Part II

[Federal Register: February 28, 2007 (Volume 72, Number 39)]

[Notices]

[Page 9083-9193]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr28fe07-132]

[[Page 9083]]

Part II

Department of the Treasury

Office of the Comptroller of the Currency

Office of Thrift Supervision

Federal Reserve System

Federal Deposit Insurance Corporation

Proposed Supervisory Guidance for Internal Ratings-Based Systems for Credit Risk, Advanced Measurement Approaches for Operational Risk, and the Supervisory Review Process (Pillar 2) Related to Basel II Implementation; Notice

[[Page 9084]]

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

[Docket No. OCC-2007-0004]

FEDERAL RESERVE SYSTEM

[Docket No. OP-1277]

FEDERAL DEPOSIT INSURANCE CORPORATION

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

[No. 2007-06]

Proposed Supervisory Guidance for Internal Ratings-Based Systems for Credit Risk, Advanced Measurement Approaches for Operational Risk, and the Supervisory Review Process (Pillar 2) Related to Basel II Implementation

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision, Treasury (OTS) (collectively, the Agencies).

ACTION: Proposed supervisory guidance with request for public comment.

SUMMARY: The Agencies are publishing for comment three documents that set forth proposed supervisory guidance for implementing proposed revisions to the risk-based capital standards in the United States (New Advanced Capital Adequacy Framework or proposed framework). These proposed revisions, which would implement the ``International Convergence of Capital Measurement and Capital Standards: A Revised Framework,'' published in June 2004 by the Basel Committee on Banking Supervision (Basel II), in the United States, were published in the Federal Register on September 25, 2006 as a notice of proposed rulemaking (NPR or proposed rule). The proposed framework outlined in the NPR would require some and permit other qualifying banks to calculate their regulatory risk-based capital requirements using an internal ratings-based (IRB) approach for credit risk and the advanced measurement approaches (AMA) for operational risk (together, the advanced approaches); it also provides guidelines for the supervisory review process (Pillar 2). The proposed supervisory guidance documents provide additional detail for the advanced approaches and the supervisory review process that should help banks satisfy the qualification requirements in the NPR.

DATES: Comments on the three proposed supervisory guidance documents must be submitted on or before May 29, 2007.

ADDRESSES:

OCC: You must include OCC and Docket Number OCC-2007-0004 in your comment. You may submit comments by any of the following methods:

Agency Web site: http://www.occ.treas.gov. Click on

``Contact the OCC,'' scroll down and click on ``Comments on Proposed Regulations.''

E-mail address: regs.comments@occ.treas.gov.

Fax: (202) 874-4448.

Mail: Office of the Comptroller of the Currency, 250 E Street, SW., Mail Stop 1-5, Washington, DC 20219.

Hand Delivery/Courier: 250 E Street, SW., Attn: Public Information Room, Maila Stop 1-5, Washington, DC 20219.

Instructions: All submissions received must include the agency name (OCC) and docket number for this proposed notice. In general, OCC will enter all comments received into the docket without change, including any business or personal information that you provide.

You may review comments and other related materials by any of the following methods:

Viewing Comments Personally: You may personally inspect and photocopy comments at the OCC's Public Information Room, 250 E Street, SW., Washington, DC. You can make an appointment to inspect comments by calling (202) 874-5043.

Viewing Comments Electronically: You may request e-mail or CD-ROM copies of comments that the OCC has received by contacting the OCC's Public Information Room at: regs.comments@occ.treas.gov.

Docket: You may also request available background documents and project summaries using the methods described above.

Board: You may submit comments, identified by Docket No. OP-1277, by any of the following methods:

Agency Web site: http://www.federalreserve.gov Follow the instructions for submitting comments at http://www.federalreserve.gov/.

.

Federal eRulemaking Portal: http://www.regulations.gov.

Follow the instructions for submitting comments. docket number in the subject line of the message.

Fax: (202) 452-3819 or (202) 452-3102.

Mail: Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551.

All public comments are available from the Board's Web site at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as

submitted, unless modified for technical reasons. Accordingly, your comments will not be edited to remove any identifying or contact information. Public comments also may be viewed electronically or in paper form in Room MP-500 of the Board's Martin Building (20th and C Streets, NW.) between 9 a.m. and 5 p.m. on weekdays.

FDIC: You may submit comments by any of the following methods:

Agency Web Site: http://www.fdic.gov/regulations/laws/federal. Follow instructions for submitting comments on the Agency Web

Site.

E-mail: Comments@FDIC.gov. Include ``Basel II Supervisory Guidance'' in the subject line of the message.

Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.

Hand Delivery/Courier: Guard station at the rear of the 550 17th Street Building (located on F Street) on business days between 7 a.m. and 5 p.m. (EST).

Federal eRulemaking Portal: http://www.regulations.gov.

Follow the instructions for submitting comments.

Public Inspection: All comments received will be posted without change to http://www.fdic.gov/regulations/laws/federal including any

personal information provided. Comments may be inspected and photocopied in the FDIC Public Information Center, 3501 North Fairfax Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5 p.m. (EST) on business days. Paper copies of public comments may be ordered from the Public Information Center by telephone at (877) 275-3342 or (703) 562-2200.

OTS: You may submit comments, identified by No. 2007-06 by any of the following methods:

Federal eRulemaking Portal: http://www.regulations.gov.

Follow the instructions for submitting comments. 2007-06 in the subject line of the message, and include your name and telephone number in the message.

Fax: (202) 906-6518.

[[Page 9085]]

Mail: Regulation Comments, Chief Counsel's Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, Attention: No. 2007-06.

Hand Delivery/Courier: Guard's Desk, East Lobby Entrance, 1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention: Regulation Comments, Chief Counsel's Office, Attention: No. 2007-06.

Instructions: All submissions received must include the agency name and document number. All comments received will be posted without change to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1,

including any personal information provided.

Docket: For access to the docket to read background documents or comments received, go to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1. In addition, you may inspect comments

at the Public Reading Room, 1700 G Street, NW., by appointment. To make an appointment for access, call (202) 906-5922, send an e-mail to public.info@ots.treas.gov, or send a facsimile transmission to (202)

906-7755. (Prior notice identifying the materials you will be requesting will assist us in serving you.) We schedule appointments on business days between 10 a.m. and 4 p.m. In most cases, appointments will be available the next business day following the date we receive a request.

FOR FURTHER INFORMATION CONTACT:

OCC: IRB guidance: Fred Finke, Senior Basel Policy Liaison (202- 874-4468 or fred.finke@occ.treas.gov); AMA guidance: Mark O'Dell, Deputy Comptroller for Operational Risk (202-874-4316 or mark.odell@occ.treas.gov); or guidance on supervisory review: Akhtarur

Siddique, Lead Expert (202-874-4665 or akhtarur.siddique@occ.treas.gov); Office of the Comptroller of the

Currency, 250 E Street, SW., Washington, DC 20219.

Board: IRB guidance: Sabeth Siddique, Assistant Director, Credit Risk Section (202-452-3861); AMA guidance: Stacy Coleman, Assistant Director, Operational Risk Section (202-452-2934) or Connie Horsley, Senior Supervisory Financial Analyst, Operational Risk Section (202- 452-5239); or guidance on supervisory review: David Palmer, Senior Supervisory Financial Analyst, Credit Risk Section (202-452-2904); Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551. Users of Telecommunication Device for Deaf (TTD) only, call (202) 263-4869.

FDIC: IRB guidance: Pete Hirsch, Chief, Large Bank Supervision (202-898-6751 or phirsch@fdic.gov), Curtis Wong, Senior Examination Specialist, Planning and Program Development Section (202-898-7327 or cwong@fdic.gov); AMA guidance: Mark S. Schmidt, Regional Director (678-

916-2189 or maschmidt@fdic.gov), Alfred Seivold, Senior Examination Specialist, Large Bank Supervision (415-808-8248 or aseivold@fdic.gov); or guidance on supervisory review: Bobby Bean, Chief, Capital Markets Policy Section (202-898-3575 or bbean@fdic.gov), Gloria Ikosi, Senior Quantitative Risk Analyst, Capital Markets Policy Section (202-898-3997 or gikosi@fdic.gov); Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.

OTS: IRB guidance: David Tate, Manager, Examination Quality Review (202-906-5717); AMA guidance: Eric Hirschhorn, Senior Financial Economist, Credit Policy (202-906-7350); or guidance on supervisory review: Sonja White, Senior Project Manager, Capital Policy (202-906- 7857); Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552.

SUPPLEMENTARY INFORMATION: The Agencies issued an NPR on September 25, 2006,\ 1\ which seeks comment on the New Advanced Capital Adequacy Framework that revises the existing general risk-based capital standards as applied to large, internationally active U.S. banks.\2\ The public comment period on the NPR closes on March 26, 2007.\3\ The proposed framework would implement Basel II in the United States.

\1\ See 71 FR 55830 (Sept. 25, 2006).

\2\ For simplicity, and unless otherwise noted, the term ``banks'' is used here to refer to banks, savings associations, and bank holding companies. The terms ``bank holding company'' and ``BHC'' refer only to bank holding companies regulated by the Board and do not include savings and loan holding companies regulated by the OTS. For a detailed description of the institutions covered by this notice, refer to part I, section 1, of the NPR.

\3\ See 71 FR 77518 (Dec. 26, 2006).

As described in the NPR, Basel II sets forth a three-pillar framework encompassing regulatory risk-based capital requirements (Pillar 1); supervisory review of capital adequacy (Pillar 2); and market discipline through enhanced public disclosures (Pillar 3). The proposed framework outlined in the NPR for Pillar 1 would require some and permit other qualifying banks to calculate their regulatory risk- based capital requirements using the IRB approach for credit risk and the AMA for operational risk.\4\ The NPR also requires a process for the supervisory review of capital adequacy under Pillar 2, and outlines requirements for enhanced public disclosures under Pillar 3.\5\ The NPR describes the qualification process and provides qualification requirements for obtaining supervisory approval for use of the advanced approaches.\6\ The qualification requirements are written broadly to accommodate the many ways a bank may design and implement robust credit and operational risk measurement and management systems, and to permit industry practice to evolve.

\4\ While Basel II provides several approaches for calculating regulatory risk-based capital requirements under Pillara1, only the advanced approaches are proposed for implementation in the United States.

\5\ Supervisory expectations pertaining to a bank's public disclosures are not part of this notice.

\6\ See part III, section 22 of the NPR.

The proposed supervisory guidance documents are companion guidance to the September 2006 NPR and, as such, are designed to be consistent with the proposed rule and do not address any public comments since the NPR was issued. They provide additional detail that should help banks satisfy the qualification requirements in the NPR. However, the publication of these guidance documents for comment does not imply that the outcome of the NPR has already been determined. As part of the regulatory rulemaking process, the proposed guidance documents are subject to change as needed based on, among other things, the public comments on the guidance and the Agencies' decisions regarding any final rule.

The Agencies believe that the proposed supervisory guidance documents are necessary to supplement the proposed framework with standards to promote safety and soundness and encourage comparability across banks. A bank's primary Federal supervisor will review the bank's framework relative to the qualification requirements in the NPR to determine whether the bank may apply the advanced approaches and has complied with the proposed rule in determining its regulatory capital requirements.

In August 2003, the Agencies issued an advance notice of proposed rulemaking (ANPR), which described the proposed revisions to the existing risk-based capital framework in general terms and sought public comment.\7\ The content of the ANPR was based, in large part, on the April 2003 version of the Basel II framework.\8\ Contemporaneously with the ANPR, the Agencies also issued for public

[[Page 9086]]

comment two proposed supervisory guidance documents relating to the proposed framework.\9\ The first proposed 2003 guidance document described supervisory views on the credit risk measurement and management systems that should be implemented by banks that adopt the IRB approach for computing risk-based capital requirements for corporate credit risk exposures. The second proposed 2003 guidance document provided supervisory views on the operational risk measurement and management systems that should be implemented by banks that adopt the AMA for computing risk-based capital requirements for operational risk, including their operational risk management, data elements, and quantification processes. In October 2004, the Agencies also issued for public comment proposed supervisory guidance on IRB systems for retail credit risk exposures.\10\

\7\ See 68 FR 45900 (Aug. 4, 2003).

\8\ See The New Basel Capital Accord (April 2003) (available at http://www.bis.org).

\9\ See 68 FR 45949 (Aug. 4, 2003).

\10\ See 69 FR 62748 (Oct. 27, 2004), and 70 FR 423 (Jan. 4, 2005) (correction).

The first guidance document presented in this notice sets forth proposed supervisory guidance on IRB systems for credit risk covering the wholesale and retail exposure categories, as well as guidance on the equity and securitization exposure categories (IRB Guidance). Under the IRB framework, banks would use internal estimates of certain risk components as key inputs in the determination of their regulatory risk- based capital requirement for credit risk. As mentioned above, the Agencies previously published proposed supervisory guidance on a bank's IRB systems for corporate and retail exposures in 2003 and 2004, respectively. Since the release of those documents, the Agencies have continued to refine the proposals based on insights gained from public comment and the collective efforts of the interagency IRB working groups. The IRB Guidance updates and consolidates the previously proposed supervisory guidance on corporate and retail exposures. It also provides new guidance on systems a bank may need to differentiate the risk of other credit exposure types, such as equity and securitization exposures, as well as to recognize the benefits of financial collateral in mitigating counterparty credit risk in certain transactions or to use the double default treatment for certain wholesale exposures.

The IRB Guidance is structured somewhat differently from the proposed supervisory guidance issued in 2003 and 2004. Those guidance documents contained four chapters covering corporate ratings and retail segmentation systems, quantification, data management and maintenance, and controls, with discussion of validation and stress testing contained within the rating and segmentation and quantification chapters. The structure of the IRB Guidance generally follows the key components of a bank's advanced systems for credit risk outlined in the NPR. Chapter 1 provides guidance on governance of a bank's overall advanced systems for credit risk. Chapters 2 through 5 cover the components of a bank's IRB systems for wholesale and retail exposures. Chapters 6 and 7 provide guidance on data management and maintenance and the control and validation framework. Chapter 8 provides guidance on stress testing. Chapters 9 through 11 provide guidance on the other systems a bank may need to differentiate risk in certain transactions subject to counterparty credit risk, equity exposures, and securitization exposures.

The IRB Guidance supplements the NPR and provides additional context and detail to help banks meet the qualification requirements in the NPR relevant to a bank's systems and processes for credit risk. Thus, the guidance should be read alongside the NPR to obtain a full perspective of the underlying requirements in the proposed rule. The guidance does not contain additional proposed requirements that are not in the NPR. Chapters 5, 9, 10, and 11, are being issued for the first time and supplement the detailed discussion of those topics in the NPR. Similar to the previously proposed corporate and retail guidance, the IRB Guidance contains supervisory standards (designated with an ``S'') that highlight important elements of a bank's advanced systems for credit risk. The supervisory standards contained in the previously proposed corporate and retail guidance documents have been consolidated and updated and new supervisory standards are proposed.

The second guidance document in this notice sets forth proposed supervisory guidance on the AMA for operational risk (AMA Guidance), updating the proposed AMA Guidance published in 2003. Since the issuance of that proposed AMA Guidance, the Agencies have revised the guidance to clarify issues and simplify, wherever possible, supervisory standards. The revisions are based on insights gained from public comment and the collective efforts of the interagency AMA working group. Under the AMA framework, a bank would rely on internal estimates of its operational risk exposure to generate its regulatory risk-based capital requirement for operational risk. The AMA Guidance provides additional context and detail to help a bank meet the qualification requirements outlined in the NPR relevant to operational risk.

Some of the specific revisions to the AMA Guidance include: (1) Clarifying the roles of a bank's board of directors and management in developing and overseeing the implementation of the bank's AMA framework; (2) expanding standard 5 to address the integration of the bank's operational risk management, data and assessment, and quantification processes into the bank's existing risk management decision-making processes; (3) expanding and clarifying operational risk quantification standards both to reflect the evolution of industry practices, as well as to address supervisory concerns; (4) clarifying supervisory expectations regarding the use of scenario analysis, the key elements used to support operational risk management and measurement, and eligible operational risk offsets (see standards 20, 24, and 26, respectively); (5) adding standard 25 that discusses how frequently a bank must recalculate its estimate of operational risk exposure and its risk-based capital requirement for operational risk; (6) adding standard 27 that a bank must employ a unit of measure that is appropriate for its range of business activities and the variety of operational loss events to which it is exposed; (7) expanding the discussion on dependence modeling in standard 28; and (8) adding a section that discusses a bank's use, in certain limited circumstances, of an alternative quantification system to estimate its operational risk exposure.

The Agencies recognize that a bank required to adopt an AMA framework may have developed an implementation plan using the proposed supervisory standards in the 2003 proposed AMA Guidance to assess its status in meeting the requirements proposed in the ANPR and to determine additional work needed to comply with those requirements. The table below maps the current proposed supervisory standards to those in the 2003 proposed AMA Guidance.

Comparison of Current Proposed AMA Supervisory Standards to the 2003 Proposed AMA Supervisory Standards

2003 Proposed Current Proposed Standard Number

Standard Number

  1. 1

    [[Page 9087]]

  2. 8 3.......................................................

    11 4.......................................................

    2 5.......................................................

    3 6.......................................................

    4 7.......................................................

    5 8.......................................................

    6 9.......................................................

    7 10......................................................

    9, 10 11......................................................

    12 12......................................................

    13, 14 13......................................................

    15 14......................................................

    16 15......................................................

    17 16......................................................

    18 17......................................................

    19 18......................................................

    20 19......................................................

    21 20......................................................

    24 21......................................................

    22 22......................................................

    23 23......................................................

    25 24......................................................

    27 25......................................................

    New 26......................................................

    28 27......................................................

    New 28......................................................

    29 29......................................................

    30 30......................................................

    26 31......................................................

    31 32......................................................

    32, 33

    The third document sets forth proposed supervisory guidance on the supervisory review process (Pillar 2) in the New Advanced Capital Adequacy Framework. The process of supervisory review described in this proposed guidance document reflects a continuation of the longstanding approach employed by the Agencies in their supervision of banks. However, new methods for calculating regulatory risk-based capital requirements--such as those in the proposed framework--and development of improved risk monitoring and management tools within the industry often bring changes in the relative emphasis placed on the various aspects of supervisory review. This proposed guidance document highlights aspects of existing supervisory review that are being augmented or more clearly defined to support the proposed framework. Under the framework, in determining the extent to which banks should hold capital in excess of regulatory minimums, supervisors would consider the combined implications of a bank's compliance with qualification requirements for regulatory risk-based capital standards, the quality and results of its internal capital adequacy assessment process (ICAAP), and supervisory assessment of its risk management processes, control structure, and other relevant information relating to its risk profile and capital position. The ICAAP (while not mandating the determination of economic capital) should, to the extent possible, identify and measure material risks, which may include (but should not necessarily be limited to) credit risk, market risk, operational risk, interest rate risk, and liquidity risk, and account for concentrations within and among risk types.

    The Agencies solicit comment on all aspects of the supervisory guidance documents. In addition, the Agencies believe an important goal for any regulatory capital system is to achieve a measure of consistency in the capital requirements assigned to exposures with similar risk profiles held by different banks. The Agencies seek comment on the extent to which this proposed supervisory guidance will promote that objective.

    Paperwork Reduction Act

    1. Request for Comment on Proposed Information Collection

      In accordance with the requirements of the Paperwork Reduction Act of 1995, the Agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The Agencies are requesting comment on a proposed information collection. The Agencies are also giving notice that the proposed collection of information has been submitted to OMB for review and approval.

      Comments are invited on:

      (a) Whether the collection of information is necessary for the proper performance of the Agencies' functions, including whether the information has practical utility;

      (b) The accuracy of the estimates of the burden of the information collection, including the validity of the methodology and assumptions used;

      (c) Ways to enhance the quality, utility, and clarity of the information to be collected;

      (d) Ways to minimize the burden of the information collection on respondents, including through the use of automated collection techniques or other forms of information technology; and

      (e) Estimates of capital or start up costs and costs of operation, maintenance, and purchase of services to provide information.

      Comments should be addressed to:

      OCC: Communications Division, Office of the Comptroller of the Currency, Public Information Room, Mail stop 1-5, Attention: 1557-NEW, 250 E Street, SW., Washington, DC 20219. In addition, comments may be sent by fax to (202) 874-4448, or by electronic mail to regs.comments@occ.treas.gov. You can inspect and photocopy the comments

      at the OCC's Public Information Room, 250 E Street, SW., Washington, DC 20219. You can make an appointment to inspect the comments by calling (202) 874-5043.

      Board: You may submit comments, identified by FR 4199, by any of the following methods:

      Agency Web Site: http://www.federalreserve.gov Follow the instructions for submitting comments at http://www.federalreserve.gov/.

      .

      Federal eRulemaking Portal: http://www.regulations.gov.

      Follow the instructions for submitting comments.

      Fax: (202) 452-3819 or (202) 452-3102.

      Mail: Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551.

      All public comments are available from the Board's Web site at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as

      submitted, except as necessary for technical reasons. Accordingly, your comments will not be edited to remove any identifying or contact information. Public comments may also be viewed electronically or in paper form in Room MP-500 of the Board's Martin Building (20th and C Streets, NW.) between 9 a.m. and 5 p.m. on weekdays.

      FDIC: You may submit comments by any of the following methods:

      Agency Web Site: http://www.fdic.gov/regulations/laws/federal. Follow instructions for submitting comments on the Agency Web

      Site.

      E-mail: Comments@FDIC.gov. Include ``Basel II Supervisory Guidance'' in the subject line of the message.

      Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.

      Hand Delivery/Courier: Guard station at the rear of the 550 17th Street Building (located on F Street) on business days between 7 a.m. and 5 p.m. (EST).

      [[Page 9088]]

      Federal eRulemaking Portal: http://www.regulations.gov.

      Follow the instructions for submitting comments.

      Public Inspection: All comments received will be posted without change to http://www.fdic.gov/regulations/laws/federal including any

      personal information provided. Comments may be inspected and photocopied in the FDIC Public Information Center, 3501 North Fairfax Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5 p.m. (EST) on business days. Paper copies of public comments may be ordered from the Public Information Center by telephone at (877) 275-3342 or (703) 562-2200.

      A copy of the comments may also be submitted to the OMB desk officer for the Agencies: By mail to U.S. Office of Management and Budget, 725 17th Street, NW., 10235, Washington, DC 20503 or by facsimile to 202-395-6974, Attention: Federal Banking Agency Desk Officer.

      OTS: Information Collection Comments, Chief Counsel's Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552; send a facsimile transmission to (202) 906-6518; or send an e-mail to infocollection.comments@ots.treas.gov. OTS will post comments and the

      related index on the OTS Internet site at http://www.ots.treas.gov. In

      addition, interested persons may inspect the comments at the Public Reading Room, 1700 G Street, NW., by appointment. To make an appointment, call (202) 906-5922, send an e-mail to public.info@ots.treas.gov, or send a facsimile transmission to (202)

      906-7755.

    2. Proposed Information Collection

      Title of Information Collection: Proposed Basel II Interagency Supervisory Guidance for IRB, AMA, and the Supervisory Review Process.

      Frequency of Response: Event-generated.

      Affected Public:

      OCC: National banks.

      Board: State member banks, bank holding companies, affiliates and certain non-bank subsidiaries of bank holding companies, commercial lending companies owned or controlled by foreign banks, and Edge and agreement corporations.

      FDIC: Insured nonmember banks and certain subsidiaries of these entities.

      OTS: Savings associations and certain of their subsidiaries.

