Basel II Overview

• What is Basel II

• Pillar I – Minimum Capital Requirements • Pillar I – Wholesale Credit Risk• Pillar I – Retail Credit• Pillar I - Securitization• Pillar I – Operational Risk

• Pillar II – Supervisory Review and Internal Capital Adequacy Assessment Process (ICAAP)

• Pillar III – Disclosure

• Qualification Process

• Board and Internal Audit Responsibilities

Basel II OverviewTable of Contents

Basel II Overview What Is Basel II in the US

Risk Based Capital Standards: Advanced Capital Adequacy Framework - Basel II; Final Rule (Effective Date: April 8, 2008)

Basel II is a highly complex set of guidelines and regulations related to measurement, management and monitoring of capital Promotes more sophisticated capital framework intended to accommodate the banking industry's risk diversity.

Closely aligns regulatory capital requirements with the industry’s risk measurement & management practices and more comprehensive view of bank’s risks through inclusion of operational risk.

More flexible and risk-sensitive capital requirements.

Better and more integrated risk and capital management practices and more formalized risk management programs.

To align the bank regulatory capital measurement framework with sound contemporary practices in economic capital allocation, promote

improvements in risk management, and enhance financial stability

RudimentaryRudimentary risk-basedrisk-based

regulatory capitalregulatory capital(Basel I)(Basel I)

RudimentaryRudimentary risk-basedrisk-based

regulatory capitalregulatory capital(Basel I)(Basel I)

Enhanced Enhanced Risk-based Risk-based

regulatory capitalregulatory capital(Basel II)(Basel II)

Enhanced Enhanced Risk-based Risk-based

regulatory capitalregulatory capital(Basel II)(Basel II)

Economic CapitalEconomic CapitalEconomic CapitalEconomic Capital Risk ManagementRisk ManagementRisk ManagementRisk Management

Stimulate convergence of regulatory driven riskmanagement towards economic driven risk management

Basel II OverviewObjectives of Basel II

Pillar I: Minimum Capital Requirements

Calculation of Risk Measures to Determine Requirements

Pillar II: Supervisory Review Internal Control

Structure, Processes, and Methods

Pillar III: Market Discipline

Increased Risk Disclosure

Disclosure requirements depending on yet-to-be-developed guidance and market demands

Focus on Adequacy of Governance Process and Other Risks: Liquidity, IRR Concentrations etc

For U.S. banks, adoption of Advanced Credit IRB and Operational Risk AMA required

Basel II’s Three Pillars

Designed to align the bank regulatory capital measurement framework with sound contemporary practices in economic capital allocation, promote improvements in risk management, and enhance financial stability

Basel II OverviewBasel II Framework - Summary of the Three Pillars


• Pillar I – Minimum Capital Requirements • Pillar I – Wholesale Credit Risk

• Pillar I – Retail Credit

• Pillar I - Securitization

• Pillar I – Operational Risk






Basel II Pillar 1 requires all banks subject to the Final Rule to calculate capital requirements for exposure to Credit Risk and Operational Risk. Capital requirements for market risk remain largely unchanged.

It sets forth:

•Three approaches to calculating the Credit Risk capital requirement;

•Three approaches to calculating Operational Risk capital requirement.

Basel II OverviewPillar 1 – Minimum Capital Requirements

IRB Foundation IRB Advanced

Credit Risk Measurement and Management Techniques

Internal Ratings Based (IRB)

Basel II Credit Risk Measurement Approaches

Standard

Prospective need of capitalData requirements/complexity

Note: the US bank regulatory agencies only allow US banks to use the Advanced IRB approach in order to promote enhanced risk measurement

Basel II OverviewPillar I – Wholesale Credit Risk

•Primary objective of Advanced Internal Rating Based (A-IRB) approach is to enhance the sensitivity of the minimum regulatory capital requirements for credit risk for Corporate and Sovereign Credit Exposures.

•Under the A-IRB approach, banks will assign risk parameters to individual exposures.

•These parameters will then be used for the determination of minimum regulatory capital.

• IRB will require a rigorous framework of advanced credit risk quantification, data maintenance, control and oversight mechanisms that is characterized by independence, transparency, and accountability.

Basel II OverviewPillar I – Wholesale Credit Risk - Corporate and Sovereign Exposures

• Qualifying banks will be expected to have an A-IRB system consisting of five interdependent components for Corporate/Sovereign exposures:

1. A system that assigns ratings to individual wholesale obligors and exposures.

2. A quantification system that translates risk ratings into IRB parameters that are used as inputs to the IRB risk-based capital formula – PD, LGD, EAD and Maturity.

3. A data maintenance system that supports the A-IRB system.

4. Oversight and control mechanisms that ensure that the A-IRB system is functioning effectively and producing accurate ratings.

5. An ongoing process that validates the accuracy of the rating assignments, segmentations, and risk parameters.

• The regulators will expect that corporate credit rating systems operate dynamically.

As ratings are assigned, quantified and used, estimates will be compared with actual results (back-testing)

Data will need to be maintained to support oversight and validation efforts and to better inform future estimates

• The Rating System Review and Internal Audit functions will serve as control mechanisms that ensure the process of ratings assignment and quantification function according to policy and design and that noncompliance is identified and reported.

Basel II OverviewPillar I – Wholesale Credit Risk - Corporate and Sovereign Exposures

A bank needs to address three essential questions:

Expected Loss (EL): Parameters and Data

Expected Loss (EL): Modeling

Capital Calculations: Mapping and Formulas

• What parameters and data do I use?

