Supervisory
Guidance: Supervisory Review
Process of
Capital Adequacy (Pillar 2) Related
to the
Implementation of the Basel II Advanced Capital
Framework
AGENCIES: Office of
the Comptroller of the Currency, Treasury (OCC); Board
of Governors of the Federal Reserve System (Board);
Federal Deposit Insurance Corporation (FDIC); and Office
of Thrift Supervision, Treasury (OTS) (collectively, the
agencies).
ACTION: Final
supervisory guidance.
SUMMARY:
The agencies
are publishing guidance regarding the supervisory review process for capital
adequacy (Pillar 2) provided in the Basel II
advanced approaches final rule, which was published in the Federal Register on
December 7, 2007 (advanced approaches final
rule).
The
supervisory review process described in this guidance
outlines the agencies’ standards for
(i)
satisfying the qualification requirements provided in
the advanced approaches final rule;
(ii)
addressing the limitations of the minimum risk-based
capital requirements for credit risk and operational
risk;
(iii)
ensuring that each institution has a rigorous process
for assessing its overall capital adequacy in relation
to its risk profile and a comprehensive strategy for
maintaining appropriate capital levels; and
(iv)
encouraging each institution to improve its risk
identification and measurement techniques.
This
supervisory guidance applies to any bank, savings
association, or bank holding company1 implementing
the advanced approaches final
rule.
SUPPLEMENTARY
INFORMATION: The
agencies issued a notice of proposed rulemaking (NPR) on
September 25, 2006, seeking
comment on a new risk-based capital adequacy framework
that requires some and permits other qualifying banks to
use an internal ratings-based (IRB) approach to
calculate regulatory capital requirements for credit
risk and certain advanced measurement approaches (AMA)
to calculate regulatory capital requirements for
operational risk (together, the IRB and the AMA are
referred to as the “advanced approaches”).
On December
7, 2007, the agencies published the advanced approaches
final rule.
The advanced
approaches final rule is based largely on a series of
publications by the Basel Committee on Banking
Supervision (BCBS) that culminated in a comprehensive
release in June 2006, titled, “International Convergence
of Capital Measurement and Capital Standards: A Revised
Framework” (New Accord).
The New
Accord presents a three-pillar framework for determining
risk-based capital requirements for credit risk, market
risk, and operational risk (Pillar 1); supervisory
review of capital adequacy (Pillar 2); and market
discipline through enhanced public disclosure (Pillar
3).
On February 28, 2007, the agencies
published in the Federal Register three separate
documents proposing supervisory guidance related
to the implementation of the advanced
approaches.
Two of those
documents provided guidance for certain aspects of
Pillar 1, that is, for the IRB systems for determining
the credit risk of retail and wholesale exposures, and
other systems for equity and securitization exposures,
and for the AMA for determining operational risk.
The third
document proposed guidance for Pillar 2.
This final guidance document provides
supervisory guidance only for Pillar 2, and it
does not provide Pillar 1 guidance on the systems for
determining regulatory capital requirements for credit
risk or for determining regulatory capital requirements
for operational risk.
This
document does not differ significantly from the proposed
Pillar 2 guidance.
The agencies recognize that a number of
institutions may need additional guidance to implement
the advanced approaches final rule.
Accordingly,
consistent with the proposed guidance for Pillar 2, this
guidance document highlights certain aspects of existing
supervisory review that are being augmented or clarified
to support the implementation of the supervisory
assessment of overall capital adequacy under the
advanced approaches final rule.
In making
this assessment, the agencies will consider, among other
items, whether each institution
(i) has
satisfied the qualification requirements for
implementing the advanced approaches;
(ii) has a
rigorous process for assessing its overall capital
adequacy in relation to its risk profile and a
comprehensive strategy for maintaining appropriate
capital levels (internal capital adequacy assessment
process -- ICAAP); and
(iii)
maintains a satisfactory risk management and control
structure, consistent with its capital position and
overall risk profile.
The agencies
received ten public comments on the proposed guidance
from banking organizations, trade associations
representing the banking or financial services industry,
and other interested parties.
Overall, the
commenters supported the principles-based orientation of
the guidance.
However,
some commenters recommended revisions to certain
sections of the guidance that they viewed as overly
prescriptive.
One
commenter expressed concern that the guidance appeared
to suggest that increases in risk should result in
greater capital, even if an institution already
maintains a substantial capital buffer.
To address
this concern, the agencies have revised the guidance to
clarify that an increase in risk may not necessarily
require an increase in capital where the bank already
holds capital at a level exceeding what its internal
processes and supervisors regard as
adequate.