      Abstract: The notice sets forth three proposed supervisory guidance documents for implementing proposed revisions to the risk-based capital standards in the United States (New Advanced Capital Adequacy Framework). The proposed guidance documents concern (1) the internal ratings-based systems for credit risk (IRB), (2) the advanced measurement approaches for operational risk (AMA), and (3) the supervisory review process (Pillar II).

      The Agencies believe that the documentation, prior approvals, and disclosures included in the proposed IRB and AMA guidance are directly related to the information collection requirements found in the Basel II notice of proposed rulemaking (NPR) published in the Federal Register on September 25, 2006 (71 FR 55830). More specifically, the information collection aspects of the proposed IRB and AMA guidance tie to the following sections of the NPR: 21, 22, 44, 53, and 71. The Agencies believe that the burden estimates developed for the NPR adequately cover the additional specificity contained in the proposed IRB and AMA guidance.

      For the proposed Pillar II portion of the guidance, the Agencies believe that paragraphs 25, 31, 35, 37, and 42 impose new information collection requirements that were beyond the scope of the burden estimates developed for the NPR. The agencies burden estimates for these additional information collection requirements are summarized below. Note that the estimated number of respondents listed below include both institutions for which the Basel II risk-based capital requirements are mandatory and institutions that may be considering opting-in to Basel II (despite the lack of any formal commitment by most of these latter institutions).

      Estimated Burden:

      OCC

      Number of Respondents: 52.

      Estimated Burden per Respondent: 140 hours.

      Total Estimated Annual Burden: 7,280 hours.

      Board

      Number of Respondents: 15.

      Estimated Burden per Respondent: 420 hours.

      Total Estimated Annual Burden: 6,300 hours.

      FDIC

      Number of Respondents: 19.

      Estimated Burden per Respondent: 420 hours.

      Total Estimated Annual Burden: 7,980 hours.

      OTS

      Number of Respondents: 4.

      Estimated Burden per Respondent: 420 hours.

      Total Estimated Annual Burden: 1,680 hours.

      The proposed supervisory guidance documents follow:

      Proposed Supervisory Guidance on Internal Ratings-Based Systems for Credit Risk

      Table of Contents

      Introduction

      1. Purpose II. Scope of Guidance

        Chapter 1: Advanced Systems for Credit Risk

        Rule Requirements

      2. Overview II. Governance of Advanced Systems

        Chapter 2: Wholesale Risk Rating Systems

        Rule Requirements

      3. Overview II. Credit Rating Assignment Techniques

    3. Expert Judgment

    4. Models

    5. Constrained Judgment

    6. Rating Overrides III. Definition of Default IV. Independence of the Wholesale Risk Rating Process V. IRB Risk Rating System Architecture

    7. Two-Dimensional Risk-Rating System

    8. Other Considerations

      Chapter 3: Retail Segmentation Systems

      Rule Requirements

      1. Overview II. Definition of Default III. Retail Segmentation Architecture

    9. Criteria for Retail Segmentation

    10. Assignment of Exposures to Retail Segments

      Chapter 4: Quantification

      Rule Requirements

      1. Overview

    11. Stages of the Quantification Process

    12. General Standards for Sound Quantification II. Probability of Default (PD)

    13. Data

    14. Estimation

    15. Mapping

    16. Application III. Expected Loss Given Default (ELGD) and Loss Given Default (LGD)

    17. Data

    18. Estimation

    19. Mapping

    20. Application IV. Exposure at Default (EAD)

    21. Data

    22. Estimation

    23. Mapping

    24. Application V. Maturity (M) VI. Special Cases and Applications

    25. Loan Sales

    26. Multiple Legal Entities Appendix A: Illustrations of the Quantification Process for Wholesale

      [[Page 9089]]

      Portfolios Appendix B: Illustrations of the Quantification Process for Retail Portfolios

      Chapter 5: Wholesale Credit Risk Protection

      Rule Requirements

      Chapter 6: Data Management and Maintenance

      Rule Requirements

      1. Overview II. General Data Requirements

    27. Life Cycle Tracking for Wholesale Exposures

    28. Rating Assignment Data for Wholesale Exposures

    29. Segmentation Data for Retail Exposures

    30. Outsourced Activities

    31. Asset Sales III. Data Applications

    32. Validation and Refinement

    33. Applying IRB System Improvements Historically

    34. Calculating Risk-Based Capital Ratios and Reporting to the Public

    35. Supporting Risk Management IV. Managing Data Quality and Integrity

    36. Documentation and Definitions

    37. Electronic Storage and Access Appendix A: Data Elements for Wholesale and Retail Exposures

    38. Examples of Data Elements for Wholesale Exposures

    39. Examples of Data Elements for Retail Exposures Appendix B: Applying Risk Rating System Improvements Historically

      Chapter 7: Controls and Validation

      Rule Requirements

      1. Overview II. Reviews of the IRB System III. Consistency Between IRB Systems and Risk Management Processes IV. Internal Audit V. Validation Activities

    40. General Validation Requirements

    41. Validation Activities

    42. Minimum Frequency of Validation

      Chapter 8: Stress Testing of Risk-Based Capital Requirements

      Rule Requirements

      Chapter 9: Counterparty Credit Risk Exposure

      Rule Requirements

      1. Overview II. Transactions with Counterparty Credit Risk III. Definitions IV. Netting V. Determination of Eligibility for EAD Adjustment VI. Methods for Determining EAD

    43. Methodologies for Repo-style Transactions and Eligible Margin Loans

    44. EAD for OTC Derivative Contracts

    45. Internal Models Methodology VII. Defaulted Counterparties

      Chapter 10: Risk-Weighted Assets for Equity Exposures

      Rule Requirements

      1. Overview II. Definition of Banking Book Equities III. Applying the Framework IV. Using Internal Models for Equity Exposures V. Quantification of Equity Exposures

    46. Reference Data

    47. External Data

    48. Estimation VI. Validation of Internal Models for Equity Exposures VII. Consistency Between Internal Models Used for Equity Exposures and Risk Management Processes

      Chapter 11: Securitizations

      Rule Requirements

      1. Overview II. Scope of Application III. General Principles of the Securitization Framework

    49. Risk Transference

    50. Implicit Support

    51. Servicer Cash Advances

    52. Clean-up Calls

    53. Maximum Capital Requirements for Securitization Exposures IV. Hierarchy of Approaches V. IRB Approaches for Securitization Exposures

    54. Ratings-Based Approach

    55. Internal Assessment Approach VI. Internal Credit Assessment Process in the IAA VII. Validation of IAA

    56. Supervisory Formula Approach VIII. Early Amortization Provisions IX. Data Management Requirements

    57. Data Elements Appendix A: Description of the Supervisory Formula Approach (SFA). Appendix B: Examples of Data Elements for Securitization Exposures Attachment A: The NPR Qualification Requirements Related to the IRB Framework Attachment B: Supervisory Standards Attachment C: Acronym List

      Introduction

      1. Purpose

  3. This proposed guidance (``guidance''), published jointly by the U.S. Federal banking agencies \1\ provides supervisory guidance for U.S. banks, thrifts, and bank holding companies (``banks'') that adopt the Advanced Internal Ratings-Based Approach (``IRB'' or ``IRB framework'') for calculating minimum regulatory risk-based capital (``risk-based capital'') requirements for credit risk under the Basel II capital regulation.

    \1\ The Federal banking agencies are: The Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of the Comptroller of the Currency; and the Office of Thrift Supervision; and will collectively be referred to as ``the Agencies,'' ``supervisors,'' or ``regulators'' in this guidance.

  4. This guidance supplements the notice of proposed rulemaking (``NPR'' or ``proposed rule'') published in the Federal Register on September 25, 2006.\2\ The NPR proposes a regulatory framework within which all banks subject to the proposed rule must develop their IRB systems. The NPR contains qualification requirements that each bank subject to the proposed rule must meet to the satisfaction of its primary Federal supervisor before using its IRB systems to calculate risk-based capital requirements. As stated in the preamble to the NPR, the qualification requirements for these systems are written in broad terms to accommodate the many ways a bank may design and implement a robust internal risk measurement and management system and to permit industry practice to evolve. As a supplement to the NPR, this guidance provides supervisory standards and additional detail on credit risk measurement and management systems that will assist banks in satisfying the requirements in the NPR.

    \2\ 71 FR 55830 (Sept. 25, 2006).

    1. Scope of Guidance

  5. The focus of this guidance is on wholesale, retail, equity, and securitization exposures. A bank subject to the IRB framework for credit risk in the NPR is required to have systems for determining risk-based capital requirements for its wholesale and retail exposures. The wholesale category includes corporate exposures (for example, exposures to companies and banks, as well as commercial real estate exposures and other types of specialized lending), sovereign exposures, and other non-retail exposures. The retail category includes residential mortgage exposures, qualifying revolving exposures (QRE), and other retail exposures.

  6. A bank may also need systems to differentiate the risk of other exposure types, such as equity and securitization exposures, as well as to recognize the benefits of financial collateral in mitigating counterparty credit risk in certain transactions or to use double default treatment for certain wholesale exposures.

  7. In aggregation, the IRB systems and other systems for differentiating credit risk are defined in the NPR and in this guidance as a bank's ``advanced systems.'' This guidance covers advanced systems for all of a bank's credit-related exposure types. A bank's advanced systems also include its systems for determining risk-based capital requirements for its operational risk exposures under the proposed Advanced Measurement Approaches (``AMA'') framework, which is the subject of a separate supervisory

    [[Page 9090]]

    guidance document. Certain banks subject to the proposed rule may also be required to calculate risk-based capital requirements for their market risk exposures.

  8. As described in separate guidance relating to supervisory review (Pillar 2), in addition to meeting qualification requirements for regulatory risk-based capital standards, a bank must have a rigorous process for assessing its overall capital adequacy in relation to its risk profile and a comprehensive strategy for maintaining an appropriate level of capital. This process (while not mandating the determination of economic capital) should, to the extent possible, identify and measure material risks, which may include (but should not necessarily be limited to) credit risk, market risk, operational risk, interest rate risk, and liquidity risk, and account for concentrations within and among risk types. One of the main objectives of the internal capital adequacy assessment process is to identify the extent to which banks need to hold capital above regulatory minimums, in order to address risks not adequately captured by minimum regulatory capital requirements.

  9. A primary objective of the IRB framework is to make the risk- based capital requirements more sensitive to credit risk. In general, the IRB framework incorporates recent developments in risk management and banking supervision. Under this framework, banks use their own internal risk rating and segmentation systems, as well as their quantification processes, to generate estimates of risk parameters that are inputs to the calculation of the risk-based capital requirements. Data that support accurate and reliable credit risk measurements, as well as rigorous management oversight and controls, including continuous monitoring and validation, are crucial to the prudent application of the IRB framework.

  10. This guidance, which is written for supervisors and bankers, describes the important elements and characteristics of a bank's advanced systems for credit risk. Toward this end, this guidance designates certain of those elements as supervisory standards denoted by the prefix ``S.'' These supervisory standards generally implement or clarify the requirements in the NPR and, whenever possible, are principle-based to provide banks with flexibility in implementing the framework. However, when prudential concerns or the need for standardization outweigh the benefits of flexibility, the supervisory standards are specified in greater detail. Furthermore, nothing in this guidance should be interpreted as weakening, modifying, or superseding the safety and soundness principles articulated in the Agencies'' existing statutes, regulations, or guidance. The standards are contained within each chapter with a full compilation of the standards provided in Attachment B.

  11. Supervisors will consider this guidance in evaluating banks' advanced systems for credit risk. This guidance assumes that readers are familiar with the proposed framework for calculating risk-based capital requirements for credit risk articulated in the NPR.

  12. The conceptual framework outlined in this guidance is not intended to dictate the precise manner by which banks should meet the qualification and other requirements in the NPR. Supervisors will determine compliance with the qualification requirements by evaluating, on an individual bank basis, the extent to which banks meet the substance and spirit of those requirements as they relate to each of the components of a bank's advanced systems for credit risk. However, evaluating each qualification requirement individually is not sufficient to determine a bank's overall compliance. The components of a bank's advanced systems for credit risk should complement and reinforce one another to ensure the accuracy of risk measurements. As part of the supervisory review of a bank's advanced systems, supervisors will analyze the extent to which a bank's advanced systems incorporate the substance and spirit of the standards outlined in this guidance.

  13. The structure of this guidance generally follows the key components of the advanced systems for credit risk. Chapter 1 provides guidance on governance of a bank's overall advanced systems. Chapters 2 through 7 cover the components of a bank's IRB systems for wholesale and retail exposures. Chapter 8 provides guidance on stress testing. Chapters 9 through 11 provide guidance on the other systems a bank may need to differentiate risk for certain transactions subject to counterparty credit risk, equity exposures, and securitization exposures and supplements the detailed discussion of these exposure types in the NPR. The data standards and control framework provided in Chapters 6 and 7, respectively, of this guidance generally apply to these other systems as well.

  14. To aid the reader, the applicable NPR qualification requirements are listed at the front of each chapter, as well as listed together in Attachment A. Also, certain NPR requirements, such as definitions, are either repeated in this guidance or paraphrased to provide context. However, readers must look to the NPR for the exact proposed rule requirements.

  15. What follows is a brief description of each chapter:

    Chapter 1: Advanced Systems for Credit Risk

    The chapter provides a discussion of the governance and system and process requirements for a bank's advanced systems for credit risk. It also outlines the key components of a bank's advanced systems for credit risk.

    Chapter 2: Wholesale Risk Rating Systems

    A key component of an IRB system for wholesale exposures is the risk rating system. This chapter describes the design and operation of wholesale risk rating systems. Banks should use the principles outlined in this chapter when designing and operating wholesale risk rating systems.

    Chapter 3: Retail Segmentation Systems

    A key component of an IRB system for retail credit exposures is the segmentation system, which groups retail exposures into segments according to risk characteristics. This segmentation is the retail portfolio analogue of assigning ratings to exposures in wholesale portfolios. This chapter describes the design and operation of an IRB segmentation system. The retail framework provides banks with substantial flexibility to use the retail segmentation that is most appropriate for their activities.

    Chapter 4: Quantification

    Another key component of an IRB system is a quantification process that assigns numerical values to the key risk parameters that are used as inputs to the IRB risk-based capital formulas. This chapter provides guidance on the quantification process for wholesale and retail exposures. These risk parameters are probability of default (``PD''), expected loss given default (``ELGD''), loss given default (``LGD''), and exposure at default (``EAD''), and for wholesale exposures only, the effective remaining maturity (``M''). The quantification of these risk parameters should be the result of a disciplined process as described in this chapter. The chapter also includes specific examples for both wholesale rating systems and retail segmentation systems in the two appendices.

    Chapter 5: Wholesale Credit Risk Protection

    This chapter supplements the detailed discussion of credit risk mitigation in

    [[Page 9091]]

    the NPR by providing guidance on how banks may recognize contractual arrangements for exposure-level credit protection (eligible guarantees and eligible credit derivatives) that transfer risk to one or more third parties. Each of these forms of credit protection must meet certain specific standards of eligibility, as articulated in the NPR, for recognition of the associated risk mitigation.

    Chapter 6: Data Management and Maintenance

    A bank must have advanced data management and maintenance systems that support credible and reliable risk parameter estimates. This chapter describes how a bank should collect, maintain, and manage the data needed to support the other IRB system components for wholesale and retail exposures (e.g., risk rating and segmentation systems, the quantification process, and validation and other control processes), as well as the bank's broader risk management and reporting needs.

    Chapter 7: Controls and Validation

    A bank must have a system of controls that ensures that the components of the IRB system are functioning effectively. This chapter provides guidance on the important elements of an effective control environment, including independent review processes, a comprehensive validation process (evaluation of developmental evidence, ongoing monitoring, and outcomes analysis), and an internal audit review and reporting process.

    Chapter 8: Stress Testing of Risk-Based Capital Requirements

    Banks must conduct stress testing analysis of their advanced systems for credit risk as part of the risk-based capital management process. Stress testing analysis is a means of understanding how economic downturns, as described by stress scenarios, cause migration across ratings or segments and the concomitant change in required risk- based capital. This chapter discusses considerations for conducting stress testing analyses.

    Chapter 9: Counterparty Credit Risk Exposure

    For certain transactions subject to counterparty credit risk, banks may be allowed to recognize the risk mitigating effect of financial collateral through an adjustment to EAD. This chapter supplements the detailed discussion of counterparty credit risk in the NPR by describing some of the elements of counterparty credit risk mitigation, providing information to aid banks in choosing among the alternative methods to calculate EAD for these transactions, and providing some descriptions and illustrative examples of acceptable modeling practices for the estimation of EAD under the alternative methods.

    Chapter 10: Risk-Weighted Assets for Equity Exposures

    This chapter supplements the detailed discussion of equity exposures provided in the NPR. It provides guidance on determining risk-based capital requirements for equity exposures held in the banking book for banks subject to the Market Risk Rule and for all equity exposures for banks not subject to the Market Risk Rule.

    Chapter 11: Securitization Exposures

    A securitization exposure is any exposure whose credit risk reflects the tranching of risk of one or more underlying exposures. This chapter describes the concepts, eligibility, and mechanics associated with applying the three approaches for calculating risk- based capital requirements for securitization exposures.

    Chapter 1: Advanced Systems for Credit Risk

    Rule Requirements

    Part III, Section 22(a)(2): The systems and processes used by a bank for risk-based capital purposes [in the NPR] must be consistent with the bank's internal risk management processes and management information reporting systems.

    Part III, Section 22(a)(3): Each bank must have an appropriate infrastructure with risk measurement and management processes that meet the qualification requirements [in the NPR] and are appropriate given the bank's size and level of complexity. Regardless of whether the systems and models that generate the risk parameters necessary for calculating a bank's risk-based capital requirements are located at any affiliate of the bank, the bank itself must ensure that the risk parameters and reference data used to determine its risk-based capital requirements are representative of its own credit risk and operational risk exposures.

    Part III, Section 22(j)(1): The bank's senior management must ensure that all components of the bank's advanced systems function effectively and comply with the qualification requirements [in the NPR].

    Part III, Section 22(j)(2): The bank's board of directors (or a designated committee of the board) must at least annually evaluate the effectiveness of, and approve, the bank's advanced systems.

    Part III, Section 22(k): Documentation. The bank must adequately document all material aspects of its advanced systems.

    1. Overview

  16. This chapter provides a discussion of the governance and system and process requirements for a bank's advanced systems for credit risk. Board of directors and senior management oversight is critical to ensure that the design and function of the advanced systems are appropriate. Regardless of the specifics of a bank's advanced systems for credit risk, a bank should have a rigorous credit risk management infrastructure that complements these systems.

  17. A bank subject to the framework for credit risk in the NPR is required to have an internal ratings-based system (``IRB system'') for determining risk-based capital requirements for its wholesale and retail exposures.

    S 1-1 An IRB system must have five interdependent components that enable an accurate measurement of credit risk and risk-based capital requirements.

  18. The components of an IRB system are:

    A risk rating and segmentation system that differentiates risk by assigning ratings to individual wholesale obligors and exposures and individual retail exposures to segments;

    A quantification process that translates the risk characteristics of wholesale obligors and exposures and segments of retail exposures into numerical risk parameters that are used as inputs to the IRB risk-based capital formulas. These risk parameters are probability of default (``PD''), expected loss given default (``ELGD''), loss given default (``LGD''), and exposure at default (``EAD''), and for certain wholesale exposures only, the effective remaining maturity (``M'');

    A data management and maintenance system that supports the IRB system;

    Oversight and control mechanisms that ensure the IRB system is functioning effectively and producing accurate results; and

    An ongoing process that validates the accuracy of the risk rating assignments, segmentations, and the risk parameters.

  19. If applicable, a bank will also need systems to differentiate risk for other credit exposure types, such as for equity and securitization exposures, as well as to recognize the benefits of financial collateral in mitigating counterparty credit risk in certain transactions or to

    [[Page 9092]]

    use double default treatment for certain wholesale exposures.

  20. In aggregation, the IRB system and other systems for differentiating credit risk are defined in the NPR and in this guidance as a bank's ``advanced systems'' for credit risk. Chapters 2 through 7 of this guidance provide supplemental guidance on IRB systems for wholesale and retail exposures. Chapter 8 provides banks with guidance on conducting stress testing analyses of their advanced systems for credit risk. Chapters 9 through 11 cover additional systems a bank may need to have for other credit exposure types.

    1. Governance of Advanced Systems

    S 1-2 Senior management must ensure that all of the components of the bank's advanced systems for credit risk function effectively and comply with the qualification requirements in the NPR.

  21. Senior management should provide ongoing, active oversight of the advanced systems outlined in this supervisory guidance, and articulate the expectations for the technical and operational performance of the advanced systems, including the control framework. To provide effective oversight of the advanced systems, senior management should have extensive knowledge of the advanced systems' policies, underwriting standards, lending practices, account management activities, and collection and recovery practices. Senior management should understand how these factors affect all of the components of the advanced systems.

  22. The scope and depth of risk management reports should be sufficient for senior management to monitor the performance of the components of the advanced systems. Detailed reports should include, but are not limited to, the following topics:

    Risk profile by rating for wholesale exposures and by segment for retail exposures;

    Migration across ratings and segments with emphasis on unexpected results;

    Updates to the quantification performance results;

    Validation results;

    Comparative analysis of risk-based and internal capital assessments; and

    Control process assessments.

    S 1-3 The board of directors or its designated committee must at least annually evaluate the effectiveness of, and approve, the bank's advanced systems.

  23. The board of directors or its designated committee should at least annually ensure that management has appropriate processes and controls in place that support effective advanced systems for credit risk. The board should be provided with information that will enable it to conclude, with reasonable assurance, that management has appropriate processes and controls in place that support effective advanced systems for credit risk. To allow for ongoing monitoring, the board should be provided with reports summarizing the design and performance of the advanced systems. The board's strategic direction and oversight is essential to effective advanced systems.

    S 1-4 Each bank (including each depository institution) must ensure that the risk parameters and reference data used to determine its risk- based capital requirements are representative of its own credit risk.

  24. Each bank must have an appropriate infrastructure with risk measurement and management processes that meet the qualification requirements in the NPR. Each bank's advanced systems for credit risk should also incorporate the supervisory standards in this guidance. This infrastructure must be appropriate given the bank's size and level of complexity. Regardless of whether the systems and models that generate the risk parameters necessary for calculating a bank's risk- based capital requirements are located at any affiliate of the bank, the bank must ensure that the risk parameters and reference data used to determine its risk-based capital requirements are representative of the bank's credit risk profile.

  25. While some organizations may conduct rating, segmentation, quantification, and validation activities on a consolidated basis, each bank subject to the capital requirements for advanced systems must determine its risk-based capital requirements for credit risk on a stand-alone basis and hold its own separate risk-based capital in proportion to the risk exposure of its portfolios. Specifically, the PD, ELGD, LGD, and EAD estimates used to determine risk-based capital levels must be applied to exposures at the exposure or segment level, and risk-based capital requirements for each relevant bank should be based on the proportionate share of each exposure or segment owned by such bank.

  26. The board of directors should ensure that senior management at each bank confirm, through periodic evaluations, that risk parameters assigned to its credit exposures are appropriate on a stand-alone basis, and that the control and validation standards in Chapter 7 of this guidance are met.

    S 1-5 Banks should establish specific accountability for the overall performance of their advanced systems for credit risk.

  27. An individual or group of individuals should be responsible for the design and operation of the overall advanced systems. This accountability includes oversight for all of the components of the advanced systems for credit risk, regardless of which organizational units perform those processes. Authority and key responsibilities should be thoroughly documented and responsible individuals should be held accountable for the performance of the advanced systems.

    S 1-6 A bank's advanced systems should be transparent.

