Response to consultation on Regulatory Technical Standards on operational risk loss

Question 1: Do you think that the granularity of and the distinction between the different Level 2 categories is clear enough? If not, please provide a rationale.

General Remarks:

  • The proposed change in data governance is perceived as (a) rather disruptive as it is diverging from the Basel taxonomy (in Level 1 and Level 2) and (b) disproportionate in terms of the requirement to reclassify historical data, which will be very burdensome. Some attributes and their additional benefit and/or definitional boundaries remain unclear and further clarification is needed, for example concerning the flags “Legal risk – other than misconduct” (see Q7) or “greenwashing risk” (see Q4).

  • In principle, we consider the consultation deadlines specified by the EBA to be too short and would prefer a) a longer consultation phase or b) a further consultation phase at a time when all relevant technical standards, some of which build upon each other (data structure and the associated reporting system), are available. Only in this way can institutions carry out a comprehensive analysis of the proposed regulations.

     

  • The implementation of the new taxonomy and the associated complex mapping of legacy data to the new taxonomy also requires far-reaching changes; in particular, software solutions must be further developed. We therefore request a sufficient implementation period and clear instructions for the (re)mapping with the new classification criteria (especially concerning the new Level 2 categories and the existing Basel Level 2). We propose first-time application on 1 January 2026, but at least one year after the final RTS is published.

  • The definition of market risk in connection with operational risk is significantly expanded in this technical standard. We consider this expansion to be excessive, as the additional expense for labelling is not offset by any added value for the management of operational risks. The losses concerned are already part of the loss data collection and are included in all processes (reporting, economic capital calculation, management, etc.), meaning that this expansion is not necessary for the adequate mapping of operational risks.

 

Question 1: Do you think that the granularity of and the distinction between the different Level 2 categories is clear enough? If not, please provide a rationale.

  • Some of the Level 2 categories are defined very granularly. For example, we do not agree with the Level 2 categories of Level 1 Event “External Fraud” in terms of “First party fraud”, “Second party fraud” and “Third party fraud”. For risk controlling aspects there is no added value in distinguishing between these fraud types. It makes more sense to distinguish between fraud types like Phishing, Check fraud, Payment fraud, Account opening fraud, Theft and so on.
    In addition, we do not agree with the shift of IT failures related to management of transactions to the Level 1 event type “Execution, Delivery & Process Management”. Whether IT failures are related to management of transactions or not, there should not be a different handling in the Level 1 event type.

     

  • Overall, considerable manual effort is required to adjust the data history to the new Level 2 categories. In addition, the current Level 2 categories do not appear to focus consistently on the causes of the events, but rather partly on their effects (see category 7.1). We therefore suggest streamlining and revising the current categorisation.

 

  • According to the presentation at the public hearing on 4 July 2024, some attributes must be assigned on a mandatory basis, while others are optional. Does the optional assignment refer to ‘white’ fields to which damage events can be added? If entire attributes are optional, please clarify which attributes this applies to.

Question 2: Do you perceive the attribute “greenwashing risk” as an operational risk or as a reputational risk event? Please elaborate.

In our opinion, the attribute ‘greenwashing risk’ can impact both types of risk. Example:

 

  • Operational risk: Following a court judgement against a financial institution in connection with greenwashing, compensation payments are required to be made to customers.

 

  • Reputational risk: Damage to reputation from the same issue that was made public in different media.

Question 3: To which Level 1 event types and/or Level 2 categories would you map greenwashing losses? Please provide a rationale.

L1: Clients, Products & Business Practices, L2: Sale service failure, as greenwashing is always connected to a claim when materializing as an OpRisk. The respective claim always contains a mis-selling / incorrect advice aspect.

Nevertheless, greenwashing risk is a part of transition risks. Hence, a separate attribute is not necessary from our perspective; at the least, this should be made clear in the definition of the “transition risk” attribute (see Q4).

Question 4: Is “Environmental – transition risk” an operational risk event? If yes, to which Level 2 categories should it be mapped? Please provide a rationale.

Environmental risk and broader ESG factors are primarily drivers of existing traditional risks such as market risk or credit risk, thus large parts of what constitutes transition risks are already covered by other risk categories. But they can lead to operational risk, for instance if there is a penalty. 

