits are to be considered as operational risk events. The wording appears unclear to us. If it was to mean unauthorized excess of limits, we consider this should not be considered as an operational risk event. Should it nevertheless be so, it would be very complex to track and record properly for a limited added value, as the situations that may be at risk are currently properly covered from a prudential perspective through breaches in the VaR. If what is at stake is, as currently, more deliberate and fraudulent behavior, which is undoubtedly an operational risk event, then the wording needs to be adapted.
We do not understand to which type of “errors in classification due to software” Art 3 (b) are intended to be covered and to which extent they are to be considered as operational risk.
Model risk that falls under operational risk should be clearly defined in this document. The EBA/CP/ 2014/14 on the SREP process mentions a definition and suggest a split. We consider first, this rule should not be in the guidelines on SREP process and second that the proposal included in the EBA/CP/ 2014/14 should be improved.
Finally, the treatment described in Article 8(1b) partially differs from former regulatory position, to ensure consistency throughout the historical data, we advocate for keeping things unchanged from previous standards.
Article 6 on credit risk
Same arguments as for Q2, so please refer to Q2.
Article 7 on operational risk losses
The current wording of § 1 leaves no room for excluding some loss from the AMA calculation. As mentioned in Article 6, there may be case where boundary losses have to be deducted from the loss database to consider. We propose to insert the mention “unless otherwise specified” within the first sentence of §1.
Inclusion of more items in these lists
We do not see any additional items to be included in these different lists.
Indeed, the dependence structure depends mainly on the way the operational risk categories are defined, on the way how data is grouped and finally how the dependence structure interact within the full modeling framework.
Firstly, the document should clarify to which quantity the proposed Student copula should apply. Indeed, depending on the bank, some dependence models are based on aggregate cells losses, others are based on frequencies (number of events) and others are based on severities. Given the parameters, it is well known in the literature that these three approaches lead to very different impacts. Secondly, should the Student copula be correct for frequency dependences, it could be incorrect for aggregating loss dependences for instance. Thirdly, the data may be compliant with the Gaussian copula and invalidate the Student copula. we do not support too prescriptive restrictions/recommendations for modelling choices given the fact that we have in any case to produce quantitative and qualitative evidence that our modeling choices are relevant, conservative and duly justified, (see article 26 (5)).
We support the idea of using the operational risk system for ICAAP purposes. We suggest the EBA to elaborate more to which extent the AMA model has to be used for ICAAP purposes. We think the opportunity should be left open to each institution to use or not the AMA model for assessing its ICAAP. Moreover, supervisors have always the opportunity to assess the efficiency of the internal modelling through the SREP process.
Q2: Do you support the treatment under an AMA regulatory capital of fraud events in the credit area, as envisaged in Article 6? Do you support the phase-in approach for its implementation as set out in Article 48?
We do not support the modifications envisaged in article 6 because this would introduce a significant uneven playing field between banks subject to EBA/ECB rules and all the other banks BCBS compliant and also between IRBA/AMA banks compared to IRBA or AMA only entities. We consequently strongly opposed to any changes from the actual regulation.Regarding the proposal itself, the need for enhanced clarity on risks that are borderline between credit and operational risks is undisputable. The answers proposed in this paper do not appear to be appropriate for many reasons.
- The proposed set up is complex, with distinctions between first and third party fraud and fraud at the origin or after the granting of the credit that will be subject to a high level of interpretation. In many situations a case by case analysis will be needed.
- We consider also the amount of the loss to be recorded to be problematic (Article 8(1d)). It should be mentioned that loss mitigations could be included (realization of collateral for instance).The outstanding amount of credit at the time of discovery of the fraud does not necessarily correspond to the amount of the write-off. Further repayments of principal and proceeds from realization of collateral should be eligible as loss mitigation. In particular, the amount of the credit guarantees collected and the associated amount of the unsecured portion played a key role in the decision to grant credit. Accordingly, it should also be possible to take into consideration the eligible value of the collateral in the assessment of the operational risk. The assessment of the loss has to be undertaken on the basis of the amount of the reserve.
- The proposed change in definition would interrupt the data history. In order to ensure the reliability of data, a corresponding data stock including consideration of the credit risk would have to be built up.
- When the credit event appears the analysis wherever the fraud has been committed or not can take several months. Thus losses would have to be moved from credit risk models to AMA models once the fraud has been proven. This needlessly causes instability both for credit risk and for AMA models.
- There is a risk to double count the same risk in both credit and operational risk capital, especially as credit risk capital requirement still contains “hidden / never identified credit fraud”. To avoid double counting, institutions should be authorized to extract from their database such fraud events from the credit risk. We would therefore need a clarification on the credit risk methodological assessment side in order to preserve the intrinsic consistency of the CRD standards.
- Furthermore, this would imply tremendous implementation efforts from an operational and IT perspective, for both operational risk and credit risk system that it seems hardly achievable even in 5 years. Indeed, it will induce to restructure the ratings data bases and processes as well as EAD and LGD linked IT systems, procedures and computation. This will have a significant impact on all IRB parameters and then on RWA. Finally, according to the “use test” principle, it will have widespread impact on client global management (application process, collateral policy, cross selling policy, CRM).
Q3: Do you support the collection of ’opportunity costs/loss revenues‘ and internal costs at least for managerial purposes, as envisaged in Article 7(2)?
