Response to consultation on draft Regulatory Technical Standards on assessment methodologies for the Advanced Measurement Approaches for operational risk
Q2: Do you support the treatment under an AMA regulatory capital of fraud events in the credit area, as envisaged in Article 6? Do you support the phase-in approach for its implementation as set out in Article 48?
In general, we support the collection of fraud events in the credit area for OpRisk management purposes. As is the case to a certain extent with the proposal for classifying boundary events between operational risk and market risk, it is certain that only a small proportion of the original credit risk and a high proportion of operational risk would be identified if these loss events were to be hypothetically analysed. Nevertheless, we believe that this proposal does usefully implement the requirements of Article 322(3)(b) of Regulation 575/2013. However, it would appear that the EBA intends moving first and third party fraud from the CR regime into the OR regime. From our perspective, the practical implications of this are enormous.
The change in event categorisation must be supported primarily by the credit risk management function and its regulators. For credit risk management, the implications range from data collection to data history in risk analysis to the amount of capital required for credit risk. In the credit risk consultative paper, it will be necessary to incorporate requirements that have the same implications and effects as Article 6. The operational risk management functions cannot be expected to implement data collection in relation to the credit area without the active support of regulators specialising in the credit area.
Fraudulently incurred credit events are an integral part of the parameterisation of credit risk models. As credit risk models are exposure-based, they provide forward-looking risk assessment and risk awareness that is directly linked to current business decisions. The removal of operational risk losses from credit risk models would reduce the credit risk provisions instantly without corresponding improvements in the credit processes. Furthermore, in most institutions the fraud prevention methodology is closely linked to credit rating development.
AMA models are based on historical losses, not on current exposures. As fraudulently incurred credit defaults are far more exposure-based than other operational risk events, pooling this data for operational risk modelling is extremely challenging. The precise allocation of fraudulently incurred credit losses is beyond the scope of current standards in operational risk modelling.
To prevent double-counting, institutions would have to be permitted to eliminate such fraud events from their credit risk calculations. However, this would entail a considerable implementation effort, both at the institutions themselves and at the data consortia and the agencies calculating the ratings. Institutions would face severe implementation challenges, especially in cases where they do not simultaneously apply the IRBA to their credit risk and the AMA to their operational risk. This would affect institutions that do not use an AMA, for example, but measure credit risk using rating methodologies from joint consortia. We think it would be impossible at a practical level to document all fraud events above the de minimis threshold currently in widespread use for OpRisk losses. The current data collection thresholds for OpRisk losses related to credit risk are many times higher than the threshold now being proposed. However, if this data collection becomes mandatory, it should also be acknowledged that the data collection process for operational risk losses related to credit risk is significantly different to that for other operational risk losses. Fraudulently incurred default losses are typically identified in a ‘post mortem analysis’ which is economically feasible only at a higher collection threshold. The analysis of whether fraud has been committed can take several months. Losses would thus have to be moved from credit risk models to AMA models once the fraud has been proven. This needlessly causes instability both for credit risk and for AMA models. Secondly, the data collection threshold will have a significant impact on firms collecting the data. ORX has a threshold of €500,000 for the investigation of credit risk losses that may have operational risk elements.
However, one interpretation of Article 6(3) is that, if firms collect their operational risk losses starting from a lower threshold, for example €10,000 or even lower, this is then the threshold at which they must also collect data about fraud in the credit area. While a firm may have hundreds of defaults with write-offs of €500,000, the same firm may have hundreds of thousands of defaults with write-offs of €10,000 or lower. This increased workload is then compounded by the time that it takes the firm to determine if a fraud has, or has not, been committed. An unscientific poll shows that the time taken to determine if there has, or has not, been a fraud can be three months or even longer. The resource and cost implications probably exceed the anticipated benefits.
We expressly urge a rethink of the de minimis threshold, which should if possible be increased to a level such that at least small-volume mass-market business is excluded from loss data collection. We are proposing a threshold of EUR 100 thousand (credit amount) in this context. Furthermore, we estimate the costs for such an implementation to be extremely high and disproportionate compared with the additional information gained for OpRisk management.
