Response to consultation on draft Regulatory Technical Standards on assessment methodologies for the Advanced Measurement Approaches for operational risk
Go back
The operational risk related to credit risk is an intricate notion that requests deep analysis on a case-by-case basis. In order to guarantee consistent practices for all cases, and to avoid unsystematic transfer of these losses under AMA, the principles of the Article 6 need therefore to be clarified.
Furthermore, there is a risk to double count the same risk in both credit and operational risk capitals, and that credit risk capital requirement still contains “hidden / never identified credit fraud”. To avoid double counting, institutions should be authorised to extract from their database such fraud events from the credit risk. We therefore look for a clarification on the credit risk methodological assessment side in order to preserve the intrinsic consistency of the CRD standards. However, this would involve considerable implementation effort for both the institutions themselves and data consortia may they concern operational risk or credit risk. The question arises as to how the current rating procedures could remain in existence if some banks had to consider losses from the credit risk and others not.
The change in event categorisation must be supported by Credit Risk Management functions and regulators. For Credit Risk Management the implications range from data collection, to data history in risk analysis, to the amount of capital required for Credit Risk. The Credit Risk consultation paper will necessarily need to be consistent with the implications and effects in Article 6. Operational Risk Management functions cannot be expected to implement data collection related to the credit area without the active support of regulators specialising in the credit area.
Fraudulently incurred credit events are an integral part of the parameterization of credit risk models. As credit risk models are exposure based they provide forward looking risk assessment and risk awareness directly linked to the current business decisions. The removal of operational risk losses from credit risk models would reduce the credit risk provisions instantly without the connection to improvements of the credit processes. Furthermore in most institutions the fraud prevention methodology is closely linked to the credit rating development. AMA models are based on historical losses, not on current exposures. As fraudulently incurred credit defaults are way more exposure based than other operational risk events, the pooling of this data for operational risk modelling is extremely challenging. The precise allocation of fraudulently incurred credit losses is beyond current standards in operational risk modelling. Therefore, we strongly do not support the inclusion of these events for AMA capital calculation as it does not enhance the overall evaluation and management of these risks. We are convinced that credit risk models are the best solution for the modelling of operational risk losses related to credit risk due to their exposure based nature.
We also estimate the costs for implementation extremely high and not appropriate compared to the additional information gained for OpRisk management. We therefore propose a higher collection threshold.
The analysis whether fraud has been committed can take several months. Thus losses would have to be moved from credit risk models to AMA models once the fraud has been proven. This needlessly causes instability both for credit risk and for AMA models.
It may therefore introduce several sources of uneven playing field. Indeed, it introduces discrepancies between IRBA/AMA banks compared to IRBA only entities. Furthermore, it hampers a fair comparability across institutions belonging to different jurisdictions. In addition to the complexity of implementation in operational and credit Risks IT systems, it would induce uneven playing field if only applicable to EBA regulated perimeter without any convergence with BCBS standards.
We consider also the amount of the loss to be recorded to be problematic (Article 8(1d)). It should be mentioned that loss mitigations could be included (realization of collateral for instance).The outstanding amount of credit at the time of discovery of the fraud does not necessarily correspond to the amount of the write-off. Further repayments of principal and proceeds from realisation of collateral should be eligible as loss mitigation. In particular, the amount of the credit guarantees collected and the associated amount of the unsecured portion played a key role in the decision to grant credit. Accordingly, it should also be possible to take into consideration the eligible value of the collateral in the assessment of the operational risk.
Under the assumption that our remarks are considered and implemented we support the contemplated phase-in approach given a new timeline of 5 years.
Concerning specifically the items mentioned in Article 7 (2), we support the principles provided that it is only for managerial purposes (deletion of the reference “at least” would be welcome). In fact some data will be very difficult to collect exhaustively, such as near-misses, overtime and bonuses, even if they contain interesting information for OR management purpose:
- a&b - Near-misses and operational risk gains : The implementation of this requirement would pose a large number of challenges for the institutions. We point out that in contrast to genuine losses, near-misses leave no “traces” behind in accounts and therefore the exhaustiveness of the recording of the relative operational risk events cannot be guaranteed. Then the bias induced in the loss collection doesn’t allow a proper statistical use of these data.