Other
commenters expressed concern regarding the agencies’
position that liquidity risk should be addressed within
the ICAAP.
However, the
proposed guidance was consistent with the agencies’ view
of liquidity risk as a material risk that can affect
capital adequacy.
The agencies clarified this section
of the guidance to indicate that, within the ICAAP,
institutions should consider the
capital adequacy implications of liquidity risk.
One
commenter expressed the concern that each bank’s ICAAP
measures would be compared to (and reconciled with)
Pillar
1 measures
and to other institutions’ ICAAP results.
The agencies
acknowledge that there may be limited comparability to
Pillar 1 measures because a bank’s ICAAP under Pillar 2
should be tailored to its individual risk profile, while
Pillar 1 measures are based on certain common
assumptions that may not apply to each individual bank.
Accordingly,
there is likely to be some limit to the comparisons that
can be made across institutions.
Some
commenters expressed confusion about the stress testing
requirement in Pillar 1 and stress testing discussed in
the Pillar 2 guidance.
The agencies regard stress testing as a
critical component in the identification and measurement
of material risks.
Although
there are no prescriptive stress testing requirements in
Pillar 2, institutions should use stress testing or
similar exercises in their ICAAP to consider the
consequences of unlikely but severe events and outcomes
as an input to the capital adequacy assessment
process.
Finally, one
commenter indicated that it might not be practical to
incorporate the ICAAP into bank management’s
decision-making process.
The agencies
believe that for the ICAAP to be meaningful and
relevant, it should be consistent with the bank’s other
risk management practices.
Supervisory
Review Process of Capital Adequacy (Pillar 2) Related to
the Implementation
of the
Advanced Approaches Final Rule
1. This
guidance supplements the final rule published jointly by
the U.S. Federal banking agencies in the Federal Register
on December 7, 2007 (advanced approaches
rule).
The advanced
approaches rule implements a new risk-based capital
framework encompassing three pillars:
• minimum
risk-based capital requirements (Pillar
1);
•
supervisory review (Pillar 2);
and
• market
discipline through enhanced public disclosures (Pillar
3).
The minimum
risk-based capital requirements in Pillar 1 of the
advanced approaches rule apply to a bank’s calculation
of minimum risk-based capital requirements for credit
risk and operational risk.
If the bank is also
subject to the market risk rule,
then the
minimum risk based capital requirements in that rule
would apply.
2. This
document addresses the process for supervisory review in
the advanced approaches rule.
As described
in this guidance, supervisory review covers three main
areas:
•
comprehensive supervisory review of capital
adequacy;
• compliance
with regulatory capital requirements;
and
• internal
capital adequacy assessment process
(ICAAP).
3. The
process of supervisory review described in this guidance
reflects a continuation of the
longstanding approach employed by the agencies in their
supervision of banks.
However,
because implementation of the advanced approaches rule
affects certain aspects of supervisory review, this
guidance highlights areas of existing supervisory review
that are being augmented or more clearly defined to
support implementation of the advanced approaches rule
by U.S. banks.
4. The
supervisory review process described in this document is
intended to help ensure overall capital adequacy
by:
• confirming
a bank’s compliance with regulatory capital
requirements;
• addressing
the limitations of minimum risk-based capital
requirements as a measure of a bank’s full risk profile
– including risks not covered or not adequately
addressed or quantified in Pillar
1;
• ensuring
that each bank is able to assess its own capital
adequacy (beyond minimum risk-based capital
requirements) based on its risk profile and business
model; and
•
encouraging banks to develop and use better techniques
to identify and measure risk.
5. This
guidance neither supersedes nor alters the functioning
of the existing Prompt Corrective Action
requirements.
Similarly,
this guidance does not affect any other requirements for
compliance with existing regulations and supervisory
standards related to risk-management practices or other
areas.
The
supervisory review process described in this guidance
supports the supervisors' existing ability
to:
• require an
individual bank to take measures to prevent its capital
from falling below the level needed to adequately
support its risks; or
• otherwise
intervene to ensure that the bank’s capital levels are
adequate.
COMPREHENSIVE
SUPERVISORY REVIEW OF CAPITAL
ADEQUACY
6. Capital
helps protect individual banks from
insolvency, thereby promoting safety and soundness in
the overall U.S. banking system.
Minimum
risk-based capital requirements establish a threshold
below which a sound bank’s risk-based capital must not
fall.
Risk-based
capital ratios permit some comparative analysis of
capital adequacy across banks because they are based on
certain common assumptions.
However,
supervisors must perform a more
comprehensive review of capital adequacy that considers
the risks that are specific to each individual bank,
including those not incorporated in risk-based capital
requirements.
