Response to consultation on Regulatory Technical Standards on operational risk loss

Question 1: Do you think that the granularity of and the distinction between the different Level 2 categories is clear enough? If not, please provide a rationale.

We would like to raise some concerns about the granularity of, and the distinction between, the different Level 2 categories.

Due to the very detailed classification and heterogeneity of the Level 2 categories, banks will face very serious operational challenges. The current processes (e.g. the annual review of risk mapping, the development and maintenance of internal models for ICAAP purposes) and risk databases are based on the existing Basel 2 requirements, and they will need to be revised (including incident databases) to incorporate the more detailed second-level taxonomy of losses required by the draft RTS. This will require additional resources and effort given the short timeframe to implement these changes, and significant IT developments will be necessary.

We regret that the operational risk taxonomy proposed in the draft RTS is not more closely aligned with the EBA's SREP guidelines. For example, the categories “ICT data integrity”, “ICT change” and “ICT security risk” are not clearly identifiable in the draft RTS classifications, even though the ECB has explicitly requested that certain banks rely on the EBA's SREP guidelines on this matter. Banks need the SREP guidelines and the taxonomy set by the EBA RTS to be fully aligned.

Further clarification on the different Level 2 categories is needed on the following matters:

  • Level 1 “Internal Fraud”:
    • We propose to rename this Level 1 “Internal Fraud and internal attack”. As currently drafted, “internal fraud” covers both fraud originating from inside the institution and fraud committed against the institution. In our opinion, internal fraud means that the fraud originates from inside the institution, but it may be directed against clients or other stakeholders.
    • “Insider Trading not on institution’s account”: could you confirm that this indeed refers to an employee using insider information to trade for his or her personal account?
    • “Malicious physical damage to employees, institution’s physical assets and public assets”:
      • This Level 2 category does not appear to be well placed. We think it belongs in the Damage to Physical Assets event type, or in the Employment Practices and Workplace Safety event type if the damage affects an employee. However, if the objective is to keep this Level 2 category in the Internal Fraud event type, clarification would be needed as to whether it covers physical damage caused to employees, or rather damage caused by an employee to the institution's physical assets. If the latter, we propose to rename this Level 2 category “Malicious physical damage caused by employees to institution’s physical assets and public assets”.
    • “Internal fraud committed against the institution”: the fraud is committed by an internal party, but it must be directed towards the Group's assets.
    • The “Cyber-attacks” category, which is present in the External Fraud event type, should also be added to the Internal Fraud event type for completeness. Cyber-attacks could alternatively be integrated into the Level 2 category “Malicious physical damage caused by employees to institution’s physical assets and public assets”.

  • Level 1 “External Fraud”:
    • We propose to rename this Level 1 “External Fraud and external attack”.
    • Little or no information currently exists on the classifications “first party fraud”, “second party fraud” and “third party fraud”. Banks will have to go through all existing loss events in their risk databases and review each risk description before assigning it to the appropriate category; clarification would therefore be very helpful.

  • Level 1 “Clients, Products & Business Practices”:
    • The category “Improper market practices, product and service design or licensing” does not clearly distinguish between unintentional error and malicious behaviour.
    • The category “Rights/obligation failures in preparation phase” is not explicit enough: the notion of customer is not mentioned, so the definition of this category seems to correspond more closely to the event type “Execution, Delivery & Process Management”.
    • For the category “Insider Trading on institution's account”, could you confirm that this is the case where an employee uses privileged information to benefit clients?
    • The description of the category “Model / methodology design error” is not clear enough and is too restrictive. Impacts on customers can arise from errors in the design of a model and/or in its implementation in model systems. More generally, the description should refer to models used for commercial activities and cover both their design and their implementation.
    • The categories “Accidental sanctions violations” and “Accidental money laundering and terrorism financing” appear similar. Would it be possible to group these two categories into one? Furthermore, how should the accidental nature of these two Level 2 categories be assessed, as opposed to the Level 2 categories of the Internal Fraud event type, which mention the intentional aspect?
    • The category “Accidental money laundering and terrorism financing” seems misleading to us, as it also includes fines for deficiencies in AML processes where no accidental AML-related flows actually occurred.
    • The category “Insider trading not on institution's account” would also need to be clarified. We understand that it refers to trading on the employee's own/personal account.

  • Level 1 “Business Disruption and System Failures”:
    • For the category “Hardware failure not related to management of transactions”, what is meant by “management of transactions”?
    • “Inadequate business continuity planning / event management”: we do not understand why this line is present, as it is an organisational subject.