  28. Banks must adequately document all material aspects of their advanced systems. Adequate documentation will ensure transparency of a bank's advanced systems. A bank demonstrates the transparency of its advanced systems by comprehensively documenting all the systems'' components. Transparency through documentation is important so that third parties, such as a bank's supervisors and auditors, are able to understand, evaluate, and assess the effectiveness of the bank's advanced systems.

  29. Documentation should encompass, but is not limited to, the internal risk rating and segmentation systems, risk parameter quantification processes, data collection and maintenance processes, and model design, assumptions, and validation results. The guiding principle governing documentation is that it should support the requirements for the quantification, validation, and control and oversight mechanisms as well as the bank's broader credit risk management and reporting needs. Documentation is critical to the supervisory oversight process.

    Chapter 2: Wholesale Risk Rating Systems

    Rule Requirements

    Part III, Section 22(b)(1): A bank must have an internal risk rating and segmentation system that accurately and reliably differentiates among degrees of credit risk for the bank's wholesale and retail exposures.

    Part III, Section 22(b)(2): For wholesale exposures, a bank must have an internal risk rating system that accurately and reliably assigns each obligor to a single rating grade (reflecting the obligor's likelihood of default). The bank's wholesale obligor

    [[Page 9093]]

    rating system must have at least seven discrete rating grades for non- defaulted obligors and at least one rating grade for defaulted obligors. Unless the bank has chosen to directly assign ELGD and LGD estimates to each wholesale exposure, the bank must have an internal risk rating system that accurately and reliably assigns each wholesale exposure to loss severity rating grades (reflecting the bank's estimate of the ELGD and LGD of the exposure). A bank employing loss severity rating grades must have a sufficiently granular loss severity grading system to avoid grouping together exposures with widely ranging ELGDs or LGDs.

    Part III, Section 22(b)(4): The bank's internal risk rating policy for wholesale exposures must describe the bank's rating philosophy (that is, must describe how wholesale obligor rating assignments are affected by the bank's choice of the range of economic, business, and industry conditions that are considered in the obligor rating process).

    Part III, Section 22(b)(5): The bank's internal risk rating system for wholesale exposures must provide for the review and update (as appropriate) of each obligor rating and (if applicable) each loss severity rating whenever the bank receives new material information, but no less frequently than annually.

    1. Overview

  30. This chapter describes the design and operation of IRB risk rating systems for wholesale exposures. Banks will have latitude in designing and operating wholesale risk rating systems, subject to four broad principles:

    Two-dimensional risk rating system--Banks must be able to make meaningful and consistent differentiations among credit exposures along two dimensions--obligor default risk and loss severity in the event of a default.

    Rank order risks--Banks must rank obligors by their likelihood of default, and wholesale exposures (e.g., loans, facilities) by the loss severity expected in the event of default.

    Quantification--The risk rating system must be designed to facilitate quantification of obligor ratings in terms of PD and loss severity in terms of ELGD and LGD.

    Accuracy--The risk rating system must be designed to ensure that ratings are accurate, so that obligors within a rating grade have similar default risk and wholesale exposures within a loss severity rating grade have similar risk of loss in the event of default.

    1. Credit Rating Assignment Techniques

  31. In general, a credit rating is a summary indicator of the relative risk of a credit exposure. Credit ratings can take many forms. Regardless of the form, meaningful credit ratings share two characteristics:

    They group exposures to discriminate among possible outcomes.

    They rank the perceived level of credit risk.

  32. Banks have used credit ratings of various types for a variety of purposes. Some ratings are intended to rank obligors by risk of default and some are intended to rank wholesale exposures by expected loss, which incorporates risk of default and loss severity. Only risk rating systems that distinguish probability of default from loss given default meet the two-dimensional requirements for the IRB framework.

  33. Banks use different techniques, such as expert judgment and models, to assign credit risk ratings. How ratings are assigned is important because different techniques will require different validation processes and control mechanisms to ensure the integrity of the rating system. Validation and controls are discussed in Chapter 7 of this guidance. Some rating assignment techniques are described below; any of these techniques--expert judgment, models, constrained judgment, or a combination thereof--could be acceptable in an IRB system, provided the bank meets the qualification requirements in the NPR and the substance and spirit of the standards outlined in this guidance.

    1. Expert Judgment

  34. Historically, banks have used expert judgment to assign ratings to wholesale exposures. With this technique, an individual weighs relevant information and reaches a conclusion about the appropriate risk rating. The rater makes informed judgments based on knowledge gained through experience and training.

  35. The key feature of expert-judgment systems is flexibility. The prevalence of judgmental rating systems reflects the view that the determinants of default are too complicated to be captured by a single quantitative model. The quality of management is often cited as an example of a risk determinant that is difficult to assess using a quantitative model. In order to foster internal consistency, banks employing expert judgment rating systems should provide narrative guidelines that set out specific quantitative and qualitative rating criteria for each rating grade. However, the expert should decide how much weight to give to each of these criteria in assigning a risk rating grade to an obligor.

  36. The flexibility possible in the assignment of judgmental ratings has implications for how the accuracy of the ratings is reviewed. One goal of the ratings review validation process is to confirm that raters followed policy. However, two individuals exercising judgment can use the same information to support different ratings. Thus, individuals reviewing an expert judgment rating system should have sufficient credit expertise and a thorough knowledge of how the bank's rating methodology and policies should be applied.

    1. Models

  37. In recent years, models have been developed to assign ratings to wholesale exposures. In a model-based approach, inputs are numeric and provide quantitative and qualitative information about an obligor. The inputs are combined using mathematical equations to produce a number that is translated into a categorical rating. An important feature of models is that the rating is perfectly replicable by another party, given the same inputs.

  38. Models to assign wholesale ratings typically are statistically derived or based on expert-judgment techniques.

  39. Some models are the result of statistical optimization, in which well-defined mathematical criteria are used to choose the model that has the closest fit to the observed data. Numerous techniques can be used to build statistical models; regression is one widely recognized example. Such models are often referred to as scoring models or scorecards, because they produce a single number, or ``score,'' as an output that may be related, for example, to the estimated probability of default of each individual obligor in a portfolio. Regardless of the specific statistical technique used, a knowledgeable independent reviewer should exercise judgment in evaluating the reasonableness of a model's development, including its underlying logic, and the methods used to handle the data.

  40. In other cases, banks have built rating models by asking their experts to decide what weights to assign to critical variables in the models. Drawing on their experience, the experts first identify the observable variables that affect the likelihood of default. They then reach agreement on the weights to be assigned to each of the variables. Unlike statistical optimization, the experts are not necessarily using clear,

    [[Page 9094]]

    consistent criteria to select the weights attached to the variables. Indeed, expert-judgment model building is often a practical choice when there is not enough data to support a statistical model building. Despite its dependence on expert judgment, this method can be called model-based as long as the resulting equation, most likely with linear weights, is used to rate the credits. Once the equation is set, the model can be replicated, a feature shared with statistically derived models. However, while some banks refer to these types of expert- derived models as ``scorecards,'' they are not scoring models in the conventional use of the term. The term scoring model or scorecard is customarily reserved for a rating model derived using strictly statistical techniques, as described in the preceding paragraph. Generally, independent credit experts use judgment to evaluate the reasonableness of the development of these expert-derived models.

    1. Constrained Judgment

  41. The alternatives described above present the extremes; in practice, banks use risk rating systems that combine models with judgment. Two approaches are common.

    Judgmental systems with quantitative guidelines or model results as inputs. Individuals exercise judgment about risks subject to policy guidelines containing quantitative criteria such as minimum values for particular financial ratios. Banks develop quantitative criteria to guide individuals in assigning ratings, but the criteria may need to be augmented with additional information.

    One version of this constrained judgment approach features a model output as one among several criteria that an individual may consider when assigning ratings. The individual assigning the rating is responsible for prioritizing the criteria, reconciling conflicts between criteria, and, if warranted, overriding some criteria. Even if individuals incorporate model results as one of the factors in their ratings, they will exercise judgment in deciding what weight to attach to the model result. The appeal of this approach is that the model combines many pieces of information into a single output, which simplifies analysis, while the rater retains flexibility regarding the use of the model output.

    Model-based ratings with judgmental overrides. When banks use rating models, individuals are permitted to override the results under certain conditions and within tolerance levels for frequency. Credit- rating systems in which individuals can override models raise many of the same issues presented separately by pure judgment and model-based systems. If overrides are rare, the system can be evaluated largely as if it is a model-based system. If, however, overrides are prevalent, the system will be evaluated more like a judgmental system.

    1. Rating Overrides

  42. Regardless of the rating assignment technique in use, banks should define, within their IRB rating system documentation, what constitutes a ratings override. A judgmental override occurs when judgment is used to reject a rating suggested by an objective rating process, such as a model or scorecard. A policy override occurs whenever a rating is assigned in a manner that deviates from the bank's approved rating policy and procedures. Overrides should be specifically identified, monitored, and analyzed to evaluate their impact on the bank's IRB rating system.

    1. Definition of Default

    S 2-1 Banks must identify obligor defaults in accordance with the IRB definition of default.

  43. The consistent identification of defaults is fundamental to any IRB risk rating system. For IRB purposes, a bank's wholesale obligor is in default if, for any wholesale exposure of the bank to the obligor, the bank has:

    Placed the exposure on non-accrual status consistent with the Call Report Instructions or the Thrift Financial Report (``TFR'') and the TFR Instruction Manual;

    Taken a full or partial charge-off or write-down on the exposure due to the distressed financial condition of the obligor; or

    Incurred a credit-related loss of 5 percent or more of the exposure's initial carrying value in connection with the sale of the exposure or the transfer of the exposure to the held-for-sale, available-for-sale, trading account, or other reporting category.

  44. Partial charge-offs or write-downs for reasons not related to the distressed financial condition of the obligor do not trigger the default definition. For example, taking a write-down or charge-off to reflect forgiveness of a minor fee for relationship purposes unrelated to financial distress does not trigger the default definition.

  45. An obligor in default remains in default until the bank has reasonable assurance of repayment and performance for all contractual principal and interest payments on all exposures of the bank to the obligor (other than exposures that have been fully written-down or charged-off).

    1. Independence of the Wholesale Risk Rating Process

    S 2-2 Banks should demonstrate that their wholesale risk rating processes are sufficiently independent to produce objective ratings.

  46. Independence in the rating process helps to ensure the integrity of ratings. Banks can promote more independence by implementing a variety of controls and reporting structures. For example, a bank could structure its organizational reporting lines so that the credit approval and the rating assignment decisions are separate from each other. Banks that separate the credit approval process from the rating assignment/review functions are often better able to manage the conflicts that arise between loan volume and credit quality goals. Banks should be aware of the full range of potential conflicts and should develop effective controls to mitigate any conflicts that might arise.

  47. However, banks that choose to maintain less separation in organizational reporting lines between credit approval and rating assignment should strengthen controls and consider conducting a post- closing review process. A post-closing review provides an independent review of a rating that has been assigned by those who are not fully independent of the approval process. Any post-closing review, which serves to ensure that the initial rating is appropriate, should be conducted shortly after a credit is originated. The less independent the rating process is, the more rigorous the post-closing review should be.

  48. Whether ratings integrity is achieved by creating structural independence in reporting lines or through a combination of other control processes, a bank should demonstrate that its rating processes ensure integrity in ratings throughout the economic cycle.

    1. IRB Risk Rating System Architecture

    1. Two-Dimensional Risk-Rating System

    S 2-3 IRB risk rating systems must have two dimensions obligor default and loss severity corresponding to PD (obligor default), and ELGD and LGD (loss severity).

  49. Regardless of the type of rating system(s) used by a bank, the IRB framework imposes some specific requirements. The first requirement is that an IRB risk rating system must be two-dimensional. Banks will assign obligor ratings, which will be associated with a PD. They will also assign either

    [[Page 9095]]

    a loss severity rating(s), which will be associated with ELGD and LGD estimates, or ELGD and LGD estimates directly to each wholesale exposure.

  50. The process of assigning the obligor rating and either loss severity ratings or ELGD/LGD values--hereafter referred to as the rating system--is discussed below, and the process of quantifying the PD, ELGD and LGD risk parameters is discussed in Chapter 4. Obligor Ratings

    S 2-4 Banks must assign discrete obligor rating grades.

  51. While banks may use models to estimate probabilities of default for individual obligors, the IRB framework requires banks to group the obligors into discrete rating grades. Each obligor rating grade, in turn, must be associated with a single PD.

    S 2-5 The obligor rating system must rank obligors by likelihood of default.

  52. For example, if a bank uses a rating system based on a 10-point scale, with 1 representing obligors of highest financial strength and 10 representing defaulted obligors, rating grades 2 through 9 should represent groups of ever-increasing risk. In a rating system in which risk increases with the rating grade, an obligor with a rating grade 4 is riskier than an obligor with a rating grade 2, but need not be twice as risky.

    S 2-6 Banks must assign an obligor to only one rating grade.

  53. As noted above, the IRB framework requires that the obligor rating be distinct from the loss severity rating, which is assigned to the wholesale exposure. The obligor rating should focus on the obligor's ability and willingness to service any obligation and to follow through on any commitments it has with the bank to avoid default. For example, in a 1-to-10 rating system, where risk increases with the number rating grade, an otherwise defaulted obligor with a fully cash-secured transaction should be rated 10--defaulted-- regardless of the remote expectation of loss on a specific exposure. Conversely, a nondefaulted obligor whose financial condition warrants the highest investment grade rating should be rated 1, even if the bank's transactions are subordinate to other creditors and unsecured. Since the obligor rating is assigned to the obligor and not to its individual exposures, the bank must ensure that all the exposures to the same obligor bear the obligor's rating grade.

  54. At the bottom of any IRB rating scale is at least one default rating grade. Once an obligor is in default on any exposure to the subject bank, the obligor rating grade associated with all of its exposures to that bank will be the default rating grade--even for those exposures of the obligor that have not triggered any element of the definition of default. Ratings Philosophy and Expected Ratings Migration

    S 2-7 A bank's rating policy must describe its ratings philosophy and how quickly obligors are expected to migrate from one rating grade to another in response to economic cycles.

    S 2-8 In assigning an obligor to a rating grade, a bank should assess the risk of obligor default over a period of at least one year taking into account the possibility of adverse economic conditions.

  55. The term rating philosophy is used to describe how obligor rating assignments are affected by a bank's choice of the range of economic, business, and industry conditions that are considered in the rating process. It establishes the bank's philosophy on the manner in which it rates credits and the scenarios under which ratings would be expected to change. In assigning an obligor rating grade, banks must consider both the current risk characteristics of the obligor and the impact that adverse economic, business, and industry conditions could have on the obligor's ability to repay; however, nothing in this guidance requires any specific rating philosophy be employed.

  56. Rating grades should group obligors that are expected to share similar default frequencies. The rating assignment for an obligor may be based upon a combination of obligor-specific (idiosyncratic) risk characteristics and the general economic, business, and industry (systematic) risk characteristics or conditions that obligors in the rating may experience.

  57. The time horizon used for the assignment of obligors to rating grades should be one year or longer. The obligor rating should reflect the obligor's ability as evidenced by its financial capacity, as well as its willingness to service any obligation and to follow through on any commitments it has with the bank to avoid default. The time horizon chosen for the rating assignment process should be appropriate to the business line or geography for which the respective obligor rating system will be used.

  58. That general description, however, still leaves open different possible implementations, depending upon what range of future systematic risk conditions the bank considers when making a rating assignment and the weight given to those conditions. In practice, it appears that most banks have adopted a rating philosophy where an obligor's rating would have some sensitivity to changes in economic conditions. Regardless of the approach taken, banks should document their choice of economic, business, and industry conditions considered in each risk rating system and the expected frequency of rating changes over economic cycles. Such differences have important implications for validation and other aspects of the operation of rating systems, and therefore should be clearly articulated and well understood. A bank should also understand the effects of ratings migration on its risk- based capital requirements and ensure that sufficient capital is maintained during all phases of the economic cycle.

  59. A bank's ratings philosophy can be empirically demonstrated through an analysis of how its obligors migrate across rating grades as economic and industry conditions change. While individual obligor ratings may change due to changes in obligor-specific risk characteristics, the average migration observed through time is likely to reveal how sensitive rating assignments are to systematic risk changes. Rating systems in which obligor ratings are more closely linked at a given point in time to particular economic conditions are more likely to be associated with higher overall average rates of rating migration than are other systems. Ratings that respond primarily to obligor-specific (idiosyncratic) changes may be less sensitive to changes in economic and industry conditions, and be more stable throughout the economic cycle. Obligor-Rating Granularity

    S 2-9 Banks must have at least seven discrete obligor rating grades for non-defaulted obligors and at least one rating grade for defaulted obligors.

  60. A risk rating system's grades should be sufficiently numerous to ensure that management can meaningfully differentiate risk in the portfolio, without being so numerous that they limit the system's practical use. To determine the appropriate number of rating grades beyond the minimum seven non-default rating grades, each bank should perform its own internal analysis.

    S 2-10 Banks should justify the number of obligor rating grades used in its risk rating system and the distribution of obligors across those grades.

  61. Some portfolios may have a majority of obligors assigned to only a few of the available rating grades. The mere existence of a concentration of exposures in a rating grade (or rating

    [[Page 9096]]

    grades) does not, by itself, reflect weakness in a rating system. For example, banks focused on a particular type of lending, such as asset- based lending, may lend to obligors having similar default risk. Banks with focused lending activities may use the minimum number of obligor rating grades, while banks with a broad range of lending activities should have more rating grades. However, banks with a high concentration of obligors in a particular rating grade should perform a thorough analysis that supports such a concentration.

  62. A concentration of obligors in a rating grade is inappropriate when the financial strength of those obligors varies considerably. If such is the case, the following questions should be answered:

    Are the criteria for each rating grade clear? Are rating criteria too vague to allow raters to make clear distinctions? Ambiguity may be an issue throughout the rating scale or it may be limited to the most commonly used ratings.

    How diverse are the obligors? Is the bank targeting a narrow segment of obligors with homogeneous risk characteristics?

    Are the bank's internal rating categories considerably broader than those of other lenders? Recognition of Implied Support

    S 2-11 Banks may recognize implied support as a rating criterion subject to specific supervisory considerations; however, banks should not rely upon the possibility of U.S. government financial assistance, except for the financial assistance that the U.S. government has legally committed to provide.

  63. Implied support is support from a third party that is less than a legally enforceable guarantee. Banks that use implied support as a ratings criterion typically rely on a wide range of policies and procedures for its use. As the impact of implied support arrangements has typically been difficult to quantify, the circumstances under which banks use such arrangements as a ratings criterion should be limited.

  64. Supervisors will assess the appropriateness of a bank's usage of implied support as a ratings criterion. A bank should recognize implied support only if the following are true:

    The support is from a parent corporation or sovereign; however, banks should not rely upon the possibility of U.S. government financial assistance, except for the financial assistance that the U.S. government has legally committed to provide;

    The implied support provider is rated investment grade by an NRSRO;

    The implied support is a factor only in assigning an obligor rating, not a loss severity rating;

    The final rating assigned to the obligor reflects greater credit risk than the rating assigned to the implied support provider (the parent corporation or sovereign);

    The bank has considered the magnitude of the rating benefit accorded from the recognition of implied support and the bank has performed and documented comprehensive due diligence to assess the parent corporation or sovereign's willingness and capacity to support the obligor. To assess the willingness to support the obligor, a bank may consider prior situations where the support provider has supported the obligor or other obligors under similar circumstances, extended credit to the obligor at beneficial rates, or made large scale investments of cash or resources in the obligor. To assess capacity, a bank should conduct a thorough analysis of the financial position of the support provider and its ability to provide support including during periods of financial stress;

    There is broad market recognition of the implied support. This can be evidenced through a number of market indicators including situations where the external ratings of the parent corporation and subsidiary are closely linked or the ratings of the parent or sovereign reflect an expectation of support. It could also include evidence derived from traded credit spreads of the parent and subsidiary;

    For a bank whose rating system design incorporates external ratings as a tool in assigning an internal rating, the internal rating does not additionally incorporate implied support when there is evidence that the external rating has already benefited from the assumption of support;

    The bank has established a stand-alone rating for the obligor and continues to monitor the stand-alone rating throughout the term of the exposure;

    The bank's internal tracking processes monitor the dollar volume of credit exposures where implied support is a material consideration in the rating assignment; and

    The provision of significant implied support to a subsidiary or subsidiaries is incorporated into the parent corporation's obligor rating. Loss Severity Ratings

    S 2-12 Banks must have a loss severity rating system that is able to assign loss severity estimates (ELGD and LGD) to each wholesale exposure.

  65. The term loss severity rating system refers to the method by which a bank assigns loss severity estimates to wholesale exposures. This assignment can be accomplished through a loss severity rating process or via direct assignment to each wholesale exposure. A wholesale exposure's ELGD and LGD estimates are expressed as a percentage of the estimated EAD of the exposure. Both the ELGD and the LGD are required inputs into the IRB risk-based capital formulas.

    S 2-13 Banks should have empirical support for their loss severity rating system and the rating system should be capable of supporting the quantification of ELGD estimates (and LGD estimates if approved for internal estimates).

  66. ELGD and LGD analysis is in the early stages of development compared to default risk modeling. Over time, banks' methodologies are expected to evolve. Longstanding banking experience and existing research on ELGD and LGD, while preliminary, suggests that type of collateral (in terms of liquidity and marketability), collateral values, seniority, industry position and whether an exposure is secured or unsecured are the most commonly used predictors of loss severity.

  67. Whether a bank assigns ELGD and LGD values directly or, alternatively, rates wholesale exposures and then quantifies ELGD and LGD for the rating grades, the bank should conscientiously identify characteristics that influence ELGD and LGD. Each of the loss severity rating categories should be associated with empirically supported ELGD and LGD estimates. (Even though the grouped exposures have common characteristics and a common expected ELGD and LGD, realized loss severity for individual exposures may vary). Loss Severity Rating/LGD Granularity

    S 2-14 Banks must have a sufficiently granular loss severity rating system to group exposures with similar estimated loss severities or a process that assigns estimated ELGDs and LGDs to individual exposures.

  68. While there is no stated minimum number of loss severity ratings, the systems that provide ELGD and LGD estimates must be granular enough to separate wholesale exposures with significantly varying estimated LGDs. For example, a bank using a loss severity rating-scale approach that has credit products with a variety of collateral packages or financing structures should have more ELGD and

    [[Page 9097]]

    LGD rating grades than those banks with fewer options in their credit products.

  69. Like obligor rating grades, the mere existence of an exposure concentration in an ELGD or LGD rating grade (or rating grades) does not, by itself, signify a rating system's weakness. However, banks with a high concentration within ELGD and LGD rating grades should perform a thorough analysis that supports such a concentration.

    1. Other Considerations

    Rating Criteria

    S 2-15 Rating criteria should be written, clear, consistently applied, and include the specific qualitative and quantitative factors used in assigning ratings.

  70. Each obligor and loss severity rating (including ratings with modifiers such as + or -) should be defined. The definitions should describe all significant quantitative and qualitative ratings criteria used to promote consistent application of risk ratings. The ratings should be sufficiently transparent to allow replication by a third party. This is particularly important in expert-judgment rating systems where establishing the transparency of rating assignments is more challenging. Without clearly defined rating criteria, expert-judgment rating systems are not sufficiently transparent. A risk rating system with vague criteria or one defined only by PDs, ELGDs, or LGDs is neither replicable nor transparent. Transparent criteria promote accurate and consistent ratings within and across business lines and geographies, and permit the rating process to be refined over time. Use of External Rating Tools

  71. Banks may use results from external rating tools, such as vendor default models or agency ratings, as inputs into their internal rating processes for obligors and wholesale exposures. The validation standards in this guidance apply to a bank's use of external rating tools as well as internal ones. Therefore, banks should apply the same level of rigor to their external tools as to their internal tools. In addition, any external rating tool employed should be consistent with the architecture of the bank's IRB rating systems. To verify this consistency, a bank should analyze and understand:

    The predictive ability of the external rating tool;

    The factors and criteria used by the external rating tools to assign ratings; and

    The expected effect of using the external rating tool on the migration of internal ratings.

