Newsletter January 2005
Agencies seek pragmatic solutions to op risk split
Practical issues loom large as Basel II implementation takes centre stage. Impact study and benchmarking might hold answers By Melvyn Westlake
"Pragmatic solutions" will be found to the thorny issues that surround the implementation of operational risk rules at large banks, and divide US regulators preparing the way for America's adoption of the new Basel capital accord. But, such solutions will have to take account of the practical realities and constraints that the banks face in trying to measure the op risks of their smaller subsidiaries, according to Kevin Bailey, deputy comptroller, regulation policy, at the Office of the Comptroller of the Currency, in Washington.
As the results come in from the recent quantitative impact study conducted in the US, as well as bank implementation case studies, and data collection and benchmarking exercises that are all key elements in the accord's American adoption process, "we will," he says, "have the information on which to take important decisions that we can all live with." As chairman of the Accord Implementation Group's newly formed Operational Risk Sub-Group, Kevin Bailey is also critically involved in the search for pragmatic solutions to the equally difficult cross-border implementation problems.
These problems have moved centre stage following last summer's publication of the new Basel capital accord - Basel II - aimed at bolstering the solvency of the international banking system. The Accord Implementation Group (AIG), set up by the Basel Committee, architect of the new accord, is becoming pivotal now that the main effort is on putting the new capital regime into practice.
Not least of the problems is how a bank deploying advanced measurement approaches (AMAs) calculates its exposure to such operational hazards as fraud, technology failures or trade settlement foul-ups when it has a large number of subsidiaries around the world, many of them quite small. As reported in the December issue of Global Risk Regulator, Washington's regulatory agencies are split over the proposed solutions.
The problem has both national and international dimensions. Within the US, the Federal Deposit Insurance Corporation, one of four Washington bank regulators, takes the view that each banking entity it insures must be fully capitalised on a stand-along basis against operational risk. Many regulators in countries that are host to the subsidiaries of global banking groups share this view.
The Federal Reserve Board, on the other hand, is sympathetic to the so-called "hybrid" approach to implementing AMAs. This approach, first proposed by the Basel Committee a year ago, would allow a banking group to use a combination of stand-alone AMA calculations for "significant" subsidiaries and an allocated portion of the group-wide AMA capital requirement for others. Banks prefer the hybrid approach because it allows them to obtain the diversification benefits of a large network, and will usually result in them holding less capital overall.
Although refusing to be publicly identified with either camp, deputy comptroller Bailey emphasises the problems that banks face in calculating AMAs for their smaller subsidiaries. "Banks simply cannot undertake a rigorous modeling of operational risk exposures at their non-significant subsidiaries. Whether there are data constraints or other practical constraints, they simply cannot undertake a modeling process that would pass supervisory muster," he says.
"Simply saying that banks must do it, ignores reality." Even if a parent bank were able to model an exposure at a very small subsidiary, "we supervisors have to make certain that the model appropriately reflects the riskiness of that individual entity.
"If there is insufficient data for that entity, it calls into question the legitimacy of its capital estimates," adds Bailey. "There are challenges for banks, but those challenges also have implications for supervisors, in their ability to rely upon the resulting capital numbers," he says.
"Significant" undefined
The Basel Committee deliberately chose not to define what it meant by "significant." Giving this term greater definitional clarity is one of the tasks that the AIG's Operational Risk Sub-Committee, chaired by Bailey, is now struggling to achieve. The outcome of its endeavours is going to be particularly important for the home and host countries of an international active banking group with many subsidiaries.
Despite the different perspectives among Washington regulatory agencies about what is sometimes called the risk allocation problem, there is a general acknowledgement that any solution will have to balance "two fundamental realities that are in conflict," supervisors say.
One is the responsibility of directors and supervisors, at the individual subsidiary - or legal entity - level, to ensure that the capital number used for regulatory purposes accurately reflects the riskiness of that entity's activities. "This is the issue that the FDIC has quite appropriately identified," says the OCC deputy comptroller.
The conflicting reality is that many of the large financial conglomerates manage their exposures on a business line basis and the data that is available can differ drastically from subsidiary to subsidiary.
Whatever the final pragmatic solution may be, the op risk exposure estimate must reflect the relative riskiness of a given subsidiary, says Bailey. "That is an area where everybody agrees. The question is how best do you get to that."
However, the deputy comptroller is confident "that we can craft a solution that addresses the concerns of both sides."
