Chapter I – General Provisions, Article 1, Item 2:
The definition of operational risk is missing some important elements which we would like to see added. Of particular are definitions of terms such as: “processes”; “systems”; “people or external events”.
We would like further clarity on the statement on ‘exclusions from OR definition.’ As drafted this is unclear as the referenced “other kinds of risk” are not described. If risks such as ‘Business’, ‘Strategic’ and ‘Reputational’ are to be excluded, we request that these be mentioned explicitly.
Furthermore ‘Model Risk’ is not defined in the document, but is referred to in several places (Art 5 §2c, Art 5 §3h & I, Art 5 §5a & b). Further guidance in this area would be helpful.
The EBA has provided the clarification on the scope of operational risk with respect to compliance risk in the Single Rulebook Q&A (Question ID: 2014_1153) stating that “risk arising from an institution's non-compliance with its legal or statutory responsibilities or requirements must be included in the definition of operational risk”. We recommend that the corresponding definition of compliance risk be included in Article 2 of these rules.
Chapter I – General Provisions, Article 2, Item 12:
Depending upon the jurisdiction, firms can be sued for a wide variety of issues. Thus the term “risk of being sued” is too broad to be practical. Due to the influence of jurisdiction on the likelihood of being sued and the range of potential lawsuits, we request that this element of the definition is deleted.
Chapter I – General Provisions, Article 2, Item 20:
This section appears to relate to perceived or actual misuse of suspense accounts and pending losses in relation to operational risk losses. The finance / accounting / control function operates pending losses and suspense accounts within the formal accounting standards. For clarity, we believe that the second portion of the definition should be deleted.
Chapter I – General Provisions, Article 2, Item 21:
It should be kept in mind that any direct recovery may not necessarily come from a third party. Instead it can result from the increased value realised when selling assets possessed following a fraud.
The given definition in Item 21 for “recovery” only refers to what is commonly known as “indirect recovery”. We request that the definition of “direct recoveries” be added. Alternatively the given definition could be completed by adding “… received from the first party or from a third party, such as insurers or other parties.”
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 2 d):
For clarity, we request that the EBA add a reference to data entry errors.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 7, Item 1 d):
Firms mainly use pending losses and suspense accounts when they do not know the actual amount of the loss. We therefore propose that the word “actual” be deleted. Additionally this will need to be included in the AMA calculations by the date of occurrence as, at this point, the loss estimate has not yet been recognised in profit and loss numbers.
The wording seems to be geared to improper accounting practices regarding suspense accounts in a few countries. Thus we urge the EBA to consult more broadly to ensure the wording is applicable across all relevant jurisdictions.
In our view, the inclusion of “pertinent scenario analysis” in the context of pending losses is potentially confusing and should therefore be deleted.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 8, Item 1 a):
It is unclear to us whether the referenced expenses are internal and external or just external. Article 7 §1b1 refers to external expenses and §1b2 cost of repair – we request that the EBA provide clarification in this area.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 8, Item 1 d):
There is uncertainty here as the “total outstanding amount” is not the same as the “whole write-off, total credit loss”. For example, in the case of a fraudulent mortgage the “total outstanding amount” might be €1,000,000, but the “write-off” might only be $200,000 due to the value of the collateral. Additionally if there is fraud, it will no longer be a “credit loss” but an “operational risk loss”.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 8, Item 3:
As in Article 8 §a it is not clear if this refers to internal and external or just external expenses.
The paragraph comments on aspects of timing losses that could be confusing, we propose that this last portion of the paragraph be deleted.
It is not clear why the detection of deficiencies in the policies, processes and procedures for managing operational risk should lead to ad hoc reporting rather than ad hoc validation.
We suggest requiring ad hoc validation in these cases as this is a more effective way to improve policies, processes and prevent losses caused by these deficiencies.
