Primary tabs

German Banking Industry Committee

In our opinion the following provisions in the draft RTS are not sufficiently clear:

Article 1(2) Scope of operational risk

Some important elements of the definition of operational risk are missing from the scope of operational risk, in particular processes, systems, people or external events.

The inclusion of compliance risk is necessary to ensure consistency with the EBA’s ‘Draft Guidelines for common procedures and methodologies for the supervisory review and evaluation process’ (paragraph 244). The inclusion of process and organisational risk, as well as HR risk, would be consistent with the examples given for Business Environment and Internal Control Factors in Article 19(1) and the subsequent Explanatory Box (eg employee turnover, frequent reorganisations, key employee dependencies, ineffective controls, poor process design or execution).

The statement on exclusions from the definition of OR is confusing, especially as those ‘other kinds of risk’ are not described. If risks such as business, strategic and reputational risk are required to be excluded (in line with the definition of operational risk), it would be more appropriate to mention them explicitly.

The EBA has provided clarification on the scope of operational risk with respect to compliance risk in the Single Rulebook Q&A (Question ID: 2014_1153), stating that ‘risk arising from an institution’s non-compliance with its legal or statutory responsibilities or requirements must be included in the definition of operational risk’. We would recommend that the corresponding definition of compliance risk should also be included in Article 2 of the Regulation.

Article 2(2) Definitions
With regard to Article 1(2), it would be helpful to additionally give a clear definition of the kind of model risk that has to be included within the scope of operational risk. This definition should be consistent with the one given in Article 3(1)(11) of the CRD and with the assessment of model risk contained in the EBA’s ‘Draft Guidelines for common procedures and methodologies for the supervisory review and evaluation process’.
Article 2(12) Definitions
Depending upon the jurisdiction, firms can be sued for a wide variety of issues. The ‘risk of being sued’ is too broad and impractical. If a firm is being sued, there is no risk or uncertainty. Due to the influence of jurisdiction on the likelihood of being sued and the range of potential lawsuits, we recommend deleting this element of the definition.

Article 2(20) Definitions
The underlying concern appears to relate to perceived or actual misuse of suspense accounts and pending losses in relation to operational risk losses. Items are probably classified as pending losses in those cases in which there is greater certainty about the loss estimate, for example whether it is €10 million or €10,000.
The finance/accounting/control function manages pending losses and suspense accounts in line with the formal accounting standards. For clarity, the second part of the definition should be deleted.

Article 2(21) Definitions
The definition given for ‘recovery’ in (21) only refers to what is commonly known as ‘indirect recovery’. We are proposing that a definition of ‘direct recoveries’ should also be given. Alternatively, the definition could be supplemented to read ‘… received from the first party or from a third party, such as insurers or other parties’.
Article 4(2)(a) and (3)(a) Operational risk events related to legal risk
The provisions of Article 4(2)(b) and (3)(a) stipulate that events related to breaches of ethical conduct rules have to be included in the scope of operational risk. From our point of view, this provision leaves a lot of scope for interpretation because the notion of ethical conduct may differ considerably over time, between institutions, jurisdictions or individuals. We propose excluding the term from the provisions listed above as well as from the provisions of Article 4(5), especially considering the fact that many institutions have in place a code of conduct or comparable internal rules. Since any breach of internal rules also has to be included in the scope of operational risk, the provision would still sufficiently cover the envisaged scope, whilst limiting that scope to events related to written rules that are duly communicated to the appropriate employee level.
It is unclear why breaching an institution’s internal rules is considered to constitute legal risk even though it does not breach legislative or regulatory rules at the same time. Further uncertainty is created about the exact nature of the internal rules (whether they be principles, policies, standards or procedures). For clarity, we propose to shorten the text so that the paragraph reads ‘events related to decisions made by an internal competent decision-maker but breaching legislative or regulatory rules’. To ensure consistency, paragraphs (4) and (5)(a) should be amended in the same way.

Article 5 Operational risk events related to market risk
It is unclear why all ‘Operational risk events occurring in market-related activities shall be classified as boundary events between operational risk and market risk’. We think that there are a wide variety of possible operational risk events in market-related activities that do not generate market risk.