Concerning specifically the items mentioned in Article 7 (2), we support the principles provided that it is only for managerial purposes (deletion of the reference “at least” would be welcome). In fact some data will be very difficult to collect exhaustively, such as near-misses, uncollected revenues, overtime and bonuses, even if they contain interesting information for OR management purpose:- a&b - Near-misses and operational risk gains: The implementation of this requirement would pose a large number of challenges to the institutions. We point out that in contrast to genuine losses, near-misses frequently leave no “traces” behind in accounts and therefore the exhaustiveness of the recording of the relative operational risk events cannot be guaranteed. Then the bias induced in the loss collection doesn’t allow a proper statistical use of these data.
- c – opportunity costs / lost revenues : It is doubtful to include them in an exhaustive data collection exercise given the fact that, as indicated in Article 2 itself, they do not lead to any charge in the P&L,
- d - Internal costs such as overtime or bonuses: a precise assessment of overtime is quite complex considering that, in most of the case, internal staff first perform a trade off with their other tasks and postpone it to focus on risk event treatment. Therefore, the overtime cost could be not a fair assessment of cost of OR loss.
Moreover, we want to point out the difficulties of performing a fair estimation of cost of repair or replacement mentioned in Article 7 (1, b2). Indeed, after a risk event, one may choose to enhance the former situation rather than just to restore it. It is then quite unclear to assess which part of the cost should be considered including in OR database. When deciding to include all the components of the enhancement, it would unduly burden the entities promoting enhancement rather than pure restoration. We propose the text should make it clear that it should be assessed on a best effort basis
The provisions of the article 7 (1,d) leave room for interpretation that may lead to very heterogeneous practices across institutions. We would prefer a simpler rule such as pending losses over 2 years or over a certain amount that could be 1 % of the NBI of a given entity.
Q4: Do you support the items in the lists of operational risk events in Articles 4, 5 and 6, and the items in the list of operational risk loss in Article 7? Or should more items be included in any of these lists?
From a general viewpoint, we welcome the intent of clarifications. They are needed regarding the different items listed for operational risk, on whether or not they are effectively considered as operational risk. We think there are several events that should not be part of operational risk, therefore boundaries between operational risk and others risks have to be clearly stated.Article 4 on legal risk
We do not have any comments.
Article 5 on market risk
According to Article 5(3)(g), unauthorized market positions taken in excess of limits are to be considered as operational risk events. The wording appears unclear to us. If it was to mean unauthorized excess of limits, we consider this should not be considered as an operational risk event. Should it nevertheless be so, it would be very complex to track and record properly for a limited added value, as the situations that may be at risk are currently properly covered from a prudential perspective through breaches in the VaR. If what is at stake is, as currently, more deliberate and fraudulent behavior, which is undoubtedly an operational risk event, then the wording needs to be adapted.
We do not understand to which type of “errors in classification due to software” Art 3 (b) are intended to be covered and to which extent they are to be considered as operational risk.
Model risk that falls under operational risk should be clearly defined in this document. The EBA/CP/ 2014/14 on the SREP process mentions a definition and suggest a split. We consider first, this rule should not be in the guidelines on SREP process and second that the proposal included in the EBA/CP/ 2014/14 should be improved.
Finally, the treatment described in Article 8(1b) partially differs from former regulatory position, to ensure consistency throughout the historical data, we advocate for keeping things unchanged from previous standards.
Article 6 on credit risk
Same arguments as for Q2, so please refer to Q2.
Article 7 on operational risk losses
The current wording of § 1 leaves no room for excluding some loss from the AMA calculation. As mentioned in Article 6, there may be case where boundary losses have to be deducted from the loss database to consider. We propose to insert the mention “unless otherwise specified” within the first sentence of §1.
Inclusion of more items in these lists
We do not see any additional items to be included in these different lists.
Q5. Do you support that the dependence structure between operational risk events cannot be based on Gaussian or Normal-like distributions, as envisaged in Article 26 (3)? If not, how could it be ensured that correlations and dependencies are well-captured?
We do not support this proposal and that the dependence structure cannot be Gaussian.Indeed, the dependence structure depends mainly on the way the operational risk categories are defined, on the way how data is grouped and finally how the dependence structure interact within the full modeling framework.
Firstly, the document should clarify to which quantity the proposed Student copula should apply. Indeed, depending on the bank, some dependence models are based on aggregate cells losses, others are based on frequencies (number of events) and others are based on severities. Given the parameters, it is well known in the literature that these three approaches lead to very different impacts. Secondly, should the Student copula be correct for frequency dependences, it could be incorrect for aggregating loss dependences for instance. Thirdly, the data may be compliant with the Gaussian copula and invalidate the Student copula. we do not support too prescriptive restrictions/recommendations for modelling choices given the fact that we have in any case to produce quantitative and qualitative evidence that our modeling choices are relevant, conservative and duly justified, (see article 26 (5)).
Q6: Do you support the use of the operational risk measurement system not only for the calculation of the AMA regulatory capital but also for the purposes of internal capital adequacy assessment, as envisaged in Article (42)(d)?
The concerned article is 41 d rather than 42 d.We support the idea of using the operational risk system for ICAAP purposes. We suggest the EBA to elaborate more to which extent the AMA model has to be used for ICAAP purposes. We think the opportunity should be left open to each institution to use or not the AMA model for assessing its ICAAP. Moreover, supervisors have always the opportunity to assess the efficiency of the internal modelling through the SREP process.