In short,
supervisors must ensure that a bank’s overall capital
does not fall below the level required to support its
entire risk profile.
7.
Supervisors generally expect banks to hold capital
above their minimum risk-based
capital levels, commensurate with their individual risk
profiles, to account for all material
risks.
Going
forward under the advanced approaches rule, supervisors
will continue to review the overall capital adequacy of
any bank through a comprehensive evaluation that
considers all relevant available information.
In
determining the extent to which banks should hold
capital in excess of risk-based capital minimums,
supervisors will consider:
the combined
implications of a bank’s compliance with qualification
requirements for regulatory capital standards;
the quality
and results of a bank’s own process for determining
whether capital is adequate (the
ICAAP);
and the
bank’s risk-management processes, control structure, and
other relevant information relating to the bank’s risk
profile and capital
level.
This review
is consistent with current supervisory practice, under
which the agencies assess a bank’s overall capital
adequacy through a comprehensive evaluation of all
relevant information.
8. The
supervisory
review process assesses whether a
bank has a satisfactory process to determine that its
overall capital is adequate, and that the bank maintains
adequate capital on an ongoing basis, as underlying conditions
change.
For example, changes in a bank’s risk
profile or in relevant capital measures are areas of
particular focus that are effectively addressed through
the supervisory review process.
Generally, a bank should hold more capital
for material increases in risk that are not otherwise
mitigated, unless the bank already holds capital at a
level exceeding what its internal processes and
supervisors would regard as adequate.
Conversely, a bank may be able to reduce overall capital (to a level still
above regulatory minimums) if the supervisory review
supports the conclusion that the bank’s inherent risk
has materially declined or that it has been
appropriately mitigated.
9. As a
result of its comprehensive supervisory review,
a bank’s
primary Federal supervisor may take action if it is not
satisfied that capital is adequate.
The primary Federal supervisor may require
the bank to take actions to address identified
supervisory concerns, which may include requiring the
bank to hold additional capital to bring capital to
levels that the supervisor deems commensurate with the
bank’s risk profile.
In addition, the primary
Federal supervisor
may, under its
enforcement authority, require a bank to modify or
enhance risk management and internal-control processes, reduce
its exposure to risk, or take any action deemed
necessary to address identified supervisory
concerns.
COMPLIANCE WITH REGULATORY
CAPITAL REQUIREMENTS
10. In order to use the advanced
approaches rule to calculate minimum risk-based capital
requirements, a bank must meet
certain process and systems requirements.
As part of the supervisory review process,
the agencies will ensure that each bank meets these
requirements.
The advanced approaches rule provides an
explanation of these qualification requirements for any
systems and processes used.
11. A bank using the advanced approaches
rule must comply with the rule’s
qualification requirements for both initial and ongoing
qualification.
A bank that falls out of compliance with
the qualification requirements would be required to
establish a plan to return to compliance that satisfies
its primary Federal supervisor.
12. Supervisors will ensure that each bank
using the advanced approaches rule complies with the
qualification requirements both at
the consolidated level and at any subsidiary bank
that uses the advanced approaches rule.
Thus, each bank that applies the advanced
approaches rule must have appropriate risk-measurement
and risk-management processes and systems that meet the
rule's qualification
requirements.
THE
ICAAP
13. The qualification requirements in the
advanced approaches rule state that “a bank must have a rigorous process for
assessing its overall capital adequacy in relation to
its risk profile and
a comprehensive strategy for maintaining an appropriate
level of capital.”
Because minimum risk-based capital requirements
are based on certain assumptions and address only
a subset of
risks faced by an individual bank, each bank must
conduct an internal assessment of whether its capital is
adequate, given its risk profile.
A bank must
conduct this assessment, using the ICAAP, in addition to
its calculation of minimum risk-based capital
requirements.
Accordingly,
a bank’s capital should exceed the level required by its
minimum risk-based capital requirements, and also should
be adequate according to its own ICAAP.
14. The
fundamental objectives of a sound ICAAP
are:
•
identifying and measuring material
risks;
• setting
and assessing internal capital adequacy goals that
relate directly to risk;
and
• ensuring
the integrity of internal capital adequacy
assessments.
15.
Assessing overall capital adequacy through the ICAAP
requires thorough
identification of all material risks, measurement
of those that can be reliably quantified, and systematic
assessment for the limitations of minimum risk-based
capital requirements.
The ICAAP
should address the capital implications arising from
both on- and off-balance sheet positions, as well as
from provisions of explicit or implicit support.
Material
risks include those that in isolation do not appear to
be material at first, but when combined with other risks
could lead to material losses.