• What are my inputs, processes, and outputs?

• How does this link to my capital requirements?

Basel II OverviewPillar I – Wholesale Credit Risk - Key Parameters & Requirements

Maturity Maturity (M)(M)

Maturity Maturity (M)(M)

• Remaining effective maturity of the EAD

• Remaining effective maturity of the EAD

Loss Loss Given DefaultGiven Default

(LGD)(LGD)

Loss Loss Given DefaultGiven Default

(LGD)(LGD)

• Loss after the event of a default

• Magnitude of loss, expressed as a %

• Loss after the event of a default

• Magnitude of loss, expressed as a %

ExposureExposureat Defaultat Default

(EAD)(EAD)

ExposureExposureat Defaultat Default

(EAD)(EAD)

• Outstanding amount at time of default

• Bank’s exposure amount in dollar terms

• Outstanding amount at time of default

• Bank’s exposure amount in dollar terms

Probability Probability of Defaultof Default

(PD)(PD)

Probability Probability of Defaultof Default

(PD)(PD)

• Probability of default of the borrowers in each risk grade (rating) on a one year time horizon

• Expressed as a %

• Regulatory definition of default event

• Probability of default of the borrowers in each risk grade (rating) on a one year time horizon

• Expressed as a %

• Regulatory definition of default event

These parameters are used for all types of credit risk exposures

Basel II OverviewPillar I – Wholesale Credit Risk - Key Parameters

Expected Loss = PD x (LGD – RC) x EADRC represents realizable collateralMaturity (M) is used in calculating ‘Risk Weighted’ assets

Advanced Approach Equals Lower Expected Loss

U.S. mandatory banks must use advanced Internal Ratings Based (IRB)

StandardizedFoundation

IRBAdvanced

IRB

Nominal $10m $10m $10m

PD AA (20%) 0.4% 0.4%

LGD 45% (fixed–para 256) 20%

Expected Loss $2m $0.018m $0.008m

EL Parameters and Data

ELModeling

Capital Calculations

Basel II OverviewPillar I – Wholesale Credit Risk - Key Parameters & Calculation

Maturity Consideration

LGD Estimation and/or Exposure Assessment

PD Estimation

Bank Passes Approval Process

Maturity M

Recognition obligatory (max. five years)

LGD

Own estimations if certain criteria are met

EAD

Own estimations if certain criteria are met

PD

Own estimations connected with Internal Rating Systems


ELModeling


Basel II OverviewPillar I – Wholesale Credit Risk - Key Parameters & Calculation

CREDIT GRADE RISK LEVEL PD (bp) S&P

Performing

1 Minimal 0–1 AAA

2 Modest 2–4 AA

3 Average 5–10 A

4 Acceptable 11–50 BBB

5 Acceptable with Care 51–200 BB

6 Management Attention 201–1,000 B

Substandard

7 Special Mention 1000 CCC

8 Substandard Interest Suspense CCC/CC

9 Doubtful Provision CC/C

10 Loss Default/Loss D


ELModeling


Basel II OverviewPillar I – Wholesale Credit Risk - Key Parameter: Probability of Default (PD)


ELModeling


Note how the differences between the grades increases, the worse the ratings

Basel II OverviewPillar I – Wholesale Credit Risk - Key Parameter: Probability of Default by Grade

• Historical loss database estimate LGD (7 years)

• Historical exposure database estimate EAD (7 years)

• Full risk data warehouse

• Rating data

• Data on default events

• Historical data (timelines) estimate PDs (5 years)

• Collateral data

Note: Basel II measures capital requirements at the facility level


ELModeling


Basel II OverviewPillar I – Wholesale Credit Risk - Key Parameter: Data Requirements

• Borrower has one PD, but different facility grades

• Facility grades based on LGD

Example: One borrower, 2 facilities: a secured wholesale mortgage on a factory and an unsecured

overdraft. The property mortgage would have a lower EL because the LGD would be lower due to the

value in the property whereas there is no security supporting the unsecured overdraft.

• Lower facility rating

• Shortage of data


ELModeling


Note: Basel measures capital requirements at a facility level

Basel II OverviewPillar I – Wholesale Credit Risk - Key Parameter: Facility Grades - Loss Given Default/ Recovery Rates

Seniority Class Mean Standard Deviation %

Senior Secured Debt 58.30 26.86

Senior Unsecured Debt 51.13 25.54

Senior Subordinated Debt 38.52 21.81

Subordinated Debt 32.74 20.18

Junior Subordinated Debt 17.09 10.90


ELModeling


This demonstrates the wide range for LGD values.

Basel II OverviewPillar I – Wholesale Credit Risk - Key Parameter: Examples of S & P Recovery Rates

• Having the right data is a major challenge: PD, LGD, EAD – Challenge due to multiple platforms (M&A, etc)

– Organizational Changes overtime

– New products and changes to existing products

– Changes in the rating scheme over time

– Potential differences in definition of credit default between Basel II and the bank

• Ensuring models developed are used appropriately (Bulletin OCC 2000-16): – The Goldilocks solution: do not use models slavishly (“All models are wrong; some are useful”)

– Nor ignore or continually override them

• Developing the right corporate culture – Where senior executives understand the quantitative and qualitative requirements of Basel (required under Pillar

II)

• Instilling corporate discipline to price assets properly– In line with the more sensitive risk-based capital requirements from Basel II

Basel II OverviewPillar I – Wholesale Credit Risk - Challenges

• Quantification is central element of approach to credit risk management.