However, we want to stress that we disagree with the introduction of an independent “Greenwashing risk” attribute, which is not known to CRR3 (see Art. 4 52g encompassing greenwashing). Given that the proposed framework associates the ESG attributes to few or no risk categories, we do not understand the “split” in 5 attributes as it will lead to difficulties in differentiation and is not aligned with the current status of ESG risk management practices, especially in the case of “greenwashing risk”. In our view, further clarification of the definition and the provision of examples are necessary in any case to make the distinction more comprehensible. Besides “greenwashing risk”, which should be considered part of “transition risk”, it could be mapped to different Level 2 categories. For instance:

  • Increased error rate in the execution of existing processes due to Environmental risks (e.g., Transaction Mgmt., ext. Reporting) (L1: Execution, Delivery & Process Management, L2: Processing / execution failures)
  • General inappropriate market and sales practices that may be considered bad ESG conduct as defined by Conduct Risk (negligence) and lead to lawsuits. (L1: Clients, Products & Business Practices, L2: Improper market practices, product and service design or licensing).
  • Misuse of confidential information (information theft, whistleblowing) by internal ‘ESG fundamentalists’. (L2: Inadequate Employment practice).

Question 5: Which of these attributes do you think would be the most difficult to identify? Please elaborate.

Attribute “Credit risk boundary (those not included in RWA on credit risk)” is the most difficult to identify. We believe that this flag could never be used because each fraud case related to credit risk leads to a default. As each default is considered in the credit risk RWA as per definition, there should be no gap. Further examples would therefore be helpful in this context to accurately identify the attribute; this also applies to market price risk. In the case of model risk, we see difficulties in distinguishing it from other risk types, considering that AI-driven algorithms could potentially be regarded as separate models in the future.

Furthermore, we see difficulties in the precise classification of governance risks (definition according to Art. 4 (52) (i) CRR is unspecific) and social risks (definition according to Art. 4 (52) (h) CRR is unspecific). The same applies to the Environmental Risk - Transition Risk attribute already commented on above.

In addition, we believe that the attribute “Third party risk” should not be set in case of a “Third party fraud” event. “Third party risk” is always connected to an outsourcing provider, its subcontractors or a supplier.

Question 6: Do you agree with the inclusion of the attribute “Large loss event”? If not, please elaborate.

We understand the banking supervisory authorities' interest in this information, which in our view could equally be made available via regulatory reports (irrespective of its inclusion as a separate attribute). In our view, there is a fundamental contradiction between the dynamic attributes ‘Large Loss Event’ and ‘Ten Largest Loss Events’ and the other absolute attributes. For reasons of consistency, we therefore suggest dispensing with these attributes and reporting them elsewhere.

As a minimum, we consider it necessary to clarify the definition of the attributes ‘large events’ and ‘ten largest loss events’. It is currently not clear for which period these are to be determined (on a quarterly or annual basis). The labelling could only be temporary for some loss events, as larger losses may have been added over time. Would the attribute then have to be deleted again?

If the major loss event is included as an attribute, we also have the question of whether this attribute should be updated regularly for historical loss events on the basis of the last 10 financial years and which date should be selected for the first calculation. In the case of provisions (particularly for legal risks), reversals/additions to provisions also result in changes in gross and net losses.

Question 7: Do you think that the granularity of the proposed list of attributes is clear enough? Would you suggest any additional relevant attribute? Please elaborate your rationale.

At this stage, we advise against making strict guidelines as to which links between Level 1 categories (Level 1 event types) and the new attributes (e.g. governance risk) are permissible or not permissible and to first gain experience with flagging the data. The matrix already reveals gaps in the governance risk (e.g. losses from structurally flawed process design cannot be assigned to an approved level 1 category) and social risk categories. Permissible and impermissible connections cannot yet be conclusively determined. Initial experience with the flagging of data should therefore be gained in order to ensure adequate control according to the new attributes.