Supervisors in the US are just starting to examine the early results of the fourth quantitative impact study (QIS4), to look at the real effect on banks of the Basel II rules, an exercise being carried out in some other countries, including Britain and Germany. A few banks have also started putting their implementation plans into effect. Additionally, a loss data collection exercise (LDCE) has recently been undertaken.
When supervisors have finished examining all the resulting information, they will, at least, have a better sense of the real scale of the problem. "Once you address some of the component parts of the problem, whether it is treatment of retail fraud or the amount of available data in certain exposure types, I think the issues become narrower and easier to deal with," explains Bailey. Examining the underlying components of these issues will allow some of them to be dealt with more readily, and "the problem areas of potential dispute become smaller," he adds.
A UL and EL question
Another area of operational risk that is not completely resolved is exactly when regulatory capital is required to cover both expected and unexpected losses and when it covers unexpected losses only. A similar question in relation to credit risk became the source of some controversy earlier, until a formula was devised in autumn 2003, which allowed unexpected losses (UL) to be covered by capital and expected losses (EL) to be met from reserves.
In the case of credit risk, a bank holds an asset offset by reserves. But in op risk, there is no asset, only an exposure. The Basel II text says that the regulatory capital requirement for op risk should be the sum of EL and UL, unless the bank can "demonstrate to the satisfaction of its national supervisor that it has measured and accounted for its EL exposure."
The problem is that it is not clear what "accounted for" means - whether it means banks holding reserves or, perhaps, pricing the risk into the cost of the product. The most frequently cited example is credit card fraud and the average rates of interest that banks charge to cover such losses.
QIS 4 questionnaire
Washington supervisors are seeking to gain a better understanding of this issue by asking for additional information in the questionnaire that accompanied the QIS4 spreadsheets sent to around 30 of the largest US banks. Bankers were specifically asked how they believe they can demonstrate that they have measured and accounted for expected op risk losses.
The questionnaires actually sought additional information on a wide range of issues. Together with the spreadsheets, they were all due to be sent back to regulators by January 28, although at least another two weeks will be needed for analysis of the results before a clear picture emerges. Unlike the internationally-co-ordinated QIS3 exercise two years ago, supervisors will go back to the banks for more information and clarification, if necessary. "The bar has been raised for QIS4, to ensure better data quality," says Bailey.
Separately, US supervisors have completed two to three week on-site visits at a number of banks for what is called a benchmarking exercise. This was designed to check whether the supervisory guidance and standards published in August 2003, remained appropriate; and to give an idea of the current state of development of op risk measurement and management processes at the banks. The aim was to see whether concepts and standards developed by supervisors actually made sense in the real word of banking. Supervisors report that it proved a very successful exercise. An up-dated guidance document is likely to be published in the second half of this year.
On top of this, a loss data collection exercise has also recently been completed. Internal loss data is a critical element of AMA risk modeling. The loss data collection exercise was aimed at getting a more granular breakdown of the nature and volume of these internal losses.
Now, US supervisors say, the absolute priority is to produce the Notice of Proposed Rulemaking (NPR), scheduled for June. Unlike the Advanced Notice of Proposed Rulemaking, issued in the summer of 2003, which only described the proposal, the NPR will provide the regulation text. Keeping to the timetable is critical if the new bank capital regime is to take effect in the US as planned at the beginning of 2008.
The Operational Risk Sub-Group is also facing a tight timetable in finding pragmatic solutions to op risk implementation issues. It was formed as a result of a recent restructuring of the Basel Committee's hierarchy of sub-committees, which saw the demise of the Risk Management Committee, as the focus shifted from writing the new rules to making them work. Kevin Bailey identifies four broad categories of issues that the Operational Risk Sub-Group is trying to tackle.
The broadest category relates to home-host issues, such as the risk allocation problem. Dividing regulatory responsibilities between home and host countries raises issues that are certainly not exclusive to op risk, or even the Basel bank capital regime. At heart it turns on whether a supervisor in one country can rely on the work of a supervisor in another country, comments Bailey. The question is how best to coordinate supervision of financial institutions that operate in many countries, he adds.
Corporate governance
Other categories of issues that the sub-group will deal with concern the quality and appropriate use of data, AMA risk modeling and corporate governance. Explaining the inclusion of corporate governance issues on the sub-group's agenda, the deputy comptroller says: "the objective of the advanced approach to operational risk measurement [and advanced credit risk calculations] is not simply to get to a number, but to ensure banks meet the intended risk management objectives. And that will entail an appropriate level of scrutiny by the board of directors, by senior management, by heads of individual business lines and by an audit process. These are all critical elements of a [big banking group's] internal controls and risk management."
