The EBF would welcome clarifications on the following provisions of the draft RTS:
On article 2:
Definition 12, ‘legal risk’, we believe that the definition of “being sued or being the subject of a claim” does not constitute a necessary condition to consider an action accountable as legal risk. A more precise definition of legal risk should be aligned with the one of the Basel Committee: “the possibility of being sanctioned, fined or forced to pay punitive damages resulting from supervisory actions or private agreements between the parties”. Alternatively, the definition could be improved by adding “due to (but not merely alleging)” instead of merely “due to.” The part of the definition that says “inaccurately drafted contracts,” covers only partly legal risk. Therefore, we think it should be further developed to clarify what is included and what is not.
Definition 20, the concern appears to relate to perceived or actual misuse of suspense accounts and pending losses in relation to operational risk losses. These items are probably pending losses while the more certainty is achieved over the loss estimate, for example is it €10 Million or €10,000. The finance / accounting / control function operates pending losses and suspense accounts within the formal accounting standards. For clarity the second portion of the definition should be deleted.
Definition 21, the given definition in Nr. 21 for “recovery” only refers to what is commonly known as “indirect recovery”. We propose to also give a definition of “direct recoveries”. Alternatively the definition could be completed “… received from the first party or from a third party, such as insurers or other parties.”
On articles 4: Provisions of Article 4 (2) (b), 4(3) (a) stipulate that events related to breaches of ethical conduct rules have to be included in the scope of operational risk. From our point of view, this provision leaves wide room for interpretation because the notion of ethical conduct may differ considerably over time, between institutions, jurisdictions or individuals. We propose to exclude the term from the provisions listed above as well as from the provisions of Article 4(5) especially considering the fact that many institutions has in place a Code of Conduct or comparable internal rules. Taking into consideration that the breach of internal rules also has to be included in the scope of operational risk, the provision would further sufficiently cover the envisaged scope whilst limiting the scope to the events related to written rules which are communicated to the appropriate employee level in a duly manner.
It is unclear why breaching an institution’s internal rules is considered as legal risk as long as it does not breach legislative or regulatory rules at the same time. Further uncertainty is created about the exact nature of the internal rules (whether principles, policies, standards or procedures). For clarity, we propose to delete some text so that the paragraph becomes “events related to decisions made by an internal competent decision-maker but breaching legislative or regulatory rules”. To provide consistency paragraphs 4 and 5 (a) should be amended the same way.
On article 5: it is unclear why all “Operational risk events occurring in market-related activities shall be classified as boundary events between operational risk and market risk.” We think that there is a wide variety of possible operational risk events in market-related activities which do not generate market risk. For clarity, we propose to amend the text to “Operational risk events occurring in market-related activities that generate market risk shall be classified as boundary events between operational risk and market risk.” In our opinion it is not necessary to introduce a second flag (besides the market risk flag) for events in market-related activities as this information is already given by assigning business lines to operational risk events.
On article 6 (1): Consideration of credit related events under AMA model seems to be very problematic for various reasons:
­ Removing of Credit frauds from Credit risk capital requirement to Operational risk capital requirement represents non-systematic step because Credit risk capital requirement will still contain ‘hidden / never identified credit fraud’.
­ Additional inconsistency will be created between loan granting models and IRB models. Credit models should include risk of fraudulent loans, because in majority of the cases at the time of loan granting fraudulent behaviour is not known. At the time of loan application, fraudulent behaviour is not identified (otherwise loans would not be granted), therefore it should be naturally considered in credit risk (scoring/rating) as well. If it remains to be considered under credit risk, there would be a duplicity inclusion under both risk types. If some types of frauds should be transferred under OR/AMA, then we would prefer to transfer only third party frauds"; Despite the fact "first party frauds" are very rare (none instalment from fraudsters, in fact many of them pay few instalments in order to hide their fraudulent behaviour), their transfer under AMA seems to be unsystematic (from risk point of view, there is no reason for specific treatment if there is none instalment or only negligible one).