In this
manner, the ICAAP should contribute broadly to the
development of better risk management within the
organization at both the individual entity and
consolidated levels.
16. Each
bank implementing the advanced approaches rule should have an ICAAP that is appropriate
for its unique risk characteristics and should not rely
solely upon the assessment of capital adequacy at the
parent company level.
This does
not preclude the use of a consolidated ICAAP as an
important input to a subsidiary bank's own ICAAP,
provided that each entity's board and senior management
ensure that the ICAAP is appropriately modified to
address the unique structural and operating
characteristics and risks of the subsidiary
bank.
17. In
general, the ICAAP
will likely go beyond the assumptions built into minimum
risk-based capital requirements.
However, in
certain instances a bank’s ICAAP – when supported by
proper justification and evidence – may build upon and
utilize the methods, practices, and results it uses to
determine minimum risk-based capital requirements.
For example,
in developing the ICAAP, a bank may choose to use data,
ratings, or estimates from internal ratings-based
approaches for credit risk;
or a bank
may choose to use the advanced measurement approaches as
the basis for its internal assessment of operational
risk.
Furthermore,
although the ICAAP should be a distinct and
comprehensive process that produces its own capital
measures, in some cases a bank may be able to
demonstrate that minimum risk based capital measures
appropriately reflect certain aspects of a bank’s risk
profile and thus are appropriate for use in its
ICAAP.
18. The
design and operation of any systems used to meet the
ICAAP requirements will likely
differ, depending on the complexity of each
bank’s operations and risk profile.
Many banks employ “economic
capital” measures
for some elements of risk management, such as
limit setting, or
for evaluating performance or determining aggregate
capital needs.
In some
cases, economic capital measures may relate
directly to a bank’s assessment of capital adequacy
under the ICAAP;
however, in other cases, a bank may be
using economic capital measures that are not intended
for capital adequacy assessments.
In the latter case, a bank does not
necessarily need to change its existing process or
systems, but it may need to build upon or adjust its
economic capital measures for use in the ICAAP and the
bank would have to demonstrate clearly how it does
so.
Notably,
economic capital is not the only means to meet
the ICAAP requirement.
Regardless of the specific implementation
method(s) chosen, the bank’s ICAAP should address the
three ICAAP objectives listed in
paragraph.
Identifying and Measuring
Material Risks
19.
The first
objective of the ICAAP is to identify all material
risks.
Risks that can be reliably measured and quantified
should be treated as rigorously as data and
methods allow.
The appropriate means and methods to
measure and quantify those material risks are likely to
vary across banks.
The key point is for a bank to be able to
identify all material risks and measure those that can
be reliably quantified in order to determine how those
risks affect the bank’s overall capital
adequacy.
20. Some of
the risks to which a bank may be exposed include
credit risk, market risk, operational risk, interest
rate risk in the banking book, and liquidity
risk (as
outlined below).
Other risks, such as reputational risk, business or strategic
risk, and country risk may also be material for a bank
and, in such cases, should be given equal consideration
to the more formally defined risk
types.
Additionally, if a bank employs risk
mitigation techniques it should the risk to be mitigated and the
potential effects of that mitigation (including
enforceability and
effectiveness).
• Credit risk: A bank
should have the ability to assess credit risk at the
portfolio level in addition to the exposure or
counterparty level. In making this assessment, the bank
should be particularly attentive to identifying any
credit risk concentrations and ensuring that their
effects are adequately assessed.
The bank should consider the various types of dependence among
exposures, and the credit risk effects of extreme
outcomes, stress events, and shocks to assumptions about
portfolio and exposure behavior.
The bank also should carefully assess
concentrations in counterparty credit exposures,
including those that result from trading in less liquid
markets, and determine the effect that these exposures
might have on capital adequacy.
• Market
risk: A bank
should be able to identify risks in trading and capital
markets activities resulting from a movement in market
prices and rates.
This determination should consider factors
such as illiquidity of instruments, leverage,
concentrated positions, one-way markets, non-linear or
deep out-of-the money option positions as well as
embedded optionality, and the potential for significant
shifts in correlations or other types of dependence
structures.
Assessments that incorporate extreme
events, idiosyncratic variations, credit migrations or
changes in credit spreads, defaults, and shocks should
also be tailored to capture key portfolio
vulnerabilities.
•
Operational risk: A bank
should be able to assess the potential risks resulting
from inadequate or failed internal processes, people,
and systems, as well as from events external
to the
bank.
This
assessment should include the effects of extreme events
and shocks relating to operational risk.
Extreme events could include a substantial
or sudden increase in failed processes across business
units or a significant incidence of failed internal
controls.