  72. Sole reliance on external rating tools is not appropriate. Every rating tool has limitations, and banks should have a process to ensure that accurate ratings are assigned despite such limitations. How much additional analysis is required will depend on the exposure's rating, relative size and complexity. Banks should maintain data on the critical factors underpinning an external rating tool's obligor or loss severity ratings (as the banks would for any rating assignment process). Timeliness of Ratings

    S 2-16 Risk ratings must be updated whenever new material information is received, but in no instance less than annually.

  73. A bank should have a policy that ensures that obligor and loss severity ratings reflect current information. That policy should also specify minimum financial reporting and collateral valuation requirements. When loss severity ratings or estimates depend on collateral values or other factors that change periodically, that policy should take into account the need to update these factors.

  74. Banks' policies may include an alternative timetable for updating ratings of exposures below a de minimis amount that the bank determines has no material impact on risk-based capital levels. For example, some banks use triggering events to prompt them to update their ratings on de minimis exposures rather than adhering to a specific timetable. Multiple Ratings Systems

  75. A bank's complexity and sophistication, as well as the size and range of products offered, will affect the types and number of rating systems employed. However, each risk rating system should conform to the standards in this guidance, must be validated for accuracy and consistency, and should be used consistently. Validation exercises should produce evidence that the ratings have been applied consistently.

    Chapter 3: Retail Segmentation Systems

    Rule Requirements

    Part III, Section 22(b)(1): A bank must have an internal risk rating and segmentation system that accurately and reliably differentiates among degrees of credit risk for the bank's wholesale and retail exposures.

    Part III, Section 22(b)(3): For retail exposures, a bank must have a system that groups exposures into segments with homogeneous risk characteristics and assigns accurate and reliable PD, ELGD, and LGD estimates for each segment on a consistent basis. The bank's system must group retail exposures into the appropriate retail exposure subcategory and must group the retail exposures in each retail exposure subcategory into separate segments. The bank's system must identify all defaulted retail exposures and group them in segments by subcategories separate from non-defaulted retail exposures.

    Part III, Section 22(b)(5): The bank's retail exposure segmentation system must provide for the review and update (as appropriate) of assignments of retail exposures to segments whenever the bank receives new material information, but no less frequently than quarterly.

    1. Overview

  76. This chapter describes the design and operation of an IRB retail segmentation system. An IRB retail segmentation system groups retail exposures into segments with homogeneous risk characteristics within each of the three retail exposure subcategories (residential mortgage exposures, qualifying revolving exposures (QRE), other retail exposures). Examples of segmentation techniques include the use of obligor (such as income and past credit performance) and exposure (such as product type and loan-to-value) characteristics; or grouping loans by similar estimated default rates and estimated loss severities. The segmentation system used for IRB will often differ from segmentation used for other purposes, such as for marketing and scorecards. The retail risk parameter estimates that determine risk-based capital requirements are assigned at the segment level.

  77. The retail IRB framework provides banks substantial flexibility to use the retail segmentation that is most appropriate for their activities, subject to the following broad principles:

    Differentiation of risk--Segmentation should provide meaningful differentiation of risk. Accordingly, in developing the segmentation system, banks should select risk drivers that separate risk distinctly and consistently over time.

    Reliable risk characteristics--Segmentation uses borrower risk characteristics and loan-related risk characteristics that reliably differentiate a segment's risk from that of other segments and that perform consistently over time.

    [[Page 9098]]

    Consistency--The risk drivers used to segment exposures must be consistent with the predominant risk characteristics the bank uses to measure and manage credit risk.

    Accuracy--The segmentation process should generate segments that separate exposures by realized performance. It should be designed so that actual long-run outcomes closely approximate the retail risk parameters estimated by the bank.

  78. Defaulted retail exposures must be segmented separately from non-defaulted exposures. In addition, retail segments should not cross national jurisdictions unless the bank can demonstrate that the exposures in the different jurisdictions have homogeneous risk characteristics.

    1. Definition of Default

    S 3-1 Banks must use the IRB definition of default when identifying defaulted retail exposures.

  79. For retail exposures, banks must use the following definition of default for its IRB system: A retail exposure of a bank is in default if:

    The exposure is 180 days past due, in the case of a residential mortgage exposure or revolving exposure;

    The exposure is 120 days past due, in the case of all other retail exposures; or

    The bank has taken a full or partial charge-off or write- down of principal on the exposure for credit related reasons.

  80. The exposure remains in default until the bank has reasonable assurance of repayment and performance for all contractual principal and interest payments on the exposure.

  81. For retail exposures, the definition of default is applied to a particular exposure rather than to the obligor. That is, default by an obligor on one obligation would not require a bank to consider all other obligations of the same obligor in default.

    1. Retail Segmentation Architecture

    1. Criteria for Retail Segmentation

    S 3-2 Banks must first place exposures into one of the three retail exposure subcategories (residential mortgage, QRE, and other retail). Banks must then separate exposures into segments with homogeneous risk characteristics.

    S 3-3 A retail segmentation system must produce segments that accurately and reliably differentiate risk and produce accurate and reliable estimates of the risk parameters.

  82. While banks have considerable flexibility in determining retail segments, they should consider factors affecting the risk characteristics of both borrowers and loans when determining segmentation criteria. Statistical modeling, expert judgment, or some combination of the two may determine the most relevant risk drivers.

  83. Examples of acceptable approaches to segmentation include:

    Segmenting exposures by common risk drivers that are relevant and material in determining the loss characteristics of a particular retail product. For example, a bank may segment mortgage loans by LTV band, age from origination, geography, and/or origination channel.

    Segmenting exposures by common risk drivers that are relevant and material in determining the loss characteristics of a particular borrower population. For example, a bank may segment by credit bureau score bands, behavior score bands, and/or delinquency status. In the case of mortgage products, more borrower information may be available and a bank could include the debt-to-income ratio, current income, and/or years at present location.

    Segmenting by grouping exposures with similar estimated loss characteristics, such as expected average loss rates, expected default rates, or expected loss severity rates. Some banks have developed models that rank order default risk or generate an estimated default rate, loss severity, and/or exposure at default for individual exposures. A bank could use such estimates as criteria in their segmentation system.

  84. Each retail segment will have an estimated PD, ELGD, LGD, and EAD. In some cases, it may be reasonable to use the same risk parameter estimates for multiple segments. This may occur more frequently for bank estimates of ELGD and LGD as banks may have less robust historical data for estimating these IRB risk parameters. In such cases, the bank should demonstrate that there are no material differences in ELGD or LGD among those segments. Over time, supervisors expect banks to develop more precise data and methodologies for determining ELGD and LGD.

  85. Data for certain retail loans are sometimes missing or incomplete, such as data for purchased loans or loans originated with policy exceptions. The overall segmentation system should adequately capture the risk associated with these loans based on the data available. In some cases, missing or incomplete data itself may be a significant risk factor used for segmentation purposes.

  86. A bank should substantiate the degree of granularity in its segmentation system and the distribution of exposures across segments. (Here, ``granularity'' is how finely the portfolio is segmented.)

  87. Banks have flexibility in determining the granularity of their segmentation system. Each bank should perform internal analysis to determine how granular segments must be to group homogeneous exposures. For example, a bank using credit score ranges to segment its portfolio should provide the rationale for the ranges chosen.

  88. A concentration of exposures in a segment (or segments) does not, by itself, reflect a deficiency in the segmentation system. For example, a bank may lend within a narrow risk range and, therefore, have a smaller number of segments than a bank that lends across a wider spectrum of risk. However, a bank with a high concentration of exposures in a particular segment will be expected to show that the bank's segmentation criteria are carefully delineated and well- documented. The bank should be able to demonstrate that there is little risk differentiation among the exposures within the segment, and that the segmentation method produces reliable estimates for each of the risk parameters. A bank should not artificially group exposures into segments specifically to avoid the 10 percent LGD floor for mortgage products. A bank should use consistent risk drivers to determine its retail exposure segmentations and not artificially segment low LGD loans with higher LGD loans to avoid the floor.

    S 3-4 Banks should clearly define and document the criteria for assigning an exposure to a particular retail segment.

  89. Banks should choose risk drivers that accurately reflect an exposure's risk. Risk drivers selected must be consistent with risk measures used for credit risk management.

  90. The method of segmentation will help determine the risk parameters, as well as which techniques should be used for validation and which control mechanisms will best ensure the integrity of the segmentation system. Described below are some techniques for determining whether the segmentation was done appropriately:

    Statistical Models--Banks may incorporate results of statistical underwriting models or scoring models directly into their segmentation process. For example, a bank may use a custom or bureau credit score as a segmenting criterion. In that case, the bank should support the choice of the score, and should demonstrate that it has adequate controls for the credit scoring system.

    [[Page 9099]]

    Inputs to Models--Banks may incorporate the variables from a statistical model into their segmentation processes. For example, a bank that uses a statistical model to predict losses for its mortgage portfolio could select some or all of the major inputs to that model, such as debt-to-income and LTV, as segmentation criteria. As part of its validation and controls for the segmentation system, the bank should provide an appropriate rationale and empirical evidence for its choice of the particular set of risk drivers from the loss prediction model.

    Expert Judgment--Banks may combine expert judgment with statistical analysis in determining segmentation criteria. However, expert judgment must be well-documented and supported by empirical evidence demonstrating that the chosen risk factors are reliable predictors of risk.

  91. A bank should be able to demonstrate a strong relationship between IRB risk drivers and comparable measures used for credit risk management. Specifically, a bank should demonstrate that the segmentation system differentiates credit risk across the portfolio and captures changes in the level and direction of credit risk using measures that are similar to those used in credit risk management. For example, even if a bank uses custom scores for underwriting or account management, generic bureau scores may be used for IRB segmentation purposes if the bank can demonstrate a relationship between these measures.

  92. Banks should have clear policies to define the criteria for modifying the segmentation system. Changes in the segmentation system should be documented and supported to ensure consistency and historically comparable measurements.

    1. Assignment of Exposures to Retail Segments

    S 3-5 Banks should develop and document their policies to ensure that risk-driver information is sufficiently accurate and timely to track changes in underlying credit quality and that the updated information is used to assign exposures to appropriate segments.

  93. Under the IRB framework, a bank initially assigns retail exposures to segments based on the risk-driver information available at the time of origination or acquisition. The bank should then continue to monitor the risk characteristics of the exposures and assign exposures to appropriate segments based on refreshed information gathered by the bank as part of its monitoring process.

  94. In accordance with industry practices in retail credit risk management, a bank should have a well-documented policy on monitoring and updating information about exposure risk characteristics. The policy should specify the risk characteristics to be updated and the frequency of updates for each product type or sub-portfolio within its retail portfolio. Updating of relevant information on these risk drivers should be consistent with sound risk management.

    S 3-6 The bank's retail exposure segmentation system must provide for the review and update (as appropriate) of assignments of retail exposures to segments whenever the bank receives new material information, but no less frequently than quarterly.

  95. Decisions regarding the frequency of obtaining refreshed information should reflect the specific risk characteristics of individual segments and/or the potential impact on risk-based capital levels. The frequency of updates will generally vary for different risk drivers and for different products. The underlying principle is that, in every estimation period, retail exposures are assigned to segments that accurately reflect their risk profile and produce accurate risk parameters.

  96. Banks should assess their approach to updating information and migrating exposures when validating the segmentation process.

    Chapter 4: Quantification

    Rule Requirements

    Part III, Section 22(c)(1): The bank must have a comprehensive risk parameter quantification process that produces accurate, timely, and reliable estimates of the risk parameters for the bank's wholesale and retail exposures.

    Part III, Section 22(c)(2): Data used to estimate the risk parameters must be relevant to the bank's actual wholesale and retail exposures, and of sufficient quality to support the determination of risk-based capital requirements for the exposures.

    Part III, Section 22(c)(3): The bank's risk parameter quantification process must produce conservative risk parameter estimates where the bank has limited relevant data, and any adjustments that are part of the quantification process must not result in a pattern of bias toward lower risk parameter estimates.

    Part III, Section 22(c)(4): PD estimates for wholesale and retail exposures must be based on at least 5 years of default data. ELGD and LGD estimates for wholesale exposures must be based on at least 7 years of loss severity data, and ELGD and LGD estimates for retail exposures must be based on at least 5[aacute]years of loss severity data. EAD estimates for wholesale exposures must be based on at least 7 years of exposure amount data, and EAD estimates for retail exposures must be based on at least 5 years of exposure amount data.

    Part III, Section 22(c)(5): Default, loss severity, and exposure amount data must include periods of economic downturn conditions, or the bank must adjust its estimates of risk parameters to compensate for the lack of data from periods of economic downturn conditions.

    Part III, Section 22(c)(6): The bank's PD, ELGD, LGD, and EAD estimates must be based on the definition of default [in the NPR].

    Part III, Section 22(c)(7): The bank must review and update (as appropriate) its risk parameters and its risk parameter quantification process at least annually.

    Part III, Section 22(c)(8): The bank must at least annually conduct a comprehensive review and analysis of reference data to determine relevance of reference data to bank exposures, quality of reference data to support PD, ELGD, LGD, and EAD estimates, and consistency of reference data to the definition of default contained [in the NPR].

    1. Overview

  97. Quantification is the process of assigning numerical values to the key risk parameters that are used as inputs to the IRB risk-based capital formulas. This chapter provides guidance on the quantification process for wholesale and retail exposures. For both wholesale and retail portfolios these risk parameters are the probability of default (``PD''), expected loss given default (``ELGD''), loss given default (``LGD''), and exposure at default (``EAD''). Wholesale exposures also require determination of the exposure's maturity (``M''). Risk parameters are assigned to each exposure for wholesale portfolios and to each segment for retail portfolios. Specific quantification issues related to counterparty credit risk transactions, equity exposures, and securitization exposures are described in Chapters 9, 10, and 11, respectively.

  98. In any discussions of the IRB system, the risk rating or segmentation system design and the quantification process should be considered together. This chapter focuses on quantification given an existing risk rating or segmentation system design, as covered in Chapters 2 and 3, respectively.

  99. Section I establishes an organizing framework for considering

    [[Page 9100]]

    quantification and develops general standards that apply to the entire process. Sections II, III, and IV cover specific supervisory standards that apply to PD, ELGD and LGD, and EAD respectively. The maturity risk parameter receives somewhat different treatment in section V, since it is much less dependent on statistical estimates from historical data. Special cases and applications for quantification are covered in section VI.

    1. Stages of the Quantification Process

  100. For each risk parameter, quantification may be broken down into four stages: obtaining historical reference data; estimating the relationship between risk characteristics and the risk parameters in the reference data; mapping the correspondence between risk characteristics in the reference data and those in the existing portfolio; and applying the relationship between risk characteristics and risk parameters to the existing portfolio. An evaluation of a bank's quantification process focuses on the overall adequacy of the bank's approach, including an understanding of how the bank breaks down the quantification process where applicable into the four stages.

  101. Banks are not required to separate the quantification process into four stages. The four stages are a conceptual framework, and may serve as a useful analytical and implementation guide. Readers may find it helpful to refer to the appendices to this chapter, which illustrate how this four-stage framework can be applied to quantification approaches in practice. The four stages of quantification are described below.

    Data--First, the bank constructs a reference data set, or source of data, from which risk parameters can be estimated.

    A ``reference data set'' consists of a set of exposures and their associated identifying information and risk characteristics. Reference data sets may include internal data, external data, or pooled data from different internal and external sources. Internal data refers to any data on exposures held in a bank's existing or historical portfolios, including data elements or information provided by third parties (e.g., data from a credit bureau about one's own customers would be considered internal data). External data refers to information on exposures held outside the bank's portfolio, including aggregate industry trends or economic data.

    The reference data is described using a set of observed characteristics; consequently, the data set contains variables that can be used for this characterization. For example, risk characteristics for wholesale exposures include obligor and exposure characteristics related to the risk parameters, such as agency debt ratings, risk ratings, financial measures, geographic regions, and the economic environment and industry/sector trends during the time period of the reference data. Risk characteristics for retail exposures include borrower and loan characteristics, such as loan terms, loan-to-value, credit score, income, debt-to-income, or payment history. A bank may use more than one reference data set to improve the robustness or accuracy of the risk parameter estimates.

    Estimation--Second, the bank applies statistical techniques to the reference data to determine the relationship between risk characteristics and the estimated risk parameter.

    The result of this step is a model that ties descriptive risk characteristics, or drivers, to the risk parameter estimates. In this context, the term ``model'' is used in the most general sense; a model may be a simple calculation of historical averages or a more sophisticated approach based on advanced statistical techniques (e.g., regression). This step may include adjustments for differences between the IRB definition of default and the default definition in the reference data set, as well as adjustments for data limitations.

    More than one estimation technique may be used to generate estimates of the risk parameters, especially if there are multiple sets of reference data or multiple sample periods. If multiple estimates are generated, the bank should have a clear and consistent policy for reconciling and combining them into a single estimate at the application stage.

    Mapping--Third, the bank creates a link between its portfolio data and the reference data based on corresponding characteristics.

    Variables or characteristics used in the estimation model are mapped, or linked, to the variables that are available for the existing portfolio. In order to map effectively, a bank should have reference data characteristics that allow the construction of rating and segmentation criteria that are consistent with those used on the bank's portfolio.

    An important element of mapping is making adjustments for differences between reference data sets and the bank's exposures. The bank should map each reference data set and each combination of risk characteristics used in any estimation model.

    Application--Fourth, the bank applies the relationship estimated for the reference data to the actual portfolio data.

    The ultimate aim of quantification is to attribute a PD, ELGD, LGD, and EAD to each exposure within the wholesale portfolio and to each segment of exposures in the retail portfolio. If multiple data sets or estimation methods are used, the bank should adopt a means of combining the various estimates at this stage.

    For wholesale portfolios, this step may include adjustments to default rates or loss rates to ``smooth'' the final risk parameter estimates. If the estimates are applied to individual transactions, the bank must in some way aggregate the estimates at the rating level.

    For retail portfolios, the bank may simply apply the risk parameter estimates derived for each segment to the corresponding segment in the existing portfolio. However the application stage could be more complex if multiple data sets or estimation methods were used or if the mapping stage required adjustments.

  102. The four-stage quantification process described above outlines a framework that a bank may use for assigning numerical values to the IRB key risk parameters. Whether the quantification process explicitly delineates each aspect of the four stages of quantification for PD, ELGD, LGD, and EAD, or the quantification process is more integrated, each aspect of the quantification process for the key risk parameters should be justified, documented, and subject to monitoring and follow- up.

  103. A number of examples are given in this chapter to aid exposition and interpretation of specific quantification issues. None of the examples is sufficiently detailed to incorporate all of the considerations discussed in this chapter. Moreover, technical progress in the area of quantification is rapid. Thus, banks should not interpret a specific example that is consistent with the standard being discussed, and that resembles the bank's current practice, as being a ``safe harbor.'' Banks should consider this guidance in its entirety when determining whether systems and practices are adequate.

    1. General Standards for Sound Quantification

  104. Several core principles apply to the overall quantification process of risk rating and segmentation systems. Those principles and the general standards that reflect them are discussed in this introductory section. Other supervisory

    [[Page 9101]]

    standards specific to particular stages or risk parameters are discussed in later sections.

  105. The risk parameters should be estimated in a manner consistent with sound credit risk management practices and the IRB standards. In addition, a bank should have processes to ensure that these estimates are independently and thoroughly validated and the results reported to senior management.

  106. Supervisory evaluation of the quantification process requires consideration of all the standards in this chapter, both general and specific. Particular practical approaches to quantification may be highly consistent with some standards, and less so with others. In assessing a bank's approach, supervisors will weigh the approach's strengths and weaknesses using all the supervisory standards in this chapter as a guide.

    S 4-1 Banks should have a fully specified process covering all aspects of quantification (reference data, estimation, mapping, and application). The quantification process should be fully documented.

  107. A fully specified quantification process should describe how all four stages (data, estimation, mapping, and application) are addressed for each parameter. The linkages between the bank's quantification and validation processes should also be explicit.

  108. An important aspect of the quantification process is the appropriate capture and analysis of developmental evidence in support of techniques applied by the bank. A few examples of such developmental evidence are:

    For reference data--a discussion of how the best available data are chosen from various sources so that the data include periods of economic downturn conditions and the portfolio in the reference data is comparable to the existing portfolio;

    For estimation--discussions of why the bank uses various averaging methods on historical data, how it specifies downturn estimates, or how it develops predictive models;

    For mapping--discussions of how risk characteristics in the reference data compare with those in the existing portfolio; and

    For application--a discussion of the combination of multiple estimates, aggregations of estimates across exposures, or any judgmental adjustments.

  109. Major decisions in the design and implementation of the quantification process should be justified and fully documented. Documentation promotes consistency and allows third parties to review and replicate the entire process.

    S 4-2 Risk parameter estimates must be based on the IRB definition of default. At least annually, a bank must conduct a comprehensive review and analysis of reference data to determine the relevance of reference data to the bank's exposures, quality of reference data to support risk parameter estimates, and consistency of reference data to the IRB definition of default.

  110. Many different sources of data might be appropriately used in an estimation model or the quantification process. Regardless of the data used to derive the risk parameter estimates, such estimates must reflect the IRB definition of default.

  111. As part of its annual review of its reference data, a bank must assess the consistency of the reference data with the IRB definition of default. In the early stages of IRB implementation, a bank's internal historical reference data might not include an element that fully conforms to the IRB definition of default. In addition, a bank may change its policies regarding charge-offs or non-accrual. For any internal or external historical data that are not fully consistent with the IRB definition of default, a bank must still ensure that the derived risk parameter estimates are based on the IRB definition of default. This will likely entail making conservative adjustments to reflect data discrepancies; larger discrepancies require greater conservatism.

  112. To support quantification and validation of the risk parameter estimates, one of the elements in a bank's internal data should conform to the IRB definition of default. The collection of internal data is discussed in Chapter 6 (Data Management and Maintenance) of this guidance and validation is discussed in Chapter 7 (Controls and Validation).

    S 4-3 Banks must separately quantify wholesale risk parameter estimates before adjusting the estimates for the impact of eligible guarantees and eligible credit derivatives.

  113. As discussed in Chapter 5, the benefits of wholesale credit risk mitigation from eligible guarantees and eligible credit derivatives are recognized through adjustments to ratings and risk parameter estimates. However, banks must perform the basic quantification of the risk parameters separately from the process of determining an adjustment to an exposure's risk rating assignment resulting from the credit protection or any adjustments to the risk parameters for recognition of the credit protection. In quantifying the impact of the credit protection, banks may make necessary adjustments to the reference data or mapping process, or may estimate the impact of the credit protection on the bank's existing portfolio. Chapter 5 deals with recognized types of contractual arrangements and instruments that transfer all or part of an exposure's credit risk from the bank to one or more third parties.

    S 4-4 Banks may take into account the risk-reducing effects of guarantees in support of retail exposures when quantifying the PD, ELGD, and LGD of the segment.

  114. A bank may take into account the risk reducing effects of guarantees in support of retail exposures in a segment when quantifying the PD, ELGD, and LGD of the segment, but only for guarantees of individual retail exposures, or guarantees covering all or a pro rata portion of all contractual payments due on a group of retail exposures. (See Example 5 in Appendix B of this chapter.) Insurance in support of retail exposures, for example private mortgage insurance (``PMI''), generally would be considered a guarantee.