Further ambiguities that will only become fully apparent in practice are, for example, the attributes social risk and greenwashing, which are closely linked according to EBA report EBA/REP/2024/09, but have no overlaps in the taxonomy. This makes the categorisation all the more complex. This is another argument for including greenwashing risk as part of environmental risk – transition risk. This should be recognised in the definition (see Q4).

Also, Legal risk – Misconduct and Legal risk – Other than conduct should not be mapped to internal fraud. We believe that an event qualifies as a legal risk event if the error was not made intentionally, because in cases of intentional misconduct there would be no legal proceeding. Intentional fraud cases are “compliance risks”, which is why we suggest including compliance risk as an attribute but merging Legal risk – misconduct and Legal risk – Other than conduct into one attribute. A cyber risk attribute would be helpful as well.

Question 8: Would it be disproportionate to also map the three years preceding the entry into force of these Draft RTS to Level 2 categories? If yes, what would be the main challenges?

We consider this requirement to be disproportionate compared to the additional benefits achieved. The assignment of loss events to the new Level 2 event categories requires in-depth and previously unrecorded detailed information. We have to consider each loss event case by case and map them to the new Level 2 categories or set the attributes manually. For instance, our current Level 2/Level 3 risk taxonomy is more detailed, e.g., for External fraud (Phishing, Check fraud, Payment fraud, Account opening fraud, Theft...). In the case of historical loss events, this requires particularly extensive research, which would involve considerable effort. There is no clear rule on how to map them according to the new taxonomy (Third-, Second- and First-party fraud). In addition, our current risk taxonomy contains IT related errors, but not the cause (hardware, network or software failure or inadequate business continuity planning). We propose not to map the historical loss data according to the new taxonomy.

Question 9: Is the length of the waivers (three years and one year) for institutions that, post merger or acquisition fall into the EUR 750 million – EUR 1 billion band for the business indicator, sufficient to set up the calculation of the operational risk loss following a merger or acquisition? If not, please provide a rationale.

NA

Question 10: Are there other cases where it should be considered to be unduly burdensome for institutions to calculate the annual operational risk loss?

NA

Question 11: Which of the provisions of Article 317(7), as developed by the draft RTS on the development of the risk taxonomy, and Article 318 of the CRR would be most difficult to implement after a merger or acquisition for the reporting entity? Please elaborate.

In general, we consider the subsequent categorization of loss events in the granularity outlined in the draft RTS—especially for the acquiring company—to be disproportionately time-consuming.

Question 12: In your experience, would the provisions of this article apply to most mergers and acquisitions, or would data usually be promptly implemented in the loss data set of the reporting institution?

In our view, the following applies to all subsidiaries acquired as part of mergers and acquisitions:

If the acquired company has previously maintained a loss database that includes a categorisation according to the previous methodology or according to the methodology of the new CRR III, the integration of a loss dataset can be completed more quickly and easily than if no such categorisation exists.

The further the requirements for the data set are expanded or extended (e.g., now through the attributes), the more complex the migration of the loss dataset becomes. This applies in particular to the loss dataset of subsidiaries that are not financial institutions.

Question 13: Are there other adjustments that should be considered in these draft RTS? If yes, please elaborate.

The distinction between the attributes ‘Misconduct’ and ‘Other Than Conduct’ for Legal Risk seems superfluous to us, as Misconduct is always directly linked to the Level 2 category, so there is no flexibility here. The Misconduct attribute therefore does not add any information. The same applies to the ‘Model Risk’ attribute. These can therefore be removed or merged with other attribute categories.

We do not consider the use of 4 aggregated business segments within the scope of the report instead of the established 9 business segments (BBLs) to be effective. The approach would have no recognisable added value, but could have a negative impact on the management of operational risks. Many methods and processes are based on the established 9 BBLs and have proven their worth (especially with regard to data exchange with other institutions). If the regulator now implements a further simplified taxonomy, this could inadvertently lead to an adjustment of the data collection processes in the medium term. This would lead to a loss of information, which on the one hand would have a negative impact on the quality of the established monitoring processes in Pillar 2 and on the other hand would lead to significant efforts in the long term with regard to adjustments to processes and methods. We suggest retaining the existing 9 business areas in the report. If desired, the supervisory authority can perform an internal aggregation.

Name of the organization

German Banking Industry Committee