  • Level 1 “Execution, Delivery & Process Management”:
    • The “Improper distribution/marketing” category does not seem coherent: it mixes a type of risk and an activity.
    • “Model implementation and use”: could you confirm that this targets models specific to the institution (e.g. models for calculating own funds requirements, trading-room models for own-account trading)? In our view, this category should cover any model error that impacts the institution, whatever the nature of the error, from the design of the model through to its implementation, and not implementation alone.
    • “Third party management failures”: could you confirm that this category refers to losses linked to external service providers and not to intra-group losses? Furthermore, the notion of “third party” needs to be clarified. Should we refer to the TPRM concept (an entity providing a service) or to something else?
    • We have noticed that purchasing is not covered by the definition. Could you please explain the rationale?

In addition, we would like to highlight the following points:

  • For exhaustiveness, we believe it would be relevant to add a Level 2 category relating to theft in the Level 1 event type Internal Fraud. This would bring consistency with the Level 1 event type External Fraud and make it possible to distinguish internal theft from external theft.

  • The “misconduct” approach considers the responsibility of the group and not only the individual responsibility of its employees. The internal impact of employee misconduct is not considered in this taxonomy, which is therefore not aligned with the RTS definition (Article 4, paragraph 52a, point (d) of Regulation (EU) 575/2013).

  • We are also concerned by the introduction of the intentionality of the event, which is a significant change of paradigm: it would require a detailed analysis of past events and the identification of compelling evidence, and it would in addition duplicate risks depending on whether the event was intentional or not.

  • In the case of external fraud, we consider that the most relevant information for management purposes is not the “who” (first party, second party, third party) but the “how” (type of fraud, channel, product), so as to ensure the adequacy of risk mitigation and controls. In addition, little or no information currently exists on the classifications “first party fraud”, “second party fraud” and “third party fraud”. Banks will have to go through all existing claims in their risk databases and review each risk description before assigning it to the appropriate category.

Finally, we are concerned that the European Union has decided to move forward and propose a new taxonomy without first agreeing it at international level, for the following reasons:

  • The new taxonomy, as we explain in detail above, diverges from the Basel taxonomy, since the modification of the Level 2 categories implicitly generates a change in the Level 1 Basel categories.
  • It requires international banks to maintain two taxonomies at the same time: the EU one and the Basel one. Managing two taxonomies becomes even more complex for large international banking groups with a presence in both EU and non-EU jurisdictions. The new taxonomy has not been mapped to the Level 2 Basel taxonomy, which creates further difficulties for banks that need to maintain the full Basel taxonomy in some geographies.
  • We are very concerned that an international review may be carried out in the coming years to ensure the consistency of data across jurisdictions. If so, extra time and resources (consultancy, IT investments, etc.) would be required from institutions in the EU, which could have been avoided had the initiative been launched at international level.
  • We are also concerned that this initiative may lead other regulators to issue new taxonomies based on local priorities that would not be compatible with the European taxonomy.
  • Financial institutions cannot have a historical event allocated to two different Level 1 event types (it would defeat the purpose of having a taxonomy).

Question 2: Do you perceive the attribute “greenwashing risk” as an operational risk or as a reputational risk event? Please elaborate.

In its “Progress report on Greenwashing Monitoring and Supervision” published in May 2023, the three ESAs' high-level understanding is that greenwashing is a practice whereby sustainability-related statements, declarations, actions or communications do not clearly and fairly reflect the underlying sustainability profile of an entity, a financial product or financial services. This practice may be misleading to consumers, investors or other market participants.

This practice is not a risk in itself but should be considered an aggravating/triggering factor for risks, including operational and reputational risk (cf. paragraph 129 of the “Greenwashing Monitoring and Supervision” report published in September 2024: “While institutions could prioritise the integration of greenwashing-related financial risks as part of the management of conduct, operational and reputational risks, they should also consider assessing possible impacts on other types of risks. This could include taking into account the potential effects of greenwashing on liquidity and funding risks, for example as a result of funding withdrawal or reduced ability to issue green funding instruments.”).

Greenwashing can be considered a fact that generates reputational risk and liability risk. In the latter case, there may be a consequence for operational risk, liability risk being equivalent to legal risk.