Chapter IV – Operational Risk Measurement, Article 21, Item 3:
Firms making the transition from a standardised approach to AMA usually only have 3 years of data. So this paragraph creates a conflict. We also note that there is no cross reference to Articles 34 – 36 which discuss parallel running which could be a potential solution.
We do not consider it sufficiently clear whether the observation period greater than five years is expected for severity or frequency modelling. Severity data is always sparse in the tail. As far as severity modelling is concerned, we find an observation period of more than 5 years reasonable.
However, for frequency estimation an extended observation period delays the reaction of the capital figure to changes in business process which can materially influence the frequency of loss events. Thus an extended observation period for frequency reduces the incentive effect of the capital model.
Chapter IV – Operational Risk Measurement, Article 21, Item 4:
We do not believe that the calculation in this section can be met: In some cases we suggest to remove or to restrict the requirement. Examples for inclusion of the data later in the calculation set are:
• Losses below calculation threshold at the accounting date and with a calculation later it exceeds this threshold
• The accounting date of an undiscovered Fraud may be well before entry into calculation once the Fraud is discovered.
Consequently, the usage of first accounting date of loss events or date of occurrence for modelling purposes may lead to an underestimation of loss frequency.
Chapter IV – Operational Risk Measurement, Article 21, Item 5:
We request a clarification to Article 21 §5. There appears to be a conflict between the requirement in this paragraph to use all operational risk losses and Article 21 §1 which implies that firms can construct relevant internal loss data sets.
Chapter IV – Operational Risk Measurement, Article 21, Item 6:
We support the application of inflation adjustments on loss events.
Chapter IV – Operational Risk Measurement, Article 21, Item 7:
A clarification to Articles 21 §7 & 10 is requested in relation to the concrete definition of “single root event” and “root event”. Conceptually the idea is understood and appreciated, however our concern relates to the practicality of the provisions and the need for a consistent approach by firms across the EU.
Depending upon the practical interpretation of “root event”, this could amend the data collection and aggregation requirements. For example, if the “root event” refers to a process / control failure (because the firm has implicitly or explicitly decided to accept the risk) then the events would be aggregated / grouped overtime. It is not clear if the time period for grouping matches the annual accounting period or crosses accounting periods. The practicalities may be similar to finding a root cause.
Chapter IV – Operational Risk Measurement, Article 21, Item 8:
We understand this paragraph as stating that firms will need to record the date at which the loss amount is changed.
Events with an initial reference date outside the observation period are less relevant for the current risk profile than recent events regardless whether there have been recent adjustments of the loss amount. We therefore suggest only including events in the AMA calculation which have a reference date within the observation period for the severity and the frequency distribution. We strongly suggest not splitting up loss amounts.
Chapter IV – Operational Risk Measurement, Article 22, Item 2:
This is a challenging requirement which is hard to satisfactorily demonstrate. We propose that softer requirements be used instead since “homogeneity, independency and stationarity” cannot be objectively achieved in practice.
Chapter IV – Operational Risk Measurement, Article 23, Item 8:
The proposal relies too strongly on statistical measures when selecting appropriate distributions (see out comment on Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 8, Item 1 d). For example, ‘goodness of fit measures’ are not stable over time, as they change with new data coming in over time. Thus, frequent changes of distributions create jumps specifically in the allocation of Divisions, making risk management and communication of results impossible.
We propose that clarification is required in order to put Article 23 into perspective. We are concerned that the current over reliance on statistical measures may be in conflict with the Use Test.
Chapter IV – Operational Risk Measurement, Article 24, Item 4:
While in general Article 24 Item 4 “the competent authority shall verify that the institution applies appropriate techniques to avoid: (a) capping the maximum single loss;” is sensible, perhaps a caveat is needed so that it does not dismiss the use of exposure-based models – these are an important part of the risk tool-box and must be maintained.
A suggestion may be that “capping the maximum single loss, if an institution cannot provide a clear objective rationale for the existence of an upper bound (for example in the case of fraud events in the credit area).”