- c – opportunity costs / lost revenues : they are in fact already covered by article 7 (1 d & e) (pending losses and lost revenues). For all these items, it is doubtful to include them in a data collection exercise given the fact that, as mentioned above and indicated in Article 2 itself, they do not lead to any charge in the P&L,
- d - Internal costs such as overtime or bonuses: a precise assessment of overtime is quite complex considering that, in most of the case, internal staff first perform a trade off with their other tasks and postpone it to focus on risk event treatment. Therefore, the overtime cost isn’t a fair assessment of cost of OR loss.
It should be acknowledged that higher thresholds can be applied for the collection of these events as only events with a high impact can be identified with reasonable effort and only those events are relevant for Operational Risk management decisions.
On article 7(1): Moreover, we want to point out the difficulties of performing a fair estimation of cost of repair or replacement mentioned in Article 7 (1b2). Indeed, after a risk event, one may choose to enhance the former situation rather than just to restore it. It is then quite unclear to assess which part of the cost should be considered to include in OR database. When deciding to take all the components of the enhancement, it would unduly burden the entities promoting enhancement rather than pure restoration. We propose the text should make it clear that it should be assessed on a best effort basis
Furthermore, the provisions of the article 7 (1d) leave a room for interpretation that may lead to very heterogeneous practices across institutions. We would prefer a simpler rule such as pending losses over 2 years or over a certain amount that could be 1 % of the NBI of a given entity.
Concerning Article 4 paragraph 3 point (a), we sustain that internal rules and/or ethical conduct should not be considered as legal risk. Regarding point (b): “expenses stemming from legal disputes or from interpretations of legislative or regulatory rules which prove to be against industry practice,” we see these expenses as legal risk if only prevails in them. With respect to point (c), when voluntary compensation to customers is done, it should be only to the extent that it was used to avoid a legal risk, in line with Article 4 paragraph 2 point (a). Also concerning point (c), the identification of the ‘same event’ is not straightforward in practice given that the marketing of a product will depend on the personal and financial circumstances of the customer, for instance.
In general, we think the wording of Article 4 is quite confusing and should therefore be clarified. In particular, paragraph 3 should be more concrete and specific. It is not clear the distinction between paragraph 2 and 3 (in Article 4), and we think it might be better to integrate them into a single paragraph. It is unclear whether the specific cases cited in paragraph 3 materialize in the events referred in paragraph 2 or, conversely, are part of the whole or in addition to the events listed in paragraph 2. The scope of ‘regulatory rules’ should be clarified, even if it is a commonly accepted term to avoid interpretative doubts. We would like to know what consideration/implication out-of-court settlements as an operation risk event. Among these, are there cases in which financial institutions should consider that there is operational risk?
Regarding paragraph 5: Examples could include various forms of business or strategic risk. Given the exclusions from the definitions it would be helpful if the same terminology could be used here. From the perspective of consistency with the definition of operational risk, it would be useful to explicitly mention Strategic and Reputational Risks as being excluded.
According to Article 5(3)(g), the wording appears unclear to us. If it was to mean unauthorized excess of limits, we consider this should not be considered as an operational risk event. Should it nevertheless be so, it would be very complex to track and record properly for a limited added value, as the situations that may be at risk are currently properly covered from a prudential perspective through breaches in the VaR. If what is at stake is, as currently, more deliberate and fraudulent behaviour, which is undoubtedly an operational risk event, then the wording needs to be adapted.
We do not understand to which type of “errors in classification due to software” Art 3 (b) intends to cover and to which extent they are to be considered as operational risk.
Model risk that falls under operational risk should be clearly defined in this document. The EBA/CP/ 2014/14 on the SREP process mentions a definition and suggest a split. We consider first, this rule should not be in document on SREP process and second that the proposal included in the EBA/CP/ 2014/14 should be improved.
Finally, the treatment described in Article 8(1b) partially differs from former regulatory position, to ensure consistency throughout the historical data, we advocate for keeping things unchanged from previous standards.