For clarity, we propose amending the text to read ‘Operational risk events occurring in market-related activities that generate market risk shall be classified as boundary events between operational risk and market risk’. In our opinion it is not necessary to introduce a second flag (besides the market risk flag) for events in market-related activities, as this information is already provided by assigning business lines to operational risk events.
For clarity, we propose adding a reference to data entry errors in paragraph (2)(d).
Article 6(4) Fraud events in the credit area
The definition of first party fraud and third party fraud given should be clarified with regard to the following aspects:

- The definitions of first party fraud (‘when the party misrepresents its financial abilities on the application forms and by using another person's identifying information’) and third party fraud (‘a fraud that is committed by means of use of a person’s identity’) overlap. For clarity, we propose deleting ‘and using another person’s identifying information’ from Article 6(4)(1).
- We understand the text to mean that any fraud that is initiated by an existing customer at a later stage of the lifecycle of a credit product (not on the application form) is neither first nor third party fraud. As this definition differs from the commonly used definition, this fact should be stated explicitly.
Article 7 Scope of operational risk loss
For clarity, we propose amending Article 7(1)(d). One of the main reasons that a loss might be pending is that the actual amount of the loss is not known. We propose replacing ‘actual’ so that the phrase reads ‘recognition of the anticipated amount of pending losses in the loss database’. The inclusion of ‘pertinent scenario analysis’ when used in a paragraph on pending losses is confusing and should be deleted.

It is impossible to ensure completeness in the case of uncollected revenues. A policy statement with penalties for non-compliance and/or high thresholds must be added to make this practical.

According to the definition in Article 2(27), although timing losses ‘result in the temporary distortion of an institution’s financial accounts’, they usually do not generate an effective loss for the institution, even if they span more than one accounting year. Hence it is not clear why – according to Article 7(1)(d) – the timing loss itself must be included in the scope of the AMA calculation. However in the event that the timing loss causes legal risk, this legal risk should be considered for AMA calculation purposes. This treatment is consistent with example iii) given in the Explanatory Box on page 28. We propose amending the text to read ‘legal risks arising from timing losses that span more than one accounting year’.

Additionally, we do not see any need to extend the data set used to calculate regulatory capital using an AMA model to include opportunity costs. Expanding the underlying data set to include opportunity costs overturns the previously clear limitation of the data used for calculating regulatory capital to losses that are recognised in P&L. There is no charge to P&L in either case (ie (d) and (e)). Moreover, in the case of pending losses, this is ruled out by definition (see Article 2(20)). We would therefore propose deleting (d) and (e) as components of the data set used for calculating regulatory capital in Article 7(1). As well as opportunity costs and internal costs, there is also a proposed requirement to record near-misses and OpRisk gains, at least for AMA management purposes, in the OpRisk database.

Implementing this requirement would pose numerous challenges for the institutions. On the one hand, it should be considered that – in contrast to actual losses – near-misses do not leave any ‘traces’ in accounts. There can therefore be no assurance that these OpRisk events can be recorded in full. On the other, the question arises of which incentives could be offered to employees in order to ensure that these near-misses are recorded as completely as possible throughout the entire institution. For these reasons, we advocate limiting this requirement to material events that are of significance for the institution.

Article 8(1)(a) Recorded loss amount of the operational risk items
For clarity, a change should be made to Article 8(1)(a), specifically by inserting the word ‘external’. We propose rewording this paragraph to read: ‘all the external expenses incurred as a result of the operational risk event…’.

Article 8(1)(d) Recorded loss amount of the operational risk items
For fraud events, the outstanding credit amount at the time of discovery of the fraud will be recorded as the OpRisk loss.
We believe that the amount of the loss to be recorded is problematic. The outstanding credit amount at the time when the fraud is discovered is not necessarily the same as the amount of the write-off. It should be permitted to reduce the amount of the loss by further repayments and income from the realisation of collateral. In particular the amount of collateral received and the related unsecured amount of the loan played a key role in the original loan decision. Accordingly, the eligible value of the collateral should also be factored into the measurement of operational risk.