However, conduct situations relating to green products and mis-selling can generate “green mis-selling”. In our view, those situations are the only greenwashing-related operational risk. A clear distinction needs to be made between greenwashing, which we do not consider an operational risk, and conduct situations.

Question 3: To which Level 1 event types and/or Level 2 categories would you map greenwashing losses? Please provide a rationale.

Greenwashing can lead to disputes with authorities, disputes with clients or disputes with third parties (such as NGOs). With regard to the proposed new taxonomy, and considering the previous answers, greenwashing could be mapped to:

  • Client mistreatment / failure to fulfil duties to customer, to cover the other conduct dimension (product not as green as presented)
  • Improper market practices, product and service design or licensing
  • Rights/obligation failures in preparation phase
  • Sale service failure, to cover green mis-selling
  • Client account mismanagement
  • Rights / obligation failures in execution phase
  • Improper distribution / marketing
  • Regulatory and Tax authorities, including reporting

Question 4: Is “Environmental – transition risk” an operational risk event? If yes, to which Level 2 categories should it be mapped? Please provide a rationale.

The direct impact of an ESG risk in the operational risk category is difficult to identify and assess, unless it is a physical or climate-related ESG risk with consequences for business continuity or for the value of the bank's assets. In our opinion, it would be considered an operational risk only in the specific cases of claims or summonses from clients, NGOs or authorities for non-compliance with ESG standards.

Question 5: Which of these attributes do you think would be the most difficult to identify? Please elaborate.

Pending losses. Pending losses are temporary and cannot be a stable taxonomy element used to qualify a risk event. The exercise is theoretical, as financial institutions have processes and rules dedicated to suspense account provisioning, depending on the materiality and age of the suspense item, and those processes and rules are the ones which take precedence.

In addition, pending losses are not considered losses as long as they have not been provisioned. Cash/security breaks have a dedicated process to ensure that they are correctly monitored according to their amount and age. In our opinion, pending losses should not be reported as losses but could be reported via KRIs.

Credit risk boundary (losses not included in RWA on credit risk). We do not understand what this attribute refers to. Operational losses at the credit risk boundary are included in credit risk RWA. It is not clear what losses could be “credit risk boundary” without being included in RWA on credit risk.

Question 6: Do you agree with the inclusion of the attribute “Large loss event”? If not, please elaborate.

As the definition of “large loss event” is based on the average annual loss calculated over the last ten financial years, this attribute may evolve over time. Correctly tagging losses will consequently require a review before each reporting submission, and not only at the time the loss is declared. This in turn will require further IT developments to ensure that the attribute is correctly updated on losses.

Accordingly, the attributes “large loss event” and “ten largest loss events” should not be part of the taxonomy: they are not qualitative attributes and are not stable over time, since an incident can be a large loss event in a given year/window and not in other years/windows. Moreover, these attributes need to be supported by dedicated and precise instructions, as is the case for COREP C17.02 or for the Stress Test. These two attributes are therefore reporting-related rather than taxonomy-related.

Question 7: Do you think that the granularity of the proposed list of attributes is clear enough? Would you suggest any additional relevant attribute? Please elaborate your rationale.

General comments:

Some of the attributes seem to be reporting attributes (e.g. large loss event, ten largest loss events) that can change over time, while others are risk attributes. The two should be distinguishable.

  • The attributes “Large loss event” and “Ten largest loss events” are financial attributes and make little sense in terms of operational risk. A loss event can be one of the ten largest loss events for a given reporting year but not for the following year, because some loss events are long-lasting. These attributes relate to reporting and not to the collection of loss events in the risk database.
  • It seems to us that the definition of the ESG attributes retained in the draft RTS is focused on the ESG risks of banks' counterparties and investments, whereas under the CSRD banks are required to measure the impact of ESG risks on their own activities and the impact of physical climate events on business continuity.
  • Some attributes correspond to business lines of the Basel framework, such as retail, commercial banking, trading and sales, and other. However, a Basel business line is a reporting axis for a business that carries a risk, not a risk as such.
  • Some attributes (e.g. model risk, Legal Misconduct) are automatically deduced and systematic, and therefore add no value to the risk taxonomy; we believe these attributes should be removed.