• Interest
rate risk in the banking book: A bank
should incorporate interest rate risk in the banking
book into its assessment of capital adequacy.
In making
this assessment, the
bank should identify the risks associated with
changes in interest rates that impact both on- and off
balance sheet exposures in the banking book from a
short- and long-term perspective.
This might include the impact of changes
due to parallel yield curve shocks, yield curve twists,
yield curve inversions, changes in the adjustment of
rates earned and paid on different financial instruments
with otherwise similar repricing characteristics (basis
risk), and other relevant scenarios including some that
incorporate stress events, extreme outcomes, and shocks
to
assumptions.
The bank should be able to support any
assumptions it has made with respect to the behavioral
characteristics of servicing rights, non-maturity
deposits, positions subject to prepayment risk, and
other assets and liabilities, especially for those
exposures characterized by embedded
optionality.
• Liquidity
risk: A bank
should incorporate liquidity risk into the assessment of
its capital adequacy.
A bank should evaluate whether capital is
adequate given its own funding liquidity profile and
given the liquidity of the markets in which it operates.
This assessment should various types of
liquidity environments and include an evaluation of the
potential for a material disruption in the sources
of liquidity typically relied on by the
bank as a result of
bank-specific as well as systemic events.
A bank
should consider the capital adequacy implications of
lacking a well-diversified funding base, relying
predominantly on wholesale credit markets for its
funding, or relying heavily on volatile funding sources.
A bank
involved in
securitization activities
should consider the capital adequacy implications of
relying on market liquidity to distribute warehoused
assets, including the potential for disruptions that
would cause a bank to bring certain items onto its
balance sheet.
In its
assessment of the impact of liquidity risk on capital
adequacy, the bank should also challenge assumptions
built into its definition of liquid
products.
The risk
factors discussed above are not an
exhaustive list of those affecting any given bank.
A
well-developed ICAAP should include an assessment of all
relevant factors that present a material source of risk
to capital, and should account for concentrations within
each risk type.
21. A bank
should assess whether its capital is
sufficient to absorb any losses that may arise from
activities that expose the bank to multiple risks within
and across business lines or create concentrations across risk
types.
A bank
should recognize that losses could arise in several risk
dimensions at the same time, stemming from the same
event or a common set of factors.
For example,
a localized natural disaster could generate losses from
credit, market, and operational risks.
Additionally,
the ICAAP
should focus on any complex activities that give rise to
multiple risks, and to their interaction.
These
activities can involve instruments that may be complex,
illiquid, or difficult to value.
For example,
securitization activities expose a bank to a variety of
risks that can affect capital adequacy at the same time,
including credit, market, liquidity, and reputational
risks; structured products can have multiple embedded
risks that interact in complex ways and can present
losses in multiple risk areas across different business
lines at the same time.
In general,
the ICAAP should include an
assessment of the potential effects of convergence of
risks within and across business lines and their
combined impact on capital
adequacy.
22. The
ICAAP should take into consideration the linkage
between capital adequacy and damage or potential damage
to a bank’s reputation.
A bank might
incur losses affecting capital adequacy because of
damage to its reputation, or the bank might incur losses
trying to prevent or mitigate damage to its reputation.
In assessing
the linkage between reputational
risk and capital adequacy, a bank should assess
risks associated with both on-balance sheet and
off-balance sheet exposures and activities, as well as
risks associated with affiliates, subsidiaries,
counterparties, clients, or other third parties.
The
assessment should include activities for which the bank
acts as a sponsor or advisor, and cases in which the
bank provides explicit or implicit support.
A bank
should also assess the risk of having to
assume the losses of a third party to prevent
or mitigate damage to the bank’s
reputation.
23. The
bank’s ICAAP should assess risks associated with
new
products, markets and activities.
In making
this assessment, the bank should account for any
uncertainty in the valuation of new products, whether by
the bank or a third party, which could be more
challenging if the new products are particularly complex
or do not have liquid markets.
The ICAAP
should take into consideration changing dynamics in
markets for new products and uncertainty as to how new
markets might respond to stress conditions.
The ICAAP
should also assess the challenges presented by new
business lines or strategic acquisitions in terms of
their impact on capital adequacy.
24. All
measurements of risk should incorporate both quantitative and
qualitative elements.
Generally, a
quantitative approach should form the foundation of a
bank’s measurement framework.
Quantitative
approaches that focus on most likely outcomes for
budgeting, forecasting, or performance measurement
purposes may not be fully applicable for assessing
capital adequacy, which also should take less likely
outcomes into account.
25. In some
cases, quantitative tools can include
the use of large historical
databases.
