French Banking Federation

We are in favor of a common rulebook on operational risks but some provisions included in this draft RTS deserve additional clarifications or reactions from the French banks:

- Modification of boundary between credit risk and operational risk (article 6) : We do not agree with the proposed changes regarding the boundary between credit risk and operational risk. They are significant changes to existing practices and not currently enforced at the Basel level. They would introduce a significant uneven level playing field between European and non-European institutions. Furthermore, if the issues raised are relevant, the answer given appears inadequate and doesn’t comply with the clarification target.
This topic is developed in Q2 answer

- Modeling prescription: Internal model used under AMA are in essence risk sensitive. They do incent organizations to move up the ORM (operational risk management) learning curve and keep pace with industry changes through regular back-testing and audit process by translating ORM progress in a quantitative assessment. We do not support new and too prescriptive restrictions/recommendations for modelling choices, especially regarding the choice of distribution law or dependences modelling, given the fact that in the current practices, we have in any case to produce quantitative and qualitative evidence that our modeling choices are duly justified. We consider it is not appropriate to change this well established practice by introducing prescriptive restrictions/recommendations. irrespective to the nature of data, risk profile and the general modeling framework defined by a given entity.
Therefore the provisions contained in articles 23 (3) (loss distribution determination), article 26 (3) (dependence, see also Q5 answer) and 41 (d) (use of AMA pillar I modeling place of quantitative ICAAP for OR assessment, see also Q6 answer) would lead to a very significant modification of our whole current practices and internal modeling framework, that we do not support.
The main concerned topics are:
• Loss distribution determination (article 23 (3)) :
The ex-ante prioritisation of sub-exponential distributions above other functions does not seem appropriate in this connection. Moreover, the quality of loss distribution selection process is already and efficiently covered by Article 23 (6) and 23 (8) (resp. attention paid to kurtosis related parameters and prescription of goodness-of-fit tests). The provisions described in these two articles ensure that the determination of the loss distribution pays sufficient attention to tail events.
• Dependence (article 26(3)) : see Q5 answer
• Alignment between ICAAP and AMA models: see Q6 answer.

Moreover, we are not completely in agreement with article 21 (3) (extension of the observation period) and 24 (4) (monotonic principle). Indeed, the possibility to extend the observation period for some categories breaches the time consistency of the dataset to be modeled even as this case is already explicitly covered by the option given by the regulator to use either external data or scenario analysis.

The assumption under which a good operational risk measurement device systematically fulfils the monotonic principle seems also quite doubtful given that OR measure is not “exposure based”. Indeed risk profile may increase even if activity doesn’t grow, OR profile is in fact much more sensitive to the effectiveness of the operational risk management than to the size of business. This is also part of the critics made by regulators to the current TSA framework.

- Parallel running (article 34, 35 & 36): the propositions described in these articles are extensive and need to be refined.
Our views and proposals are as follows:
• In case of first introduction of AMA within an institution: agreement on the EBA’s proposal of a one year post implementation parallel run, above the existing pre implementation parallel run
• In case of material changes of an already validated AMA model: No post implementations parallel run. As per Art 34 - § 1, the competent authorities will already get an assessment of the impacts through a pre implementation parallel run. When the permission is granted, running a post implementation parallel run, which implies operating several AMA models in parallel, appears far too complex, from an operational and IT perspective, notwithstanding the fact there maybe overlapping AMA changes within this one year period.
• In case of roll out of an authorized AMA model to a new entity within the group, no post implementation parallel run. The reasons are the same as exposed for the previous case: existence of a pre implementation parallel run plus complexity of running several AMA model (the extension to a new entity may also impact the allocation of the AMA capital requirement to the different entities including AMA ones before the supplementary roll out).

- Governance: The provisions of the articles 11 (2a) and (2c) may raise issues in some jurisdictions where the respective roles of the management body and the Senior Management have been defined differently than what is stated here. We would like that after the institution's management body" in these subarticles, the following be inserted "or the general management, given the national provisions regarding the respective roles of these two bodies”. Indeed, the Board of Directors in France for instance, who is in charge of setting the strategy of the company but also of controlling the action of the Senior Management, cannot be responsible for too many operational tasks in order to be capable of assuming efficiently its control mission".