Specific comments by attributes:

  • Legal Misconduct Attribute:
    • This taxonomy considers that an event is a case of Legal Misconduct if it has an impact on the market (mismarking, insider trading) or on the client. In the event of misconduct by an employee, the internal impact is not considered in this taxonomy, which is therefore not aligned with the RTS definition (Article 4, paragraph 52a, point (d) of Regulation (EU) 575/2013).
    • The “misconduct” approach considers the responsibility of the group and not only the individual responsibility of its employees.
    • The Basel Level 2 category “Regulatory and Tax authorities, including reporting” is considered a legal misconduct event in the matrix. We disagree with this classification, which implies that all tax events are conduct issues. It does not distinguish between a “tax evasion event”, which could be considered conduct, and an “erroneous tax reporting” event, which is a process execution event. In addition, the definition of conduct risk events proposed in the matrix differs from the one given in the Stress Test guidelines, since it now includes events from event type 7 (Execution, Delivery & Process Management). This attribute will consequently create inconsistencies between the various reports submitted to the supervisory and regulatory authorities.

  • Legal Other than Conduct Attribute: the definition of this attribute, which should exclude conduct topics, nevertheless includes the following item: “(f) non-compliance with any requirement derived from contractual arrangements, or with internal rules and codes of conduct established in accordance with national or international rules and practices”. We believe that this attribute should be removed, or clarified as to whether conduct events are included or not.

  • ICT Attribute: the ICT attribute definition refers to security (the malicious aspect) and to human error (in the use of network and information systems). This seems restrictive and will be difficult to implement without clarification.

In conclusion, the rationale for the matrix presentation of categories and attributes seems unclear to us and difficult to implement as such. Moreover, depending on whether the mapping of certain risk categories to certain attributes is automatically deduced or not allowed, this will add complexity, create inconsistencies and fail to serve the objectives of the taxonomy.

Question 8: Would it be disproportionate to also map the three years preceding the entry into force of these Draft RTS to Level 2 categories? If yes, what would be the main challenges?

The implementation of the revised operational risk taxonomy will impact all the components of the operational risk framework (RCSA, controls, permanent control actions, etc.). Consequently, it will require a review of the entire risk databases (historical events, risk mappings, control plans, etc.), sometimes loss by loss, and often without enough detail to map losses a posteriori. This review will require a significant workload, an in-depth analysis of the Level 2 categories and the parameterisation of all the attributes, which will be complex: each attribute has its own rules depending on the Level 2 category and on whether the attribute is binding or not. As a reminder, any past event that is not yet closed can trigger financial flows in future years (for example, litigation that may last many years). The new taxonomy therefore cannot be applied only to new events; it will require 1) updating not only the historical incident database but also the other components of the operational risk framework, and 2) additional IT developments (automation of attributes where possible). Consequently, banks will have to deploy a huge effort in a very limited timeframe.

Restating historical data to map Level 1 event types to Level 2 categories over the last three years would be disproportionate, given the work that would need to be undertaken without clear benefits in terms of risk management.

Question 9: Is the length of the waivers (three years and one year) for institutions that, post merger or acquisition fall into the EUR 750 million – EUR 1 billion band for the business indicator, sufficient to set up the calculation of the operational risk loss following a merger or acquisition? If not, please provide a rationale.

We have no specific comments.

Question 10: Are there other cases where it should be considered to be unduly burdensome for institutions to calculate the annual operational risk loss?

We have no specific comments.

Question 11: Which of the provisions of Article 317(7), as developed by the draft RTS on the development of the risk taxonomy, and Article 318 of the CRR would be most difficult to implement after a merger or acquisition for the reporting entity? Please elaborate.

The most difficult part is the short timeframe for implementing the risk taxonomy after a merger or acquisition of an entity. It will take time to analyse and integrate the database of the acquired entity and to build mapping tables and migration rules.

Question 12: In your experience, would the provisions of this article apply to most mergers and acquisitions, or would data usually be promptly implemented in the loss data set of the reporting institution?

The one-year period to integrate and adjust the losses from merged or acquired entities or activities is too short, given the heavy workload required to map historical internal loss data to event types and to restate historical data. Depending on the size/materiality of the acquired entity relative to the absorbing entity, the required period could be longer or shorter.

Question 13: Are there other adjustments that should be considered in these draft RTS? If yes, please elaborate.

We wonder about the effective implementation date of the three draft RTS, and especially the first reporting date. These RTS, which appear to be limited to historical incidents, in reality impact the whole operational risk framework (RCSA, controls, etc.), as the taxonomy is transversal to all components of the framework. If a reallocation of the stock of events over the past three years must be made, it will require a detailed analysis, which will be time-consuming and excessively burdensome.

Name of the organization

Fédération Bancaire Française