On article 6 (2a), the impression given is that fraud is only committed at the beginning and not during the life of a transaction. So if fraudulent details are provided during the life of a credit transaction then the fraud is still to be allocated to Credit Risk. If this is what is intended then it would lead to an inconsistent capital treatment of fraud – sometimes OR and sometimes CR depending upon the timing of the fraud.
With regards to the list of operational risk in Article 7, the legal expenses should be excluded when the sentence or ruling is favorable to the Bank. The legal expenses should be closely linked to provisions raised for them.
We wonder the necessity of article 7.1 if given that legal risk is already covered by article 4. We do not clearly understand why this focus on ‘timing losses that span more than one accounting year and give rise to legal risks’, therefore clarification is needed.
The general definition of Timing Losses reported in article 2 (27) is “timing losses means negative economic impacts booked in an accounting period due to operational risk events impacting the cash flows or financial statements of previous accounting periods. Timing impacts typically relate to the occurrence of operational risk events that result in the temporary distortion of an institution’s financial accounts (such as revenue overstatement, accounting errors and mark-to-market errors)”.
In addition in the EBA document it is specified that:
• article 7 - , “timing losses that span more than one accounting year and give rise to legal risks” should be included in the operational risk losses;
• article 8.3 - “In case of timing losses, the loss amount to be recorded comprises all the expenses incurred as a result of the operational risk event, including the correction of the financial statement, when it involves the direct relation with third parties (such as customers or authorities) or employees of the institution, and excluding the correction of the financial statement in all other cases”.
With regards to Article 7 (1e), it is recognised and appreciated that uncollected revenues are an economic loss to the firm. However, capturing these losses is difficult. One potential data source, the General Ledger, is used to tracking things that did happen rather than things that did not happen. Firms should be able to agree a threshold, with their home regulator, for capturing uncollected revenues. For uncollected revenues it is impossible to ensure completeness. Policy statement with penalties for non-compliance and/or high thresholds must be allowed to make this practical.
We support the definition under Article 7 (1f) of timing losses however tax related payments should be explicitly excluded since these are not related to operational risk.
For the items listed under Article 7 (2) it should be acknowledged that higher thresholds can be applied for the collection of these events as only events with a high impact can be identified with reasonable effort and only those events are relevant for OpRisk management decisions.
Finally, the treatment described in Article 8(1b) partially differs from former regulatory position, to ensure consistency throughout the historical data, we advocate for reassessing the former boundary risk event at least for the most significant of them.
As regards the potential inclusion of more items in these lists, we do not see any additional items to be included in these different lists.
This judgment seems to be to blunt since the dependence structure depends mainly on the way the operational risk categories are defined, on the way how data is grouped and finally how the dependence structure interact within the full modeling framework.
Firstly, the document should clarify to which quantity the proposed Student copula should apply. Indeed, depending on the bank, some dependence models are based on aggregate cells losses, others are based on frequencies (number of events) and others are based on severities. Given the parameters, it is well known in the literature that these three approaches lead to very different impacts. Secondly, should the Student copula be correct for frequency dependences, it could be incorrect for aggregating loss dependences for instance. Thirdly, the data may be compliant with the Gaussian copula and invalidate the Student copula. What would happen in this case?
Furthermore, we do not support too prescriptive restrictions/recommendations for modelling choices given the fact that we have in any case to produce quantitative and qualitative evidence that our modeling choices are duly justified (see article 26 (5)). Concerning the explanation given in the corresponding explanatory box, it seems not that obvious one could apply lessons learned on credit and market risks directly to operational risk without any consideration of the data (see article 23 (2.a) which emphasizes the absolute necessity to study the data before taking any modelling assumption for instance) and the modelling framework.
Q2: Do you support the treatment under an AMA regulatory capital of fraud events in the credit area, as envisaged in Article 6? Do you support the phase-in approach for its implementation as set out in Article 48?
We do not support the modifications envisaged in article 6 because this would introduce a significant uneven playing field between banks subject to EBA/ECB rules and all the other banks BCBS compliant and also between IRBA/AMA banks compared to IRBA or AMA only entities. We strongly oppose to any changes from the actual regulation.The operational risk related to credit risk is an intricate notion that requests deep analysis on a case-by-case basis. In order to guarantee consistent practices for all cases, and to avoid unsystematic transfer of these losses under AMA, the principles of the Article 6 need therefore to be clarified.