Moreover, the implementation period stipulated in Article 48 would be far too short. A two-year transitional period would not be sufficient to adequately address the challenges surrounding double-counting. In addition, the data history would be breached by changing the definition. To ensure the reliability of the data, a corresponding data pool would have to be developed in order to capture cases of fraud in the small-volume credit business. This would in any event take longer than the envisaged two-year period. Adding the time needed for technical implementation means that a suitable implementation period would need to be around five years. We estimate the costs for such an implementation to be extremely high and disproportionate compared with the additional information gained for OpRisk management.
Therefore, we strongly do not support the inclusion of these events for AMA capital calculation as this does not enhance the overall evaluation and management of these risks. We are convinced that credit risk models are the best solution for modelling operational risk losses related to credit risk due to their exposure-based nature.
Nevertheless, following the approach taken by Article 6 and Article 8(1)(d), we would be grateful if the EBA were able to consider the following aspects:
If, as proposed in Article 6(2)(a) and (b), ‘credit losses related to OR’ were also to be switched to a pure OR regime, this could lead to an ‘unclear mixture’ or an ‘incorrect picture’. Consider, for example, the case of a customer with three loans paid out in three different years, one after another. Faked financial statements were provided in the last year/for the last loan only. What loss amount attributable to operational risk should be recorded? What is the pure credit risk? The total outstanding amount attributable to the customer, or solely the third loan? How should repayments/returns of collateral be handled? In the LLP for the customer or the LLP for the single loan? We therefore strongly suggest not splitting loss amounts into CR and OR portions for capital calculation purposes. However, treating the total credit loss (LLP/write-off) as the loss amount attributable to OR also cannot be considered to be the ‘right picture’.
As we do not believe that the scope of the relevant credit-related (fraud) losses and the loss amount are coherent, we do not support the treatment of fraud events as envisaged in Article 6.
Q3: Do you support the collection of ‘opportunity costs/loss revenues’ and internal costs at least for managerial purposes, as envisaged in Article 7(2)?
We generally support the collection of opportunity costs/loss revenues and internal costs for OpRisk management purposes. However, collecting these items should not be mandatory, not least because calculating eg opportunity costs involves a certain amount of judgement and it may be very difficult to allocate internal costs such as overtime. In our opinion, this provision should rather be formulated as an option to collect opportunity costs, lost revenues and internal costs in cases where they are deemed relevant by an institution. It should be acknowledged that higher thresholds can be applied for collecting these events, as only events with a high impact can be identified with reasonable effort and only those events are relevant for OpRisk management decisions. We would not support including those effect types in the AMA calculation as this would distort the meaning of the capital figures.
The use of the term ‘AMA management’ in Article 7(2) creates uncertainty. Is this intended to refer to operational risk management or to the team managing the AMA model? This data is regarded as useful for operational risk management.
Article 7(2)(d)
This data is regarded as useful for operational risk management. However, capturing this kind of loss is difficult since internal costs are hard to quantify, cannot be allocated and are not recorded in the general ledger. This is neither sensible, practical, nor feasible. It would only be reasonable in specific areas where it makes sense and is accompanied by high thresholds. It should be acknowledged that higher thresholds can be applied for collecting these events, as only events with a high impact can be identified with reasonable effort and only those events are relevant for OpRisk management decisions. We propose deleting ‘internal costs such as overtime or bonuses’.
Q4: Do you support the items in the lists of operational risk events in Articles 4, 5 and 6, and the items in the list of operational risk loss in Article 7? Or should more items be included in any of these lists?
In general we support the items in the lists of operational risk events in Articles 4, 5 and 7.
Article 4(3)(b)
The reference to industry practice is confusing. A number of industry practices have been found to be contrary to ‘legislative or regulatory rules’.
Article 4(5)
Examples could include various forms of business or strategic risk. Given the exclusions from the definitions, it would be helpful if the same terminology could be used here.
From the perspective of consistency with the definition of operational risk, it would be useful to explicitly mention that strategic and reputational risks are excluded.