• However, as recent events have shown that effective management of credit risk requires a holistic approach including non-quantitative elements such as management oversight and qualitative judgment.

• Senior management’s responsibilities include:– Reviewing portfolio’s risk profile, changing portfolio trends, risk parameter accuracy, economic and regulatory capital, and stress testing

results– Confirming activities conducted across multiple legal entities meet the following criteria:

– Products managed centrally using consistent policy– Segments have homogeneous risk characteristics– Exposure outside U.S. not grouped with domestic exposures– Validation and back-testing activities for each entity are accurate

• Independent risk management function provides oversight of lending activities– Responsible for setting credit policies – Ensuring credit standards are followed– Effective and independent loan review function

• Internal Audit function must be independent of business-line management and must at least annually assesses the effectiveness of the

controls supporting the bank’s advanced systems and reports its findings to the bank’s board of directors (or a committee thereof).

• The full board or a designated committee of the board:– Must have access to high-level reports summarizing the performance of the credit risk system– Is responsible for reviewing and approving key elements of the IRB system

Basel II OverviewPillar I – Wholesale Credit Risk - Quantification and Risk Management

• Establishment of quality controls and confirmation that lending activities follow established policies – Quality control function should operate independently of loan production process, collections, and

servicing functions

– Quality control function should generate monthly reports

• Management information systems (MIS) – Monitor and measure credit quality and performance

– Allow proactive and effective risk management

• Adoption and documentation of a sound loan loss methodology – Addressing credit risk assessment policies, procedures, and controls for assessing credit risk,

identifying problem loans, and determining loan provisions in a timely manner

• Controls and monitoring systems in place to supervise all third parties

Basel II OverviewPillar I – Wholesale Credit Risk - Quantification and Risk Management

US Regulators have stated that they will focus on the following issues during their quantification reviews:

• classification purposes What type of data exists describing the reference credit event?

– This is the reference data set

– Includes a balance of internal and external data

• How is the data being used to estimate a loss?

• Mapping describes the credit portfolio risk in terms of these characteristics - this is where banks are weak

• Estimated relationship is applied to the portfolio using mapping to produce IRB parameters

• Capital for the portfolio is computed using these parameters

The draft IRB supervisory guidance is built around this process, and the gaps and plans should clearly address these areas specifically:

• The quantification process is no stronger than the weakest part of the process noted above

• Institutions are expected to perform an annual review, to ensure that the process is logical

• LGD and EAD are linear, but the effects from slight differences in PD can result in significant differences in capital. Institutions will need to indicate that they have reviewed the quality of the PD calculation process

• Retail segmentation should be clearly defined and may not be the same as segments created for other

Basel II OverviewPillar I – Wholesale Credit Risk - Regulatory Expectations

• Individual consumer or small business exposures

• Similar types of loans are grouped into pools

• Risk Assessment at the loan pool or segment level

• Segment risk aggregated to portfolio level

• Securitized assets also evaluated

Basel II OverviewPillar I – Retail Credit - What is Included?

•Advanced IRB approach for retail exposures requires

–Manage retail exposures at segment level

–Estimated loss computation at segment level

–Derive capital requirements for each asset class

•Collect and maintain historical performance data

•Documentation and validation

Basel II OverviewPillar I – Retail Credit Requirements

Residential Mortgage Loans

Qualifying Revolving Exposures

Other Retail Loans

Credit

Card

Small

Business

Basel II OverviewPillar I – Retail Credit - Retail Assets Categories

Residential Mortgages

Segment 1 Segment 2 Segment 3 Segment 4

• Risk drivers used in segmentation• Defaulted assets segmented

separately• Guarantees recognized and included • Schemes validated on ongoing basis• Documentation required for:

– Segmentation methodologies– Validation techniques/ procedures– Updates to segments and risk drivers

QRE's


Other Retail Loans


Basel II OverviewPillar I – Retail Credit - Retail Portfolio Segmentation

• Identify detailed risk characteristics

• Long-run performance data available

• Construct appropriate reference data sets

Basel II OverviewPillar I – Retail Credit: Quantification Under Loan Sale or Securitization

Credit Data Repository

Credit Data

Loan Servicing System

Loan Data

Storage

Credit Analysis Queries

Reports

Data

Basel II OverviewPillar I – Retail Credit: Advanced IRB Data Requirement Guideline

•Data Architecture

–Format of stored data allows timely retrieval

–Unified management systems

•Data Gaps

–Use of internal/external reference data

•Documentation and Validation

–Develop and maintain comprehensive documentation

–Validate logical and data-related processes

Basel II OverviewPillar I – Retail Credit: Data Management Policy

• Core banks must follow advanced IRB guidelines

• Compute own risk parameters from internal/external data

• Consider PD, LGD, and EAD

• Three asset categories estimated separately

• Unique asset correlation (r)

Asset Category Correlation

Residential Mortgage r =0.15

Qualifying Revolving Exposures r =0.04

Other Retail r =0.03 plus/minus an adjustment

Basel II OverviewPillar I – Retail Credit: Retail Credit Risk Quantification

Step 5

Review Control and Governance

Mechanism

• Assessment and analysis of validation for end-to-end process• Practical recommendations for improvement that reflect Basel II requirements

Benchmark against leading practice and regulatory requirements

Apply specialist knowledge and experience

Step 4

Review Risk Parameters

Quantification Process

Step 3

Review Segmentation

Process

Step 2

Review Asset Categorization

Step 1

Review Data Maintenance

Practice

Basel II OverviewPillar I – Retail Credit: Proposed Retail Credit Validation Process

• Data integrity and the availability of historical data

• Ensuring models developed are used appropriately (Bulletin OCC 2000-16):

• Developing the right corporate culture

• Instilling corporate discipline to price assets properly

• Setting consistent asset categorization and segmentation criteria

Basel II OverviewPillar I – Retail Credit: Challenges

• One of the regulatory arbitrage opportunities the global regulatory community wanted to remove was the distinction between economic and regulatory breaks with the current securitization framework.