Article 8(3) Timing Losses
There is uncertainty as to whether the expenses are internal and external, or just external. Article 7(1)(b)(1) refers to external expenses and (1)(b)(2) to costs of repair.

Article 14(1)(d)
It is not clear why the detection of deficiencies in the policies, processes and procedures for managing operational risk should lead to ad hoc reporting rather than ad hoc validation. We suggest requiring ad hoc validation in these cases as this is more effective for improving policies, processes and procedures, and or preventing losses caused by these deficiencies.

Article 19(2) Business Environment and Internal Control Factors
Article 19(2) limits the influence of risk indicators and introduces processes to handle cases where limits are exceeded.

This requirement is appropriate for flat-rate positive or negative adjustments. However, the question arises of whether this requirement is also expected to apply to cases in which the risk indicators flow directly into the evaluation of scenario analyses. Any limitation here, in particular with respect to business environment factors such as fund volumes, would not seem to make sense. We are requesting further clarification of this issue.

Article 21(3) Building the calculation data set
It is not sufficiently clear whether the observation period greater than five years is expected for severity or frequency modelling. Severity data is always limited in the tail. As far as severity modelling is concerned, an observation period of more than 5 years is reasonable. However, for frequency estimation an extended observation period delays the reaction of the capital figure to changes to the business process that can measurably influence the frequency of loss events. Thus an extended observation period for frequency calibration reduces the incentive effect of the capital model. We propose changing the text to read ‘The competent authority shall verify that, for operational risk categories with low frequency of events, an observation period greater than five years is adopted for severity modelling in order to ensure sufficient data to generate reliable operational risk measures’.
In principle, we welcome the ability to enhance the data set by extending the observation period in cases where the amount of available data is limited. We are requesting clarification as to how this observation period could be reduced again at a later date if the amount of available data is sufficient even for a reduced observation period.

Article 21(5) Building the calculation data set
We are asking the EBA to clarify Article 21(5). There appears to be a conflict between the requirement in this paragraph to use all operational risk losses and Article 21(1), which implies that firms can construct relevant internal loss data sets.

Article 21(6) Building the calculation data set
Some banks apply inflation adjustments. Thus, we suggest removing the mandatory requirement and evaluating the use of inflation adjustments within the overall framework of the institution.

Appropriate inflation rates are very specific (real estate in different countries/cities, expenses for medical treatment, etc.). We consider finding an appropriate index for the loss events to be extremely challenging. In addition, we expect that such model components would increase arbitrariness.

Moreover, it is only possible to understand external loss events in the database to a limited extent, and this cannot be reasonably reproduced by other institutions. In any case, loss events from external data pools suffer from unwanted scaling effects, eg different business volumes, which are very difficult to correct for.

For some risk categories – particularly for significant event type 4 – finding an index appears impossible. The question ‘What would the loss figure be today?’ is highly hypothetical and already addressed in the scenario analysis.

In our opinion, properly integrating scenario analysis into the capital model would be much more effective than any inflation adjustment.

Article 21(7) Building the calculation data set
We are asking the EBA to clarify Article 21(7) and (10) with respect to the concrete definition of ‘single root event’ and ‘root event’. Conceptually, we understand and appreciate the idea; however our concern relates to practicality issues and support for a consistent approach by firms across the EU.

Depending upon the practical interpretation of ‘root event’, this could amend the data collection and aggregation requirements. For example, if the ’root event’ refers to a process/control failure (because the firm has implicitly or explicitly decided to accept the risk), then the events would be aggregated/grouped over time. It is not clear if the time period for grouping matches the annual accounting period or crosses accounting periods.

The practicalities may be similar to those involved in identifying a root cause.

Article 21(8) Building the calculation data set
In our opinion, the data set used for the severity model should only contain integral losses, as splitting losses would distort severity modelling.