­ Modification of pricing (expected loss from credit frauds should be added to standard cost of risk);
­ The definition of loss amount should be clarified: Is it the original notional amount or the notional amount including all fees and interest?
­ The proposal can create inconsistency in capital calculation for credit risk (IRB) between AMA and non-AMA entities. It is not clear how non-AMA methods for Operational risk capital calculation will be adjusted, i.e. if not adjusted accordingly it can handicap AMA entities. Would it be standardised approaches (BIA, TSA, ASA) adjusted as well to accommodate this significant AMA model change to keep comparability of different approaches?
­ It is not clear if such change in IRB and AMA models will require new validation by regulator.
Rules for excluding credit frauds from IRB should be clearly described to avoid double counting both in Credit and Operational risk capitals.
On article 6 (2): It is not clear whether fraudulent use of credit funds should be considered even in case of standard (fully repaid) loans.
On article 6 (2 Explanatory box): If the events are currently treated under IRB, would a potential transfer of risks to OR mean an IRB model change requiring approval by regulators? Is it possible to change IRB approval and its condition just in order to accommodate these new AMA requirements? What would be rules for entities using STA for credit risk and AMA for operational risk?
On article 6 (4): The given definition of first party fraud and third party fraud should be clarified with regard to the following aspects:
- The definitions of first party fraud („when the party misrepresents its financial abilities on the application forms and by using another person's identifying information“) and third party fraud („a fraud that is committed by means of use of a person’s identity“) is overlapping. For clarity, we propose to delete “and using another person’s identifying information” from Article 6 (4) Nr. 1.
- We understand that any fraud which is initiated by an existing customer at a later stage of the lifecycle of a credit product (not on the application form) is neither first nor third party fraud. As this definition distinguishes from the commonly known one, this fact should be stated explicitly.
On article 7: for clarity, we propose to amend Article 7 (1) d. One of the main reasons that a loss might be pending is that the actual amount of the loss is not known. We propose to replace “actual” so that the phrase becomes “recognition of the pending losses anticipated amount in the loss database”. The inclusion of “pertinent scenario analysis” when used in a paragraph on pending losses is confusing and should be deleted.
For uncollected revenues it is impossible to ensure completeness. Policy statement with penalties for non-compliance and/or high thresholds must be allowed to make this practical.
According to the definition in Article 2 (27) timing losses “result in the temporary distortion of an institution’s financial accounts”, they usually do not generate an effective loss to the institution, even if they span more than one accounting year. Hence it is not clear why – according to article 7 (1) d - the timing loss itself shall be included in the scope of AMA calculation. However in case the timing loss causes legal risk, this legal risk should be considered for AMA calculation. This treatment is consistent to the example iii) given in the Explanatory Box on page 28. We propose to amend the text to “legal risks arising from timing losses that span more than one accounting year.”
On articles 8: (1a), for clarity, a change should be made, in particular inserting “external”. It is proposed that this paragraph should be: “all the external expenses incurred as a result of the operational risk event…”.
(3), there is uncertainty as to whether the expenses are internal and external or just external. Article 7 §1b1 refers to external expenses and §1b2 cost of repair.
On article 8(1d), several questions are put forward to the EBA:
­ What does “outstanding amounts” exactly mean? Current balance or current provisions plus write-off or just write-off amount (last option might be booked many months or years after fraudulent behaviour discovery since only provisions might be booked for long time).
­ What would a gross loss be if a loan is fully repaid - zero? Always non-zero provision should be booked according to provisioning principles even if payment schedule is followed before the final maturity?
­ What would be recoveries: Further instalments after write-off, reduction of provisions.
­ How to consider off-balance items? These open issues should be further clarified, if credit frauds transfer under AMA is obligatory.
On article 8(2):
­ What does “rapidly recovered events” mean? Some events might be rapidly recovered only partially; should a near miss event in the original amount be collected in such case as well?
