PART THREE CAPITAL REQUIREMENTS

TITLE III OWN FUNDS REQUIREMENTS FOR OPERATIONAL RISK

CHAPTER 4 Advanced measurement approaches

Article 321 Qualitative standards

The qualitative standards referred to in Article 312(2) are the following:

(a) an institution's internal operational risk measurement system shall be closely integrated into its day-to-day risk management processes;

(b) an institution shall have an independent risk management function for operational risk;

(c) an institution shall have in place regular reporting of operational risk exposures and loss experience and shall have in place procedures for taking appropriate corrective action;

(d) an institution's risk management system shall be well documented. An institution shall have in place routines for ensuring compliance and policies for the treatment of non-compliance;

(e) an institution shall subject its operational risk management processes and measurement systems to regular reviews performed by internal or external auditors;

(f) an institution's internal validation processes shall operate in a sound and effective manner;

(g) data flows and processes associated with an institution's risk measurement system shall be transparent and accessible.

Article 322 Quantitative Standards

1. The quantitative standards referred to in Article 312(2) include the standards relating to process, to internal data, to external data, to scenario analysis, to business environment and to internal control factors laid down in paragraphs 2 to 6 respectively.

2. The standards relating to process are the following:

(a) an institution shall calculate its own funds requirement as comprising both expected loss and unexpected loss, unless expected loss is adequately captured in its internal business practices. The operational risk measure shall capture potentially severe tail events, achieving a soundness standard comparable to a 99,9 % confidence interval over a one year period;

(b) an institution's operational risk measurement system shall include the use of internal data, external data, scenario analysis and factors reflecting the business environment and internal control systems as set out in paragraphs 3 to 6. An institution shall have in place a well documented approach for weighting the use of these four elements in its overall operational risk measurement system;

(c) an institution's risk measurement system shall capture the major drivers of risk affecting the shape of the tail of the estimated distribution of losses;

(d) an institution may recognise correlations in operational risk losses across individual operational risk estimates only where its systems for measuring correlations are sound, implemented with integrity, and take into account the uncertainty surrounding any such correlation estimates, particularly in periods of stress. An institution shall validate its correlation assumptions using appropriate quantitative and qualitative techniques;

(e) an institution's risk measurement system shall be internally consistent and shall avoid the multiple counting of qualitative assessments or risk mitigation techniques recognised in other areas of this Regulation.

3. The standards relating to internal data are the following:

(a) an institution shall base its internally generated operational risk measures on a minimum historical observation period of five years. When an institution first moves to an Advanced Measurement Approach, it may use a three-year historical observation period;

(b) an institution shall be able to map their historical internal loss data into the business lines defined in Article 317 and into the event types defined in Article 324, and to provide these data to competent authorities upon request. In exceptional circumstances, an institution may allocate loss events which affect the entire institution to an additional business line 'corporate items'. An institution shall have in place documented, objective criteria for allocating losses to the specified business lines and event types. An institution shall record the operational risk losses that are related to credit risk and that the institution has historically included in the internal credit risk databases in the operational risk databases and shall identify them separately. Such losses shall not be subject to the operational risk charge, provided that the institution is required to continue to treat them as credit risk for the purposes of calculating own funds requirements. An institution shall include operational risk losses that are related to market risks in the scope of the own funds requirement for operational risk;

(c) an institution's internal loss data shall be comprehensive in that it captures all material activities and exposures from all appropriate sub-systems and geographic locations. An institution shall be able to justify that any excluded activities or exposures, both individually and in combination, would not have a material impact on the overall risk estimates. An institution shall define appropriate minimum loss thresholds for internal loss data collection;

(d) aside from information on gross loss amounts, an institution shall collect information about the date of the loss event, any recoveries of gross loss amounts, as well as descriptive information about the drivers or causes of the loss event;

(e) an institution shall have in place specific criteria for assigning loss data arising from a loss event in a centralised function or an activity that spans more than one business line, as well as from related loss events over time;

(f) an institution shall have in place documented procedures for assessing the on-going relevance of historical loss data, including those situations in which judgement overrides, scaling, or other adjustments may be used, to what extent they may be used and who is authorised to make such decisions.