  115. The risk parameters for exposures covered by retail guarantees should be based on historical experience of exposures with similar coverage and the expected benefits of the guarantees on future performance. Segments benefiting from retail guarantees are still subject to applicable regulatory floors, such as the 10 percent LGD floor for residential mortgages.

  116. Retail guarantees may affect PD or ELGD and LGD. In most cases, and in particular for PMI, banks reflect the effects of retail guarantees primarily through the quantification of ELGD and LGD. For retail exposures, banks may directly reflect the expected benefit of retail guarantees in the risk parameters, in contrast to the two-step process that is required for guarantees of wholesale exposures.

  117. Banks should monitor and assess potential counterparty risk for guarantees of retail exposures through tracking and analyzing the financial strength of each guarantor. When reflecting guarantees of retail exposures in PD or ELGD and LGD estimates banks should take into account the credit quality of the guarantor. Other things equal, PD or ELGD and LGD estimates should be increased if the credit quality of the guarantor deteriorates. In addition, banks should consider the potential for additional counterparty risk during economic downturn conditions.

  118. Banks may also choose to incorporate retail guarantee coverage into their segmentation systems. For example, mortgage loans without PMI could be placed into different segments than those with PMI.

    [[Page 9102]]

  119. Since there are a variety of programs for retail guarantees that provide differing types and levels of coverage, banks incorporating retail guarantees into the IRB risk parameters should ensure that their systems are sufficient to estimate the expected benefits based on the actual amount of coverage within the existing portfolio, regardless of whether or not they segment by coverage. This may require exposure-by-exposure tracking over the life of the exposure to accurately reflect the expected benefits for different forms of retail guarantees. Banks also should develop appropriate reference data sets that can be used to estimate the effect on PDs or ELGDs and LGDs for exposures that are covered by retail guarantees.

    S 4-5 Banks may only reflect the risk-reducing benefits of tranched guarantees of multiple retail exposures by meeting the definition and operational criteria for synthetic securitizations.

  120. Guarantees of multiple retail exposures that do not cover all or a pro rata portion of all contractual payments due on the underlying exposures are considered to be tranched. (See Example 5 in Appendix B of this chapter.)

  121. A bank may obtain a reduction in risk-based capital requirements in the case of such tranched guarantees of multiple retail exposures, but only through applying the rules for securitization exposures provided in the NPR. To obtain any benefits, tranched guarantees of multiple retail exposures must satisfy all aspects of the definition of synthetic securitization and comply with all requirements for securitization treatment in the NPR. (Also see Chapter 11 (Securitizations) for additional guidance.)

  122. In some cases, the determination of the risk-based capital benefit for a qualifying tranched guarantee will be relatively straightforward. For example, the securitization framework provides three general approaches for determining risk-weighted assets: The ratings-based approach, the internal assessment approach, and the supervisory formula approach (``SFA''). A bank can use the RBA if its exposure is externally rated or has an inferred rating. The SFA may be employed when external or inferred ratings are not available for tranching structures. (See Chapter 11 for a more detailed discussion of the applicability of the various approaches in different circumstances.)

    S 4-6 At a minimum, the quantification process and the resulting risk parameters must be reviewed annually and updated as appropriate.

  123. All material aspects of the quantification process should be reviewed annually, with adjustments and enhancements made as needed. A bank should have a well-defined policy for reviewing and updating the quantification design. New analytical techniques and evolving industry practice should be taken into account in considering changes to quantification techniques. The review should evaluate the judgmental adjustments embedded in the estimates; new data or evolving industry practice may suggest a need to modify those adjustments. Particular attention should be given to any changes that may have resulted in a significant change in the composition of exposures, such as new business lines, material mergers or acquisitions, and material divestitures, loan sales or securitizations. Such changes, which raise questions about the appropriateness of risk ratings, the segmentation system, and the quantification process, should trigger a review and revisions as needed.

  124. The review process is particularly relevant for the reference data stage because new data become available frequently. A bank must ensure continued applicability of the reference data to its existing exposures, and the reference data should reflect the types of exposures found in the bank's existing portfolio. Reference data must be of sufficient quality to support PD, ELGD, LGD, and EAD estimates. A well- defined and documented process should be in place to ensure that the reference data are updated as frequently as needed, as fresh data become available or as portfolio changes make necessary. All data sources, characteristics, and the overall processes governing data collection should be fully documented, and that documentation should be readily available for review.

  125. At a minimum, risk parameter estimates must be reviewed at least annually, and the process for doing so should be documented in the bank's policy. If the review reveals that risk parameter estimates should be updated, the updates should be performed promptly and documented clearly. New data should be incorporated into the risk parameter estimates using a well-defined process to correctly merge data sets over time, and the frequency of risk parameter updates and the process for doing so should be justified and documented in bank policy.

  126. The risk parameter estimates may be particularly sensitive to changes in the way banks manage exposures. When such changes take place, the bank should consider them in all steps of the quantification process. Changes likely to significantly increase a risk parameter value should prompt increases in the risk parameter estimates. When changes seem likely to reduce the risk parameter value, estimates should be reduced only after the bank accumulates a significant amount of actual experience under the new policy to support the reductions.

  127. The mappings of the existing portfolio to the reference data used in estimation should also be reviewed with sufficient frequency to ensure that the mappings continue to be appropriate. Mappings should be reaffirmed at least annually for both internal and external reference data, regardless of whether the risk rating or segmentation systems have undergone explicit changes during the period covered by the reference data set, because the relationship between a bank's existing exposures and the reference data may change over time. For example, in wholesale portfolios the relationships between internal rating grades and external agency ratings may change during the economic cycle because of differences in expected rating migration. When significant characteristics have been changed, added, or dropped, the characteristics of the existing exposures should be newly mapped to the characteristics of the reference data.

    S 4-7 Quantification should be based upon the best available data for the accurate estimation of the risk parameters.

  128. Banks should always use the best available data when quantifying the risk parameters. In order to derive accurate risk parameter estimates, banks should incorporate relevant data, whether such data are internal or external. One objective of the IRB framework is to encourage further development of credit risk quantification techniques. Improving the quality, capture, and retention of internal data is an essential prerequisite for such advances.

  129. Internal data refers to any data on exposures existing or historically held in a bank's own portfolio, including historical exposure and risk characteristics as well as exposure performance--even if some data components are purchased from outside sources. For example, property appraisals purchased from a third-party appraiser for updating the LTVs of a bank's mortgage exposures are considered internal data. However, if a bank purchases data on risk characteristics or performance for exposures outside of its own portfolio, these data would be considered external.

  130. A bank should incorporate relevant external data for quantifying risk parameters if internal data are

    [[Page 9103]]

    insufficient to produce accurate and appropriate estimates. For example, the use of external data may be necessary when internal data do not provide adequate coverage of economic downturns or when there are significant data gaps, either for periods of time or for the types of exposures in the bank's existing portfolio. Banks should demonstrate that all data used to quantify risk parameters are relevant.

  131. A bank should have a process for vetting potential reference data, whether the data are internal or external. The vetting should assess whether the data are sufficiently accurate, sufficiently complete, sufficiently representative, and sufficiently informative of the bank's existing exposures.

  132. Furthermore, a bank should have adequate data to estimate risk parameters for all exposures on the books, even if some are likely to be sold or securitized before their long-term credit performance can be observed.

    S 4-8 The sample period for the reference data must meet the minimum length for each risk parameter by portfolio.

    S 4-9 The reference data must include periods of economic downturn conditions, or the parameter estimates must be adjusted to compensate for the lack of data from such periods.

  133. For PD estimation, a minimum of five years of data are required for all portfolios. For ELGD, LGD and EAD estimation, a minimum of seven years of data are required for wholesale portfolios, and five years of data are required for retail portfolios.

  134. This requirement for a minimum of five or seven years of data should not be taken to imply that reference data sets of this length are optimal. The range of conditions covered by the sample period may be as important as its length. Specifically, lack of inclusion of periods of economic downturn conditions could bias PD, ELGD, LGD, or EAD estimates downward and lead to unjustifiably lower risk-based capital requirements.

  135. If a bank's reference data do not include periods of economic downturn conditions, the bank must adjust its risk parameter estimates to compensate for the lack of these data. Given the particular importance of periods of economic downturn, a bank may choose to augment an existing reference data set with additional data from such a period without including all of the intervening years, if the overall data set satisfies required minimums, otherwise covers the appropriate range of economic conditions and is appropriate for the bank's existing portfolio. Alternatively, a bank may draw more heavily on sub-samples of its internal portfolio (for example, particular MSAs or geographic regions) that experienced economic downturn periods, or use appropriate external data. However, the bank should justify the exclusion of available internal data for portions of its portfolio and any inclusion of alternative internal or external data sources, as well as its weighting assumptions.

  136. The minimum data requirement may be met using internal data, external data, or pooled data combining internal data with similar data from other sources. However, as noted above, the minimum sample period for reference data should not be construed as generally providing optimum results. A longer sample period usually fosters more robust estimation; for example, a longer sample will include more default observations for ELGD, LGD or EAD estimation. Banks should consider the use of additional data when more than the minimum length of historical data is available. However, the potential increase in precision afforded by a larger sample should be weighed against the potential for diminished comparability of older data to the existing portfolio; striking the correct balance is a matter of judgment. Reference data must not differ systematically from the existing portfolio in ways that seem likely to be related to default risk, loss severity, or exposure at default.

    S 4-10 Banks should clearly document how they adjust for the absence of significant data elements in either the reference data set or the existing portfolio.

  137. Some exposures in the reference data set and the existing portfolio will have missing data elements, some of which are important factors for measuring risk. Banks may use a variety of statistical methods to impute values for the missing factors--provided these factors are sufficiently correlated to known information about the exposure. Expertise is required to judge whether such correlations can be established. Regardless of the approach and level of sophistication, the bank should have a clear and well-documented process describing how it treats missing data elements in the estimation and mapping stages.

  138. For example, in the development of a default model, missing data elements can be imputed and the estimates of the missing data elements input to the model. However, if particular data elements are missing on significant portions of the population, this may justify the estimation of separate models where data elements are missing.

    S 4-11 Judgmental adjustments to risk parameter estimates, either upward or downward, may be an appropriate part of the quantification process, but must not result in an overall bias toward lower risk parameter estimates.

  139. Judgment will inevitably play a role in the quantification process and may materially affect the estimates. Judgmental adjustments to estimates are often necessary because of some limitations on available reference data or because of inherent differences between the reference data and the bank's existing exposures. The bank must ensure that adjustments are not biased toward optimistically low risk parameter estimates. This standard does not prohibit individual adjustments that result in lower estimates of risk, because both upward and downward adjustments are expected. Individual adjustments are less important than broad patterns; consistent signs of judgmental decisions that lower parameter estimates materially may be evidence of bias. The bank should also ensure that large judgmental adjustments are well justified and infrequent, as frequent large adjustments could indicate a problem with the rating methodology.

  140. The reasoning and empirical support for any adjustments, as well as the mechanics of the process, should be documented. The bank should conduct sensitivity analysis to demonstrate that the adjustment procedure is not biased toward reducing risk-based capital requirements. The analysis should consider the impact of any judgmental adjustments on estimates and risk-based capital requirements, and should be fully documented.

    S 4-12 Risk parameter estimates should incorporate a degree of conservatism that is appropriate for the overall rigor of the quantification process.

  141. Estimated values of the risk parameters should be as precise and accurate as possible. However, estimates are inherently subject to uncertainty and potential error. Aspects of the quantification process that are apt to induce uncertainty and error include model error, differences in default definitions, errors in judgment, and data deficiencies. A general principle of the IRB framework is that the assumptions and adjustments embedded in the quantification process should reflect the degree of uncertainty or potential error inherent in the process.

  142. In practice, a reasonable estimation approach likely will result in a range of defensible risk parameter values. The choices of the particular

    [[Page 9104]]

    assumptions and adjustments that determine the final estimate, within the defensible range, should reflect the uncertainty in the quantification process. That is, the more uncertainty in the process, the more risk-based capital should be required.

  143. The degree of conservatism should be related to factors such as the relevance and depth of the reference data, the quality of the mapping, the precision of the statistical estimates, and the amount of judgment used throughout the process. Conservative methodologies should also be considered for new products, such as new residential mortgage products. Margins of conservatism need not be added at each step, as that could produce an excessively conservative result. Instead, the overall margin of conservatism should adequately account for all uncertainties and weaknesses. Improvements in the quantification process (use of better data, estimation techniques, and so on) may allow risk parameter estimates to become less conservative over time.

    S 4-13 Mapping should be based on a comparison of available data elements that are common to the existing portfolio and each reference data set.

  144. Sound mapping practice uses elements that are available in both the existing portfolio and the reference data. If a bank chooses to ignore certain variables or to weight some variables more heavily than others, those choices should be supported. At least two kinds of mapping challenges may arise:

    First, even if similarly named variables are available in the historical reference data and the existing portfolio data, they may not be directly comparable. Hence, a bank should ensure that linked variables are truly similar. Although adjustments to enhance comparability can be appropriate, they should be rigorously developed and documented.

    Second, levels of aggregation may vary. The bank's information systems for its existing exposures might supply more detail. For example, to apply the estimates derived from the reference data, the portfolio data could be regrouped to match the coarser aggregation of the reference data.

  145. Mapping should be consistent with the risk rating and segmentation systems. Levels and ranges of key characteristics for each rating or segment of the bank's existing exposures should approximate the values of similar characteristics for the reference data.

  146. The standard allows for use of a limited set of common variables that are predictive of default, loss or exposure risk, in part to permit flexibility in early years when data may be far from ideal for some portfolios. Nevertheless, mapping exercises should aim to provide the greatest possible assurance that it is appropriate to apply the bank's estimation framework to the existing portfolio of exposures. In instances where banks rely on a limited set of common variables, or where those variables are not clearly identical, banks should compensate by being more conservative in other stages of the quantification process.

    S 4-14 A mapping process should be established for each reference data set and for each estimation model.

  147. Banks should never assume that the rationale for a mapping is self-evident. Even when reference data are drawn from internal default and loss experience, a bank should still link the characteristics of the reference data with those of the existing portfolio. The use of internal data for reference data purposes does not eliminate the need for a mapping requirement because changes in bank strategy or external economic forces may alter the risk characteristics or composition of the portfolio over time, even within the same wholesale obligor/loss severity ratings or within the same retail segments.

    For example, a wholesale rating system that has been explicitly designed to replicate external agency ratings may or may not be effective in producing a replica; formal mapping would be performed. Indeed, in such a system the kind of analysis involved in mapping may help identify inconsistencies in the rating process itself.

    Similarly for retail portfolios, even if the bank uses the same segmentation system over time, it should verify that the risk factors behind the segmentation capture the same types of borrowers in today's portfolio as they did in the reference data. For example, a given product offering may attract types of customers that differ over time in ways that affect risk but are not fully reflected in the risk factors used for segmentation.

  148. Banks often use multiple reference data sets, and then combine the resulting estimates to get a risk parameter estimate for a wholesale obligor/loss severity rating or for a retail segment. A bank that does so should conduct a rigorous mapping process for each data set.

    S 4-15 Banks that combine estimates from internal and external data or that use multiple estimation methods should have a clear policy governing the combination process and should examine the sensitivity of the results to alternative combinations.

  149. To ensure that the best available data are used to produce accurate risk estimates a bank might combine data from multiple sources and may use multiple estimation methods. Banks often combine internal data with external data and use data from different sample periods. For example, for a wholesale portfolio a bank may combine results from corporate-bond default databases with results from equity-based models of obligor default.

  150. The manner in which the estimates from multiple data sets or estimation methods are combined is extremely important, since different combinations will produce different risk parameter estimates. A bank should investigate risk parameter estimates' sensitivity to different ways of combining data sets or combining estimation methods. When results are highly sensitive to how data or estimates are combined, a bank should make every effort to understand the nature (reasons and implications) of the instability (including use of statistical tests) and choose among the alternatives conservatively. A bank should document why it selected the combination techniques it did, and these techniques should be subject to appropriate approval and oversight by management.

    S 4-16 The aggregation of risk parameter estimates from individual exposures within rating grades or segments should be governed by a clear and well-documented policy.

  151. Because different methods of aggregation are possible, a bank should have a clear and well-supported policy regarding how aggregation should be accomplished. Banks are required to have a quantification system in which the rating grades or segments are homogeneous with regard to risk; in this case, each obligor or exposure within homogeneous grades or segments would receive equal emphasis in quantification.

  152. For wholesale exposures, rating grade-based mapping naturally produces an average risk parameter estimate by rating grade. Conversely, obligor-based or loss severity-based mappings require the aggregation of the individual risk parameter estimates to the rating grade level. The bank should document this aggregation and compare the results of alternative mappings. These mappings are discussed in the relevant PD and ELGD and LGD sections.

  153. If a bank uses a prediction model for a retail portfolio that assigns a risk parameter estimate to each exposure, it

    [[Page 9105]]

    should specify and document the process by which it aggregates the exposure-level risk parameters to assign segment-level estimates.

    1. Probability of Default (PD)

    1. Data

  154. For PD quantification, a minimum of five years of data that include periods of economic downturn conditions is required; in the event that such data are not available, a bank must adjust its PD estimates to compensate for the lack of data from periods of economic downturn conditions. The data for PD quantification should include relevant characteristics of both defaulted and non-defaulted exposures such as information on the exposures at different points in time, payment history and ultimate disposition.

  155. To estimate PD accurately and support the determination of risk-based capital requirements, a bank must have a comprehensive reference data set with observations that should be representative of the bank's existing exposures. For wholesale portfolios the reference data should map to obligors, and for retail portfolios the reference data should map to segments of the existing portfolio. Clearly, the data set used for estimation should be similar to the portfolio to which such estimates will be applied. The same comparability standard applies to both internal and external data sets.

  156. To ensure ongoing applicability of the reference data, a bank should assess the characteristics of its existing exposures relative to the characteristics of exposures in the reference data. Such variables might include qualitative and quantitative information on the exposure, internal and external wholesale ratings and rating dates, updated retail credit scores, corporate lending relationships, retail product type and loan terms, or geography. A bank should maintain documentation that fully describes all explanatory variables in the data set, including any changes to those variables over time. A well-defined and documented process should be in place to ensure that the reference data are updated as frequently as is practical, as fresh data become available or portfolio changes make necessary. Example

    A bank determines that the aggregate national retail mortgage portfolio has not experienced downturn conditions during the time horizon for which internal reference data are available. However, regional sub-portfolios did experience default rates that were significantly higher than average during the available data history. Data are available from regional recessions in New England (late 1980s and 1990 -1995), Texas (1983-1989), and California (1991-1995). The bank demonstrates that the drivers of significantly higher default rates in these regional recessions can be extrapolated to the national portfolio, and the bank justifies and documents the resulting adjustments that would be necessary in the mapping and application stages.

    1. Estimation

  157. Estimation of PD is the process by which risk characteristics of the reference data are related to default rates for each wholesale obligor or for each retail segment in the reference portfolio. The relevant risk characteristics that are predictive of the likelihood of default are referred to as ``drivers of default.'' Drivers for wholesale obligors might include financial ratios, management expertise and industry. Drivers for retail segments might include product, loan and borrower characteristics such as loan-to-value, credit line utilization, credit score, or delinquency status. Also, a portfolio separator such as geographic region, while not a direct driver of default, might indicate separate relationships of the PD to these drivers by geographic region.

    S 4-17 PD estimates must be empirically based and must represent a long-run average.

  158. The PD is an estimate of the long-run average of one-year default rates for wholesale rating grades, for segments of non- defaulted retail exposures where seasoning is not material, or for a segment of non-defaulted retail exposures in a retail exposure subcategory for which seasoning effects are not material.

  159. PD estimates should represent averages of one-year default rates over a mix of economic conditions (including economic downturn conditions) sufficient to provide a reasonable estimate of the one-year default rate over the economic cycle for the rating grade or retail segment as specified above. If a bank uses the best available historical data to estimate PD as the mean of yearly realized default rates over at least five years, and the bank can empirically support that this period includes economic downturn conditions, then this is likely to adequately represent long-run experience. The emphasis should not solely be on time span; the long-run average concept captures the breadth, as well as the length, of experience.

  160. Estimation generally should treat data from different time periods similarly. A bank choosing instead to place greater relative weight on data from particular time periods should empirically demonstrate that doing so produces a more accurate estimate of future default behavior for each wholesale rating grade and retail segment in its existing portfolio. For example, more recent data might be given more weight in the estimation process if the bank demonstrates that doing so is more predictive of future default behavior.

  161. For a statistical model to satisfactorily produce long-run PD estimates, the reference data used in the default model must meet the long-run requirement. A model can be used to relate risk drivers to the outcome--default or non-default. Drivers might include wholesale financial ratios, retail borrower credit scores, loan terms, economic conditions or industry variables. Such a model must be calibrated to capture the default experience over a reasonable mix of economic conditions. For example, a Merton-style model's estimate of distance to default must be calibrated to the default rate using long-run experience. Whether a PD model is developed internally or by a vendor, a bank should verify that the model's results have been calibrated to a long-run average PD.

  162. Adjustments that are part of the PD estimation process must not result in an overall bias toward lower risk parameter estimates. The bank should rigorously validate, justify, and document such adjustments. Example 1

    If the bank's internal data history does not include any periods of economic downturn, the bank may use external data sources that include an economic downturn period to adjust PD estimates upward. The bank should justify the assumption that the relationship between the long- run average PD and the risk drivers observed in the external data applies to its portfolio. This practice is consistent with this guidance. Example 2

    A bank uses internal default experience to estimate PDs for its wholesale portfolio. However, the bank has historically failed to recognize defaults under the IRB default definition. For example, exposures sold at a material credit loss were not captured as defaults. The realized PD using the IRB definition would be higher than that observed by the bank

    [[Page 9106]]

    (and LGD rates might differ as well). If the bank made no adjustment for the missing defaults, its practice would not be acceptable.

    S 4-18 Effects of seasoning, when material, must be considered in the PD estimates for retail portfolios.

  163. A bank should determine whether age since origination is a significant risk factor for its retail exposures on the balance sheet. If so, then seasoning may be a material risk factor.

  164. Material seasoning effects are generally indicated when default rates of a segment of retail exposures follow a characteristic age profile, rising for the first several periods following origination. Seasoning of this type is often significant for longer-maturity consumer products such as residential mortgages, but may also be important for shorter-lived portfolios.

  165. Additional common indicators of material seasoning effects are large or rapidly growing portfolio concentrations of unseasoned exposures where age is a significant risk factor. Such concentrations could result from a high growth rate of originations, unusually high prepayment or attrition rates, or high rates of sales or securitization of seasoned exposures.

  166. Even when age is a significant risk factor and default rates follow a characteristic age profile, seasoning effects may not be material if a retail exposure subcategory's age distribution is stable and the age distribution of the portfolio is not concentrated in unseasoned exposures.

  167. The operational definition of material seasoning effects for a segment of retail exposures is that the annualized cumulative default rate for that segment materially exceeds the long-run average of one year default rates.

  168. If seasoning effects are material for the retail exposure subcategory, banks must use a PD that reflects a longer-run horizon and provides adequate risk-based capital to cover potential credit losses for its unseasoned segments in that subcategory. Specifically, rather than the best estimate of the long-run average of 1-year default rates, the higher PD that must be used is defined as the estimated annualized cumulative default rate of the segment over the expected remaining life of the exposures in the segment.\3\

    \3\ Expected remaining life is the average period from today until an exposure of a particular type will prepay, pay in full through normal amortization, or default.