- Audit and internal validation –art. 45. We agree and understand the need for having a strong and periodic audit and internal validation of the AMA system. According to standard principles governing the activities of the internal audit, missions are planned over a cycle of some years, i.e. more than one year, in consideration of the risk involved and based upon a Risk Based Audit Plan. Requesting an “at least annual” audit is not in line with this principle. Furthermore in view of the size of the banking groups involved, it is very difficult to check every year all the items mentioned in the article 45 - 2 - b) for all the group entities at a detailed level. We request the frequency to be changed to a risk-based approach over a pluriannual audit cycle . Finally, we would like to mention that audit reports do not need to be approved by the management body. We therefore propose to delete "for approval" in art 45-7.

- Data collection and modeling thresholds. We fully agree to the provisions of Art 21 §2 that either gross loss amounts or gross loss amount after all recoveries except insurance should be used in the calculation data set. Art. 16 § 2 is not specified exactly in the same way. We consider Art. 16 §2 regarding Internal loss data collection and modeling thresholds should be aligned with Art 21 §2. Furthermore, we consider that contrary to Art. 21 § 5, all operational losses may not be relevant as such for the modeling exercise. In some specific situations that must be carefully justified (when an institution withdraw from a business for instance), the corresponding internal losses should be disregarded in the calculation set.

- Data quality and IT Infrastructure (Article 37(2)): We need to avoid multiple requests for data from national competent authorities. When the AMA calculation for an entity is done by the parent company and ruled by a Service Level Agreement between the parent company and the entity, as the parent company has its own supervisor, accessibility to the data for the local authorities could be unnecessary."
We do not support the modifications envisaged in article 6 because this would introduce a significant uneven playing field between banks subject to EBA/ECB rules and all the other banks BCBS compliant and also between IRBA/AMA banks compared to IRBA or AMA only entities. We consequently strongly opposed to any changes from the actual regulation.

Regarding the proposal itself, the need for enhanced clarity on risks that are borderline between credit and operational risks is undisputable. The answers proposed in this paper do not appear to be appropriate for many reasons.
- The proposed set up is complex, with distinctions between first and third party fraud and fraud at the origin or after the granting of the credit that will be subject to a high level of interpretation. In many situations a case by case analysis will be needed.

- We consider also the amount of the loss to be recorded to be problematic (Article 8(1d)). It should be mentioned that loss mitigations could be included (realization of collateral for instance).The outstanding amount of credit at the time of discovery of the fraud does not necessarily correspond to the amount of the write-off. Further repayments of principal and proceeds from realization of collateral should be eligible as loss mitigation. In particular, the amount of the credit guarantees collected and the associated amount of the unsecured portion played a key role in the decision to grant credit. Accordingly, it should also be possible to take into consideration the eligible value of the collateral in the assessment of the operational risk. The assessment of the loss has to be undertaken on the basis of the amount of the reserve.

- The proposed change in definition would interrupt the data history. In order to ensure the reliability of data, a corresponding data stock including consideration of the credit risk would have to be built up.

- When the credit event appears the analysis wherever the fraud has been committed or not can take several months. Thus losses would have to be moved from credit risk models to AMA models once the fraud has been proven. This needlessly causes instability both for credit risk and for AMA models.
- There is a risk to double count the same risk in both credit and operational risk capital, especially as credit risk capital requirement still contains “hidden / never identified credit fraud”. To avoid double counting, institutions should be authorized to extract from their database such fraud events from the credit risk. We would therefore need a clarification on the credit risk methodological assessment side in order to preserve the intrinsic consistency of the CRD standards.

- Furthermore, this would imply tremendous implementation efforts from an operational and IT perspective, for both operational risk and credit risk system that it seems hardly achievable even in 5 years. Indeed, it will induce to restructure the ratings data bases and processes as well as EAD and LGD linked IT systems, procedures and computation. This will have a significant impact on all IRB parameters and then on RWA. Finally, according to the “use test” principle, it will have widespread impact on client global management (application process, collateral policy, cross selling policy, CRM).
Concerning specifically the items mentioned in Article 7 (2), we support the principles provided that it is only for managerial purposes (deletion of the reference “at least” would be welcome). In fact some data will be very difficult to collect exhaustively, such as near-misses, uncollected revenues, overtime and bonuses, even if they contain interesting information for OR management purpose:

- a&b - Near-misses and operational risk gains: The implementation of this requirement would pose a large number of challenges to the institutions. We point out that in contrast to genuine losses, near-misses frequently leave no “traces” behind in accounts and therefore the exhaustiveness of the recording of the relative operational risk events cannot be guaranteed. Then the bias induced in the loss collection doesn’t allow a proper statistical use of these data.