Events with an initial reference date outside the observation period are less relevant for the current risk profile than recent events, regardless of whether there have been recent adjustments to the loss amount. For example, some legal risks may take several years to be settled. After the settlement, a loss may be recorded and a provision reversed. This does not imply that the event is relevant for the current risk profile.

We therefore suggest including only those events in the AMA calculation whose reference date falls inside the observation period. We strongly urge not splitting up loss amounts.

Instead of mixing different reference dates for losses, we propose extending the observation period for severity modelling. Longer observation periods would also mitigate the situation where losses fall outside the scope of AMA modelling.

Article 23(3) Identification of the probability distribution
The estimate is based on the best fit of data to distributions. Since the ex ante prioritisation of sub-exponential distributions over other distributions does not appear to be appropriate in this context, we are proposing that this requirement be deleted.

Article 23(8) Identification of the probability distribution
The EBA appears to be moving towards overly strong reliance on statistical measures when selecting appropriate distributions. For example, goodness-of-fit measures are not stable over time, as they change when new data arrive over time. Thus, frequent changes of distributions create jumps specifically in the allocation of Divisions, making risk management and the communication of results impossible. Clearer wording is thus required to put Article 23 into its proper perspective.

Article 24(4) Determination of aggregated loss distributions and risk measures
The competent authority is required to verify that the institution applies appropriate techniques to determine the aggregated loss distributions. It must therefore verify that the institutions apply techniques to avoid capping the maximum single loss.

It would be helpful if the EBA were to provide a more precise definition of ‘capping’ to avoid confusion. From a technical point of view, it may be necessary– in some rare cases (depending on the data structure) – for instance to truncate the loss distribution on the right (which is mathematically not the same as capping and, we hope, is not what the EBA means by ‘capping’) to ensure an acceptable robustness when performing sensitivity analysis, especially in the case of very high losses. This may occur when the data – and hence the fitted distribution – have extreme outliers (this is generally the case when massive losses are added in a sensitivity analysis) and appear to have very a large tail. When massive losses are included in the data, they can become overweight compared with the rest of the data because the history is too short. The best-fitted distribution (not right-truncated) may then generate unrealistic losses with a too high probability/duration.

We would welcome a decision by the EBA to permit right-truncation of the loss distribution for robustness purposes, provided the truncated point can be economically validated. Such a method has the advantage of being transparent and easy for supervisors to understand.

Article 25 Expected losses
There are three commonly used definitions of expected loss:
i. Statistical, eg a 50% confidence interval
ii. Accounting
iii. Losses that are expected
The expected loss figure derived from statistical distributions will vary with the type of distribution and the data used. The perception is that the accounting standards narrowly define expected loss, especially with regard to the creation of specific or general reserves. Clearer wording for the entire Article 25 is thus required.

Paragraphs (2) and (3)
We understand that the EL should be estimated per category rather than for the whole bank, and that the estimated EL for one category cannot offset capital for other categories. However, it is not clear in this context what is meant by ‘operational risk category’. As the assessment of the expected loss for operational risk has to be considered in the business planning, we propose assessing the expected loss at the level of an institution’s business segments. As each institution has individual categories for operational risk modelling, most institutions will not be able to perform P&L planning at the level of operational risk model categories and will instead perform P&L planning at the level of business segments.

Articles 34 to 36
We assume that Articles 34, 35 and 36 apply to institutions that intend to move to AMA from a simpler regulatory methodology (eg BIA or TSA). We do not expect it to refer to extensions or changes to AMA (including changes of IT systems) for institutions that have already been granted permission to use AMA, especially as there is no corresponding provision in Regulation (EU) No 529/2014.

For clarity, we propose amending Article 34(1) and (2) to read:

‘The competent authority shall verify that an institution that intends to apply for permission to move to AMA from a simpler operational risk regulatory methodology…’

‘In order to demonstrate the stability and robustness of the AMA output and to benchmark the AMA capital figure against the former regulatory measurement approach, …’

Article 45(2)(b) Audit and internal validation reviews
We concur with the requirement for an annual cycle for validating the operational risk management and measurement system. However, it is not clear why the audit function should verify the integrity of the operational risk policies, processes and procedures and assess whether these comply with legal and regulatory requirements, as well with established controls, on annual basis. This requirement goes far beyond the requirement of CRR Article 321(1)(e) (‘an institution shall subject its operational risk management processes and measurement systems to regular reviews performed by internal or external auditors’).