These
databases are most applicable when they are fully
reflective of all relevant risk characteristics,
incorporate appropriate variability, and have adequate
granularity and history;
for example,
they should include data based not just on benign but
also more stressful economic periods or operating
environments.
When
internal data are not available or do not reflect a
bank’s risk profile, a bank may rely
on external data for risk measurements, but should
ensure that external data have applicability to the
bank’s own activities and risk
profile.
26. The confidence a bank places in the
results of its ICAAP should depend on the quality and
robustness of the associated risk assessments.
When
measuring risks, a bank should understand that
estimation and measurement errors are common, and in
many cases are themselves difficult to quantify.
In general,
the bank’s ICAAP should reflect an appropriate level of
conservatism to account for uncertainty in risk
identification, risk mitigation or control, and risk
quantification.
In most
cases, appropriate
conservatism will result
in greater capital needs.
27. In many
cases, risk
assessments may rely to a significant degree on models
that use
both qualitative and quantitative inputs.
The use of
models can enhance the ICAAP, but it can also introduce
challenges. Specifically, models may fail to work as
intended or expected, or they may be used
inappropriately for purposes not considered in their
initial design.
These concerns apply to models purchased from
third-party vendors, as well as to models that are
internally developed.
A bank using
models as part of the ICAAP should recognize these
possibilities and ensure that appropriate controls, such
as rigorous initial and ongoing validation and
independent review, are in place to mitigate and manage
any risks related to model use.
A bank
should apply appropriate
conservatism to
compensate for any risks associated with models.
Additional
conservatism may be necessary to account for any
uncertainties in the use of models to value on or
off-balance
sheet exposures or for imperfections and volatility in
market-based valuations.
Additional
conservatism may be necessary to compensate for
increased risk, for example, when models or applications
are more complex, or when they have a more significant
influence on the ICAAP’s
results.
28. To gain
a fuller understanding of the risks beyond more typical
quantitative measures – such as those based on certain
parameter behavior or distributional assumptions – a bank should also rely on other types of
quantitative exercises.
For example,
stress
testing, including scenario analysis and sensitivity
analysis, is an
additional quantitative exercise that a bank should
regularly apply to complement more typical quantitative
measures.
A bank may
need to rely more heavily on such exercises when
internal or demonstrably relevant external
data
are scarce.
These
exercises can help gauge the consequences of outcomes
that are unlikely, but would have a considerable impact
on safety and soundness.
29. In
addition to quantitative approaches for assessing risk,
a bank should also employ qualitative approaches that
incorporate management experience and judgment.
Qualitative
measures should be employed not only for those cases in
which scarce data or unproven quantitative methods limit
a full assessment of risk, but also more generally to
complement even sophisticated quantitative estimates
based on extensive and high-quality
data.
30. A bank
should be cognizant that both quantitative and qualitative
approaches have inherent biases and assumptions that
affect risk assessment.
Accordingly,
a bank should recognize the biases and assumptions
embedded in, and the limitations of, the approaches
used.
31. An
effective ICAAP is comprehensive, assessing material risks across the entire
bank.
Each bank
should have systems capable of aggregating across risk
types.
A bank
should understand the challenges presented by risk
aggregation and the inherent uncertainty in quantitative
estimates used to aggregate risks (including the
difficulty in estimating concentrations across risk
types as noted in paragraph 21).
For example,
a bank is encouraged to consider the
various interdependencies among risk types,
the
different techniques used to identify such
interdependencies, and the channels through which those
interdependencies might arise – across risk types,
within the same business line, and across different
business lines.
Consistent
with paragraph 26, any associated uncertainty in
aggregating capital estimates across risk types and
business lines should translate into greater capital
needs.
32.
Management should be systematic and rigorous in
considering possible effects of diversification.
Assumptions about diversification
should be identified at each level where
diversification is recognized, supported by analysis and
evidence, and remain robust over time and under
different market environments, including stressed market
conditions.
For example,
a bank calculating the dependence structure within or
among risk types should consider data quality and
consistency, such as the volatility of correlations over
time and during periods of market stress.
In general,
a bank should consider a wide range of possible adverse
outcomes that have the potential to affect multiple
risks at the same time and to limit expected
diversification benefits.
Consistent
with paragraph 26, uncertainty in diversification
estimates should translate into greater capital
needs.
Setting and
Assessing Capital Adequacy Goals that Relate to
Risk
33.
The second
objective of the
ICAAP is to set and assess capital
adequacy goals in relation to all material risks.
Under this
objective, a bank should have a well-defined process to
translate estimates of risk into an assessment of
capital adequacy.