- c – opportunity costs / lost revenues : It is doubtful to include them in an exhaustive data collection exercise given the fact that, as indicated in Article 2 itself, they do not lead to any charge in the P&L,

- d - Internal costs such as overtime or bonuses: a precise assessment of overtime is quite complex considering that, in most of the case, internal staff first perform a trade off with their other tasks and postpone it to focus on risk event treatment. Therefore, the overtime cost could be not a fair assessment of cost of OR loss.
Moreover, we want to point out the difficulties of performing a fair estimation of cost of repair or replacement mentioned in Article 7 (1, b2). Indeed, after a risk event, one may choose to enhance the former situation rather than just to restore it. It is then quite unclear to assess which part of the cost should be considered including in OR database. When deciding to include all the components of the enhancement, it would unduly burden the entities promoting enhancement rather than pure restoration. We propose the text should make it clear that it should be assessed on a best effort basis

The provisions of the article 7 (1,d) leave room for interpretation that may lead to very heterogeneous practices across institutions. We would prefer a simpler rule such as pending losses over 2 years or over a certain amount that could be 1 % of the NBI of a given entity.
From a general viewpoint, we welcome the intent of clarifications. They are needed regarding the different items listed for operational risk, on whether or not they are effectively considered as operational risk. We think there are several events that should not be part of operational risk, therefore boundaries between operational risk and others risks have to be clearly stated.

Article 4 on legal risk
We do not have any comments.

Article 5 on market risk
According to Article 5(3)(g), unauthorized market positions taken in excess of limits are to be considered as operational risk events. The wording appears unclear to us. If it was to mean unauthorized excess of limits, we consider this should not be considered as an operational risk event. Should it nevertheless be so, it would be very complex to track and record properly for a limited added value, as the situations that may be at risk are currently properly covered from a prudential perspective through breaches in the VaR. If what is at stake is, as currently, more deliberate and fraudulent behavior, which is undoubtedly an operational risk event, then the wording needs to be adapted.
We do not understand to which type of “errors in classification due to software” Art 3 (b) are intended to be covered and to which extent they are to be considered as operational risk.
Model risk that falls under operational risk should be clearly defined in this document. The EBA/CP/ 2014/14 on the SREP process mentions a definition and suggest a split. We consider first, this rule should not be in the guidelines on SREP process and second that the proposal included in the EBA/CP/ 2014/14 should be improved.
Finally, the treatment described in Article 8(1b) partially differs from former regulatory position, to ensure consistency throughout the historical data, we advocate for keeping things unchanged from previous standards.

Article 6 on credit risk
Same arguments as for Q2, so please refer to Q2.

Article 7 on operational risk losses
The current wording of § 1 leaves no room for excluding some loss from the AMA calculation. As mentioned in Article 6, there may be case where boundary losses have to be deducted from the loss database to consider. We propose to insert the mention “unless otherwise specified” within the first sentence of §1.

Inclusion of more items in these lists
We do not see any additional items to be included in these different lists.
We do not support this proposal and that the dependence structure cannot be Gaussian.

Indeed, the dependence structure depends mainly on the way the operational risk categories are defined, on the way how data is grouped and finally how the dependence structure interact within the full modeling framework.

Firstly, the document should clarify to which quantity the proposed Student copula should apply. Indeed, depending on the bank, some dependence models are based on aggregate cells losses, others are based on frequencies (number of events) and others are based on severities. Given the parameters, it is well known in the literature that these three approaches lead to very different impacts. Secondly, should the Student copula be correct for frequency dependences, it could be incorrect for aggregating loss dependences for instance. Thirdly, the data may be compliant with the Gaussian copula and invalidate the Student copula. we do not support too prescriptive restrictions/recommendations for modelling choices given the fact that we have in any case to produce quantitative and qualitative evidence that our modeling choices are relevant, conservative and duly justified, (see article 26 (5)).
The concerned article is 41 d rather than 42 d.

We support the idea of using the operational risk system for ICAAP purposes. We suggest the EBA to elaborate more to which extent the AMA model has to be used for ICAAP purposes. We think the opportunity should be left open to each institution to use or not the AMA model for assessing its ICAAP. Moreover, supervisors have always the opportunity to assess the efficiency of the internal modelling through the SREP process.
Sarah Quemon