As long as the audit function verifies the functionality of the operational risk management and measurement system as well as the internal processes for its validation on a regular basis, we do not see the need for an annual review of all its components.

We propose changing paragraph (2) to read:

‘In particular, the competent authority shall verify

(a) at least on annual basis that the internal validation function provides a reasoned and well-informed opinion on whether the operational risk measurement system works as predicted, and whether the outcome of the model is suitable for its various internal and supervisory purposes;

(b) on a regular basis that the audit function verifies the integrity of the operational risk policies, processes and procedures, assessing whether these comply with legal and regulatory requirements as well with established controls, and verifies the functionality of internal processes for their validation. For this purpose, emphasis shall be provided to verify the quality of the sources and data used for operational risk management and measurement purposes.’
In general, we support the collection of fraud events in the credit area for OpRisk management purposes. As is the case to a certain extent with the proposal for classifying boundary events between operational risk and market risk, it is certain that only a small proportion of the original credit risk and a high proportion of operational risk would be identified if these loss events were to be hypothetically analysed. Nevertheless, we believe that this proposal does usefully implement the requirements of Article 322(3)(b) of Regulation 575/2013. However, it would appear that the EBA intends moving first and third party fraud from the CR regime into the OR regime. From our perspective, the practical implications of this are enormous.

The change in event categorisation must be supported primarily by the credit risk management function and its regulators. For credit risk management, the implications range from data collection to data history in risk analysis to the amount of capital required for credit risk. In the credit risk consultative paper, it will be necessary to incorporate requirements that have the same implications and effects as Article 6. The operational risk management functions cannot be expected to implement data collection in relation to the credit area without the active support of regulators specialising in the credit area.

Fraudulently incurred credit events are an integral part of the parameterisation of credit risk models. As credit risk models are exposure-based, they provide forward-looking risk assessment and risk awareness that is directly linked to current business decisions. The removal of operational risk losses from credit risk models would reduce the credit risk provisions instantly without corresponding improvements in the credit processes. Furthermore, in most institutions the fraud prevention methodology is closely linked to credit rating development.

AMA models are based on historical losses, not on current exposures. As fraudulently incurred credit defaults are far more exposure-based than other operational risk events, pooling this data for operational risk modelling is extremely challenging. The precise allocation of fraudulently incurred credit losses is beyond the scope of current standards in operational risk modelling.

To prevent double-counting, institutions would have to be permitted to eliminate such fraud events from their credit risk calculations. However, this would entail a considerable implementation effort, both at the institutions themselves and at the data consortia and the agencies calculating the ratings. Institutions would face severe implementation challenges, especially in cases where they do not simultaneously apply the IRBA to their credit risk and the AMA to their operational risk. This would affect institutions that do not use an AMA, for example, but measure credit risk using rating methodologies from joint consortia. We think it would be impossible at a practical level to document all fraud events above the de minimis threshold currently in widespread use for OpRisk losses. The current data collection thresholds for OpRisk losses related to credit risk are many times higher than the threshold now being proposed. However, if this data collection become mandatory, it should also be acknowledged that the data collection process for operational risk losses related to credit risk is significantly different to that for other operational risk losses. Fraudulently incurred default losses are typically identified in a ‘post mortem analysis’ which is economically feasible only at a higher collection threshold. The analysis whether fraud has been committed can take several months. Losses would thus have to be moved from credit risk models to AMA models once the fraud has been proven. This needlessly causes instability both for credit risk and for AMA models. Secondly, the data collection threshold will have a significant impact on firms collecting the data. ORX has a threshold of €500,000 for the investigation of credit risk losses that may have operational risk elements. However, one interpretation of Article 6(3) is that, if firms collect their operational risk losses starting from a lower threshold, for example €10,000 or even lower, this is then the threshold at which they must also collect data about fraud in the credit area. While a firm may have hundreds of defaults with write-offs of €500,000, the same firm may have hundreds of thousands of defaults with write-offs of €10,000 or lower. This increased workload is then compounded by the time that it takes the firm to determine if a fraud has, or has not, been committed. An unscientific poll shows that the time taken to determine if there has, or has not, been a fraud can be three months or even longer. The resource and cost implications probably exceed the anticipated benefits.