Chapter IV – Operational Risk Measurement, Article 25, Item 1:
There are three commonly used definitions of expected loss:
i. Statistical e.g. 50% confidence interval
iii. Losses that are expected
The expected loss figure derived from statistical distributions will vary with the type of distribution and data used.
The perception is that the accounting standards narrowly define expected loss, especially with regard to the creation of specific or general reserves.
Thus we feel that wording for Article 25 which ensures these are reflected is required.
Chapter IV – Operational Risk Measurement, Article 25, Item 2:
A clarification is requested to Article 25 §2. It is not clear to us why the expected loss (however defined) should be assessed at the level of the “operational risk category”. Capital adequacy is assessed at the firm level and it seems appropriate to determine expected loss at the same organisational level. We request addition clarification on what is meant by “operational risk category”.
Chapter IV – Operational Risk Measurement, Article 25, Item 4:
We are not clear about what is intended by “exceptional operational risk losses”. The importance of this phrase is linked to the interpretation of “Expected Loss” and needs clarification.
A clarification is requested for Article 33 §1b on the granularity of the capital allocation. For example, does the capital allocation refer to business lines within a legal entity, legal entities within a jurisdiction or legal entities between jurisdictions? We do not believe it would be optimal for regulators to focus upon the allocation of capital to business lines within a legal entity. The business lines within a legal entity are unlikely to correspond to regulatory business lines.
Furthermore, the intention behind “quality of operational risk management and internal control” is not clear. If the capital allocation between business lines is a zero sum game, then some business lines will be allocated less then prescribed by an algorithm. Is this a reference to perceived shortcomings in the use of Business Environment & Internal Control Factors (KRIs) and their integration into the AMA model?
Chapter IV – Operational Risk Measurement, Article 35, Item 1:
A parallel run period after implementation would be an unnecessary burden, however we support a parallel run period prior to implementation. This would allow impact studies on how new models compare to old models over time.
In addition, clarification is necessary for which situations a parallel run is required. For example should this focus on first time application of an AMA or for each model change of already approved AMA models?
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 6, Item 3:
The EBA intends to move First and Third Party Fraud from the Credit Risk (CR) regime into the OR regime. Although we agree that this is conceptually sound, the practical implications are enormous. While it is difficult to gauge what the net capital implications are (overall levels could either rise or fall), the cost/benefit proposition is unclear. A critical prerequisite to introducing such a change is a section in the upcoming Credit Risk RTS (due around September 2014) fully in line with the OR RTS, because the bulk of the process changes will be on the CR side.
Primarily, the change in event categorisation must be supported by CR Management functions and regulators. For CR Management the implications range from data collection, to data history in risk analysis, to the amount of capital required for Credit Risk.
Consistency between the upcoming CR consultation paper, and the implications and effects in Article 6 of this consultation, is necessary. Operational Risk Management functions cannot be expected to implement data collection related to the credit area without the active support of regulators specialising in the credit area.
Second, the final calibration of the data collection threshold will have a significant impact upon firms. The Operational Riskdata eXchange Association (ORX) currently has a threshold of €500,000 for the investigation of Credit Risk losses that may have Operational Risk elements. However, we interpret Article 6 §3 as stating that firms collecting Operational Risk Losses from a lower threshold, €10,000 or even lower, must also collect data about fraud in the credit area from the same threshold.
We urge the EBA to keep in mind that whilst a firm may have hundreds of defaults with write-offs of €500,000, the same firm may have hundreds of thousands of defaults with write-offs of €10,000 or lower. This increased workload is then compounded by the time that it takes the firm to determine if a fraud has, or has not, been committed. As a rough guide the time taken to determine if there has, or has not, been a fraud can be three months or longer. We deem the resource and cost implications would outweigh the anticipated benefits.