Furthermore, there is a risk to double count the same risk in both credit and operational risk capitals, and that credit risk capital requirement still contains “hidden / never identified credit fraud”. To avoid double counting, institutions should be authorised to extract from their database such fraud events from the credit risk. We therefore look for a clarification on the credit risk methodological assessment side in order to preserve the intrinsic consistency of the CRD standards. However, this would involve considerable implementation effort for both the institutions themselves and data consortia may they concern operational risk or credit risk. The question arises as to how the current rating procedures could remain in existence if some banks had to consider losses from the credit risk and others not.
The change in event categorisation must be supported by Credit Risk Management functions and regulators. For Credit Risk Management the implications range from data collection, to data history in risk analysis, to the amount of capital required for Credit Risk. The Credit Risk consultation paper will necessarily need to be consistent with the implications and effects in Article 6. Operational Risk Management functions cannot be expected to implement data collection related to the credit area without the active support of regulators specialising in the credit area.
Fraudulently incurred credit events are an integral part of the parameterization of credit risk models. As credit risk models are exposure based they provide forward looking risk assessment and risk awareness directly linked to the current business decisions. The removal of operational risk losses from credit risk models would reduce the credit risk provisions instantly without the connection to improvements of the credit processes. Furthermore in most institutions the fraud prevention methodology is closely linked to the credit rating development. AMA models are based on historical losses, not on current exposures. As fraudulently incurred credit defaults are way more exposure based than other operational risk events, the pooling of this data for operational risk modelling is extremely challenging. The precise allocation of fraudulently incurred credit losses is beyond current standards in operational risk modelling. Therefore, we strongly do not support the inclusion of these events for AMA capital calculation as it does not enhance the overall evaluation and management of these risks. We are convinced that credit risk models are the best solution for the modelling of operational risk losses related to credit risk due to their exposure based nature.
We also estimate the costs for implementation extremely high and not appropriate compared to the additional information gained for OpRisk management. We therefore propose a higher collection threshold.
The analysis whether fraud has been committed can take several months. Thus losses would have to be moved from credit risk models to AMA models once the fraud has been proven. This needlessly causes instability both for credit risk and for AMA models.
It may therefore introduce several sources of uneven playing field. Indeed, it introduces discrepancies between IRBA/AMA banks compared to IRBA only entities. Furthermore, it hampers a fair comparability across institutions belonging to different jurisdictions. In addition to the complexity of implementation in operational and credit Risks IT systems, it would induce uneven playing field if only applicable to EBA regulated perimeter without any convergence with BCBS standards.
We consider also the amount of the loss to be recorded to be problematic (Article 8(1d)). It should be mentioned that loss mitigations could be included (realization of collateral for instance).The outstanding amount of credit at the time of discovery of the fraud does not necessarily correspond to the amount of the write-off. Further repayments of principal and proceeds from realisation of collateral should be eligible as loss mitigation. In particular, the amount of the credit guarantees collected and the associated amount of the unsecured portion played a key role in the decision to grant credit. Accordingly, it should also be possible to take into consideration the eligible value of the collateral in the assessment of the operational risk.
Under the assumption that our remarks are considered and implemented we support the contemplated phase-in approach given a new timeline of 5 years.
Q3: Do you support the collection of ’opportunity costs/loss revenues‘ and internal costs at least for managerial purposes, as envisaged in Article 7(2)?
Clarification is sought on the following concepts:Concerning specifically the items mentioned in Article 7 (2), we support the principles provided that it is only for managerial purposes (deletion of the reference “at least” would be welcome). In fact some data will be very difficult to collect exhaustively, such as near-misses, overtime and bonuses, even if they contain interesting information for OR management purpose:
- a&b - Near-misses and operational risk gains : The implementation of this requirement would pose a large number of challenges for the institutions. We point out that in contrast to genuine losses, near-misses leave no “traces” behind in accounts and therefore the exhaustiveness of the recording of the relative operational risk events cannot be guaranteed. Then the bias induced in the loss collection doesn’t allow a proper statistical use of these data.
