EBA to publish governance and op risk guidelines in September and October

The European Banking Authority (EBA) will publish two delayed sets of operational risk and internal governance guidelines in the next two months, according to Bernd Rummel, who focuses on internal governance, operational risk and auditing at the new European regulatory agency. The body is also gearing up to begin preliminary work on new technical standards that will be required under the proposed fourth version of the Capital Requirements Directive (CRD IV).

The first paper - a final version of guidelines on internal governance - will be published in mid-to-late September, says Rummel. A consultation paper on the topic was published in October 2010 by the EBA's predecessor, the Committee of European Banking Supervisors, and a hearing was held in December 2010. New processes required by the EBA's regulatory framework delayed the publication of the final guidance, Rummel says - the new agency was established in January, alongside two other new regulatory bodies, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority.

The EBA guidelines will be launched roughly three months after a new paper from the Basel Committee on Banking Supervision, which provides supervisory guidelines for the advanced measurement approaches (AMA) to operational risk. The Basel paper advocates a vastly expanded role for the board of directors, including the approval and review of operational risk appetite, and the setting of policies on effectiveness testing of the overall operational risk framework. The Basel Committee also published principles on enhancing corporate governance in October 2010.

Rummel says the EBA paper is more generic than the Basel document, and deals with all aspects of internal governance. The EBA is set to produce draft regulatory technical standards for selected aspects of risk governance, and in particular on the "fit and properness of directors" topic, by the end of December 2015 as proposed by CRD IV.

The second release, due in October, provides guidelines on the supervisory processes required for banks to make changes to their AMA models. This follows the launch of a draft consultation paper last December, and a hearing in February.

However, this is not the end of the road for these guidelines, as CRD IV requires them to be turned into binding technical standards, with a draft version to be submitted to the European Commission (EC) by the end of 2013. Before drafting the standards, the EBA will undertake a study next year on the implementation of the new guidelines by banks, Rummel says.

The AMA change guidelines were drafted to fix an omission in the original capital requirements directive, Rummel explains. "Every time a bank wants to change its AMA, it has to go back to its supervisors and ask for their permission because you have to have permission to use the AMA, and you have only had approval for the AMA as it was applied for," says Rummel.

"In our AMA change policy, we are setting out communication procedures to the supervisor, but also we're introducing categories of the different kinds of changes. So for significant changes you actually need an approval, but there are also major or minor changes where you can go ahead without formal approval from the supervisor but still have to provide notification. It makes it easier for banks to go ahead with AMA changes, as they don't have to go through an approval process for every one," he says, adding that some countries already have their own domestic procedures for model change in place, which would be harmonised by the guidelines.

Alongside the new technical standards for the AMA change process, by the end of 2013 the EBA will also have to produce binding technical standards for the assessment methodology under which regulators allow institutions to use the AMA.

The deadlines for much of the other operational risk-related work the EBA must accomplish as part of CRD IV proposals are a little longer. Rummel points out that serious work on some of these issues can only begin once the final text of CRD IV is known, but says preliminary work will start shortly. By the end of 2016, the EBA must submit draft technical standards to the EC in six operational risk areas, including:

• Rules for regulators to assess whether firms are using an appropriate combination of approaches - which include the AMA, the alternative standardised approach (ASA), the standardised approach (TSA) and the basic indicator approach (BIA) - to capture all of their operational risks;
• Conditions under which regulators should require firms to use the AMA for a significant part of their risk if the firm is employing a mix of the various approaches;
• Rules on how to calculate gross income under the BIA, if the bank is not using the standards established under the accounting directve;
• Standards for the ASA that hardwire the specific conditions which must be met by banks using an ASA (retail or commercial banking activities to be 90% of income, as well as a requirement for a significant portion of retail or commercial banking activities to comprise loans associated with a high probability of default and providing an appropriate basis for calculating the capital requirement);
• Conditions on which to base an assessment of how sound institutions' correlation assumptions are and how they are implemented;
• Standards on the exceptional cases where firms may allocate losses to a new business line - "corporate items" - under the AMA.

By December 2017, the EBA has to submit draft technical standards to the EC on:

• How firms should develop and document policies and criteria for business line mapping under the TSA - a significant piece of work, which will include formulations on how firms should allocate difficult-to-map activities.