With regard to the threshold it should be acknowledged that the data collection process for operational risk losses related to credit risk is significantly different from other operational risk losses. Fraudulently incurred default losses are typically identified in a “post mortem analysis” which is economically feasible only at a higher collection threshold.
A potential approach is to extend the phase-in concept to thresholds as well as time. For example the initial data collection target could use a relatively high threshold, such as €500,000. Once firms have embedded systems and have been collecting this data as operational risk losses for a period of time, then a review could be undertaken to determine if there is sufficient value in reducing the data collection threshold. We estimate the implementation costs to be extremely high and disproportionate to the additional information gained for OR management.
There are some practicalities that should be considered in relation to Article 6 §3. Presently the thresholds for collecting OR loss data relate to the business line and their OR appetite. Requiring the initial data collection of fraud in the credit risk space at the same threshold is expected to create a significant implementation challenge.
In addition to the system challenges there may also be the need to recruit additional staff to perform the forensic analysis in order to determine whether a fraud has been committed. This forensic analysis can take over three months.
Risks for which there is a known maximum exposure (as is the case with the aforementioned fraud events in the credit area) can be modelled in a different way to the more typically operational risk data for which there is effectively uncapped severity. Accurate modelling of fraud events in the credit area can be effectively achieved using an exposure-based model which incorporates the extra information, rather than a Loss Distribution Approach which discards it.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 6, Item 4 (1):
There seems to be some overlap between the description of First and Third Party Fraud. This paragraph refers to “using another person’s identifying information”. In our view this is more closely aligned with Third Party Fraud than to First Party Fraud. To amend this, we propose that “and using another person’s identifying information” be deleted.
We request that the definitions of First Party Fraud and Third Party fraud be clarified with regard to the following aspects:
• If first party fraud occurs when the party misrepresents its financial abilities on the application forms and by using another person's identifying information“, how should it be differentiated from third party fraud which is “a fraud that is committed by means of use of a person’s identity”?
• We understand that any fraud which is initiated by an existing customer at a later stage of the lifecycle of a credit product (not on the application form) is neither first nor third party fraud. As this definition differs from the commonly used one, we request that this be stated explicitly.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 7, Item 2 c):
This data is perceived as being useful for operational risk management. However, capturing these kinds of losses is difficult since internal costs are hard to quantify and cannot be allocated. This would only be reasonable in specific areas and with high thresholds. The practical issues include how to estimate these values with a degree of consistency across the businesses, event types and with a degree of accuracy. Given that it is unlikely that this issue be resolved in the near future, we request “opportunity costs / lost revenues” be deleted. We believe it should also be acknowledged that higher thresholds can be applied for the collection of these. This is because only high-impact events can be identified with reasonable effort and are relevant for OR management decisions.
We would appreciate clarification about the Article 7 §2 use of the term “AMA management”. Is this intended to refer to the operational risk management or the team managing the AMA model?
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 7, Item 2 d):
This data is perceived as being useful for operational risk management. However, capturing these kind of losses is difficult since internal costs are hard to quantify, cannot be allocated and are not booked in the general ledger. This would only be reasonable in specific areas and with high thresholds. We believe it should also be acknowledged that higher thresholds can be applied for the collection of these. This is because only high-impact events can be identified with reasonable effort and are relevant for OR management decisions
Accordingly, we propose that “internal costs such as overtime or bonuses” be deleted.
As per our comment above, clarity is needed around the Article 7 §2 use of the term “AMA management”.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 4, Item 3 b):
We find the reference to industry practice unclear. A number of industry practices have been found to be against “legislative or regulatory rules”.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 4, Item 4:
This paragraph should be aligned with paragraph 2b.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 4, Item 5:
Examples could include various forms of business or strategic risk. Given the exclusions from the definitions it would be helpful if the same terminology could be used here.