4. The qualifying standards relating to external data are the following:

(a) an institution's operational risk measurement system shall use relevant external data, especially when there is reason to believe that the institution is exposed to infrequent, yet potentially severe, losses. An institution shall have a systematic process for determining the situations for which external data shall be used and the methodologies used to incorporate the data in its measurement system;

(b) an institution shall regularly review the conditions and practices for external data and shall document them and subject them to periodic independent review.

5. An institution shall use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high severity events. Over time, the institution shall validate and reassess such assessments through comparison to actual loss experience to ensure their reasonableness.

6. The qualifying standards relating to business environment and internal control factors are the following:

(a) an institution's firm-wide risk assessment methodology shall capture key business environment and internal control factors that can change the institution's operational risk profile;

(b) an institution shall justify the choice of each factor as a meaningful driver of risk, based on experience and involving the expert judgment of the affected business areas;

(c) an institution shall be able to justify to competent authorities the sensitivity of risk estimates to changes in the factors and the relative weighting of the various factors. In addition to capturing changes in risk due to improvements in risk controls, an institution's risk measurement framework shall also capture potential increases in risk due to greater complexity of activities or increased business volume;

(d) an institution shall document its risk measurement framework and shall subject it to independent review within the institution and by competent authorities. Over time, an institution shall validate and reassess the process and the outcomes through comparison to actual internal loss experience and relevant external data.

Article 323 Impact of insurance and other risk transfer mechanisms

1. The competent authorities shall permit institutions to recognise the impact of insurance subject to the conditions set out in paragraphs 2 to 5 and other risk transfer mechanisms where the institution can demonstrate that a noticeable risk mitigating effect is achieved.

2. The insurance provider shall be authorised to provide insurance or re-insurance and shall have a minimum claims paying ability rating by an ECAI which has been determined by EBA to be associated with credit quality step 3 or above under the rules for the risk weighting of exposures to institutions under Title II, Chapter 2.

3. The insurance and the institutions' insurance framework shall meet all the following conditions:

(a) the insurance policy has an initial term of no less than one year. For policies with a residual term of less than one year, an institution shall make appropriate haircuts reflecting the declining residual term of the policy, up to a full 100 % haircut for policies with a residual term of 90 days or less;

(b) the insurance policy has a minimum notice period for cancellation of the contract of 90 days;

(c) the insurance policy has no exclusions or limitations triggered by supervisory actions or, in the case of a failed institution, that preclude the institution's receiver or liquidator from recovering the damages suffered or expenses incurred by the institution, except in respect of events occurring after the initiation of receivership or liquidation proceedings in respect of the institution. However, the insurance policy may exclude any fine, penalty, or punitive damages resulting from actions by the competent authorities;

(d) the risk mitigation calculations shall reflect the insurance coverage in a manner that is transparent in its relationship to, and consistent with, the actual likelihood and impact of loss used in the overall determination of operational risk capital;

(e) the insurance is provided by a third party entity. In the case of insurance through captives and affiliates, the exposure has to be laid off to an independent third party entity that meets the eligibility criteria set out in paragraph 2;

(f) the framework for recognising insurance is well reasoned and documented.

4. The methodology for recognising insurance shall capture all the following elements through discounts or haircuts in the amount of insurance recognition:

(a) the residual term of the insurance policy, where less than one year;

(b) the policy's cancellation terms, where less than one year;

(c) the uncertainty of payment as well as mismatches in coverage of insurance policies.

5. The reduction in own funds requirements from the recognition of insurances and other risk transfer mechanisms shall not exceed 20 % of the own funds requirement for operational risk before the recognition of risk mitigation techniques.

Article 324 Loss event type classification

The loss event types referred to in point (b) of Article 322(3) are the following:

Table 3

| Event-Type Category | Definition |
| --- | --- |
| Internal fraud | Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party |
| External fraud | Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party |
| Employment Practices and Workplace Safety | Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events |
| Clients, Products & Business Practices | Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product |
| Damage to Physical Assets | Losses arising from loss or damage to physical assets from natural disaster or other events |
| Business disruption and system failures | Losses arising from disruption of business or system failures |
| Execution, Delivery & Process Management | Losses from failed transaction processing or process management, from relations with trade counterparties and vendors |