On article 8(3), there is uncertainty as to whether the expenses are internal and external or just external. Article 7 §1b1 refers to external expenses and §1b2 cost of repair.
On article 11: The provisions of the articles 11(2a) and (2c) may raise issues in some jurisdictions where the respective roles of the Management Body and the Senior Management have been defined differently than what is stated in some countries. The Board of Directors in France for instance, who is in charge of setting the strategy of the company but also of controlling the action of the Senior Management, cannot be loaded with too operational tasks in order to be capable of assuming efficiently its control mission. We would like that after "the institution's Management Body" in these sub-articles, the following be inserted "or the Senior Management, given the national provisions regarding the respective roles of these two bodies",
On article 14 (1d): it is not clear why the detection of deficiencies in the policies, processes and procedures for managing operational risk should lead to ad hoc reporting rather than ad hoc validation. We suggest requiring ad hoc validation in these cases as this is more effective to improve policies, processes and procedures and prevent losses caused by these deficiencies.
On article 21:
(5) There appears to be a conflict between the requirement in this paragraph to use all operational risk losses and Article 21 (1) which implies that firms can construct relevant internal loss data sets.
(6) Some banks apply inflation adjustments. Thus, we suggest to remove the mandatory requirement and evaluate the use of inflation adjustment in the overall framework of the institution.
Appropriate inflation rates are very specific (real estate in different countries/cities, expenses for medical treatment, etc.). We consider finding an appropriate index for the loss events as extremely challenging. In addition we expect that such model components increase arbitrariness. Moreover, the understanding of external loss events in the database is limited and cannot be done by other institutes in a reasonable manner. Loss events from external data pools suffer anyway from unwanted scaling effects, e.g. from different business volumes, which can hardly be corrected.
For some risk categories - particularly for the significant event type 4 - finding an index appears impossible. The question "What would the loss figure be today?" is highly hypothetical and already addressed in the scenario analysis. A proper integration of scenario analysis into the capital model is much more effective than inflation adjustment.
(7), a clarification to Articles 21 (7) & (10) is requested in relation to the concrete definition of “single root event” and “root event”. Conceptually the idea is understood and appreciated, however the concern relates to the practicality and supporting a consistent approach by firms across the EU.
Depending upon the practical interpretation of “root event”, this could amend the data collection and aggregation requirements. For example, if the “root event” refers to a process / control failure (because the firm has implicitly or explicitly decided to accept the risk) then the events would be aggregated / grouped overtime. It is not clear if the time period for grouping matches the annual accounting period or crosses accounting periods. The practicalities may be similar to finding a root cause.
(8), the data set which is used for the severity model should only contain integral losses as the splitting of losses would distort severity modelling.
Events with an initial reference date outside the observation period are less relevant for the current risk profile as recent events regardless whether there have been recent adjustments of the loss amount. E.g., some legal risk can take several years to settle. After the settlement there might be a booking of a loss whereas a provision is dissolved. This does not imply that the event is relevant for the current risk profile.
We therefore suggest including only events in the AMA calculation which have a reference date within the observation period. We strongly suggest not splitting up loss amounts.
Instead of mixing different reference dates of losses we propose to extend the observation period for severity modelling. Longer observation periods would also mitigate the situation where losses fall outside the scope of AMA modelling.
On article 23
Modeling prescription: Internal models used under AMA are in essence risk sensitive. They do incentivise organizations to move up the ORM (operational risk management) learning curve and keep pace with industry changes through regular back-testing and audit process by translating ORM progress in a quantitative assessment. We do not support new and too prescriptive restrictions or recommendations for modelling choices, especially regarding the choice of distribution law or dependences modelling, given the fact that in the current practices, we have in any case to produce quantitative and qualitative evidence that our modeling choices are duly justified. We consider it is not appropriate to change this well-established practice by introducing prescriptive restrictions/recommendations irrespective to the nature of data, risk profile and the general modeling framework defined by a given entity.