We expressly urge a rethink of the de minimis threshold, which should if possible be increased to a level such that at least small-volume mass-market business is excluded from loss data collection. We are proposing a threshold of EUR 100 thousand (credit amount) in this context. Furthermore, we estimate the costs for such an implementation to be extremely high and disproportionate compared with the additional information gained for OpRisk management.

Moreover, the implementation period stipulated in Article 48 would be far too short. A two-year transitional period would not be sufficient to adequately address the challenges surrounding double-counting. In addition, the data history would be breached by changing the definition. To ensure the reliability of the data, a corresponding data pool would have to be developed in order to capture cases of fraud in the small-volume credit business. This would in any event take longer than the envisaged two-year period. Adding the time needed for technical implementation means that a suitable implementation period would need to be around five years. We estimate the costs for such an implementation to be extremely high and disproportionate compared with the additional information gained for OpRisk management.

Therefore, we strongly do not support the inclusion of these events for AMA capital calculation as this does not enhance the overall evaluation and management of these risks. We are convinced that credit risk models are the best solution for modelling operational risk losses related to credit risk due to their exposure-based nature.

Nevertheless, following the approach taken by Article 6 and Article8(1)(d), we would be grateful if the EBA were able to consider the following aspects:
If, as proposed in Article 6(2)(a) and (b), ‘credit losses related to OR’ were also to be switched to a pure OR regime, this could lead to an ‘unclear mixture’ or an ‘incorrect picture’. Consider, for example, the case of a customer with three loans paid out in three different years, one after another. Faked financial statements were provided in the last year/for the last loan only. What loss amount attributable operational risk should be recorded? What is the pure credit risk? The total outstanding amount attributable to the customer, or solely the third loan? How should repayments/returns of collateral be handled? In the LLP for the customer or the LLP for the single loan? We therefore strongly suggest not splitting loss amounts into CR and OR portions for capital calculation purposes. However, treating the total credit loss (LLP/write-off) as the loss amount attributable to OR also cannot be considered to be the ‘right picture’.

As we do not believe that the scope of the relevant credit-related (fraud) losses and the loss amount are coherent, we do not support the treatment of fraud events as envisaged in Article 6.
We generally support the collection of opportunity costs/loss revenues and internal costs for OpRisk management purposes. However, collecting these items should not be mandatory, not least because calculating eg opportunity costs involves a certain amount of judgement and it may be very difficult to allocate internal costs such as overtime. In our opinion, this provision should rather be formulated as an option to collect opportunity costs, lost revenues and internal costs in cases where they are deemed relevant by an institution. It should be acknowledged that higher thresholds can be applied for collecting these events, as only events with a high impact can be identified with reasonable effort and only those events are relevant for OpRisk management decisions. We would not support including those effect types in the AMA calculation as this would distort the meaning of the capital figures.

The use of the term ‘AMA management’ in Article 7(2) creates uncertainty. Is this intended to refer to operational risk management or to the team managing the AMA model? This data is regarded as useful for operational risk management.

Article 7(2)(d)
This data is regarded as useful for operational risk management. However, capturing this kind of loss is difficult since internal costs are hard to quantify, cannot be allocated and are not recorded in the general ledger. This is neither sensible, practical, nor feasible. It would only be reasonable in specific areas where it makes sense and is accompanied by high thresholds. It should be acknowledged that higher thresholds can be applied for collecting these events, as only events with a high impact can be identified with reasonable effort and only those events are relevant for OpRisk management decisions. We propose deleting ’internal costs such as overtime or bonuses’.
In general we support the items in the lists of operational risk events in Articles 4, 5 and 7.
Article 4(3)(b)

The reference to industry practice is confusing. A number of industry practices have been found to be contrary to ‘legislative or regulatory rules’.
Article 4(5)
Examples could include various forms of business or strategic risk. Given the exclusions from the definitions, it would be helpful if the same terminology could be used here.