  169. Estimates of expected remaining life should reflect a long-run average for exposures in the segment; banks should avoid undue volatility in their estimates caused by short-term fluctuations in market factors (such as interest rates). Also, banks may incorporate discounting of cash flows into their estimates of expected remaining life if they so choose.

  170. Even if the exposures are potentially subject to material seasoning effects, a bank may use the definition of PD specified in Paragraph 62 of this chapter for certain exposures that are originated for sale or securitization, provided that:

    The bank credibly demonstrates its ability and intent to sell or securitize the exposures within a 90-day time frame. It can do so by:

    --An established historical track record of sales or securitizations for similar exposures; or

    --Commitments in the form of forward sales agreements or other contractual pipeline arrangements that provide reasonable assurances that the exposures will be sold within 90 days.

    The exposures are specifically identified at origination.

    The bank monitors sales or securitization market indicators, including an assessment of counterparty risk, to ensure its continuing ability to sell or securitize these exposures in a variety of market conditions.

    Exposures that are not sold or securitized within 90 days should be assigned to segments that fully reflect their risk profile based on their updated risk characteristics.

  171. Banks should note that under the rules for securitization exposures in the NPR, a bank may need to quantify the IRB risk parameters for some securitized exposures. For that quantification process, a bank must meet the quantification requirements for estimating PDs for retail exposures held on balance sheet, including the requirements for estimating PD when seasoning effects are material.

  172. The account age profile may be tracked by using account age as a criterion in the segmentation system for the retail exposures or as a predictive variable in a PD quantification model. Several methods can be used to account for seasoning in the PD estimates. See example 4 in Appendix B of this chapter.

    1. Mapping

  173. Mapping is establishing a linkage between the bank's existing exposures and the reference obligor data used in the default model. Hence, mapping involves identifying how drivers of default for the existing exposures correspond to the reference data's drivers. Wholesale drivers include financial and nonfinancial variables, and assigned rating grades; retail segment drivers include exposure and borrower risk characteristics.

  174. Key drivers of default should be factored directly into the obligor rating or segmentation process. But in some circumstances, certain effects related to industry, geography, or other factors are not reflected in wholesale obligor risk rating assignments, retail segmentation, or default estimation models. In such cases, it may be appropriate for banks to capture the impact of the omissions by using different mappings for different business lines or types of exposures. Supervisors expect this practice to be transitional, and that banks eventually will incorporate the omitted effects into the wholesale obligor risk rating, the retail segmentation system or the PD estimation process as they are uncovered and documented, rather than adjusting the mapping.

  175. Banks may use multiple reference data sets or estimation methods, and then combine the resulting estimates to get an obligor rating grade or segment PD. A bank that does so should conduct a rigorous mapping process for each data set and estimation method. For example, when using data from a number of wholesale rating agencies, the mapping should take into consideration differences in the agencies' rating methods by mapping each agency's obligor rating scale separately. Similarly, when combining the results from internal historical data and a default prediction model over a retail portfolio, the bank should map both the historical long-run PD and the model's output to the existing portfolio. Retail Mapping

  176. For retail portfolios, mapping involves linking segments in the reference data to segments in the existing portfolio. If the bank's segmentation process has been in place for a long time, the mapping between internal historical data and the existing portfolio data may be straightforward. However, if the bank's retail segmentation system has varied over time, the bank should demonstrate a mapping between its existing segmentation system and the segments in the reference data. In either case, the bank should demonstrate that the mapping is appropriate and conduct periodic assessments to verify this. Example

    2ven if similarly named characteristics are available in the reference data and the existing portfolio data, they may not be directly comparable. For example, in a retail portfolio of auto loans, the particular

    [[Page 9107]]

    types of auto loans (for example, new or used, direct or indirect) may vary from one application to another. Hence, a bank should ensure that linked drivers are truly similar in PD estimation. Although adjustments to enhance comparability can be appropriate, they should be rigorously developed and documented. Wholesale Mapping

  177. There are two broad approaches to the mapping process for wholesale portfolios, obligor mapping and rating grade mapping.

  178. In obligor mapping, each existing obligor is mapped to the reference data based on its individual characteristics. For example, if a bank applies a default model to estimate an obligor-level default probability, that model uses certain obligor-level variables as inputs. The values of these variables for each obligor are used as inputs to the obligor-level default probability estimation model.

    Example

    In estimating rating grade PDs, a bank relies on observed default rates on bonds in various agency ratings. To map its internal rating grades to the agency ratings, the bank identifies variables that together explain much of the rating variation in the bond sample. The bank then conducts a statistical analysis of those same variables within its portfolio of obligors, using a multivariate distance calculation to assign each portfolio obligor to the external rating whose characteristics it matches most closely (for example, assigning obligors to ratings so that the sum of squared differences between the external rating averages and the obligor's characteristics is minimized). This practice is broadly consistent with sound mapping practices.

  179. In rating grade mapping, characteristics of the obligors within an internal rating grade are averaged or otherwise summarized to construct a ``typical'' or representative obligor for each rating grade. Then, the bank maps that representative obligor to the reference data. For example, if the bank uses a model that takes certain variables as inputs to produce an obligor-level default probability estimate, a representative value for each input variable would be determined for each internal rating grade, creating in effect a ``typical obligor'' for a rating grade; the default probability associated with that typical obligor will serve as the rating grade PD in the application stage. As an alternative example, a bank maps the typical obligor from each internal rating grade to a particular external NRSRO rating based on quantitative and qualitative characteristics and assigns the realized long-run average one-year default rate for that external rating to the internal rating grade in the application stage.

    Example

    A bank uses rating grade mapping to link portfolio obligors to the reference data set described by agency ratings. The bank reviews publicly-rated portfolio obligors within an internal rating grade to determine the most common agency rating, does the same for all rating grades, and creates a linkage between internal and agency ratings. The strength of the linkage is a function of the number of externally rated obligors within each rating grade, the distribution of those agency ratings within each rating grade and the similarity of externally rated obligors in the grade to those not externally rated. This practice is broadly consistent with sound mapping practices, and, for the reasons discussed below, may require adjustments and the addition of margins of conservatism.

  180. An acceptable quantification process could include the use of either a rating grade mapping or obligor mapping approach. However, in the absence of other compelling considerations, banks should use obligor mapping because rating grade mapping has the following drawbacks:

    First, default probabilities are nonlinear using many estimation approaches. As a result, the typical obligor's default probability using the rating grade mapping approach is often lower than the mean of the individual obligor default probabilities using the obligor mapping approach.

    Second, a hypothetical obligor with a rating grade's average characteristics may not represent well the risks presented by the rating grade's typical obligor, since different types of obligors might end up in the same grade.

  181. A bank electing to use rating grade mapping instead of obligor mapping should be especially careful in choosing a ``typical'' obligor for each grade. Doing so generally requires that the bank examine the actual distribution of obligors within each rating grade, as well as the characteristics of those obligors. Banks should be aware that different statistical measures (such as mean, median, or mode) will produce different results, and may result in materially different PDs for a particular rating grade. The bank should justify its choice and should have a clear and consistent policy toward the calculation.

  182. In addition to the general requirement to compare elements that the reference data and portfolio have in common, both obligor and rating grade mappings should also take into account differences in rating philosophy (as commonly revealed through analysis of rating migration) between any ratings embedded in the reference data set and the bank's own rating regime.

    1. Application

  183. The application stage produces final PD estimates that will be used in the determination of risk-based capital requirements. This stage is expected to be relatively mechanical for most retail portfolios, except when the bank uses multiple reference data sets or multiple estimation methods or significantly changes its segmentation system over time. Judgmental adjustments to the risk parameter estimates should be rare for retail portfolios.

  184. This stage may be somewhat more involved for wholesale portfolios. After the bank applies the PD estimation method to its existing exposures using the mapping process, adjustments to the raw results derived from the estimation stage may be appropriate to obtain final rating grade PD estimates. For example, the bank might aggregate individual obligor default probabilities to the rating grade level or otherwise produce a rating grade PD estimate, or might smooth results because a rating grade's PD estimate was higher than a lower quality grade. The bank should explain and support all such adjustments when documenting its quantification process.

  185. The bank must ensure that the PD applied in the determination of risk-based capital requirements for each wholesale exposure or retail segment is not less than the regulatory floor of 0.03 percent, except for exposures to or directly and unconditionally guaranteed by a sovereign entity, the Bank for International Settlements, the International Monetary Fund, the European Commission, the European Central Bank, or a multi-lateral development bank, to which the bank assigns a rating grade associated with a PD of less than 0.03 percent.

    Example

    A bank uses external data to estimate long-run average PDs for each wholesale rating grade. The resulting PD estimate for Grade 2 is slightly higher than the estimate for Grade 3, even though Grade 2 is supposedly of higher credit quality. The bank uses statistics to demonstrate that this anomaly occurred because defaults are rare in the highest quality rating grades. The bank judgmentally adjusts the PD estimates for Grades 2

    [[Page 9108]]

    and 3 to preserve the expected relationship between obligor rating grade and PD, but demonstrates that total risk-weighted assets across both rating grades using the adjusted PD estimates are no less than total risk-weighted assets based on the unadjusted estimates, using a typical distribution of obligors across the two rating grades. An adjustment such as given in this example is consistent with this guidance.

    1. Expected Loss Given Default (ELGD) and Loss Given Default (LGD)

  186. The ELGD and LGD quantification process is similar to the PD quantification process. Once a bank identifies and obtains a reference data set of defaulted exposures and relevant descriptive characteristics, it selects a technique to estimate the credit-related economic loss per dollar of EAD for a defaulted wholesale exposure with a given array of characteristics or for all defaulted exposures in a reference retail segment. The reference data should then be mapped to the bank's existing exposures so that the bank can estimate ELGD and LGD for each wholesale exposure, loss severity rating, or retail segment, as the case may be. Finally, application adjustments may be made to obtain final risk parameter estimates.

  187. The ELGD is an estimate of the default-weighted average economic loss (where individual defaults receive equal weight), per dollar of EAD, the bank expects to incur in the event that the obligor were to default within a one-year horizon over a mix of economic conditions, including economic downturn conditions. LGD estimates reflect the estimate of the economic loss per dollar of EAD that the bank expects to incur if the obligor were to default within a one-year horizon during economic downturn conditions. Accordingly, ELGD estimates incorporate a mix of economic conditions (including economic downturn conditions) while LGD estimates reflect losses that would occur during economic downturn conditions (i.e., conditions in which aggregate default rates are significantly higher than average). LGD estimates cannot be less than ELGD estimates for a particular wholesale exposure or retail segment.

    1. Data

  188. Unlike reference data sets used for PD estimation, data sets for ELGD and LGD estimation contain only exposures to defaulted obligors. At least two broad categories of data are necessary to produce ELGD and LGD estimates.

  189. First, factors must be available to group the defaulted exposures in meaningful ways. Wholesale exposures are grouped by characteristics that are likely to be important in predicting loss rates--for example, whether an exposure is secured and the type and coverage of collateral, the seniority of a claim, economic conditions, and the obligor's industry. The retail segmentation system may separate exposures by borrower and exposure risk characteristics predictive of loss severity or by an ELGD or LGD score--for example, credit score, business line, credit line utilization for unsecured credit lines, or loan-to-value for mortgage loans.

  190. Although the characteristics identified above have been found to be significant in academic and industry studies, a bank's quantification of ELGD and LGD certainly need not be limited to these variables. For example, a bank might examine many other potential drivers of loss severity, including geographic location, exposure type, tenor of the relationship, wholesale obligor size, or retail borrower wealth.

  191. Second, data must be available to calculate the realized economic loss of each defaulted exposure. Such data may include the market value of the wholesale exposure at default or the market value for a pool of charged-off retail exposures, which can be used to proxy a recovery rate. Alternatively, economic loss may be calculated for wholesale exposures and retail segments using the EAD (including principal and accrued but unpaid interest or fees), losses on the sale of repossessed collateral, direct workout costs, an appropriate allocation of indirect workout costs, the timing and amount of subsequent recoveries, and the discount rate appropriate to the risk of the exposure.

  192. Data should be comprehensive. All cash flow data should include dollar amounts and dates. For example, roll to charge-off or non- accrual, number of days past due, or bankruptcy status should be captured if these factors are expected to be significant for ELGD and LGD. Recovery data should include direct payments from the obligor/ borrower, the sale of the collateral or realized income from the sale of defaulted exposures. Supportable net realizable value of defaulted exposures and collateral acquired in default that has yet to be disposed of can be included as part of the reference data. Cost data comprise the material direct and indirect costs associated with workouts and collections.

  193. Ideally, loss severity should be measured once all recoveries and costs have been realized. However, a bank may not resolve a defaulted wholesale obligation for many years following default. For practical purposes, banks relying on actual recovery data may choose to close the period of observation before this final resolution occurs-- that is, at a point in time when most costs have been incurred and when recoveries are substantially complete. Banks that do so should estimate the additional costs and recoveries that would likely occur beyond this period and include them in ELGD and LGD estimates. A bank should document its choice of the period of observation, and how it estimated additional costs and recoveries beyond this period.

  194. Reference data sets may contain individual loss observations that are less than 0 percent or greater than 100 percent. However, extra diligence is required for loss realizations reported to be less than 0 percent to ensure that economic loss is being measured.\4\

    \4\ Banks are not required to truncate the loss severity data used to derive ELGD and LGD parameter estimates. Nonetheless, final ELGD and LGD estimates should not be negative or zero. Readers are directed to the discussion of the application stage for ELGD and LGD in a later section of this guidance for elaboration of related supervisory expectations regarding ELGD and LGD quantification.

    Example 1

    A bank with internal wholesale data covering the period 1997 through 2003 relies primarily on these data for quantifying its wholesale risk parameter estimates. The bank will continue to extend this internal data set as time progresses. Its current policy mandates that credits be resolved within two years of default, so the data set contains the most recent data available. Although the existing data set satisfies the seven-year requirement for ELGD quantification, the bank is aware that it does not include appropriate economic downturn conditions for certain portfolios. In comparing its loss estimates with rates published in external studies that cover longer time periods and include economic downturn periods for similarly stratified data, the bank observes that its estimates are systematically lower. To be consistent with the NPR, the bank must reflect economic downturn conditions in its ELGD estimates, as such estimates represent the loss the bank expects to incur in the event that the obligor of the exposure defaults within a one-year horizon over a mix of economic conditions, including economic downturn conditions. Example 2

    A bank develops evidence that during the 2001 to 2003 period of highly

    [[Page 9109]]

    elevated mortgage prepayments owing to record-low interest rates, losses were likely deferred in mortgage portfolios because of readily available refinancing options. The bank also concludes that losses on foreclosures during this period were limited because housing prices generally increased throughout the United States despite a recession. However, the bank notes that a similar (though not as substantial) drop in interest rates occurred in the early 1990s, during a recession that was characterized by a sharp drop in property values in many parts of the country. Because the recent period may have been atypical, the bank chooses to weigh older data (perhaps from external sources) more heavily than recent data for ELGD quantification. Such an approach to weighting the data would be consistent with this guidance.

  195. The following examples illustrate how definitions of default in the reference data that are different from the IRB definition complicate ELGD estimation. Example 1

    For ELGD estimation, a bank includes in its default database only exposures that actually experience a loss and excludes exposures for which no loss was recorded (effectively applying a ``loss given loss'' concept). This practice is not consistent with the NPR because the bank's default definition is narrower than the IRB definition. Example 2

    A bank relies on two external data sources to estimate ELGD because it lacks sufficient internal data. Both sources use definitions that deviate from the IRB definition; one uses ``bankruptcy filing'' to indicate default while another uses ``missed principal or interest payment.'' Although the different definitions result in significantly different loss estimates for the loss severity ratings defined by the bank, the bank simply combines the external data sources in deriving its ELGD estimates. The bank's practice is not consistent with the guidance. The bank should determine the impact on the parameter estimates of the different definitions used in the reference data sets. For minor definitional differences, the bank may be able to make appropriate adjustments during the estimation stage. If the differences are difficult to quantify, an appropriate level of conservatism should be applied or the bank should seek other sources of reference data.

    1. Estimation

  196. Estimation of ELGD and LGD is the process by which characteristics of the reference data are related to loss severity. Relevant characteristics for wholesale exposures might include variables such as seniority, collateral, exposure type, or business line. For retail portfolios, as discussed in Chapter 3, a common ELGD or LGD might be applied so long as the estimate is accurate for each segment and exposures within those segments have homogenous risk characteristics.

  197. In estimating ELGD and LGD, banks should identify drivers of loss. One estimation approach is to separate the reference defaults into groups that do not overlap, for example, by business line, predominant collateral type, or loan-to-value coverage. The ELGD estimate for each category could then be based on the default-weighted average economic loss per dollar of EAD, and LGD could be similarly derived using data from periods of economic downturn conditions. In most cases, it will not be acceptable to calculate ELGD as the average of annual loss rates (where loss severity for each year receives equal weight). Years with a relatively large number of defaults generally provide richer data for measuring loss severity compared to years when there are relatively few defaults. Thus, in general, years with a relatively large number of defaults contribute more information and should be appropriately weighted when estimating ELGD. In addition, if years of relatively low default rates typically have relatively low loss severity rates, then using the average of annual loss rates will tend to understate ELGD.

  198. A statistical model, for example a regression model using data on loss severity and some quantitative measures of the loss drivers, could be applied to estimate ELGD or LGD. Any model must meet the requirements for validation discussed in Chapter 7. Other methods for estimating ELGD or LGD could also be appropriate. Example 1

    To estimate ELGD, a bank uses only internal data. Although information on security and seniority is lacking, no adjustments for the lack of data are made in the estimation or application steps. This practice is not consistent with the guidance because there is ample external evidence that security and seniority are relevant in estimating ELGD. A bank with such limited internal default data must incorporate external or pooled data. Example 2

    A bank groups observed defaults in the reference data according to geographic region and collateral. One of the pools has too few observations to produce a reliable estimate. By augmenting the loss data with data from similar geographic regions with the same collateralization, the bank derives an ELGD estimate. Provided the bank can adequately support the process used to establish the relevance of the data from other regions, this approach would be consistent with the guidance.

  199. Banks should evaluate adjustments in the ELGD and LGD estimation process to ensure that they do not result in an overall bias toward lower estimates of risk. Example 1

    A bank is unable to properly discount a segment's cash flows because the reference data do not include the dates of recoveries (and related costs). However, the bank has sufficient internal data to calculate economic loss for defaulted exposures in another portfolio segment. The bank can support the assumption that the timing of cash flows for the two segments is comparable. Using the available data and informed judgment, the bank adjusts the estimates for the data-poor segment to reflect how much the measured loss without discounting should be grossed up to account for the time value of money and the distressed nature of the assets. This practice is consistent with the guidance. Example 2

    Collateral is one factor used by a bank to estimate ELGD. Although the available internal and external data indicate a higher ELGD, the bank judgmentally assigns a loss estimate of 2 percent for exposures secured by cash collateral. The bank contends that the lower estimate is justified because it expects to do a better job of following policies for monitoring cash collateral in the future. Such an adjustment is generally not appropriate because it is based on projections of future performance rather than realized experience. This practice generally is not consistent with the guidance.

    S 4-19 ELGD and LGD estimates must be empirically based and must reflect the concept of ``economic loss.''

  200. ELGD and LGD are based on the concept of economic loss, which is a broader, more inclusive concept than accounting measures of loss. Broadly speaking, economic loss incorporates the mark-to-market loss of value of a defaulted exposure and collateral,

    [[Page 9110]]

    including material accrued but unpaid interest or fees, and all material direct and indirect costs of workout and collections, net of recoveries. Losses, recoveries, and costs should all be discounted to the time of default. See the fourth paragraph of the LGD definition in section 2 of the NPR for the definition of economic loss.

  201. Banks often estimate loss using data on costs and recoveries from workouts of defaulted exposures; however, appropriate estimates may sometimes be developed using market data on defaulted exposures.

  202. The scope of cash flows included in recoveries and costs is meant to be broad. Material recovery costs that can be clearly attributed to certain exposures, plus material indirect cost items, must be reflected in the bank's ELGD and LGD assignments for those exposures. Recovery costs include the costs of running the bank's collection and workout departments and the cost of outsourced collection services directly attributable to recoveries during a particular time or for a particular segment or portfolio, at as granular a level as possible. Recovery costs also include an appropriate percentage of other ongoing costs, such as overhead.

  203. Recovery costs can be allocated using the same principles and techniques of cost accounting that are usually used to determine the profit and loss of activities within any large enterprise. Collection and workout departments, however, may cover services not 100 percent attributable to defaulted exposures. For example, the same call center may manage reminder calls to delinquent retail accounts, many of which will never default, as well as collection calls. The expenses for these functions should be differentiated to allocate only collection expenses attributable to defaulted exposures.

  204. When costs cannot be allocated because of data limitations, the bank may assign those costs using broad averages. For example, the bank could allocate costs by outstanding dollar amounts of loans, including accrued but unpaid interest or fees at the time of default, within each rating grade or segment.

  205. All costs, and recoveries should be discounted to the time of default using the time interval between the date of default and the date of the realized loss, incurred cost, or recovery; this calculation should be on a pooled basis for retail exposures. The discount rate should reflect the costs of holding defaulted assets over the workout period, including an appropriate risk premium.\5\ As such, an appropriate discount rate will reflect the uncertainty of recovery cash flows and the presence of undiversifiable risk.

    \5\ This implies that the appropriate discount rate for IRB purposes likely will differ from the interest rate required under FAS 114 for accounting purposes.

    S 4-20 ELGD estimates must reflect the expected default-weighted average economic loss rate over a mix of economic conditions, including economic downturn conditions.

  206. For wholesale exposures, ELGD is the best estimate of the economic loss per dollar of EAD that would be incurred in the event that the obligor (or a typical obligor in the applicable loss severity rating) defaults within a one-year horizon. For retail segments, ELGD is the best estimate of the economic loss per dollar of EAD that would be incurred on the segment from exposures that default within a one- year horizon.

  207. ELGD estimates should reflect expected long-run loss severities and should represent an estimate of the default-weighted average economic loss as observed over a complete credit cycle. Similar to PD quantification, loss severity data must include periods of economic downturn conditions or the bank must adjust its estimates to compensate for the lack of data from economic downturn conditions. Economic Downturn LGD

    S 4-21 LGD estimates must reflect expected loss severities for exposures that default during economic downturn conditions, and must be greater than or equal to ELGD estimates.

  208. In addition to ELGD, banks must quantify LGD in a way that appropriately reflects downturn conditions for each wholesale exposure and for each retail segment. LGD is an estimate of the percentage of EAD that would be lost in the event of a default during the one-year horizon, if that default were to occur during a period of economic downturn. Under economic downturn conditions default rates are higher than under more neutral conditions, and LGD estimates must reflect expected loss rates resulting from downturn conditions.

  209. If a bank obtains supervisory approval to use its own estimates of LGD for an exposure subcategory, it must use internal estimates of LGD for all exposures within that subcategory. Within retail, the three subcategories are residential mortgage, QRE, and other retail, while within wholesale credit the two subcategories are high-volatility commercial real estate (``HVCRE'') and all other wholesale.

  210. If a bank has not received prior written approval from its primary Federal supervisor to use internal LGD estimates, the bank must use the supervisory mapping function. The supervisory mapping function calculates LGD by taking 92 percent of the ELGD and adding eight percentage points to that result.

  211. The LGD estimate for an exposure or segment may never be less than the ELGD assigned to that exposure or segment, and must be higher than ELGD if a higher estimate is appropriate based on robust analysis of the impact of economic downturn conditions on loss severity. The LGD for some exposures or segments may be substantially higher than ELGD, while for others it may not.