Therefore the provisions contained in articles 23 (3) (loss distribution determination), article 26 (3) (dependence, see also Q5 answer) and 41 (d) (use of AMA pillar I modeling place of quantitative ICAAP for OR assessment, see also Q6 answer) would lead to a very significant modification of our whole current practices and internal modeling framework, that we do not support.
The main concerned topics are:
­ Loss distribution determination (article 23 (3):
The ex-ante prioritisation of sub-exponential distributions above other functions does not seem appropriate in this connection. Moreover, the quality of loss distribution selection process is already and efficiently covered by Article 23 (6) and 23 (8) (resp. attention paid to kurtosis related parameters and prescription of goodness-of-fit tests). The provisions described in these two articles ensure that the determination of the loss distribution pays sufficient attention to tail events.
­ Dependence (article 26(3)) see answer to question 5.
­ Alignment between ICAAP and AMA models: see answer to question 6.
(8): EBA seems to move to overly strong reliance on statistical measures when selecting appropriate distributions. For examples goodness of fit measures are not stable over time, as they change with new data coming in over time. Thus, frequent changes of distributions create jumps specifically in allocation of Divisions, making risk management and communication of results impossible. Thus clearer wording is required to put Article 23 into perspective.
On article 24 (4): Competent authority shall verify that the institution applies appropriate techniques to determine the aggregated loss distributions. Therefore they should verify that the institutions apply techniques to avoid capping the maximum single loss.
It would be advantageous from EBA to precise the word “capping” to avoid confusions. It may be necessary, in some rare cases on the data structure, from a technical point of view for instance to truncate the loss distribution on the right (which is mathematically not the same as capping and hopefully from EBA not meant with “capping”) to ensure an acceptable robustness by performing sensitivity analysis, especially against very high losses. This may occur, when the data- and so the fitted Distribution too- have far outliers (is most of the time the case by adding huge losses in a sensitivity analysis) and seem to have very high tail. When huge losses are included in the data, they can get overweight, compared to the rest of the data, because of the too short history. The best fitted Distribution (not right-truncated) may then generate unrealistic losses with a too high probability/duration.
In fact it should be permitted and appreciated from EBA to right-truncate the loss Distribution for robustness purpose, provided the truncated point can be economically validated. Such a method has the advantage to be simple to understand for controllers and transparent.
On article 24 (4), we are not completely aligned with article 21 (3) (extension of the observation period) and 24 (4) (monotonic principle). Indeed, the possibility to extend the observation period for some categories breaches the time consistency of the dataset to be modeled even as this case is already explicitly covered by the option given by the regulator to use either external data or scenario analysis.
The assumption under which a good operational risk measurement device systematically fulfils the monotonic principle seems also quite doubtful given that OR measure is not “exposure based”. Indeed risk profile may increase even if activity doesn’t grow, OR profile is in fact much more sensitive to the effectiveness of the operational risk management than to the size of business. This is also part of the critics made by the regulator to the current TSA framework.
On article 25: there are three commonly used definitions of expected loss:
­ Statistical e.g. 50% confidence interval
­ Accounting
­ Losses that are expected
The expected loss figure derived from statistical distributions will vary with the type of distribution and the data used. The perception is that the accounting standards narrowly define expected loss, especially with regard to the creation of specific or general reserves. Thus clearer wording for the entire Article 25 is required.
(2), (3), We understand that the EL estimation should be made per category, not for the whole bank and that the estimated EL for one category cannot offset capital for other categories. However, in this context it is not clear what is meant by “operational risk category”. As the assessment of the expected loss for operational risk shall be considered in the business planning, we propose to assess the expected loss on the level of an institution’s business segments. As each institution has individual categories for operational risk modelling, most institutions will not be able to perform P&L planning on the level of operational risk model categories and will perform P&L planning on the level of business segments instead.