Article 5(1)
It is unclear why all ‘Operational risk events occurring in market-related activities shall be classified as boundary events between operational risk and market risk’. There is a wide variety of possible operational risk events in market-related activities that do not generate market risk.
Article 5(2)(c)
Models and model risk are included within the scope of operational risk. However, the lack of a definition of model or model risk in Article 2 creates uncertainty about the interpretation and practical scope of this paragraph.
If model risk is defined, this paragraph may no longer be needed.
Article 6(2)(a)
The impression given is that fraud is only committed at the beginning and not during the life of a transaction. For example, if fraudulent details are provided during the life of a credit transaction, the fraud would still be allocated to credit risk. If this is what is intended, it would lead to the inconsistent capital treatment of fraud – it would be sometimes OR and sometimes CR, depending on the timing of the fraud.
Article 7(1)(e)
We recognise and appreciate that uncollected revenues are an economic loss to the firm. However, capturing these losses is difficult. One potential data source, the general ledger, is used to track things that did happen, rather than things that did not happen. Firms should be able to agree a threshold, with their home regulator, for capturing uncollected revenues.
It is impossible to ensure completeness in the case of uncollected revenues. A policy statement with penalties for non-compliance and/or high thresholds must be added to make this practical.
Article 7(1)(f)
We support the definition of timing losses. However, tax-related payments should be explicitly excluded since these are not related to operational risk.
Article 7(2)
In the case of the items listed under Article 7(2), it should be acknowledged that higher thresholds can be applied for collecting these events, as only events with a high impact can be identified with reasonable effort and only those events are relevant for OpRisk management decisions.
Q5: Do you support that the dependence structure between operational risk events cannot be based on Gaussian or Normal-like distributions, as envisaged in Article 26(3)? If not, how could it be ensured that correlations and dependencies are well-captured?
We do not support Article 26(3) for the following reason:
Article 26(2) requires the independence of loss events within a category, whereas paragraph (3) talks about dependence between tail events (different categories?).
Empirical analysis shows that event severities are independent within and across risk categories. Moreover, the independence of loss severities is a widely accepted model assumption in the loss distribution approach: Statistical techniques mentioned in Article 24, particularly the single loss approximation (SLA) and the Panjer recursion, require the assumption of independence.
Dependence can be adequately incorporated into the frequency model although empirical evidence is also low in this context. It only has a limited effect there because of a symptomatic property of sub-exponential severity distributions (in combination with moderate frequencies): The annual loss is typically determined by the largest single event. This is what we can observe in the historical data and it underlies the idea of the single loss approximation.
The dependence structure may not be based on Gaussian or Normal-like distributions. This consultation paper therefore proposes that Gaussian or Normal-like copulas may not be used for operational risk modelling. These statements appear to be too sweeping. The dependence structure depends mainly on the way the operational risk categories are defined, and on how the data are grouped. It may happen that the data are grouped in such a way that the fit of a t-copula provides a high degree of freedom, and this in turn means that a Gaussian copula can indeed model the dependency well.
There is also a need to differentiate how the dependence structure is defined. In fact, it makes a significant difference for the results whether the copula assumption applies only to the frequency distribution or to the aggregated loss distribution whose dependence is actually being modelled.
The analogy to credit and market risk is therefore misleading:
Extreme losses in credit risk and market risk are driven by cumulative events. Events are dependent in this context, and the shape of the copula is critical for the fat tail of the portfolio loss. The use of t-copulas in credit risk and market risk is meaningful.
On the contrary, extreme losses in operational risk turned out to be rare single events of extreme extent, and not correlated cumulative events. The severity distribution is crucial for capital estimation.
We therefore do not support any axiomatic determination of Student t-Copulas for aggregating marginal events.
Q6: Do you support the use of the operational risk measurement system not only for the calculation of the AMA regulatory capital but also for the purposes of internal capital adequacy assessment, as envisaged in Article (42)(d)?
We support the use of an internal model for the internal capital adequacy assessment process and internal OR management. However, details should be provided about which components can differ (eg insurance recognition, sub-allocation).
Uploaded file: GBIC Comments on AMA RTS.pdf