    S 4-22 A bank may use internal estimates of LGD only if supervisors have previously determined that the bank has a rigorous and well- documented process for assessing the effects of economic downturn conditions on loss severities and for producing LGD estimates consistent with downturn conditions. The process must appropriately identify downturn conditions, identify the impact of economic downturn conditions on loss rates, identify any material adverse correlations between drivers of default and LGD, and incorporate any identified correlations and/or downturn impact into the quantification of LGD.

  212. In determining whether to approve a bank's use of internal estimates of LGD for a subcategory of exposure, supervisors will consider whether the process for generating LGD estimates is consistent with the supervisory standard above and produces internal estimates of LGD that are reliable and sufficiently reflective of economic downturn conditions.

  213. To meet the requirements for internal estimates, a bank should satisfy the following conditions:

    The bank should establish policies to govern the process for identifying downturn conditions and generating LGD estimates. The policy should address:

    --Criteria for identifying downturn conditions;

    --The level of product and geographic scope to be used for identification of economic downturn conditions;

    --Data requirements;

    --Methods to determine the impact of downturn conditions on loss severities; and

    --Quantification methodologies to produce LGD estimates.

    The bank must have a rigorous quantification process (covering all stages of quantification, including

    [[Page 9111]]

    reference data, estimation, mapping, and application) for estimating LGD. The bank must be able to identify economic downturns, determine the impact of downturn conditions on loss severities, and appropriately quantify LGD.

  214. In principle, quantification of LGD is no different from quantification of any other IRB risk parameter. The target of the quantification process is different, but the stages of quantification (data, estimation, mapping, and application) apply to LGD just as they do to other risk parameters such as PD and ELGD. However, the details necessarily differ; the remainder of this section discusses supervisory standards related to quantification of own-estimates of LGD to reflect economic downturn conditions.

    Identifying Economic Downturn Conditions

  215. To identify periods of downturn conditions, the bank should first articulate both product and geographic scope, since default rates for different types of exposures in different areas are themselves likely to differ. At the product level, the highest level of aggregation is a given IRB subcategory of exposure (i.e., residential mortgage, QRE, other retail, HVCRE, and all other wholesale). Thus, for example, downturn conditions for wholesale exposures other than HVCRE are defined as periods of high default rates for non-HVCRE wholesale exposures in general. A bank may choose to use lower levels of aggregation in order to achieve better measurement of actual credit risk and greater risk sensitivity. For example, a bank with an industry concentration in a subcategory of exposures (such as corporate exposures to technology companies) may find that information relating to a downturn in that industry sector may be more relevant for the bank than a general downturn affecting many regions or industries.

  216. The geographic scope for identification of economic downturn conditions is the geographic ``footprint'' of the bank within an exposure subcategory, that is, the geographic area from which exposures of each type are drawn (or can be expected to be drawn customarily). This ``footprint'' need not be the same for each subcategory of exposures. Banks are not required to further subdivide with regard to geography; for example, if a bank's HVCRE exposures are drawn from two distinct regions such as the Southeast and the Northeast, they may define a downturn in HVCRE as a period of significantly above-average default rates in HVCRE for the two regions jointly, rather than considering each separately. Nonetheless, as is the case with product scope, banks are permitted to further subdivide geographically if they choose to do so.

  217. The exception to the ``footprint'' scope is that separate countries must be treated separately. For example, a bank with residential mortgage exposures in the United States and Japan must separately identify the conditions under which residential mortgage default rates would be significantly higher than average in each national jurisdiction.

  218. Given these requirements for product and geographic scope, downturn conditions with respect to a wholesale exposure or retail segment are defined as those conditions under which the aggregate default rate for the exposure's wholesale or retail exposure subcategory (or subdivision of such subcategory selected by the bank) within the related geographic footprint and/or jurisdiction (or finer subdivision selected by the bank) would be significantly higher than average.

  219. It may be useful to distinguish this definition of economic downturn from other definitions that might seem reasonable. For example, an economic downturn for purposes of LGD estimation is not defined as a period of high loss severity, that is, a period in which realized losses given default are high. Loss severities may be high during an economic downturn--indeed, that is the primary motivation for the separate estimation of economic downturn LGD--but this is not the defining characteristic; high realized loss severity rates do not define a downturn. Similarly, economic downturns are not defined as periods of depressed collateral values, although collateral values may be low when default rates are high. Finally, economic downturn conditions for purposes of LGD estimation are not defined as periods of poor economic performance as determined by other measures such as GDP growth or other traditional measures of business conditions and economic climate. Traditional measures of economic activity may indeed show weakness during periods corresponding to ``economic downturn conditions'' as defined for purposes of LGD estimation, but a period of weak economic activity does not in and of itself indicate the existence of economic downturn conditions as defined in the NPR. Economic downturn conditions are identified only through reference to default rates for exposure subcategories within relevant geographic regions.

    Estimation of LGD

  220. Once relevant downturn conditions are identified, a bank must determine the impact of such conditions on loss severities and construct appropriate estimates of LGD under economic downturn conditions for each wholesale loss severity rating grade or exposure and each retail segment. LGD should be the empirically based best estimate of the loss severity as a percentage of exposure if the obligor were to default during economic downturn conditions. Note that although estimates are empirically based, the purpose of quantification is not to measure past patterns and dependencies, but to generate predictions of likely future outcomes.

  221. Banks may choose to focus the quantification process on LGD directly. However, in many cases it may be more practical to estimate the extent to which loss rates can be expected to exceed ELGD under economic downturn conditions, through estimation of the difference (LGD-ELGD) or estimation of the percentage increase in the loss rate, or perhaps through some other translation of ELGD into LGD. In that case, the result of one estimation process--that for ELGD--is used an input to the LGD estimation process, and any evaluation of the robustness of LGD estimates would have to adequately consider the potential modeling error and estimation error introduced by their reliance on ELGD as a key input.

  222. Identification of the impact of economic downturn conditions on LGD, and incorporation of that impact into LGD estimates, requires suitable design of all stages of the quantification process. No single approach is presumed to be correct, and there are many alternative approaches that, if properly carried out, could satisfy the supervisory requirements for use of internal estimates of LGD. Several examples, while not intended to be exhaustive, can serve to illustrate the point. Example 1

    A bank estimates a relationship between loss rates and a set of independent variables or risk drivers that is robust over periods covering a wide range of conditions, including economic downturns. The bank determines that the main impact of an economic downturn on LGD arises through changes in certain risk drivers (such as collateral values) under economic downturn conditions. The bank quantifies LGD through a process similar to a stress test, with the

    [[Page 9112]]

    identified drivers of loss severity stressed to the values they would assume under economic downturn conditions, based on historical observations. Example 2

    A bank conducts rigorous analysis to construct a model linking risk drivers for LGD to variables that characterize economic downturn conditions, including underlying economic variables and the way those variables tend to change in a downturn. The bank uses that model to directly simulate the impact of downturn conditions on LGD rather than using downturn values for the variables that tend to determine loss severity rates under more normal conditions. Example 3

    A bank determines that the impact of economic downturn conditions on LGD arises from a fundamental change in the relationship between risk drivers and LGD during a downturn. That is, the bank finds that loss severities rise in a downturn because certain risk drivers or variables that have an impact on losses, such as collateral type or seniority, have a different quantitative influence on loss severity during a downturn than during other periods. The bank estimates a relationship between loss severity rates and risk driving variables using data from periods of economic downturn conditions.

    The approaches briefly described in the examples above also require careful consideration of appropriate mapping, since use of an estimated relationship between LGD and any other variables or risk drivers would require mapping of currently observed values of those variables for exposures, rating grades, or segments to the corresponding values of those drivers during economic downturn conditions. Example 4

    A bank conducts a rigorous comparison of average recovery rates with recovery rates observed during appropriately identified downturn periods, finding that the impact of economic downturn conditions can be characterized as a fixed, across-the-board reduction in recovery rates. The bank is able to provide evidence that this relationship is statistically robust, and superior to other approaches to LGD quantification. The bank uses the implied, empirically based adjustments in the application stage of the LGD quantification process to reflect the impact of economic downturns.

    1. Mapping

  223. ELGD and LGD mapping follows the same general standards as PD mapping. A mapping should be plausible and should be based on a comparison of loss severity-related data elements common to both the reference data and the existing portfolio. The mapping approach is expected to be unbiased, such that the exercise of judgment does not consistently lower ELGD and LGD estimates. The default definitions in the reference data and the existing portfolio of exposures should be comparable, as should be the methods of recovery. The mapping process should be updated regularly, well-documented, and independently reviewed.

  224. Mapping involves matching exposure-specific data elements available in the existing portfolio to the factors in the reference data set used to estimate expected loss severity rates. Examples of factors that influence loss rates include collateral type and coverage, seniority, industry, and location. Reference data often do not include workout costs and will often use different discount rates. Judgmental adjustments for such differences should be well-documented and empirically based to the extent possible.

  225. Different data sets and different approaches to ELGD and LGD estimation may be appropriate, especially for different business segments or product lines. Each mapping process must be specified and documented.

    1. Application

  226. At the application stage, banks apply the ELGD and LGD estimation framework to their existing portfolio of credit exposures. This step might require banks to aggregate retail segment-level ELGD and LGD estimates derived from more granular reference data into estimates applicable to broader segments in the existing portfolio, to aggregate individual wholesale ELGD and LGD estimates into discrete loss severity ratings, or to combine estimates.

  227. The inherent variability of recovery, due in part to unanticipated circumstances, demonstrates that no exposure type is risk-free, regardless of structure, collateral type, or collateral coverage. The existence of recovery risk dictates that the application stage should result in an ELGD and LGD above 0 percent. As was discussed in the data section, a data set may include observations with negative realized loss rates. Although these transactions may be included in the ELGD and LGD estimation process, no exposure or rating grade should be assigned an ELGD or LGD estimate that is less than or equal to zero percent for purposes of risk-based capital calculations.

  228. The LGD (i.e., the economic downturn loss estimate) for each segment of residential mortgage exposures (other than segments of residential mortgage exposures for which all or substantially all of the principal of each exposure is directly and unconditionally guaranteed by the full faith and credit of a sovereign entity) may not be less than 10 percent.

    1. Exposure at Default (EAD)

  229. As EAD quantification is somewhat less advanced than other areas of quantification, it is addressed in somewhat less detail in this guidance. Banks should continue to innovate in the area of EAD estimation, refining and improving practices in EAD measurement.

  230. A bank must provide an estimate of EAD for each exposure in its wholesale portfolio and for each segment in its retail portfolio. For fixed exposures like term loans, EAD is equal to the carrying value unless there is an allocated transfer risk reserve for the exposure or the exposure is held available-for-sale. For variable exposures such as loan commitments, revolving exposures and other lines of credit, EAD for each exposure includes the outstanding balance at the point of capital measurement plus an estimate of net additions to the total balance due, including estimated future additional advances of funds, including principal and accrued but unpaid interest and fees that are likely to occur before and after default assuming that the exposure were to default within a one-year horizon. The estimate of net additions must reflect what would be expected during a period of economic downturn conditions.

  231. Refer to Chapter 9 of this guidance and the NPR for guidance on quantifying EAD for OTC derivative contracts, repo-style transactions, and eligible margin loans.

  232. For retail and wholesale exposures in which only the drawn balance has been securitized (e.g., a typical credit card securitization), the bank must reflect its share of the exposures' undrawn balances in EAD. The undrawn balances of exposures for which the drawn balances have been securitized must be allocated between the seller's and investors' interests on a pro rata basis, based on the proportions of the seller's and investors' shares of the securitized drawn balances.

    [[Page 9113]]

  233. A number of methods can be used to estimate EAD. One common approach is based on loan equivalent exposure (``LEQ''), which is typically expressed as a percentage of the current total committed but undrawn amount.\6\ EAD can thus be represented as:

    \6\ This is frequently referred to as the credit conversion factor (CCF).

    EAD = current outstanding + LEQ x (total committed - current outstanding)

    1. Data

  234. Like reference data sets used for ELGD and LGD estimation, EAD data sets typically contain only exposures to defaulted obligors, although data on troubled non-defaulted obligors also could be informative in estimation of these parameters. The same reference data are often used for ELGD, LGD and EAD quantification. In addition to relevant descriptive characteristics (referred to as ``drivers'') that can be used in estimation, the reference data must include historical information on the exposure (both drawn and undrawn amounts) as of some date prior to default, as well as the drawn exposure at the date of default.

  235. As discussed below under ``Estimation,'' EAD estimates may be developed using either a cohort method or a fixed-horizon method. The bank's reference data set should be structured so that it is consistent with the estimation method the bank applies. Thus, the data should include information on the total commitment, the undrawn amount, and the exposure drivers for each defaulted exposure, either at fixed calendar dates for the cohort method or at a fixed interval prior to the default date for the fixed-horizon method.

  236. The reference data should contain variables that enable the bank to group the exposures to defaulted obligors in meaningful ways. Banks should consider how a wide range of obligor and exposure characteristics affect EAD. Examples include time from origination, time to expiration or renewal, economic conditions, risk rating changes, or certain types of covenants. Some potential drivers may be linked to a bank's credit risk management skills, while others may be external to the bank.

    1. Estimation

  237. To derive EAD estimates for lines of credit and loan commitments, characteristics of the reference data are related to additional drawings on an exposure up to and after the time a default event is triggered. Estimates of any additional extensions of credit expected by a bank subsequent to realization of a default event should be factored into the quantification of EAD. The estimation process should be capable of producing a plausible average estimate of draws on unused available credit (e.g., LEQ) to support the EAD calculation for each exposure or retail segment. Example

    A bank determines that a business unit forms a homogeneous pool for the purposes of estimating EAD. That is, although the exposures in this pool may differ in some respects, the bank determines that the credit lines share a similar drawdown experience in default. The bank should provide reasonable support for this pooling through analysis of lending practices and available internal and external data.

  238. Two broad types of estimation methods are used in practice, the cohort method and the fixed-horizon method.

  239. Under the cohort method, a bank groups defaults into discrete calendar periods, such as a year. A bank may use a longer period if it provides a more accurate estimate of future gross losses arising from undrawn exposures. For retail exposures, the bank estimates the relationship between the balances for defaulted exposures at the start of the calendar period and at the time at default. For wholesale exposures, the bank estimates the relationship between the drivers as of the start of that calendar period and LEQ for each exposure to a defaulter. For each exposure category or retail segment (that is, for each combination of exposure drivers identified by the bank), an LEQ estimate could be based on the mean additional drawing for exposures in that category or segment as a proportion of the undrawn lines. One approach to combine results for multiple periods into a single long-run average would be weighting the period-by-period means by the proportion of defaults occurring in each period, so that each default receives equal weight.

  240. Under the fixed-horizon method, for each defaulted exposure the bank compares additional drawdowns to the gross committed but undrawn amount that existed at a fixed date prior to the date of the default (the horizon). For example, the bank might base its estimates on a reference data set that supplies the actual amount outstanding and any additional extensions along with the drawn and undrawn amounts (as well as relevant drivers) at a date a fixed number of months prior to the date of each default, regardless of the actual calendar date on which the default occurred. Estimates of LEQ for wholesale exposures are computed from the average drawdown proportions that occur over the fixed-horizon interval, for whatever combinations of the driving variables the bank has determined are relevant for explaining and predicting EAD. LEQs estimated for retail segments are computed from the increase in balances that occur over the fixed-horizon interval for the defaults in the segment relative to their credit limits. The time interval used for the fixed-horizon method should be sufficiently long to capture the additional drawdowns generated by exposures that default during the year for which the risk parameters are being estimated. In particular, the appropriate fixed interval will be influenced by charge-off policies. For example, using a six-month time interval for credit card loans would underestimate EAD. Special Considerations for Retail EAD Estimation

  241. Different methods are used to estimate EAD for open credit lines. The LEQ method outlined in this guidance is one technique observed in practice. Other methods directly estimate the defaulted balances for a segment over a one-year window without taking the committed line limit into account. These other methods may be acceptable if the bank could show that the size of the line is not relevant given the other risk factors used in the analysis.

  242. EAD for a segment should accurately estimate the total exposure at default for the segment. Poor segmentation may result in inaccurate EADs. For example, if loans within a segment do not have homogenous risk characteristics because larger exposures are more likely to default than smaller exposures, then estimated EADs may be biased downward.

    S 4-23 Estimates of additional drawdowns must reflect net additional draws expected during economic downturn periods.

  243. Conceptually, banks should approach EAD quantification in a fashion parallel to LGD quantification with respect to the potential for volatility over the economic cycle. Specifically, estimates of net additional drawdowns should reflect what would be expected during economic downturn periods. Certain exposure types may not exhibit cyclical EAD variability; in these cases, use of a long-run default- weighted average draw proportion used to derive EAD in the IRB risk- based capital calculation is appropriate. But for exposure types for which drawdowns are expected to be larger when default rates are significantly higher than average EAD--estimates

    [[Page 9114]]

    should take into account this cyclical variability. In such cases, the estimated draw proportion used to derive the EAD input to the risk- based capital calculation should exceed the long-run default-weighted average, and should be the bank's estimate of the net additional drawdown proportion per default expected during economic downturn conditions. For this purpose, banks may use averages of EADs observed during economic downturn periods, forecasts based on appropriately conservative assumptions, or other similar methods.

    1. Mapping

  244. If the characteristics that drive EAD in the reference data are the same as those used for the risk rating or segmentation system of the bank's existing portfolio, mapping may be relatively straightforward. However, if the relevant characteristics are not available in a bank's existing portfolio, the bank will encounter the same mapping complexities that it does when mapping PD, ELGD, and LGD in similar circumstances.

    1. Application

  245. In the application stage, the estimated relationship between risk drivers and EAD is applied to the bank's existing portfolio. Multiple reference data sets may be used for EAD estimation and combined at the application stage, subject to the general standards for using multiple data sets.

    S 4-24 Estimates of additional drawdowns prior to default for individual wholesale exposures or retail segments must not be negative.

  246. Analogous to the prior discussion of ELGD and LGD quantification, reference data sets used for estimation of additional drawdowns may contain individual negative drawdown observations and observations that exceed 100 percent of the undrawn line amount. Regardless, final estimates of additional drawdowns prior to default for individual wholesale exposures or retail segments must not be negative.

    1. Maturity (M)

  247. A bank must assign an effective maturity (``M'') to each wholesale exposure in its portfolio; this measure is also referred to as ``average life.'' In general, M is the weighted-average remaining maturity, measured in years, of the cash flows that the bank expects under the contractual terms of the exposure, using the undiscounted amounts of the cash flows as weights. Alternatively, a bank may apply the nominal remaining maturity, measured in years, of the exposure. M is a direct calculation; as such it is not subject to the four stages of the quantification process.

  248. The data required to calculate M are the undiscounted amount and timing of each remaining contractual cash flow, measured in years from the date of the calculation. Specifically, M is calculated as the sum of all time-weighted cash flows, where the weights are equal to the fraction of the total undiscounted cash flow to be received at each date. Example

    A bank holds an asset with two remaining contractual cash flows. 33 percent of the total remaining contractual cash flow is expected at the end of one year and the other 67 percent is expected two years from today. For risk-based capital purposes, M for this asset could be calculated as: M = (1 x 0.33) + (2 x 0.67) = 1.67; or simply M = 2, applying the nominal remaining contractual maturity.

  249. The relevant cash flows are the future payments the bank expects to receive from the obligor, regardless of form; they may include payments of principal, interest, fees, or other types of payments depending on the structure of the transaction.

  250. For exposures with pre-determined cash flow schedules (fixed- rate loans, for example), the calculation of the weighted-average remaining maturity is straightforward, using the scheduled timing and amounts of the individual undiscounted cash flows. Cash flows associated with other types of credit exposures may be less certain. In such cases, the bank should establish a method of projecting expected cash flows. In general, the method used for any exposure should be the same as the one used by the bank for purposes of valuation or risk management. The method should be well-documented and subject to independent review and approval. A bank should demonstrate either that the method used is standard industry practice, or that it is widely used within the bank for purposes other than risk-based capital calculations. A bank may use its best estimate of future interest rates to compute expected contractual interest payments on a floating-rate exposure, but it may not consider expected but non-contractually required returns of principal when estimating M.\7\

    \7\ Question 31 in the NPR requests comment on the appropriateness of permitting a bank to consider prepayments when estimating M, and on the feasibility and advisability of using discounted (rather than undiscounted) cash flows as the basis for estimating M.

  251. To be conservative, a bank may set M equal to the maximum number of years the obligor could take to fully discharge the contractual obligation (provided that the maximum is not longer than five years, as noted below). This maximum will often correspond to the stated or nominal maturity of the instrument. Banks should make this conservative choice (maximum nominal maturity) if the timing and amounts of the cash flows on the exposure cannot be projected with a reasonable degree of confidence.

  252. For repo-style transactions, eligible margin loans and over- the-counter derivatives contracts subject to qualifying master netting agreements, the bank may compute a single value of M for the transactions as a group by weighting each individual transaction's effective maturity by that transaction's share of the total notional value subject to the netting agreement, and summing the result across all of the transactions.

  253. For risk-based capital calculations, the value of M for any exposure is subject to certain upper and lower limits, regardless of the exposure's actual effective maturity. The value of M should never exceed 5 years. If an exposure clearly has a greater effective maturity, the bank may simply use a value of M = 5 rather than calculating the actual effective maturity.

  254. For most exposures, the value of M should be no less than one year. For certain short-term exposures that are not part of a bank's ongoing financing of a borrower and that have an original maturity of less than one year, M must be greater than or equal to one day or to the nominal or effective remaining maturity.\8\

    \8\ Section 31(d)(7) of the NPR defines an exposure that is not part of a bank's ongoing financing of the obligor as one where the bank (1) has a legal and practical ability not to renew or roll over the exposure in the event of credit deterioration of the obligor, (2) makes an independent credit decision at the inception of the exposure and at every renewal or rollover, and (3) has no substantial commercial incentive to continue its credit relationship with the obligor in the event of credit deterioration of the obligor.

    1. Special Cases and Applications

    1. Loan Sales

    S 4-25 Quantification of the risk parameters should appropriately recognize the risk characteristics of exposures that were removed from reference data sets through loan sales or securitizations.

  255. Loan sales and securitizations can pose substantial difficulties for quantification. For example, PDs might appear disproportionately low if loans are sold before their inherent long- term

    [[Page 9115]]

    risk becomes manifest. Upwardly adjusting risk parameter estimates to account for sales or securitization would be particularly important for a bank that sells off primarily exposures that are performing poorly (for example, delinquent loans).

  256. When risk parameter estimates use internal historical data as reference data sets and the potential bias created by loan sales and securitizations is material, the bank should identify, by detailed risk characteristics, the loans sold out of the pool or portfolio. Any potential bias caused by removing these loans should be corrected.

  257. For banks with a history of regularly selling or securitizing loans of particular types, long-run performance data may be available from the servicers or trustees. Alternatively, banks may be able to estimate the performance of the loans sold or securitized by constructing comparable reference data sets with similar risk drivers using internal historical data from retained pools or external data.

    1. Multiple Legal Entities

  258. Some banks have various portfolios that are centrally managed, even though the exposures are held by multiple legal entities. Certain activities, including ratings activities, segmentation and quantification, can be conducted across multiple legal entities. However, each bank member of the consolidated group must separately ensure that risk parameters assigned to its credit exposures are appropriate on a standalone basis. For example, if a particular bank within the banking group holds exposures with characteristics not representative of the broader consolidated organization (such as credit card loans originated through a specific marketing channel or mortgage loans in a certain location), the bank must ensure the quantification process produces PDs, ELGDs, LGDs, and EADs that reflect the risk associated with the exposures within that legal entity.