• With large banks bringing Structured Investment Vehicles (SIVs) onto their balance sheet (e.g. Citibank) and the resulting losses, we understand why.

• As a result the capital treatment is harsh (e.g. deductions of first loss from capital).

Basel II OverviewPillar I – Securitization: Quantification

Basel I Basel II

Generally

First loss

Type of Exposure Risk Weight

100%

Deduct

0%Unfunded < one year

Standardized banks A-IRB banks

Risk weights based on rating of position. If exposure unrated, then deduct from capital except in case of:

• Most senior exposure (look-through to average risk weight of pool)

• Second loss position or better (look-through to higher of 100% and highest risk weight of pool)

• Liquidity facilities (credit conversion factors depending on type and length of liquidity commitment)

Hierarchy of approach:

• If exposure rated must determine risk weight based on ratings based approach (RBA)

• If unrated exposure to ABCP conduit may use internal assessments approach (IAA) if conditions met

• If unrated exposure may use supervisory formula approach (SFA) if can determine inputs (including using top down methodology)

• If unrated exposure and RBA, IAA and SFA unavailable, may use exceptional “look through” approach with regulator consent on temporary basis for liquidity facilities

• Otherwise, must deduct unrated exposure from capital

Basel II OverviewPillar I – Securitization: Quantification

Source: Text

• Options– IRB bank must calculate capital on basis of:

1. External ratings pursuant to ratings based approach (RBA)

2. Inputs into supervisory formula (SF) approach

3. Internal assessments approach (IAA)

– Cap: If IRB would require more capital for securitization exposure than had the position not been securitized, bank may use IRB capital requirement for underlying exposures

• Hierarchy – Under Credit Risk A-IRB, a bank must use ratings based approach

(RBA) to calculate capital if external rating or inferred rating available

– Where RBA not available, bank may use SF or IAA if available

– Where neither RBA nor SF or IAA are available, bank may use look-through approach, otherwise, the position must be deducted

Basel II OverviewPillar I – Securitization: Quantification – Capital Charges





• Pillar I – Operational Risk AMA






Significant Losses

• Billions of $ lost to operational loss events

• Common causes include:– Weaknesses in business practices– lack of ownership of risk– inadequate reporting of risk– absence of methodologies – need for improvement in controls

Regulatory Pressures

• Regulators, risk-based approachto supervision

• Corporate governance and Sarbanes-Oxley

• Basel Committee, capital adequacy framework

• Globalization resulting in increased international exposure

Changing Environment

• Infrastructure and technology• Speed of new products to and exit

from market• Greater distribution of control

responsibility• Cost and expense base pressures

Basel II OverviewPillar I – Operational Risk AMA: Why Is Operational Risk Important?

Qualifying Criteria

Standardized

Measurement Options

Basic IndicatorAdvanced

Measurement (AMA)

Prospective Need of Capital Data Requirements/Complexity

Basel II OverviewPillar I – Operational Risk AMA: Quantification Options

The Basel II Accord definition of operational risk is:

“The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk, but excludes strategic or reputational.”

‘The New Basel Capital Accord’ – April 2003: Basel Committee on Banking Supervision

Basel II OverviewPillar I – Operational Risk AMA: What Is Operational Risk?

Why include Operational Risk in Pillar I? Potential operational risks are significant and rising due to reliance on technology, people and processesOperational risk has been a major contributor to depletion of capital and failure of banksThus, operational risk is included as an explicit component of the firm-wide risk management system and economic capital allocation process

Basic Indicator

• No Specific Criteria

• Capital charge = 15% of Annual Gross Income (averaged over most recent 3 years)

Standardized

• Board of Directors / senior management involvement

• Operational Risk management function

• Operational Risk management system

• Capital charge = sum of charge per eight business lines calculated as a fixed % of Annual Gross Income (12%, 15%, or 18% - again averaged over the most recent 3 years)

Advanced Measurement

• Standardized, plus:

• Risk management and measurement

• Risk management and measurement process review

• Quantitative standards

• Capital charge = a bank’s internal Operational Risk measurements system of calculation

Basel II OverviewPillar I - Operational Risk AMA: U.S. Approach

*Operational risk management – Basel II AMA - ( to include Risk assessment/profiling, Economic capital allocation, Loss data, Key risk indicators, Scorecard management, Scenario analysis, Business line risk data analysis, etc.) **AML – Anti-money laundering requirements, Bank Secrecy Act, USA Patriot Act etc.

Operational Risk Management

Operational Risk

Framework*

SOX

Change RiskManagement

Indicates various activities/processes that are part of Operational Risk Management.

