Unicredit Group

UniCredit Group supports the goals of these guidelines and considers them as a significant step towards the enhancement of the operational risk assessment methodology.
UniCredit Group “Operational and Reputational risks” department, following the analysis of the draft on “RTS” conducted within the operational risk management functions of the Group main legal entities, submit, within this response, its overview on the new topics.

Art.1 (2), Art. 5(2) (c), Art. 5(5) – Model Risk –
In order to apply correctly this provision, a formal and detailed definition for Model Risk would be welcome.
With regard to Article 5(5) (b) “losses caused by a pricing model where the potential exposure to the model risk had been previously assessed” shall be excluded from the scope of operational risk, we have some doubts on the correct implementation with respect to provisions laid down in Draft Regulatory Technical Standards on prudent valuation under Article 105(14), in particular, Article 17 on calculation of operational risk AVA.
According to Article 17(2) “Where an institution applies the Advanced Measurement Approach for Operational Risk as defined in Title III Chapter 4 of Regulation (EU) No 575/2013, it may report a zero operational risk AVA on condition that it provides evidence that the operational risk relating to valuation processes, as determined by complying with the requirements of paragraph 1, is fully accounted for by the Advanced Measurement Approach calculation.” Does the provision of Article 5(5) (b) mean that the losses caused by a pricing model where the potential exposure to the model risk had been previously assessed can only be excluded if a valuation adjustment for losses incurred as a result of operational risk related to valuation processes has been built? What kind of alternative assessment of potential exposure to the pricing model risk should be considered adequate for the purposes of compliance with the provisions of Article 5(5) (b)?

Art. 4(2) (b), Art.4 (3) (a) – Breaches of Ethical conduct rules
The provisions stipulate that the events related to breaches of ethical conduct rules have to be included in the scope of operational risk. From our point of view, this provision leaves room for interpretation because the notion of ethical conduct may differ considerably over time, between institutions, jurisdictions or individuals.

Art. 7(1) (e) - Uncollected revenue
The provision stipulates that “uncollected revenues related to contractual obligations with thirds parties, such as the decision to compensate a client following the operational risk event, rather than by a reimburse or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time” shall be included in the scope of operational risk for the purpose of AMA capital calculation. We understand the aim of the provision; anyway, we all agreed on the difficulty to guarantee the completeness and the quality of this loss data collection. The main concern is about the measurability and the quantification of these items due to discretion in determining specific conditions granted to a customer (i.e. the business may decide to compensate a client not only for a failure but also simply for changes in the business environment or for other strategic considerations). Furthermore, such decisions only affect the institution’s financial statement in an indirect manner, thus making it extremely difficult to carry out the accounting reconciliation in order assure the quality of data collection. We suggest that only events which have been disclosed internally, have a high visibility (e.g. managerial decision), materiality and that are traceable, should fall under this article. We therefore ask to consider the inclusion of a reference to an institution-internally defined threshold.

Art. 8(2) Timing loss
The cases described in the explanatory box are related to events characterized by a claim from a client or a fine from authorities. Are these elements always needed for the correct identification of a timing loss?

Art. 19(1) BE&ICF
In order to implement other BE&ICF, besides the Key Risk Indicators, we would like having more details on the implementation of the mentioned examples of BE&ICFs reported in the explanatory box.
UniCredit Group supports the purpose to add in AMA regulatory capital the treatment of fraud events in the credit area.
Nevertheless we would like to emphasize that categorising losses due to fraud in the credit space as operational risk losses will require the active support of the credit risk management functions; it is also evident that such rules should also be included within the Regulatory Guidelines on Credit Risk.
Due to the impact that the treatment would have on the operational risk and credit management areas and on the IT systems of the Group, we submit our request to review the delivery of phase-in approach for its implementation.
In order to understand correctly the new provisions, we hereafter submit to your attention some doubts and some questions.

Art 6(2) (a), 6(2) (b)
We do appreciate the efforts for clarifying the boundary between credit and operational risks. Nevertheless we would need some more clarifications on the criteria to adopt for the correct identification of the fraudulent use of credit funds.
Consider, for example, a customer with three loans paid out in three different years, one after another. Faked financial statements were given in the last year/for the last loan only. Which loss amount of operational risk should be recorded? What is the pure credit risk? The total outstanding amount of the customer related solely to the third loan? How to handle back payments/returns on collaterals? LLP of the customer or LLP of the single loan?

Article 6, 2 (c) (d) (e), Article 6, 2 (a) (b)
We find extremely challenging the different treatment of the credit position in case of frauds, based on the identity of the customer.
The treatment of this category of events could be very time consuming if applied also on the current “open credit positions” of the Bank, as it would be not easily feasible to analyze all the credit transactions already in place. It would require knowledge of the whole cycle of life of each product/position that could be difficult to perform on products/position negotiated/opened in the past.

Art 6 (3)
The required adjustment is extremely challenging as the threshold adopted for the pure operational risk losses is very low and not applicable to frauds events in credit related losses. For this reason we would like to keep the thresholds separated for the two loss categories. We propose to apply a reference that different thresholds on internal data can be applied within the AMA model.

We fully agree to having a phase in approach for the implementation. In order to make a feasible working plan with reachable deliveries, we however suggest the extension of the proposed timelines.
We agree that the identification and analysis of “opportunity costs / lost revenues” as well as of “internal costs such as overtime and bonuses” resulting out of operational risk events may provide valuable information for managerial purposes. However, we believe that the inclusion of opportunity costs and internal costs in the scope of operational risk data collection as a compulsory element could be very challenging, mainly due to the difficulties on their identification and, quantification. In our opinion, we would suggest that the provision should be rather formulated as an option to collect opportunity cost, lost revenues and internal costs in cases where it is deemed relevant by an institution an institution-internally defined threshold.
We consider the list as complete.
We support that the dependence structure between operational risk events cannot be based on Normal-like distributions (e.g. imposing a cap to 5 on degrees of freedom of Student-t copula) , unless it is feasible to provide strong evidences based on empirical data that the Normal-like distributions are acceptable.
We support the use of the operational risk measurement system not only for the calculation of the AMA regulatory capital but also for the purposes of internal capital adequacy assessment. In UniCredit Group, the operational risk measurement system is already used for both AMA regulatory capital and internal capital adequacy assessment.
Barbara Bonetti