- c – opportunity costs / lost revenues : they are in fact already covered by article 7 (1 d & e) (pending losses and lost revenues). For all these items, it is doubtful to include them in a data collection exercise given the fact that, as mentioned above and indicated in Article 2 itself, they do not lead to any charge in the P&L,
- d - Internal costs such as overtime or bonuses: a precise assessment of overtime is quite complex considering that, in most of the case, internal staff first perform a trade off with their other tasks and postpone it to focus on risk event treatment. Therefore, the overtime cost isn’t a fair assessment of cost of OR loss.
It should be acknowledged that higher thresholds can be applied for the collection of these events as only events with a high impact can be identified with reasonable effort and only those events are relevant for Operational Risk management decisions.
On article 7(1): Moreover, we want to point out the difficulties of performing a fair estimation of cost of repair or replacement mentioned in Article 7 (1b2). Indeed, after a risk event, one may choose to enhance the former situation rather than just to restore it. It is then quite unclear to assess which part of the cost should be considered to include in OR database. When deciding to take all the components of the enhancement, it would unduly burden the entities promoting enhancement rather than pure restoration. We propose the text should make it clear that it should be assessed on a best effort basis
Furthermore, the provisions of the article 7 (1d) leave a room for interpretation that may lead to very heterogeneous practices across institutions. We would prefer a simpler rule such as pending losses over 2 years or over a certain amount that could be 1 % of the NBI of a given entity.
Q4: Do you support the items in the lists of operational risk events in Articles 4, 5 and 6, and the items in the list of operational risk loss in Article 7? Or should more items be included in any of these lists?
Regarding Article 4 paragraph 2 on the list of operational risk events related to legal risk, we think internal rules and/or ethical conduct that do not imply a violation of external rules should not account as legal risk.Concerning Article 4 paragraph 3 point (a), we sustain that internal rules and/or ethical conduct should not be considered as legal risk. Regarding point (b): “expenses stemming from legal disputes or from interpretations of legislative or regulatory rules which prove to be against industry practice,” we see these expenses as legal risk if only prevails in them. With respect to point (c), when voluntary compensation to customers is done, it should be only to the extent that it was used to avoid a legal risk, in line with Article 4 paragraph 2 point (a). Also concerning point (c), the identification of the ‘same event’ is not straightforward in practice given that the marketing of a product will depend on the personal and financial circumstances of the customer, for instance.
In general, we think the wording of Article 4 is quite confusing and should therefore be clarified. In particular, paragraph 3 should be more concrete and specific. It is not clear the distinction between paragraph 2 and 3 (in Article 4), and we think it might be better to integrate them into a single paragraph. It is unclear whether the specific cases cited in paragraph 3 materialize in the events referred in paragraph 2 or, conversely, are part of the whole or in addition to the events listed in paragraph 2. The scope of ‘regulatory rules’ should be clarified, even if it is a commonly accepted term to avoid interpretative doubts. We would like to know what consideration/implication out-of-court settlements as an operation risk event. Among these, are there cases in which financial institutions should consider that there is operational risk?
Regarding paragraph 5: Examples could include various forms of business or strategic risk. Given the exclusions from the definitions it would be helpful if the same terminology could be used here. From the perspective of consistency with the definition of operational risk, it would be useful to explicitly mention Strategic and Reputational Risks as being excluded.
According to Article 5(3)(g), the wording appears unclear to us. If it was to mean unauthorized excess of limits, we consider this should not be considered as an operational risk event. Should it nevertheless be so, it would be very complex to track and record properly for a limited added value, as the situations that may be at risk are currently properly covered from a prudential perspective through breaches in the VaR. If what is at stake is, as currently, more deliberate and fraudulent behaviour, which is undoubtedly an operational risk event, then the wording needs to be adapted.
We do not understand to which type of “errors in classification due to software” Art 3 (b) intends to cover and to which extent they are to be considered as operational risk.
Model risk that falls under operational risk should be clearly defined in this document. The EBA/CP/ 2014/14 on the SREP process mentions a definition and suggest a split. We consider first, this rule should not be in document on SREP process and second that the proposal included in the EBA/CP/ 2014/14 should be improved.