From the perspective of consistency with the definition of operational risk, it would be useful to explicitly mention Strategic and Reputational Risks as being excluded.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 1:
It is unclear to us why all “Operational risk events occurring in market-related activities shall be classified as boundary events between operational risk and market risk.” There is a wide variety of possible operational risk events in market-related activities which do not generate market risk.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 2 c):
Models and model risk are included in the scope of operational risk. However, the lack of a definition of model or model risk in Article 2 creates uncertainty about the interpretation and practical scope of this paragraph.
If a definition of model risk were to be added, this paragraph would no longer be needed.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 3 b):
We propose to amend the this guidance as in general, errors in data entries account for as many errors, if not more, than software errors. For clarity, we propose adding a reference to data entry errors to Article 5 paragraph 3b. An appropriate addition might be “errors in classification due to data entry errors and/or the software used by the front and middle office.”
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 5, Item 3 f):
This should be aligned with the broader scope of the Article.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 6, Item 2 a):
The impression given is that fraud is only committed at the beginning and not during the life of a transaction. So if fraudulent details are provided during the life of a credit transaction then the fraud is still to be allocated to Credit Risk. If this is what is intended then it would lead to an inconsistent capital treatment of fraud – sometimes OR and sometimes CR depending upon the timing of the fraud.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 7, Item 1 e):
It is recognised and appreciated that uncollected revenues are an economic loss to the firm. However, capturing these losses is difficult. One potential data source, the General Ledger, is used to tracking things that did happen rather than things that did not happen. In our view firms should be able to agree a threshold with their home regulator, for capturing uncollected revenues.
For uncollected revenues it is impossible to ensure completeness. Policy statement with penalties for non-compliance and/or high thresholds must be allowed to make this practical.
Chapter II – Scope of Operational Risk and Operational Risk Loss, Article 7, Item 1 f):
We support the definition of timing losses. However tax related payments should be explicitly excluded since these are not related to operational risk (for tax events only interest and fines are recorded).
We recognise that the modelling of dependence is challenging and a conservative approach is sensible, although analysis of operational risk loss data consistently implies general low levels of tail dependence. However, we believe that the guidance on dependence in these rules is too prescriptive. The explicit exclusion of a broad range of approaches is based on questionable statistical reasoning and references to credit and market risk, which are incomparable.
Section 2 requires independence of loss events within a category, whereas section 3 requires dependence of tail events.
Empirical analysis shows that event severities are independent within and across risk categories. Moreover independence of loss severities is a widely accepted model assumption in the loss distribution approach: Statistical techniques mentioned in Article 24, particularly the single loss approximation and the Panjer recursion, require the independence assumption.
Dependence can be well incorporated into the frequency model although empirical evidence in this context is low. It only has a limited effect because of a symptomatic property of sub exponential severity distributions (in combination with moderate frequencies): The annual loss is typically determined by the largest single event. This is what we observe in historical data and indeed is the idea of the single loss approximation.
In 26(3) the guidance states that “The dependence structure shall not be based on Gaussian or Normal-like distributions”, in this case more clarity would be welcome on what constitutes a “Normal-like” copula, in particular at what point the number of degrees of freedom of a t-copular means the copula is “Normal-like”. The stated limitation on the number of degrees of freedom “with few degrees of freedom (e.g. 3 or 4) in most cases appears more appropriate to capture the dependencies between operational risk events” seems particularly restrictive, and in many cases may not be appropriate.
The analogy to credit and market risk is therefore misleading. Extreme losses in credit risk and market risk are driven by cumulated events. In this context events are dependent, the shape of the copula is critical for the fat tail of the portfolio loss. The use of t-copulas in credit risk and market risk is meaningful.
On the contrary, extreme losses in operational risk turned out to be rare single events of extreme extent and not correlated cumulated events. The severity distribution is crucial for the capital estimation.
Chapter VI – Use Test, Article 41, Item 1 d):
We support the use of an internal model for internal capital adequacy assessment process and the internal OR management. However, we would appreciate more detail on which components can differ (e.g. insurance recognition, suballocation).