From the perspective of consistency with the definition of operational risk, it would be useful to explicitly mention that strategic and reputational risks are excluded.

Article 5(1)
It is unclear why all ‘Operational risk events occurring in market-related activities shall be classified as boundary events between operational risk and market risk’. There is a wide variety of possible operational risk events in market-related activities that do not generate market risk.

Article 5(2)(c)
Models and model risk are included within the scope of operational risk. However, the lack of a definition of model or model risk in Article 2 creates uncertainty about the interpretation and practical scope of this paragraph.

If model risk is defined, this paragraph may no longer be needed.

Article 6(2)(a)
The impression given is that fraud is only committed at the beginning and not during the life of a transaction. For example, if fraudulent details are provided during the life of a credit transaction, the fraud would still be allocated to credit risk. If this is what is intended, it would lead to the inconsistent capital treatment of fraud – it would be sometimes OR and sometimes CR, depending on the timing of the fraud.

Article 7(1)(e)
We recognise and appreciate that uncollected revenues are an economic loss to the firm. However, capturing these losses is difficult. One potential data source, the general ledger, is used to track things that did happen, rather than things that did not happen. Firms should be able to agree a threshold, with their home regulator, for capturing uncollected revenues.

It is impossible to ensure completeness in the case of uncollected revenues. A policy statement with penalties for non-compliance and/or high thresholds must be added to make this practical.

Article 7(1)(f)
We support the definition of timing losses. However, tax-related payments should be explicitly excluded since these are not related to operational risk.

Article 7(2)
In the case of the items listed under Article 7(2), it should be acknowledged that higher thresholds can be applied for collecting these events, as only events with a high impact can be identified with reasonable effort and only those events are relevant for OpRisk management decisions.
We do not support Article 26(3) for the following reason:

Article 26(2) requires the independence of loss events within a category, whereas paragraph (3) talks about dependence between tail events (different categories?).

Empirical analysis shows that event severities are independent within and across risk categories. Moreover, the independence of loss severities is a widely accepted model assumption in the loss distribution approach: Statistical techniques mentioned in Article 24, particularly the single loss approximation (SLA) and the Panjer recursion, require the assumption of independence.

Dependence can be adequately incorporated into the frequency model although empirical evidence is also low in this context. It only has a limited effect there because of a symptomatic property of sub-exponential severity distributions (in combination with moderate frequencies): The annual loss is typically determined by the largest single event. This is what we can observe in the historical data and it underlies the idea of the single loss approximation.

The dependence structure may not be based on Gaussian or Normal-like distributions. This consultation paper therefore proposes that Gaussian or Normal-like copulas may not be used for operational risk modelling. These statements appear to be too sweeping. The dependence structure depends mainly on the way the operational risk categories are defined, and on how the data are grouped. It may happen that the data are grouped in such a way that the fit of a t-copula provides a high degree of freedom, and this in turn means that a Gaussian copula can indeed model the dependency well.

There is also a need to differentiate how the dependence structure is defined. In fact, it makes a significant difference for the results whether the copula assumption applies only to the frequency distribution or to the aggregated loss distribution whose dependence is actually being modelled.

The analogy to credit and market risk is therefore misleading:

Extreme losses in credit risk and market risk are driven by cumulative events. Events are dependent in this context, and the shape of the copula is critical for the fat tail of the portfolio loss. The use of t-copulas in credit risk and market risk is meaningful.

On the contrary, extreme losses in operational risk turned out to be rare single events of extreme extent, and not correlated cumulative events. The severity distribution is crucial for capital estimation.

We therefore do not support any axiomatic determination of Student t-Copulas for aggregating marginal events.
We support the use of an internal model for the internal capital adequacy assessment process and internal OR management. However, details should be provided about which components can differ (eg insurance recognition, sub-allocation).
Bernhard Krob