AML**

Business continuity

Event/IssueMgmt

Privacy & Information

Security

Model Validation& Governance

• Operational Risk Management (ORM) Encompasses all processes shown here

• Integrated management of ORM involves:- Consistent methodology for risk identification, risk assessment and Risk measurement- A process to develop And report risk indicators- A process to aggregate risk across all these functions to have a holistic view of Operational Risk across the Bank

• Risk quantification/ OR losses policy for Basel II should cover covers all these areas

Systems External Events

People Processes

Documentation / Records Mgmt

Product Risk Management

Basel II OverviewPillar I – Operational Risk AMA - Risk Management Assessment Integrated Operational Risk Management

Third Party Risk Management

Four AMA Components:1.Internal Loss Data

2.External Loss Data

3.Business Environment and Control Factors

4.Scenario Analysis

Other Considerations:

1.Risk Strategy

2.Firm-wide Operational Risk Management Function

3.Definitions, Linkages, and Structures

4.Risk & Control Self-Assessments (RCSA)

5.Key Risk Indicators (KRIs)

6.Mitigation

7.Capital Modeling

8.Reporting

9.Information & Technology

Overview of Basel IIPillar I - Operational Risk – AMA: Core Components and Associated Considerations

•Operational loss means a loss (excluding insurance or tax effects) resulting from an operational loss event. Operational loss includes all expenses associated with an operational loss event except for opportunity costs, forgone revenue, and costs related to risk management and control enhancements implemented to prevent future operational losses.

•Operational loss event means an event that results in loss and is associated with any of the seven operational loss event type categories

•A minimum of five years of historical data is required

Basel II OverviewPillar I – Operational Risk AMA: Core Component - Internal Loss Data

Bank must track internal loss data according to following criteria:

• Must have written policies and procedures related to collection of losses that will be used consistently across a bank.

• Must collect the loss data using Basel II defined loss event categories as well as Basel II defined business lines shown on next slide. (A bank is not required to organize the company along Basel II business lines nor it is required report its operational losses along Basel II loss event categories. However, it must be able to map its own business lines and loss event categories to supervisory definitions per the Final Rule).

• Must have documented procedure for assessing the on-going relevance of historical loss data.

• Must be comprehensive and complete. Must have documented justification for any excluded activities, losses, or business line.

• Must have documented criteria with supporting rationale to show allocation of losses from support functions.

• Must have documented criteria with supporting rationale to show allocation of losses from a single loss event to multiple business units.


• A bank must incorporate proper treatment of operational losses that also could be attributed to either credit risk or market risk.

• A banks must treat operational losses that are related to market risk as operational losses for purposes of calculating risk-based capital requirements under this final rule. For example, losses incurred from a failure of bank personnel to properly execute a stop loss order, from trading fraud, or from a bank selling a security when a purchase was intended, must be treated as operational losses.

• Under the proposed rule, banks would treat losses that are related to both operational risk and credit risk as credit losses for purposes of calculating risk-based capital requirements. However, a bank must include credit risk boundary losses in its operational risk loss data base to understand and perform root cause analysis and implement steps to reduce such losses.

Basel II OverviewPillar I – Operational Risk AMA: Core Component - Internal Loss Data: Boundary Losses

• The internal loss database must include all business lines, geographic locations, and bank activities.’

• A bank should also collect “near miss” events into its database. However, it is a challenge to define a “near miss” event and collect it consistently across the entire company.

• AMA data maintenance requires significant up-front investment & far reaching enterprise-wide process changes

• To use internal estimates for regulatory capital, banks must:– Collect & analyze essential OpR loss data inputs consistently

– Perform “front end” validation & back testing

– Make ongoing refinements to the AMA data capture system

– Maintain data over long timeframes

• Systems to fully implement AMA do not exist today at most banks

• Mergers & acquisitions will need to be integrated

Basel II OverviewPillar I – Operational Risk AMA: Core Component - Internal Loss Data: Comprehensiveness

Seven Level I Loss Event Categories

1. Internal Fraud

2. External Fraud

3. Employment practices and workplace safety

4. Clients, products and business practices

5. Damage to physical assets

6. Business disruption and system failures

7. Execution, delivery and process management

Eight Basel II Defined Business Lines*

1. Corporate Finance

2. Trading & Sales

3. Wholesale Banking

4. Retail Banking

5. Payment & Settlement

6. Agency Services

7. Asset Management

8. Retail Brokerage

9. Other / Corporate(* Support functions such as HR, Finance, etc. are allocated to business lines

for the purpose of capital calculation.)


The final rules define external operational loss event data for a bank as gross operational loss amounts, dates, recoveries, and relevant causal information for operational loss events occurring at organizations other than the bank.

• A bank must establish a systematic process to determine its methodologies for incorporating external operational loss event data into its operational risk data and assessment systems.

• The external loss data is required for the following reasons:

– Limited internal operational loss event data;

– Need to understand industry loss experience;

– A measure to assess the adequacy of a bank’s own internal loss event data

• Two major sources of External Loss Event data

– Vendor provided data (Fitch Algo OpVantage)

– Industry Consortium (ORX, ABA)

Basel II Overview Pillar I - Operational Risk – AMA: Core Component - External Loss Data

• A bank must have a systematic process for determining its methodologies for incorporating scenario analysis into its operational risk data and assessment systems.

• It is especially relevant for business lines or operational loss event types where internal data, external data, and assessments of the business environment and internal control factors do not provide a sufficiently robust estimate of the bank’s exposure to operational risk events with high severity.

• Scenario analysis provide a means for a bank to incorporate a forward-looking element into its operational risk data and assessment systems.

• Scenario analysis should draw upon knowledge and experience of business managers as well as risk experts.

Basel II OverviewPillar I - Operational Risk – AMA: Core Element - Scenario Analysis

• Internal and external operational loss event data provide a historical perspective on operational risk. It is also important that a bank incorporate forward-looking elements into its operational risk data and assessment systems.