On articles 34, 35 and 36 (Parallel running): the propositions described in these articles seem to be quite demanding especially for roll out purpose even as the already validated AMA has proved itself. We suggest a lightening of this proposition in case of roll out notably concerning the 1 Y period mentioned in 34 (2).
We assume that Article 34, 35 and 36 apply for institutions that intend to move to AMA from a simpler regulatory methodology (e.g. BIA or TSA). We anticipate it does not refer to extensions or changes to AMA (including changes of IT systems) for institutions that already have permission to use AMA, especially as there is no corresponding article in Regulation (EU) No 529/2014. Our views and proposals are as follows:
In case of first introduction of AMA within an institution: agreement on the EBA’s proposal of a one year post implementation parallel run, above the existing pre-implementation parallel run.
In case of material changes of an already validated AMA model: No post implementations parallel run. As per Art 34 - § 1, the competent authorities will already get an assessment of the impacts through a pre implementation parallel run. When the permission is granted, running a post implementation parallel run, which implies operating several AMA models in parallel, appears far too complex, from an operational and IT perspective, notwithstanding the fact there maybe overlapping AMA changes within this one year period.
In case of roll out of an authorized AMA model to a new entity within the institution, no post implementation parallel run. The reasons are the same as exposed for the previous case: existence of a pre implementation parallel run plus complexity of running several AMA model (the extension to a new entity may also impact the allocation of the AMA capital requirement to the different entities including AMA ones before the supplementary roll out).
On article 37(2) Data quality and IT Infrastructure: We need to avoid multiple requests on the data from national competent authorities. When the AMA calculation for an entity is done by the parent company and ruled by a Service Level Agreement between the parent company and the entity, as the parent company has its own supervisor, accessibility to the data for the local authorities could be unnecessary.
Art. 45 (2): We request the frequency to be changed to a risk-based approach over a multiannual audit cycle. We agree and understand the need for having a strong and periodic audit and internal validation of the AMA system. According to standard principle governing the activities of the internal audit, missions are planned over a cycle of some years, i.e. more than one year, in consideration of the risk involved and based upon a Risk Based Audit Plan. Requesting an “at least annual” audit is not in line with this principle. Furthermore in view of the size of the banking groups involved, it is very difficult to check every year all the items mentioned in the article 45 - 2 - b) for all the group entities at a detailed level.
We propose to change paragraph 2 to: “In particular, the competent authority shall verify that (a) at least on annual basis the internal validation function provides a reasoned and well-informed opinion on whether the operational risk measurement system works as predicted, and whether the outcome of the model is suitable for its various internal and supervisory purposes; (b) on a regular basis the audit function verifies the integrity of the operational risk policies, processes and procedures assessing whether these comply with legal and regulatory requirements as well with established controls and verifies the functionality of internal processes for the validation hereof. For this purpose, emphasis shall be provided to the verification of the quality of the sources and data used for operational risk management and measurement purposes.”"
We do not support the modifications envisaged in article 6 because this would introduce a significant uneven playing field between banks subject to EBA/ECB rules and all the other banks BCBS compliant and also between IRBA/AMA banks compared to IRBA or AMA only entities. We strongly oppose to any changes from the actual regulation.
The operational risk related to credit risk is an intricate notion that requests deep analysis on a case-by-case basis. In order to guarantee consistent practices for all cases, and to avoid unsystematic transfer of these losses under AMA, the principles of the Article 6 need therefore to be clarified.
Furthermore, there is a risk to double count the same risk in both credit and operational risk capitals, and that credit risk capital requirement still contains “hidden / never identified credit fraud”. To avoid double counting, institutions should be authorised to extract from their database such fraud events from the credit risk. We therefore look for a clarification on the credit risk methodological assessment side in order to preserve the intrinsic consistency of the CRD standards. However, this would involve considerable implementation effort for both the institutions themselves and data consortia may they concern operational risk or credit risk. The question arises as to how the current rating procedures could remain in existence if some banks had to consider losses from the credit risk and others not.
