Controversial changes to Pillar I

BASEL, SWITZERLAND -- Changes to the operational risk criteria in Pillar I in the Basel Committee on Banking Supervision’s third consultative paper (CP3) are something of a mixed bag for the financial industry.

The biggest change to Pillar I is the introduction of the alternative standardised approach (ASA) for the retail and commercial banking business lines under the standardised approach (STA). Banks can opt for the ASA under those two business lines with their regulator’s approval. Under the ASA, banks calculate the other six business lines -- corporate finance, trading and sales, payment and settlement, agency services, asset management and retail brokerage -- under the regular STA rules, using gross income as the exposure indicator. But for the commercial and retail banking business lines under ASA, "loans and advances" replaces gross income as the exposure indicator.

The alpha, which is the multiplier that determines risk capital to be held under the basic indicator approach (BIA), has been set at 15%, which is the same as it was under the technical guidance of the third quantitative impact survey (QIS3). The betas under STA have also withstood the test of QIS3, and remain the same, ranging by business line between 12% and 18%. Banks are permitted under the ASA to aggregate commercial and retail banking lines, but must use a beta of 15% if they do so. In addition, if they are unable to disaggregate their gross income into the other six business lines, they can aggregate the total gross income for those six business lines with a beta of 18%.

The level of the alpha and betas did not sit well with many observers. "We’ve always said that the highest beta shouldn’t be higher than the alpha, because you need to have an incentive to move," said John Thirlwell, executive director of the Operational Risk Research Forum in London. "And there they are talking about how they really want people to move, and yet all the incentives seem to be counter to this. So I think I’m disappointed that not only the betas are exactly where they were, but also that the alternative system defaults to the highest beta."

Partial implementation

Financial institutions will now be able to adopt the AMA in some sections of the organisation, and use the BIA or the STA in others. There are some caveats, though. Banks will not be allowed to choose to revert back to either the BIA or the STA once they’ve adopted the AMA in a particular unit, without specific supervisory approval. On the other hand, regulators have the option to force banks back on to the BIA or STA if the regulator feels that the bank no longer meets the qualifying criteria for the AMA. Lastly, banks must provide regulators with a plan for adopting the AMA across all material business lines and legal entities, driven by the practicality and feasibility of moving to the AMA.

Insurance recognised

Banks under the AMA can now recognise insurance as an operational risk mitigant when calculating regulatory capital. Banks will be limited to recognition of insurance to 20% of their total op risk capital charge, however, and other criteria apply. The insurance provider must have a minimum claims paying ability rating of "A" or better; it must have no exclusions or limitations based on regulatory action or for the receiver or liquidator of a failed bank; it must be explicitly mapped to the actual operational risk loss exposure of the institution; and it must be provided by a third party entity. Policies must be for an initial term of not less than one year, and haircuts must be taken to reflect the residual term of the policy. Also, policies must have a minimum notice period for cancellation and non-renewal of the contract. The Committee said it recognised that this last item might cause problems, and said that during the comment period it would "continue to work with the industry to define the minimum threshold". "It’s perhaps not entirely surprising that they’ve floated the idea of haircuts for residual risks," says Richard Metcalfe, co-head of the European office of the International Swaps and Derivatives Association. "Haircuts are new to the public debate, and I wonder whether that is something which, along with the cancellation threshold issue, will need further discussion and can be resolved within the three month comment period."

STA changes

The qualifying criteria under STA have been changed substantially, bringing them much closer to the standards set out under the AMA. The criteria now call for the specific creation of "an operational risk management system with clear responsibilities assigned to an operational risk management function". According to the revisions, the op risk function is responsible for developing strategies to "identify assess, monitor and control/mitigate operational risk; codifying firm-level policies and procedures concerning operational risk management and controls; for the design and implementation of the firm’s operational risk assessment methodology and for the design and implementation of a risk-reporting system for operational risk". Now, firms must be tracking operational risk by business line to qualify -- in QIS3’s technical notes they could just be beginning this process. The operational risk information brought in from systems must "play a prominent role in risk reporting, management reporting, and risk analysis. The bank must have techniques for creating incentives to improve the management of op risk throughout the firm". The new rules also specifically say that op risk reports must be regularly submitted to senior management, the board of directors, and business unit management.

Again, industry pundits said this was a move in the wrong direction. "There is not much of a gap at all between this and the AMA," says ORRF’s Thirlwell. "There is no material difference between the STA and the AMA. It really doesn’t encourage firms to move to the standardised, which I think is an opportunity missed."

There are also changes to the AMA’s qualifying criteria. Now, operational risk losses related to credit risk that have historically been tracked in the bank’s credit risk loss database -- such as collateral management failures -- will continue to be treated as credit risk for the purposes of calculating regulatory capital. Previously, it seemed they would have to be calculated under the op risk framework. To make this work, the Committee has asked that internal op risk measurement systems are now consistent not only with the Basel definition of operational risk but also with the loss events defined by the Committee. Losses related to credit risk must then be flagged separately. OpRisk

Ellen Leander