• A bank must incorporate business environment and internal control factors into its operational risk data and assessment systems to assess fully its exposure to operational risk.

• Key Elements of BE&IC are:• Inherent Risk

• Current Control Environment

• Residual Risk

• Direction of Risk

• A bank must prepare a composite Operational Risk Profiles.

• Based on the composite risk profile, a qualitative adjustment factor is calculated to adjust capital exposure calculated based on internal and external loss data.

• Process and outcome should be periodically validated through comparison to actual internal loss experience (known as back-testing).

Basel II OverviewPillar I - Operational Risk – AMA: Core Components – Risk and Control Self Assessment (RCSA) / Business Environment & Internal Control Factors (BE&CIF)

• U.S. banks are given significant flexibility in operational risk model design. A bank must have an operational risk quantification system that generates estimates of its operational risk exposure using its operational risk data and assessment systems.

• The final rule defines operational risk exposure as the 99.9th percentile of the distribution of potential aggregate operational losses, as generated by the bank’s operational risk quantification system over a one-year horizon (and not incorporating eligible operational risk offsets or qualifying operational risk mitigants).

• The bank’s analytical framework must use the combination of internal operational loss data, relevant external data, business environment and control assessments, and scenario analysis.

• The capital requirement is sum of EL and UL unless the institution can demonstrate, consistent with supervisory standards, the EL offset.

The mean of such a total loss distribution is the bank’s EOL. The final rule defines EOL as the expected value of the distribution of potential aggregate operational losses, as generated by the bank’s operational risk quantification system using a one year horizon.

• The bank’s UOL is the difference between the bank’s operational risk exposure and the bank’s EOL.

• Risk mitigation for operational risk, via insurance, subject to regulatory approval.

• Bank’s measurement approach must meet both qualitative and quantitative standards. Expectation is that the approach will be granular

– Need as many data points as possible in order to increase statistical precision– Fewer data points will lead to more focus on qualitative processes

Basel II OverviewPillar I - Operational Risk – AMA: Core Components - Risk Quantification and Capital Modeling

• Banks have considerable flexibility in developing operational risk management, data and assessment, and quantification processes that are appropriate for the nature of their activities, business environment, and internal controls.

• Banks are expected to uniquely tailor the framework to its organizational structure and culture.

• A bank’s operational risk capital charge will be an internally generated measure using the bank’s own operational risk measurement systems

• Key elements that must be incorporated into an AMA measurement system are: Internal Loss Data

External Loss Data

Scenario Analysis

Business Environment and Internal Control Factors

• A bank may develop and use Key Risk Indicators (KRIs) to: Monitor its operational risk

Support its risk assessment process

Provide additional information for its operational risk capital model

Pillar I - Operational Risk – AMACore Components - Risk Quantification and Capital Modeling

• Scoring information• Loss summary• Emerging risk• Potential exposure

RCSA

Scenario Analysis

Risks, Controls, KRIs,

Mitigants, Severity,

Frequency

KRIs

External Data Management Reporting

Economic Capital

Calculation

Loss Event Data


Expected loss

99%

Unexpected loss

Loss amount(capital)

Net risk(residual risk)

99.9%

Catastrophic loss

Gross risk(inherent risk)

Probability

Expected loss

99%

Unexpected loss

Loss amount(capital)

Net risk(residual risk)

99.9%

Catastrophic loss

Gross risk(inherent risk)

Probability


R I S K S T R A T E G Y

I N F O R M A T I O N T E C H N O L O G Y

O R G A N I Z A T I O N A LS T R U C T U R E

LossData

Capital Modeling

Risk Assessment

Key Risk Indicators

B U I L D I N G B L O C K S

Mitigation

Definitions, Linkages and

Structures

R E P O R T I N G

Monitoring

Management

Reporting

AssessmentIdentification

Basel II OverviewPillar I - Operational Risk AMA: Core Components of an Operational Risk Framework

Close link required between Pillar I regulatory parameters and parameters used in risk management framework

Sophistication of Pillar I approaches requires comparable sophistication in risk management framework

Basel II OverviewPillar II – Supervisory Review and Internal Capital Adequacy Assessment Process (ICAAP)

Pillar 1 Risk Types

Counterparty risks Interest rate risks in the banking book Liquidity risks

Operational risks Strategic risksReputation risks

Real estate valuation risks

Business riskMarket risks in the trading book

Capital Requirement

No Capital Requirement

Basel II OverviewPillar II – Supervisory Review and Internal Capital Adequacy Assessment Process (ICAAP): Risk Types Beyond Pillar I

Concentration risks

• Bridge gap between capital requirement and remaining risks

• Risk management enhancement

• Regulator assessment

Consequence 1 Consequence 3Consequence 2

Banks and regulator dialogue

Quantitative, as well as existing qualitative orientation

Structuring of regulatory

supervision

Pillar 2 Main Goals

Basel II OverviewPillar II – Supervisory Review and Internal Capital Adequacy Assessment Process (ICAAP): Role of Supervisors

ComprehensiveRisk

Assessment

Monitoringand

Reporting

Sound Capital

Assessment

Risk-Adjusted Business

Performance Evaluation

Internal Controls Review

Basel II OverviewPillar II – Supervisory Review and Internal Capital Adequacy Assessment Process (ICAAP): Capital Planning Process (ICCAP)

How will the supervisor provide necessary resources and how will costs be covered? Will principles be applied across the board?

Impact of benchmarking effect industry practices and Interagency influence?

