Divison Bank and Insurance, Austrian Federal Economic Chamber
Overall the provisions are sufficiently clear and promote higher level of homogeneity and common understanding of the AMA framework. The specific comments and questions can be found in the attached file.
Yes, we support the treatment of fraud events in the credit area upon clarification of whether this change is retroactive or not and after alignment of the gross loss definition with the accounting standards used in credit risk area (e.g. Specific Loan Loss Provision in IFRS). Regarding implementation there is timing issue as the fraud investigation (coupled with police process) can take long time until the fraud is proven, therefore these cases can be considered in credit risk (scoring/rating) for an interim period.
Furthermore, we propose that the integration of first and third party fraud events in the AMA and subsequently the exclusion of these events from credit risk shall be reconciled with the authority for credit risk.
Yes, we support the general phase-in approach of one year, but we propose an extension of the phase-in for Article 6(1) to four years from the entry into force. The extension is necessary in order to collect first and third party events for at least three years and to develop an AMA model suitable for these data.
Moreover we would like to submit some concerns which relate to the following practicalities.
Firstly, the experience showed that making progress on this topic and achieving the clarity requested by the EBA will require consistent and transparent support from the regulators specializing in Credit Risk. Operational Risk Managers cannot be expected to comply with these requirements if there is incomplete regulatory support for the change.
The change will have an impact upon regulatory capital calculations and the capital estimates generated as a result. This will have an impact upon the Credit Risk Management function. The Credit Risk Management function cannot be expected to make such significant changes if the changes are not actively supported by the Credit Risk regulators.
It is anticipated that a Regulatory Technical Standard will be published for Credit Risk. We will look for clauses with the same effect as Article 6 in that document.
Secondly, the level of granularity at which these requirements are to be applied is unclear. For example, is it a single transaction with a customer, or once a fraud has been detected it is assumed to apply to all transactions involving the same product or all transactions across all products with the same customer?
It is proposed that the EBA ask Credit Risk Management functions about the level of granularity that are applied today and then issue guidance promoting consistency.
Thirdly, there is the threshold at which this data is to be captured. The ORX Operational Risk reporting Standards currently use a threshold of €500,000. If the threshold for investigating whether a credit loss is a fraud or not is reduced significantly then the resources required, to meet this requirement, could be substantial. While a firm may have 100s of credit losses of €500,000 this number will increase substantially if the threshold is reduced significantly, for example 100,000s.
The number of events presents system and data collection issues. However, there is also the question of skilled resources to determine whether a fraud has or has not been committed. Currently the determination about fraud involves forensic accounting skills. It is not clear if the credit department currently has the level of resources required to conduct the analysis on this potential volume of losses. The choice of initial data collection threshold, for these losses, will heavily influence whether two years is sufficient time to begin data collection.
Fourthly, it is unclear who is in charge of the burden proofing the fraud relation in credit related cases.
Sixthly, for banks planning to apply for the AMA in 2015 it is unclear what is expected. External losses will not apply the same standards as internal losses as long as the other AMA units apply for these standards. Internal data will not be available for the expected time frame now backwards.
Seventhly, from a measurement point of view, the possibility of exposure-based models should not be made impossible for an accurate modelling of fraud events in the credit area. Simply modelling these losses in an LDA would discard the additional information of the exposure.
While “opportunity costs / lost revenues” (Article 7 §2) may influence the economic value of the firm there are practical issues to consider. The practical issues include how to estimate these values with a degree of consistency across the businesses and event types and a degree of accuracy.
Given that it is unlikely that this practical issue will be resolved in the very near future, it is proposed that “opportunity costs / lost revenues” should be deleted.
Theoretically “internal costs such as overtime or bonuses” contribute to the total impact of an operational risk event upon the firm. However, the general ledger is not set-up to provide this information on a regular basis. For functions closely linked to the control environment, for example compliance, or reconciliations, or payments, or the legal department, their total HR costs are known.
In exceptional circumstances, for example a particularly large remediation project, then the cost of allocated internal staff may be available, but may not separately show overtime or bonuses.
It is proposed that “internal costs such as overtime or bonuses” should be deleted.
Article 4: “Operational risk events related to legal risk” name prompts a boundary risk type and legal risk is rather a secondary effect for most of the OpRisk events. The “risk of being sued” is very broad category so complete identification of these cases is hardly possible.
Marking OpRisk events as legal cases (really being sued or being subject of a claim) could be more appropriate solution as events originally classified in accordance with the primary risk driver.
Article 6: The par. 2(b) fraudulent use of credit funds event can include the cases when a client uses a loan not for the intended purpose and the fraud definition is limited to no intention of any repayment.
The par. 2(d) loan application by client using fictitious identity can happen with stolen identity.
In this article we miss a definition for the boundary between operational risk and credit risk, otherwise operational risk could be interpreted too broadly.
Article 7: We support the listed items in paragraph 1 with the exception of uncollected revenues where the quantification is unambiguous and the lack of clear distinction in the business decisions (e.g. for waiving fees for OpRisk event or other factors could have been also taken into account like client’s bargaining position).
In 26(3) the guidance states that “The dependence structure shall not be based on Gaussian or Normal-like distributions”, in this case more clarity would be welcome on what constitutes a “Normal-like” copula, in particular at what point the number of degrees of freedom of a t-copular mean the copula is “Normal-like”.
The stated limitation on the number of degrees of freedom “with few degrees of freedom (e.g. 3 or 4) in most cases appears more appropriate to capture the dependencies between operational risk events” seems particularly restrictive, and may not be appropriate in some situations.
More flexible guidance could state that “The dependence structure shall not be based on assumptions that rule out high level of tail dependence a-priori (e.g. by using a Gaussian copula).”
We fully support the application of the AMA framework for the purposes of internal capital adequacy assessment. But here we would like to point out that the output of the two models can be materially different due to the scope of consolidation and the confidence level at which the VaR is measured.