The change in event categorisation must be supported by Credit Risk Management functions and regulators. For Credit Risk Management the implications range from data collection, to data history in risk analysis, to the amount of capital required for Credit Risk. The Credit Risk consultation paper will necessarily need to be consistent with the implications and effects in Article 6. Operational Risk Management functions cannot be expected to implement data collection related to the credit area without the active support of regulators specialising in the credit area.
Fraudulently incurred credit events are an integral part of the parameterization of credit risk models. As credit risk models are exposure based they provide forward looking risk assessment and risk awareness directly linked to the current business decisions. The removal of operational risk losses from credit risk models would reduce the credit risk provisions instantly without the connection to improvements of the credit processes. Furthermore in most institutions the fraud prevention methodology is closely linked to the credit rating development. AMA models are based on historical losses, not on current exposures. As fraudulently incurred credit defaults are way more exposure based than other operational risk events, the pooling of this data for operational risk modelling is extremely challenging. The precise allocation of fraudulently incurred credit losses is beyond current standards in operational risk modelling. Therefore, we strongly do not support the inclusion of these events for AMA capital calculation as it does not enhance the overall evaluation and management of these risks. We are convinced that credit risk models are the best solution for the modelling of operational risk losses related to credit risk due to their exposure based nature.
We also estimate the costs for implementation extremely high and not appropriate compared to the additional information gained for OpRisk management. We therefore propose a higher collection threshold.
The analysis whether fraud has been committed can take several months. Thus losses would have to be moved from credit risk models to AMA models once the fraud has been proven. This needlessly causes instability both for credit risk and for AMA models.
It may therefore introduce several sources of uneven playing field. Indeed, it introduces discrepancies between IRBA/AMA banks compared to IRBA only entities. Furthermore, it hampers a fair comparability across institutions belonging to different jurisdictions. In addition to the complexity of implementation in operational and credit Risks IT systems, it would induce uneven playing field if only applicable to EBA regulated perimeter without any convergence with BCBS standards.
We consider also the amount of the loss to be recorded to be problematic (Article 8(1d)). It should be mentioned that loss mitigations could be included (realization of collateral for instance).The outstanding amount of credit at the time of discovery of the fraud does not necessarily correspond to the amount of the write-off. Further repayments of principal and proceeds from realisation of collateral should be eligible as loss mitigation. In particular, the amount of the credit guarantees collected and the associated amount of the unsecured portion played a key role in the decision to grant credit. Accordingly, it should also be possible to take into consideration the eligible value of the collateral in the assessment of the operational risk.

Under the assumption that our remarks are considered and implemented we support the contemplated phase-in approach given a new timeline of 5 years.
Clarification is sought on the following concepts:
Concerning specifically the items mentioned in Article 7 (2), we support the principles provided that it is only for managerial purposes (deletion of the reference “at least” would be welcome). In fact some data will be very difficult to collect exhaustively, such as near-misses, overtime and bonuses, even if they contain interesting information for OR management purpose:
- a&b - Near-misses and operational risk gains : The implementation of this requirement would pose a large number of challenges for the institutions. We point out that in contrast to genuine losses, near-misses leave no “traces” behind in accounts and therefore the exhaustiveness of the recording of the relative operational risk events cannot be guaranteed. Then the bias induced in the loss collection doesn’t allow a proper statistical use of these data.
- c – opportunity costs / lost revenues : they are in fact already covered by article 7 (1 d & e) (pending losses and lost revenues). For all these items, it is doubtful to include them in a data collection exercise given the fact that, as mentioned above and indicated in Article 2 itself, they do not lead to any charge in the P&L,
- d - Internal costs such as overtime or bonuses: a precise assessment of overtime is quite complex considering that, in most of the case, internal staff first perform a trade off with their other tasks and postpone it to focus on risk event treatment. Therefore, the overtime cost isn’t a fair assessment of cost of OR loss.
