There have been many criticisms levelled at the Basel Committee’s approach for calculating op risk capital – too simplistic, overreliance on historical loss data – but the far more damning criticism may be that it unintentionally crimps lending and market-making, while leaving banks ill-equipped to tackle emerging risks such as cyber crime.
This is the argument of Jamie Dimon, chief executive of JP Morgan, who said op risk capital should be “significantly modified, if not eliminated” in a letter to investors published last week.
According to Dimon, US banks hold approximately $200 billion of op risk capital – “an unnecessarily large add-on”, he says. As for JP Morgan, “we hold excess operational risk capital which is not being utilised to support our economy”.
Dimon is not alone in his critique.
Peter Sands, the former chief executive of Standard Chartered, made much the same point in a recent interview with Risk.net. He contends that operational risk-weighted assets (RWAs) are inherently backward-looking since they are calculated based on past losses, and hence represent “dead capital”.
The current approach to op risk capital is problematic on two fronts.
Firstly, when a bank incurs a large operational loss such as a fine or legal settlement, the only way it can maintain its capital ratio is by reducing RWAs elsewhere – namely in its credit or markets businesses – since operational RWAs can’t be reduced and will probably even increase as a result of the loss. So, an operational loss may cause a bank to trim its credit portfolio or shutter a market-making desk.
Secondly, approaches based on past losses are almost certain to misjudge future risks – growing cyber threats being the most clear and present example. Thus far, banks’ financial losses directly attributable to cyber risk have been relatively low. According to op risk data collective, ORX, cyber currently accounts for just one per cent of the $468 billion in total losses stemming from the top 250 publicly disclosed operational loss events at banks. By contrast, regulatory fines represent 76% of the top 250 op risk losses, and fraud represents 16%.
Yet cyber consistently ranks at or near the top of operational risk managers’ priorities. Cyber risk is the number one operational risk for 2017, according to Risk.net’s annual survey of op risk practitioners – the second straight year it has received the top ranking.
An op risk capital framework based on historical loss patterns serves to deter forward-looking assessment and prevention of cyber risk. A bank that incurs a multibillion fine for mortgage-backed securities (MBS) will need to maintain that level of op risk capital for up to 10 years after the events that triggered the fine took place – even if it exits that business line. By the time the fines roll off, a whole new set of risks wholly unrelated to MBS – including cyber – will have emerged, but because the bank’s op risk capital is tied up by MBS, it will have that much less to invest in preventative measures to combat cyber risk.
The Basel Committee’s proposed standardised measurement approach for op risk capital – which would restrict the use of internal models – does little to address this problem, and has received pushback from within the banking industry and even among some regulators.
Supervisory chiefs postponed a meeting to finalise the standardised measurement approach slated for March 19, with June as the next most likely date.
The Basel Committee declined to comment on the apparent disconnect between the backward-looking nature of op risk RWAs and the forward-looking nature of cyber.
Dimon and Sands are not opposed to the idea of op risk capital entirely. Sands recommends replacing operational RWAs with a capital buffer, which would include a component for low-loss, high-frequency events that can be internally modelled, and a component for high-loss, low-frequency events, which would be set by the bank’s prudential regulator.
For his part, Dimon called for a complete rethink of the way op risk capital is calculated. “If you are going to have operational risk capital, it should be forward looking, fairly calculated, co-ordinated with other capital rules and consistent with reality,” he wrote in his letter to shareholders.
What both men do agree on is that an approach based on operational RWAs doesn’t help the cause of proactive risk management, and should be scrapped.