In practice,
capital adequacy goals may be reflected in various ways.
A bank may
choose to hold capital in excess of the level internal
processes would regard as adequate for any number of
business or strategic reasons.
Excess
capital may fluctuate over time.
Each bank
should recognize that minimum
risk-based capital requirements represent a floor
below which the bank’s overall capital level must not
fall, even if bank management believes that there is
justification to maintain less capital.
34. A bank
may establish its risk-tolerance
level to reflect a desired level of risk coverage
and/or a certain degree of creditworthiness, such as an
explicit solvency standard.
Accordingly,
assessments of risk and capital adequacy should reflect
the chosen risk tolerance of the bank.
Because risk
profiles and choices of risk tolerance may differ across
banks, capital targets may also differ.
However, if
for internal capital adequacy purposes a bank were to
choose to apply a level of risk coverage or a solvency
standard that is less than that implied by minimum
risk-based capital requirements, the bank would have to
be able to:
identify and
support the rationale for a lower solvency standard;
demonstrate clearly that its ICAAP addresses
low-probability, high-severity events;
and ensure
that there is sufficient capital to absorb losses
associated with such extreme events.
Regardless
of the solvency standard used, supervisors expect banks
to hold capital at a level above that established by
minimum risk-based capital
requirements.
35. A bank
should consider external
conditions and other factors that influence its
overall capital adequacy, including the potential impact
of contingent exposures and changing economic and
financial environments.
The ICAAP
should address the
potential impact of broader market or systemic
events, which could
cause risk to increase beyond the bank’s chosen
risk-tolerance level, and have appropriate contingency
plans for such outcomes.
Such
exercises may include stress
testing, such as
scenario and sensitivity analysis; however, in all cases
they
should
incorporate both quantitative and qualitative
methods.
36. Through
the ICAAP, a bank should ensure that
adequate capital is held against all material risks, and
that capital remains adequate not just at a point in
time, but over time, to account for changes in a
bank's strategic direction, evolving economic
conditions, and volatility in the financial environment.
A bank
should be cognizant of the impact of market-driven
valuations on the volatility of capital.
Moreover,
recognizing the sensitivity of capital to economic and
financial cycles should be a
critical component of a bank’s planning for current and
future capital needs.
For example,
a bank should consider the potential effects of a
sudden, sustained economic downturn.
The level of
capital deemed adequate by a bank given its ICAAP might
also be influenced by the bank's intention to hold
additional capital to mitigate the
impact of volatility in capital
requirements, its need to support acquisition plans, or
its decision to accommodate market perceptions of
capital adequacy and their impact on funding
costs.
37. In
analyzing capital adequacy, a bank should evaluate the capacity of its capital to
absorb losses.
Because
various definitions of capital are used within the
banking industry, each bank should state clearly the
definition of capital used in any aspect of its ICAAP.
Since
components of capital are not necessarily alike and have
varying capacities to absorb losses, a bank should be
able to demonstrate the relationship between its
internal capital definition and its assessment of
capital adequacy.
If a bank’s
definition of capital differs from the regulatory
definition, the bank
should reconcile such differences and provide an
analysis to support the inclusion of any capital
instruments that are not recognized under the regulatory
definition.
Although
common equity is generally the predominant component of
a bank’s capital structure, a bank may be able to
support the inclusion of other capital instruments in
its internal definition of capital if it can demonstrate
a similar capacity to absorb losses.
The bank
should document any changes in its internal definition
of capital, and the reason for those
changes.
38. An
effective capital plan recognizes a bank’s short- and long-term capital needs and
objectives.
Accordingly,
a bank should evaluate whether long-run capital targets are consistent
with short-run goals, based on current and
planned changes in risk profiles.
In
developing its capital plan, the bank also should
recognize that accommodating additional capital needs
can
require
significant lead time, can be costly, or can be quite
difficult, especially during downturns or other times of
stress.
A bank
should have contingency
plans to address unexpected capital
needs.
Ensuring
Integrity of Internal Capital Adequacy
Assessments
39.
A
satisfactory ICAAP comprises a complete process with
proper oversight and controls, and not just an ability
to carry out certain capital calculations.
The various
elements of a bank’s ICAAP should complement and
reinforce one another to achieve the overall objective
of assessing capital adequacy, taking into account the
bank’s risk profile.
40. A bank
should
maintain adequate internal controls to ensure
the integrity, objectivity, and consistent application
of the ICAAP.
Decisions
regarding the design and operation of the ICAAP should
reflect sound risk management, and should not be unduly
influenced by competing business objectives.