It should be acknowledged that higher thresholds can be applied for the collection of these events as only events with a high impact can be identified with reasonable effort and only those events are relevant for Operational Risk management decisions.
On article 7(1): Moreover, we want to point out the difficulties of performing a fair estimation of cost of repair or replacement mentioned in Article 7 (1b2). Indeed, after a risk event, one may choose to enhance the former situation rather than just to restore it. It is then quite unclear to assess which part of the cost should be considered to include in OR database. When deciding to take all the components of the enhancement, it would unduly burden the entities promoting enhancement rather than pure restoration. We propose the text should make it clear that it should be assessed on a best effort basis
Furthermore, the provisions of the article 7 (1d) leave a room for interpretation that may lead to very heterogeneous practices across institutions. We would prefer a simpler rule such as pending losses over 2 years or over a certain amount that could be 1 % of the NBI of a given entity.
Regarding Article 4 paragraph 2 on the list of operational risk events related to legal risk, we think internal rules and/or ethical conduct that do not imply a violation of external rules should not account as legal risk.
Concerning Article 4 paragraph 3 point (a), we sustain that internal rules and/or ethical conduct should not be considered as legal risk. Regarding point (b): “expenses stemming from legal disputes or from interpretations of legislative or regulatory rules which prove to be against industry practice,” we see these expenses as legal risk if only prevails in them. With respect to point (c), when voluntary compensation to customers is done, it should be only to the extent that it was used to avoid a legal risk, in line with Article 4 paragraph 2 point (a). Also concerning point (c), the identification of the ‘same event’ is not straightforward in practice given that the marketing of a product will depend on the personal and financial circumstances of the customer, for instance.
In general, we think the wording of Article 4 is quite confusing and should therefore be clarified. In particular, paragraph 3 should be more concrete and specific. It is not clear the distinction between paragraph 2 and 3 (in Article 4), and we think it might be better to integrate them into a single paragraph. It is unclear whether the specific cases cited in paragraph 3 materialize in the events referred in paragraph 2 or, conversely, are part of the whole or in addition to the events listed in paragraph 2. The scope of ‘regulatory rules’ should be clarified, even if it is a commonly accepted term to avoid interpretative doubts. We would like to know what consideration/implication out-of-court settlements as an operation risk event. Among these, are there cases in which financial institutions should consider that there is operational risk?
Regarding paragraph 5: Examples could include various forms of business or strategic risk. Given the exclusions from the definitions it would be helpful if the same terminology could be used here. From the perspective of consistency with the definition of operational risk, it would be useful to explicitly mention Strategic and Reputational Risks as being excluded.
According to Article 5(3)(g), the wording appears unclear to us. If it was to mean unauthorized excess of limits, we consider this should not be considered as an operational risk event. Should it nevertheless be so, it would be very complex to track and record properly for a limited added value, as the situations that may be at risk are currently properly covered from a prudential perspective through breaches in the VaR. If what is at stake is, as currently, more deliberate and fraudulent behaviour, which is undoubtedly an operational risk event, then the wording needs to be adapted.
We do not understand to which type of “errors in classification due to software” Art 3 (b) intends to cover and to which extent they are to be considered as operational risk.
Model risk that falls under operational risk should be clearly defined in this document. The EBA/CP/ 2014/14 on the SREP process mentions a definition and suggest a split. We consider first, this rule should not be in document on SREP process and second that the proposal included in the EBA/CP/ 2014/14 should be improved.
Finally, the treatment described in Article 8(1b) partially differs from former regulatory position, to ensure consistency throughout the historical data, we advocate for keeping things unchanged from previous standards.