How should the Basel II implementation be harmonized? (Home Host Issue)

Basel II OverviewPillar II – Supervisory Review and Internal Capital Adequacy Assessment Process (ICAAP): Open Questions for Implementation and Qualification







• Pillar III - Disclosure



Goals • Higher transparency of business and risk structures

• Strengthened risk management and internal control systems

Consequences • Investors distinguish between well and badly managed banks

– Well managed banks benefit from better market conditions

– Badly managed banks penalized by the market

Basel II OverviewPillar III – Disclosure: Market Discipline

• Base Case: (6 mo)• Qualitative and

stable information (12 mo)

• Quantitative and volatile information (3 mo)

• Banks with low risk profile (12 mo)

• Restricted Disclosure

• No detailed information required to public

• Full set of information to regulatory body

• Large degree of national discretion

• Materiality definition dependent on information disclosed

• Dialogue with accounting bodies necessary

Frequency MaterialityConfidentiality

Basel II OverviewPillar III – Disclosure: Basic Considerations

Subject of Disclosure Details

Scope of application Group of consolidation

CapitalStructure

Adequacy

Risk positions and risk assessment

Credit risk

Market risk

Operational risk

Interest rate risk in the banking book

Basel II OverviewPillar III – Disclosure: Scope of Disclosure


• Pillar I – Minimum Capital Requirements

• Pillar I – Wholesale Credit Risk









1. Written Basel II Implementation Plan

• “Mandatory” U.S. banks must adopt a written Basel II implementation plan no later than 6 months after the effective date of Final Rule. The plan must incorporate an explicit first floor period start date no later then 36 months after the effective date of the Final Rule

• The bank’s implementation plan must address in detail how the bank complies, or intends to comply, with the qualification requirements (including data, models, systems, resources)

• The bank also must maintain a comprehensive and sound planning and governance process to oversee the implementation efforts.

• At a minimum, the Basel II implementation plan must:

– Comprehensively address the qualification requirements for the bank and each consolidated subsidiary (U.S. and foreign-based) of the bank with respect to all portfolios and exposures of the bank and each of its consolidated subsidiaries

Basel II OverviewQualification Process: Regulatory Expectations

1. Written Basel II Implementation Plan (continued)

• Justify and support any proposed temporary or permanent exclusion of immaterial business lines, portfolios or exposures from application of the advanced approaches

• Include the bank’s self-assessment of its current status in meeting the qualification requirements; and the consistency of its current practices with the supervisory guidance for the advanced approaches

• Based on the self-assessment, the bank must identify areas in which it needs to undertake additional work to comply with the qualification requirements (gap analysis)

• Describe the specific actions the bank will take to address the areas identified in the gap analysis

• Identify objective, measurable milestones, including delivery dates and the date when the bank’s implementation of the methodologies will be fully operational

• Describe resources that have been budgeted and are available to implement the plan

• Receive Board of Directors approval

Basel II OverviewQualification Process: Regulatory Expectations (continued)

2. Parallel Run

• Before determining its risk-based capital requirements under the advanced methodologies, the bank must conduct a successful parallel run.

• A satisfactory parallel run is a period of no less than 4 consecutive calendar quarters during which the bank complies with all of the qualification requirements to the satisfaction of its primary U.S. supervisor

– Comprehensively address the qualification requirements for the bank and each consolidated subsidiary (U.S. and foreign-based) of the bank with respect to all portfolios and exposures of the bank and each of its consolidated subsidiaries

3. Ongoing Compliance Process

• The bank must have an adequate process to ensure ongoing compliance with the qualification requirements

4. Transitional Floor Period

• 1st floor year – 95% transitional floor percentage

• 2nd floor year – 90% transitional floor percentage

• 3rd floor year – 85% transitional floor percentage


5. Supervisory Review Process (Pillar 2)

• Comprehensive supervisory assessment of capital adequacy

– U.S. Regulators must perform a more comprehensive assessment of capital adequacy that considers risk specific to the bank, conducting analyses that go beyond minimum regulatory capital requirements

• Compliance with regulatory capital requirements

– Each bank applying the U.S. advanced framework must have appropriate risk measurement and management processes and systems that meet the rule’s qualification requirements

• Internal capital adequacy assessment process (ICAAP)

– The bank must have a rigorous internal process, the ICAAP, for assessing its overall capital adequacy in relation to its risk profile and a comprehensive strategy for maintaining an appropriate level of capital

– The fundamental objectives of a sound ICAAP are:- Identifying and measuring all material risks (including credit, market, operational, interest

rate, liquidity, reputational, strategic, country and concentration risks)

- Setting and assessing internal capital adequacy goals that relate directly to risk

- Ensuring the integrity of internal capital adequacy assessments


Basel Accord Implementation Timeline

• From YE 2006: First Possible Year for Parallel Calculation and Impact Studies on Advanced Approaches; and Standardized and Foundation approaches to be implemented

• From YE 2007: Second Parallel Calculation Year for Advanced Approaches

• From YE 2008: First Possible Year for Implementation of Advanced Apporaches -- Transitional Floor of 90%.

• From YE 2009: Second Possible Year for Implementation of Advanced Approaches -- Transitional Floor of 80%.

U.S. Basel II Implementation Timeline *

• 27 March 2007: Comments Due on Basel II NPR and Basel IA NPR

• 29 May 2007: Comments Due on Proposed Supervisory Guidance for Advanced Approaches and Pillar 2

• 01 January 2008: First Possible Year for Parallel Run of Basel II Advanced Approaches

• 01 January 2009: First Possible Year for 1st Transitional Floor of 95%

• 01 January 2010: First Possible Year for 2nd Transitional Floor of 90%

• 01 January 2011: First Possible Year for 3rd Transitional Floor of 85%.