A bank
should identify any deficiencies in
its ICAAP and plan and take remedial actions to
address the deficiencies in a timely manner.
The
principles underlying a bank's ICAAP should be
incorporated into policies that are reviewed and
approved at appropriate levels within the
organization.
41. A bank
should maintain thorough
documentation of its ICAAP to
ensure transparency.
At a minimum, this should
include a description of the bank’s
overall capital management process,
including the committees and individuals responsible for
the ICAAP;
the frequency and distribution of ICAAP-related
reporting;
and the
procedures for the periodic evaluation of the
appropriateness and adequacy of the ICAAP.
In addition,
where applicable, ICAAP documentation should demonstrate
the bank’s sound use of quantitative methods (including
model selection and limitations) and data–selection
techniques, as well as appropriate
maintenance, controls, and
validation.
A bank should document and
explain the role of third
party and vendor
products, services and information – including
methodologies, model inputs, systems, data, and ratings
– and the extent to which they are used within the
ICAAP.
A bank
should have a process to regularly
evaluate the performance of third-party and vendor
products,
services and
information.
As part of
the ICAAP documentation, a bank should document the
assumptions, methods, data, information, and judgment
used in its quantitative and qualitative
approaches.
42.
The ICAAP
should be enhanced and refined over
time, with
learning and experience (both quantitative and
qualitative) contributing to its improvement.
The ICAAP
should evolve with changes in the risk profile and
activities of the bank, as well as with advances in risk
measurement and management practices.
For example,
a bank should incorporate in its
ICAAP the introduction of new products and business
lines and activities to ensure that the bank’s
capital plan is responsive to changes in the operational
and/or business environment.
43. The
board of directors and senior
management have certain responsibilities in
developing, implementing, and overseeing the ICAAP.
The board
should approve the ICAAP and its components.
The board or
its appropriately delegated agent should review the
ICAAP and its components on a regular basis, and approve
any revisions.
That review
should encompass the effectiveness of the ICAAP, the
appropriateness of risk tolerance levels
and
capital
planning, and the strength of control infrastructures.
Senior management should continually ensure that the
ICAAP is functioning effectively and as intended, under
a formal review policy that is explicit and well
documented.
Additionally,
a bank’s internal audit
function should play a key role in reviewing the
controls and governance surrounding the ICAAP on an
ongoing basis.
44. Each
bank should ensure that the
components of its ICAAP, including any models and their
inputs, are subject to the bank’s validation policies and procedures.
Validation
should be independent of the development,
implementation, and operation of the
ICAAP components, or the validation process should be
subject to an independent review of its adequacy
and
effectiveness.
Validation
is generally defined as an ongoing process that
includes, but is not limited to, the collection and
review of developmental evidence, process
verification, benchmarking, outcomes analysis, and
monitoring activities used to confirm that processes are
operating as designed.
Validation
policies and procedures should reflect the bank’s
business, structure, and sophistication, as well as the
relative importance of each component of the ICAAP.
Accordingly,
a bank is encouraged to consult the agencies’ existing
guidance on validation.
45. A bank’s
ICAAP should be aligned with and be a part of the bank’s wider internal
governance structure and overall risk-management
processes.
The ICAAP
should not be viewed as simply a compliance exercise.
Rather, it
is a dynamic and evolving process that is used by a bank to provide internal
assurance that capital is adequate given the bank’s risk
profile.
Management
is responsible for ensuring that the
ICAAP is fully consistent with the overall risk
management framework of the bank.
Information
derived through the ICAAP process should influence
decision making at both the
consolidated and individual business-line levels, and be
used to inform other management processes related to
risk assessment, business planning and forecasting,
pricing strategies, and performance
measurement.
46. As part
of the ICAAP, the board or its
delegated agent, as well as appropriate senior
management, should periodically review the resulting
assessment of overall capital
adequacy.
This review, which should occur at least
annually, should include an analysis of how
measures of internal capital adequacy
compare with other capital measures (such as regulatory,
accounting based or
market-determined).
Upon
completion of this review, the board or its delegated
agent should determine that, consistent with safety and
soundness, the bank’s capital takes
into account all material risks and is appropriate for
its risk profile.
However, in
the event a capital deficiency is uncovered (that is, if
capital is not consistent with the bank’s risk profile
or risk tolerance) management should
consult and adhere to formal procedures to correct the
capital deficiency.
Read more
about our
Certified Basel
ii Professional (CBiiPro)
program
Read more
about our Certified Pillar 2 Expert
(CP2E)
program
Read more about our
Certified Pillar 3 Expert
(CP3E)
program
Read
more about our Certified
Stress Testing Expert (CSTE)
program
   
|