Finally, the treatment described in Article 8(1b) partially differs from former regulatory position, to ensure consistency throughout the historical data, we advocate for keeping things unchanged from previous standards.
On article 6 (2a), the impression given is that fraud is only committed at the beginning and not during the life of a transaction. So if fraudulent details are provided during the life of a credit transaction then the fraud is still to be allocated to Credit Risk. If this is what is intended then it would lead to an inconsistent capital treatment of fraud – sometimes OR and sometimes CR depending upon the timing of the fraud.
With regards to the list of operational risk in Article 7, the legal expenses should be excluded when the sentence or ruling is favorable to the Bank. The legal expenses should be closely linked to provisions raised for them.
We wonder the necessity of article 7.1 if given that legal risk is already covered by article 4. We do not clearly understand why this focus on ‘timing losses that span more than one accounting year and give rise to legal risks’, therefore clarification is needed.
The general definition of Timing Losses reported in article 2 (27) is “timing losses means negative economic impacts booked in an accounting period due to operational risk events impacting the cash flows or financial statements of previous accounting periods. Timing impacts typically relate to the occurrence of operational risk events that result in the temporary distortion of an institution’s financial accounts (such as revenue overstatement, accounting errors and mark-to-market errors)”.
In addition in the EBA document it is specified that:
• article 7 - , “timing losses that span more than one accounting year and give rise to legal risks” should be included in the operational risk losses;
• article 8.3 - “In case of timing losses, the loss amount to be recorded comprises all the expenses incurred as a result of the operational risk event, including the correction of the financial statement, when it involves the direct relation with third parties (such as customers or authorities) or employees of the institution, and excluding the correction of the financial statement in all other cases”.
With regards to Article 7 (1e), it is recognised and appreciated that uncollected revenues are an economic loss to the firm. However, capturing these losses is difficult. One potential data source, the General Ledger, is used to tracking things that did happen rather than things that did not happen. Firms should be able to agree a threshold, with their home regulator, for capturing uncollected revenues. For uncollected revenues it is impossible to ensure completeness. Policy statement with penalties for non-compliance and/or high thresholds must be allowed to make this practical.
We support the definition under Article 7 (1f) of timing losses however tax related payments should be explicitly excluded since these are not related to operational risk.
For the items listed under Article 7 (2) it should be acknowledged that higher thresholds can be applied for the collection of these events as only events with a high impact can be identified with reasonable effort and only those events are relevant for OpRisk management decisions.
Finally, the treatment described in Article 8(1b) partially differs from former regulatory position, to ensure consistency throughout the historical data, we advocate for reassessing the former boundary risk event at least for the most significant of them.
As regards the potential inclusion of more items in these lists, we do not see any additional items to be included in these different lists.
Q5. Do you support that the dependence structure between operational risk events cannot be based on Gaussian or Normal-like distributions, as envisaged in Article 26 (3)? If not, how could it be ensured that correlations and dependencies are well-captured?
We do not support this proposal and that the dependence structure cannot be Gaussian.This judgment seems to be to blunt since the dependence structure depends mainly on the way the operational risk categories are defined, on the way how data is grouped and finally how the dependence structure interact within the full modeling framework.
Firstly, the document should clarify to which quantity the proposed Student copula should apply. Indeed, depending on the bank, some dependence models are based on aggregate cells losses, others are based on frequencies (number of events) and others are based on severities. Given the parameters, it is well known in the literature that these three approaches lead to very different impacts. Secondly, should the Student copula be correct for frequency dependences, it could be incorrect for aggregating loss dependences for instance. Thirdly, the data may be compliant with the Gaussian copula and invalidate the Student copula. What would happen in this case?
Furthermore, we do not support too prescriptive restrictions/recommendations for modelling choices given the fact that we have in any case to produce quantitative and qualitative evidence that our modeling choices are duly justified (see article 26 (5)). Concerning the explanation given in the corresponding explanatory box, it seems not that obvious one could apply lessons learned on credit and market risks directly to operational risk without any consideration of the data (see article 23 (2.a) which emphasizes the absolute necessity to study the data before taking any modelling assumption for instance) and the modelling framework.