• July 2009: Enhanced guidance on Basel II

* Delayed with first initial parallel run now in 2009

Basel II OverviewQualification Process: Comparison of EU and US Basel II Implementation Timelines


• Pillar I – Minimum Capital Requirements

• Pillar I – Wholesale Credit Risk









Governance

• According to The Final Rule (Part III, Section 22(j)(5) a bank must have an

Internal Audit function that is independent of business-line management and

at least annually assesses the effectiveness of the controls supporting the bank’s

advanced systems and reports its findings to the bank’s board of directors (or a

committee thereof).

Basel II OverviewBoard and Internal Audit Responsibilities

Credit IRB

• Internal audit must, at least annually, assess the effectiveness of the controls supporting the IRB system and report its findings to the board of directors (or a committee thereof).

– A bank must have an Internal Audit function that is independent of business line

management and that assesses at least annually the effectiveness of the controls

supporting the IRB system and reports its findings to the board of directors (or its

designated committee).

– At least annually, Internal Audit should review the validation process including

procedures, responsibilities, appropriateness of results, timeliness, and

responsiveness to findings.

– Further, Internal Audit should evaluate the depth, scope, and quality of the

independent review processes and conduct appropriate testing to ensure that the

conclusions of these reviews are well founded.


Credit IRB (continued)

• Banks’ internal credit assessment processes should be comprehensive, transparent,

independent, well-defined, and fully documented.

– The bank must have an Internal Audit function independent from the ABCP

program business line and internal credit assessment process that assesses at least

annually whether the controls over the internal credit assessment process function

as intended.


Operational Risk

• The bank must validate, on an ongoing basis, its AMA system. The bank’s validation process must be independent of the AMA System’s development, implementation, and operation, or the validation process must be subject to an independent review of its adequacy and effectiveness.

– Banks may use independent and qualified internal (for example, Internal Audit, and quality assurance) or external parties to perform verification and validation. The verification and validation functions should annually assess and report to the board of directors on the adequacy of the overall AMA System.

– The independent assessment should include the review of both the accuracy and integrity of the AMA System, control elements, as well as the scope and effectiveness of operational risk reporting. The verification and validation functions should also review reporting processes to ensure the timeliness, accuracy, and comprehensiveness of operational risk reporting systems, both at the firm-wide and the line of business levels.


Operational Risk (continued)

– Other areas of assessment include, but are not limited to:

- Organizational structure, governance, and oversight;

- Internal and external data sources, collection processes, and repositories;

- Scenario analysis;

- Reporting and MIS;

- Business environment and internal control factor assessments

• The bank must ensure that an effective framework is in place to identify, measure, monitor, and control operational risk, and to accurately compute the bank’s operational risk component of the bank’s risk-based capital requirement. The board of directors must at least annually evaluate the effectiveness of, and approve, the bank’s AMA System, including the strength of the bank’s control infrastructure. (Note: this requirement underscores the role and responsibility of Internal Audit)


Operational Risk (continued)

The board of directors and management should ensure that the bank’s operational risk management, data and assessment, and quantification processes are appropriately integrated into the bank’s existing risk management and decision-making processes and that there are adequate resources to support these processes throughout the bank.

– Important sources of information about the effectiveness of the AMA System include:

- Internal Audit’s annual review of the effectiveness of operational risk controls and the independent verification function’s annual assessment of the adequacy of the overall operational risk framework, and

- The results of the validation function’s testing of model results and assessment of quantification processes

ICAAP

Additionally, internal audit should play a key role in the controls and governance surrounding an ICAAP on an ongoing basis.


Ensure Appropriate Audit Program & Structure

Testing & Verifying Accuracy & Appropriateness of Risk

Management Framework

Data Inputs & Economic Capital allocation Support Board of Directors’ Oversight

• Basel II requires more of a continuous audit approach aligned with risk areas and categories

• Effective Internal Audit data gathering, systems & reporting processes

• Testing & model validation capabilities

• Sufficient & qualified audit staff resources, considering bank’s business lines / risk profile

• Succession planning, turnover & continuity issues

• Independence & access to Board

• Internal Audit must independently test & verify:– Key risk management

processes & systems for credit risk, operational risk, market risk; and securitization:

– Adherence to policies & procedures

– Quarterly Reporting requirements

– Accuracy of disclosures under Pillar 3

• Internal Audit (*) must independently test & validate the data collection & economic capital allocation methodologies, including:– Data feeds & processes

associated with credit risk, operational risk, market risk; and securitization exposures

– Adjustments to management’s empirical credit and operational risk estimates

– Periodic certification of credit, operational and market risk models and their assumptions

– Data integrity and comprehensiveness

• Internal Audit must summarize its findings & regularly report to Board or its delegated committee regarding both qualitative & quantitative Basel II factors, including:– Internal audit validation work– Appropriate allocation of

resources– Regularly verify adequacy of

internal control system & risk governance processes

– Internal Audit also must alert Board to identified risk issues that may impact the bank horizontally, across all units

(*) Or technically competent individuals who are independent of the development, implementation, or operation of the model should perform validation. These individuals may or may not be a part of the internal audit function. If validation is done by internal audit, staff performing the validation of bank models should not participate in the verification of the validation process.

Basel II OverviewSummary of Internal Audit’s Responsibilities for Basel II Implementation

Basel II Overview

Documents

Transcript of Basel II Overview