On article 6 (2a), the impression given is that fraud is only committed at the beginning and not during the life of a transaction. So if fraudulent details are provided during the life of a credit transaction then the fraud is still to be allocated to Credit Risk. If this is what is intended then it would lead to an inconsistent capital treatment of fraud – sometimes OR and sometimes CR depending upon the timing of the fraud.
With regards to the list of operational risk in Article 7, the legal expenses should be excluded when the sentence or ruling is favorable to the Bank. The legal expenses should be closely linked to provisions raised for them.
We wonder the necessity of article 7.1 if given that legal risk is already covered by article 4. We do not clearly understand why this focus on ‘timing losses that span more than one accounting year and give rise to legal risks’, therefore clarification is needed.
The general definition of Timing Losses reported in article 2 (27) is “timing losses means negative economic impacts booked in an accounting period due to operational risk events impacting the cash flows or financial statements of previous accounting periods. Timing impacts typically relate to the occurrence of operational risk events that result in the temporary distortion of an institution’s financial accounts (such as revenue overstatement, accounting errors and mark-to-market errors)”.
In addition in the EBA document it is specified that:

• article 7 - , “timing losses that span more than one accounting year and give rise to legal risks” should be included in the operational risk losses;
• article 8.3 - “In case of timing losses, the loss amount to be recorded comprises all the expenses incurred as a result of the operational risk event, including the correction of the financial statement, when it involves the direct relation with third parties (such as customers or authorities) or employees of the institution, and excluding the correction of the financial statement in all other cases”.

With regards to Article 7 (1e), it is recognised and appreciated that uncollected revenues are an economic loss to the firm. However, capturing these losses is difficult. One potential data source, the General Ledger, is used to tracking things that did happen rather than things that did not happen. Firms should be able to agree a threshold, with their home regulator, for capturing uncollected revenues. For uncollected revenues it is impossible to ensure completeness. Policy statement with penalties for non-compliance and/or high thresholds must be allowed to make this practical.
We support the definition under Article 7 (1f) of timing losses however tax related payments should be explicitly excluded since these are not related to operational risk.
For the items listed under Article 7 (2) it should be acknowledged that higher thresholds can be applied for the collection of these events as only events with a high impact can be identified with reasonable effort and only those events are relevant for OpRisk management decisions.
Finally, the treatment described in Article 8(1b) partially differs from former regulatory position, to ensure consistency throughout the historical data, we advocate for reassessing the former boundary risk event at least for the most significant of them.
As regards the potential inclusion of more items in these lists, we do not see any additional items to be included in these different lists.
We do not support this proposal and that the dependence structure cannot be Gaussian.
This judgment seems to be to blunt since the dependence structure depends mainly on the way the operational risk categories are defined, on the way how data is grouped and finally how the dependence structure interact within the full modeling framework.
Firstly, the document should clarify to which quantity the proposed Student copula should apply. Indeed, depending on the bank, some dependence models are based on aggregate cells losses, others are based on frequencies (number of events) and others are based on severities. Given the parameters, it is well known in the literature that these three approaches lead to very different impacts. Secondly, should the Student copula be correct for frequency dependences, it could be incorrect for aggregating loss dependences for instance. Thirdly, the data may be compliant with the Gaussian copula and invalidate the Student copula. What would happen in this case?
Furthermore, we do not support too prescriptive restrictions/recommendations for modelling choices given the fact that we have in any case to produce quantitative and qualitative evidence that our modeling choices are duly justified (see article 26 (5)). Concerning the explanation given in the corresponding explanatory box, it seems not that obvious one could apply lessons learned on credit and market risks directly to operational risk without any consideration of the data (see article 23 (2.a) which emphasizes the absolute necessity to study the data before taking any modelling assumption for instance) and the modelling framework.
We support the idea of using the operational risk system for ICAAP purposes. We suggest the EBA to elaborate more to which extent the AMA model has to be used for ICAAP purposes. We think the opportunity should be left open to each institution to use or not the AMA model for assessing its ICAAP.