  259. Each bank (including each depository institution) within a banking group that has centrally managed quantification processes should perform periodic evaluations to confirm that its risk-based capital requirements accurately reflect its risk profile.

    Appendix A: Illustrations of the Quantification Process for Wholesale Portfolios

    This appendix provides examples to show how the logical framework described in this guidance, with its four stages (data, estimation, mapping, and application), applies when analyzing quantification practices. The framework is broadly applicable--for PD, ELGD, LGD or EAD; using internal, external, or pooled reference data; for simple or complex estimation methods--although the issues and concerns that arise at each stage depend on a bank's approach. These examples are intended only to illustrate the logic of the four-stage IRB quantification framework, and should not be taken to endorse the particular techniques presented in the examples.

    Example 1: PD Quantification From Bond Data

    A bank establishes a correspondence between its internal rating grades and external rating agency grades; the bank has determined that its Grade 4 is equivalent to \3\4\Ba and \1\4\B on the Moody's scale.

    The bank regularly obtains published estimates of mean default rates for publicly rated Ba and B obligors in North America from 1970 through 2002.

    The Ba and B historical default rates are weighted 75/25, and the result is a preliminary PD for the bank's internal Grade 4 exposures.

    However, the bank then increases the PD by 10 percent to account for the fact that the Moody's definition of default differs from the IRB definition.

    The bank makes a further adjustment to ensure that the resulting rating grade PD is greater than the PD attributed to Grade 3 and less than the PD attributed to Grade 5.

    The result is the final PD estimate for Grade 4. Process Analysis for Example 1:

    Data--The reference data set consists of issuers of publicly rated debt in North America over the period 1970 through 2002. The data description is very basic: Each issuer in the reference data is described only by its rating (such as Aaa, Aa, A, Baa, and so on).

    Estimation--The bank could have estimated default rates itself using a database purchased from Moody's, but since these estimates would just be the mean default rates per year for each rating grade, the bank could just as well (and in this example does) use the published historical default rates from Moody's; in essence, the estimation step has been outsourced to Moody's. The 10 percent adjustment of PD is part of the estimation process in this case because the adjustment was made prior to the application of the agency default rates to the internal portfolio data.

    Mapping--The bank's mapping is an example of a rating grade mapping; internal Grade 4 is linked to the 75/25 mix of Ba and B. Based on the limited information presented in the example, this step should be explored further. Specifically, the bank should justify the appropriateness of the 75/25 mix.

    Application--Although the application step is relatively straightforward in this case, the bank does make the adjustment of the Grade 4 PD estimate to give it the desired relationship to the adjacent rating grades. This adjustment is part of the application stage because it is made after the adjusted agency default rates are applied to the internal rating grades.

    Example 2: PD Quantification Using a Merton-Type Equity-Based Model

    A bank obtains a 20-year database of North American firms with publicly-traded equity, some of which defaulted during the 20-year period.

    The bank uses the Merton approach to modeling equity in these firms as a contingent claim, constructing an estimate of each firm's distance-to-default at the start of each year in the database.\9\ The bank then ranks the firm-years within the database by distance-to-default, divides the ordered observations into 15 equal groups or buckets, and computes a mean historical one-year default rate for each bucket. That default rate is taken as an estimate of the applicable PD for any obligor within the range of distance-to-default values represented by each of the 15 buckets.

    \9\ The term ``Merton approach'' is meant to include any structural credit risk model that values equity as a contingent claim, as promulgated in the seminal work of Merton and Black and Scholes.

    The bank next looks at all obligors with publicly-traded shares within each of its internal rating grades, applies the same Merton-type model to compute distance-to-default at quarter-end, sorts these observations into the 15 buckets from the previous step, and assigns the corresponding PD estimate.

    For each internal rating grade, the bank computes the mean of the individual obligor default probabilities and uses that average as the rating grade PD. Process Analysis for Example 2

    Data--The reference data set consists of the North American firms with publicly-traded equity in the acquired database. The reference data are described in this case by a single variable, specifically an identifier of the specific distance-to-default range from the Merton model (one of the 15 possible in this case) into which a firm falls in any year.

    Estimation--The estimation step is simple: The average default rate is calculated for each distance-to-default

    [[Page 9116]]

    bucket. Since the data cover 20 years and a wide range of economic conditions, including downturn conditions, the resulting estimates satisfy the long-run average requirement.

    Mapping--The bank maps selected portfolio obligors to the reference data set using the distance-to-default generated by the Merton model. However, not all obligors can be mapped, since not all have traded equity. This introduces an element of uncertainty into the mapping that requires additional analysis by the bank: Were the mapped obligors representative of other obligors in the same rating grade? The bank should demonstrate comparability between the publicly-traded portfolio obligors and those not publicly traded. It may be appropriate for the bank to make conservative adjustments to its ultimate PD estimates to compensate for the uncertainty in the mapping. The bank also should perform further analysis to demonstrate that the implied distance-to- default for each internal rating grade represented long-run expectations for obligors assigned to that rating grade; this could involve computing the Merton model for portfolio obligors over several years of relevant history that span a wide range of economic conditions.

    Application--The final step is aggregation of individual obligors to the rating grade level through calculation of the mean for each rating grade, and application of this rating grade PD to all obligors in the grade. The bank might also choose to modify PD assignments further at this stage, combining PD estimates derived from other sources, introducing an appropriate degree of conservatism, or making other adjustments.

    Example 3: ELGD Quantification From Internal Default Data

    For each wholesale exposure in its portfolio, a bank records collateral coverage as a percentage, as well as which of four types of collateral applies.

    A bank has retained data on all defaulted exposures since 1995. For each defaulted exposure in the database, the bank has a record of the collateral type within the same four broad categories. However, collateral coverage is only recorded at three levels (low, moderate, or high) depending on the ratio of collateral to EAD.

    The bank also records the timing and discounted value of recoveries net of workout costs for each defaulted exposure in the database.Cash flows are tracked from the date of default to a ``resolution date,'' defined as the point at which the remaining balance is less than 5 percent of the EAD. A recovery percentage is computed, equal to the value of recoveries discounted to the date of default, divided by the exposure at default.

    For each cell (each of the 12 combinations of collateral type and coverage), the bank computes a simple arithmetic mean realized loss severity percentage as the mean of one minus the recovery percentage. One of the categories has a mean realized loss severity percentage of less than zero (recoveries have exceeded exposure on average), so the bank sets the loss rate at zero.

    The bank assigns each exposure in the existing portfolio to one of the 12 cells based on collateral type and coverage. As its ELGD, the bank applies the mean historical realized loss severity percentage for that cell plus an additional five percentage points to account for the bank's relatively small number of default observations--in relation to the total number of defaults in the reference data--from years with the largest default rates. Process Analysis for Example 3

    Data--The reference data is the collection of defaults and associated loss amounts from the bank's historical portfolio. The reference data are described by the two categorical variables (level of collateral coverage and type of collateral). It would be important to determine whether the defaults over the past few years are comparable to defaults from the existing portfolio. One would also want to ask why the bank ignores potentially valuable information by converting the continuous data on collateral coverage into a categorical variable.

    Estimation--Conceptually, the bank is using a loss severity model in which 12 binary variables--one for each loan coverage/type combination--explain the percentage loss. The coefficients on the variables are just the arithmetic mean realized loss figures from the reference data.

    Mapping--Mapping in this case is fairly straightforward, since all the relevant characteristics of the reference data are also in the data system for the existing portfolio. However, the bank should determine whether the variables are being recorded in the same way (for example, using the same definitions of collateral types), otherwise some adjustment might be appropriate.

    Application--The bank is able to apply the loss severity model by simply plugging in the relevant values for the existing portfolio (or what amounts to the same thing, looking up the cell mean). The bank's assignment of zero ELGD for one of the cells merits special attention; while the bank represented this assignment as conservative, the adjustment does not satisfy the supervisory requirement that ELGD must exceed zero. A larger upward adjustment is necessary. Finally, the upward adjustment of the mean historical realized loss severity percentages to account for the relatively small influence of downturn conditions on the realizations may be appropriate but should be the outcome of a well-documented decision process supported by empirical analysis.

    Appendix B: Illustrations of the Quantification Process for Retail Portfolios

    Example 1: Quantification of Segment PD

    A bank that has been making indirect installment loans through furniture stores for a number of years. Seven years of internal data history are available, over a period that includes economic downturn conditions. The bank has segmented this portfolio over the entire period in a consistent manner: By bureau score, internal behavioral score and monthly disposable income. In addition, realized loss severities for this portfolio have demonstrated significant cyclical variability over the period covered by the bank's data history.

    The bank can empirically show that the participating furniture retailers, underwriting criteria, and collection practices have remained reasonably stable over the seven-year period, and the definition of default has been consistent with the IRB definition. However, there are frequent changes in the bank's products and in the borrowing population that affect the risk characteristics of its loans. Therefore, in quantifying PD the bank assigns more weight to recent data within the seven-year history. The segment PD is calculated as a weighted-average of the seven annual realized historical default rates with the assigned weights progressively lower for the earlier years of the sample. Process Analysis for Example 1

    As discussed in the main chapter text, quantification processes need not be explicitly structured as four stages. The four-stage structure is a conceptual framework, and an analytical and implementation guide. However, as in other wholesale and retail examples, this bank's quantification process for PD can be interpreted in terms of the four-stage framework:

    [[Page 9117]]

    Data--The bank's own seven-year historical data serve as the reference data.

    Estimation--Estimation consists of calculating a weighted-average of the annual default rates for each segment in the reference data.

    Mapping--Mapping consists primarily of ensuring that the segmentation schemes and the definition of default are consistent for the reference data and the bank's existing portfolio.

    Application--Application is a matter of using the PD estimate derived from the reference data for each segment of the existing portfolio in the risk-based capital formulas.

    Example 2: Quantification of PD for First-lien Mortgages

    For the past four years, a mortgage lender has begun making loans in a geographic region that has experienced relatively lower default rates than the bank had experienced previously. The bank has fourteen years of internal data history. The bank has analyzed external mortgage data over the same time period and has identified risk characteristics that vary by geographic region (e.g., volatility of house prices in a region). Analysis of the internal reference data also indicates the importance of these geographic risk factors.

    The recent four-year period does not include economic downturn conditions, so the bank uses its full fourteen years of data history to reflect downturn conditions. To estimate the PD parameter over a long run of data history that is also comparable to the current portfolio, the bank develops a statistical model of the PD based on the combined internal and external performance history. The variables used as PD predictors include geographic risk factors such as the volatility of employment and house prices in the region. The model also includes borrower risk characteristics (credit score, debt-to-income ratio) and loan risk characteristics (loan-to-value ratio and tenor). Models are built for each major product type, such as fixed-rate and adjustable- rate mortgages (FRM and ARM). The model results are robust according to standard statistical diagnostic tests, and the models have continued to perform satisfactorily in validations outside the development sample. Process Analysis for Example 2

    Data--The existing portfolio of first-lien mortgages is segmented by region, LTV, credit score, tenor, mortgage type (fixed-rate or ARM), and debt-to-income ratio. For a given segment, the bank has historical data from its own portfolio. The reference data consist of fourteen years of internal performance history for loans originated between 1990 and 2003. However, only four years of those internal data cover loans for the region of the country where the bank currently has a substantial mortgage portfolio. The internal data are supplemented by external mortgage data over the full fourteen year history (1990-2003).

    Estimation--The bank builds a set of statistical models for different product types in the portfolio (e.g., FRM and ARM). The models estimate segment PD as a function of the loan-to-value ratio, credit score, debt-to-income ratio, loan tenor, and measures the volatility of regional employment and house prices. The model is estimated on both the internal and external data.

    Mapping--Since the bank shifted a significant amount of its first- lien mortgage business to a different region of the country with generally lower default rates starting only in 2000, the bank has only four years of internal historical data (2000-2003) reflecting the performance of its mortgage business in the new region. Its older internal data from 1990 to 1999 represent credit performance in higher- risk regions. Therefore, the bank does not have sufficient historical data representing its current mortgage business to map directly, segment by segment, to estimate the PDs of the existing portfolio on the basis of the long-run average of the annual default rates of the comparable segments in the reference data.

    Instead, the bank has adopted the technique of building default prediction statistical models, based on internal and external data from the entire fourteen year history (before and since the change in the regional focus of the business in 2000) and using as causal, or independent, variables the risk drivers of mortgage default, including regional risk factors.

    In this framework, mapping consists of ensuring that the segmentation systems and definition of default for the two data historical data sets and the existing portfolio are all consistently applied in the process of deriving the values of the risk drivers used as inputs to the statistical models for each segment of the existing portfolio.

    Application--Application consists of using the estimated segment PDs produced by the statistical models as inputs into the residential mortgage formula for risk-based capital.

    Example 3A: PD Estimation in Dollar Terms

    The text defines both the historical default rate and estimated PD in unit, or account, terms. That is, the number of defaults in a segment as a proportion of the number of exposures on the balance sheet at the beginning of the time period under analysis.

    Many banks, however, prefer to, or have historically calculated the default rate in terms of dollar losses. This example shows that it is possible to derive PDs from dollar loss rates that will equal the required unit-or account-based default rates. However, a bank choosing to derive a default rate or PD in this manner must segment its portfolio properly and in a sufficiently granular manner, and must ensure that its estimates of EAD are accurate. A credit card bank directly measures its average dollars of economic loss for each segment and uses the percentage of dollars defaulted, rather than the percentage of loans defaulted, to derive the estimate of PD. Specifically, the ratio employed is the gross dollar loss divided by the exposure at default (EAD) over a one-year time horizon. The bank estimates EAD for a segment as the current outstanding balances plus the expected drawdowns on open lines (including accrued but unpaid interest and fees at the time of default) if all accounts in the segment default.

    The bank uses the appropriate IRB definition of default.

    The bank segments exposures by size of credit line and credit line utilization as well as by credit score.

    The bank regularly validates the accuracy of the EAD estimates and the consistency of the percentage-of-dollars-defaulted measure with the account-based default rate. Process Analysis for Example 3A

    Data--The historical reference data consist of measurements of the outstanding dollar balances and open credit lines for each segment at the beginning of the year. For accounts that defaulted over the following year, the gross defaulted balances (including accrued interest and fees) are also measured. The bank also tracks the number of accounts open at the beginning of the year in each segment and the number that default.

    Estimation--The bank's PD parameter is estimated as the long-run average of the one-year realized default rates in dollar terms, that is the gross balances of defaulted loans divided by the estimated EAD.

    The following table shows two segments of card exposures, both with

    [[Page 9118]]

    estimated default rates of 1 percent as measured from a single year of the historical reference data in the required manner in terms of numbers of accounts. In this case, the portfolio was segmented by average outstanding dollar balance and by average credit line per account. In addition, the EADs were estimated separately and accurately \10\ at the segment level, with the result that the dollar-denominated default rate (gross dollar loss / EAD) is equal to the unit-or account- measured PD.

    \10\ In this example, EADs are estimated by way of the LEQ ratio. As discussed in the main chapter text, this is only one method of estimating EAD currently in use.

    [GRAPHIC] [TIFF OMITTED] TN28FE07.000

    However, banks that attempt to estimate default rates or PDs in dollar terms from their historical reference data are often not as accurate as the example above, and they arrive at incorrect values. Most often, this results from insufficiently granular segmentation and consequent inaccuracy in the estimation of EADs.

    Because of the difficulties often encountered in dollar-denominated default and PD estimates, banks that choose this method should periodically demonstrate, as part of the validation of their PD quantification, that the dollar-derived PDs are essentially equal to those derived using an account-based definition.

    Mapping--Mapping involves linking segments in the reference data to segments in the existing portfolio based on the same drivers of default risk and drawdowns.

    Application--Application is generally a straightforward process, linking the estimates from segments in the reference data to segments in the existing portfolio.

    Example 3B: Another Case of Dollar Estimates of PD

    Once again, a bank prefers to calculate default rates or PDs in dollar terms. However, this example is based on fixed loans rather than revolving lines of credit such as the credit cards in the previous example. Because of a critical segmentation factor, the dollar-based default rates will rarely if ever equal the correct unit- or account- based rates.

    Using the cohort method for EAD discussed in the main chapter text, a bank calculates default rates or PDs as the accumulated gross dollar losses for each segment over the course of a year divided by the total outstanding dollar balances of the segment at the beginning of the year.\11\

    \11\ For simplicity, we assume no amortization of principal over the course of the year.

    The bank uses the appropriate IRB definition of default.

    The bank's segmentation is not particularly granular and uses few risk drivers, such that the average balance for those accounts defaulting tended to be much greater than those that did not. Process Analysis for Example 3B

    Data--The bank has 5 years of internal data history for this particular portfolio, including numbers and dollar balances of accounts at the beginning of each year and the number and dollar balances of defaulted accounts in the course of each year. The data include economic downturn conditions.

    Estimation--Because of the inadequate degree of granularity, the average January 1 dollar balances of accounts that ultimately defaulted at any time within the following year typically exceeded the beginning balances of accounts that did not default. In this case, the dollar- denominated PD (gross dollar losses divided by total beginning outstanding balances) consistently overestimated the correct (unit- based) PD. (See first line of table below, representing a single year in the historical reference data.) Conversely, if the beginning balances of accounts that ultimately defaulted were smaller than those that did not default within the following year, an unusual situation, this measure consistently underestimated PD. (See second line of table.)

    [GRAPHIC] [TIFF OMITTED] TN28FE07.001

    Mapping and Application--Since the estimation stage using this approach is very likely to be flawed, the quantification should not proceed to the mapping and application stages. Rather, the bank should revise its estimation to employ the required unit-or account-based methods of calculating historical default rates and of estimating PDs before proceeding to mapping and application.

    Example 4: PD Quantification With Adjustments for Seasoning

    Realized default rates for a bank's credit card portfolio exhibit a characteristic time profile by age--a seasoning curve.'' Using data from the past five years, including economic downturn conditions, the bank estimates the shapes of a family of ``seasoning curves for specific products, loan characteristics, and borrower credit quality at origination.

    The bank presents analyses indicating that the seasoning curves can be reasonably specified by borrower credit quality at origination, and the bank regularly analyzes new cohorts to capture any changes in the curves over changing economic and market environments. Systematic changes are incorporated into new seasoning curves.

    [[Page 9119]]

    The portfolio is segmented by borrower, product, and loan characteristics, including account age, or ``time on books.'' Process Analysis for Example 4

    Data--The reference data consists of five years of portfolio history, including economic downturn conditions. Supplemental data from earlier periods for similar products, borrower credit quality at origination, and loan type permit the estimation of annualized default rates over the remaining expected life of the loans.

    Estimation--It is necessary to calculate two different PDs for each segment of the portfolio: (1) The long-run average of one-year default rates from the historical reference data, in the same manner as for wholesale PDs, and (2) the estimated annualized cumulative default rate (``ACDR'') over the remaining expected life of the loans in the segment.

    If the ACDR is larger than the long-run average of one-year rates, then seasoning effects for this segment are deemed to be material, and the ACDR must be used as the estimated segment PD. \12\

    \12\ If the bank intends to sell or securitize the exposures in the segment within a 90-day time frame, the ``wholesale'' PD can be used even if the ACDR is greater than the long-run average. See the main chapter text for more details.

    For example, if the expected remaining life for a segment of cards that has been on the books for one year, based on historical data for defaults and attrition, is six years, and the estimated cumulative default rate over that period is five percent, the ACDR = 5/6 = 0.833. If, for the same segment, the five-year average of annual default rates from the historical reference data set is 0.75, then seasoning effects are deemed to be material and the bank must use 0.833 as the PD estimate for the coming (2nd) year.

    Mapping--The segmentation of the existing portfolio is the same as that employed for the reference data. This makes the mapping straightforward along the lines of product and loan characteristics and borrower credit quality.

    Application--At the application stage, either the ACDR or the long- run average default rate estimated from the reference data is applied as the estimated PD to the segments in the existing portfolio respectively, depending on whether or not seasoning effects are deemed to be material.

    Example 5: Guarantees for retail exposures

    Guarantees on individual retail exposures

    The following are examples of retail guarantees that would qualify under Standard 4-4:

    Consider an exposure of $85,000 secured by property valued at $100,000. The guarantee covers all losses up to $85,000.

    The guarantee covers a pre-specified dollar amount of losses less than $85,000, for example a first loss position of $20,000.

    The guarantee covers a pre-specified pro rata (or proportional) share of all losses, for example up to 20 percent of the $85,000 exposure, or $17,000.

    The guarantee covers a pre-specified pro-rata or proportional share of losses, but the pre-specified pro rata share is defined in terms of the value of the property that secures the exposure. For example, in the case of the exposure cited above, the guarantee covers losses up to 12 per cent of the value of the collateral, or $12,000. (This case represents traditional Private Mortgage Insurance (PMI) for first lien residential mortgages, where insurance is typically required for loan-to-value (``LTV'') ratios above 80 percent; for LTVs up to 85 percent, the typical requirement is for PMI in an amount equal to 12 percent of the value of the property.)

    Guarantees of Multiple Retail Exposures

    Guarantees of multiple retail exposures that involve tranching of the aggregate credit risk of the underlying exposures do not qualify under Standard 4-4. Such guarantees may qualify for treatment as synthetic securitizations (provided they meet all other requirements for securitization treatment) as specified in Standard 4-5 and succeeding paragraphs. Other guarantees of multiple retail exposures where there is no tranching of the aggregate credit risk, such as those in the following examples, may qualify under Standard 4-4:

    In some cases, a guarantee covers multiple retail exposures; however, coverage for each individual exposure meets all the requirements of Standard 4-4 and succeeding paragraphs and is consistent with any one of the four examples above. Furthermore, there are no additional limits, caps, or restrictions of any kind pertaining to the aggregate coverage. Such guarantees would meet the requirements as guarantees of individual retail exposures.

    --Consider a guarantee that covers multiple retail exposures, with a total exposure amount of $9.5 million secured by 100 residential properties each with a value of $100,000, thus an aggregate value of $10 million. The guarantee covers losses on each exposure up to an amount that will reduce the LTV on each exposure considered separately to 90 percent.

    Other guarantees on multiple retail exposures qualify under Standard 4-4, but only if they cover all or a pro rata, or proportional, share of all payments due on the aggregate exposure amount.

    --Consider the same multiple-exposure retail pool as before. There are 100 retail exposures with an aggregate exposure amount of $9.5 million. The guarantee covers all losses on the underlying exposures up to the full $9.5 million aggregate exposure amount.

    --Once again, consider the pool of multiple retail exposures above. In this case, the guarantee covers a pro rata share of losses, for example 20 percent of the $9.5 million aggregate exposure, or $1.9 million. (Alternatively, if the guarantee coverage had been pre- specified as a dollar amount, say the first $1.9 million of losses, rather than a pro rata share of the aggregate losses, that guarantee would not reflect the benefits of retail credit risk mitigation treatment. Such guarantees of multiple retail exposures would need to meet the requirements set forth in Standard 4-5 in order to qualify for securitization treatment.)

    Chapter 5: Wholesale Credit Risk Protection

    Rule Requirements

    Part III, Section 22(e): Double default treatment. A bank must obtain the prior written approval of [AGENCY] under section 34 [of the NPR] to use the double default treatment.

    Part IV, Section 33: Guarantees and Credit Derivatives: PD Substitution and LGD Adjustment Treatments

    Part IV, Section 34: Guarantees and Credit Derivatives: Double Default Treatment

  260. This chapter supplements the detailed discussion of credit risk mitigation in the NPR by providing guidance on how banks may recognize contractual arrangements for exposure-level credit protection--eligible guarantees and eligible credit derivatives--that transfer risk to one or more third parties. Each of these forms of credit protection must meet certain specific standards of eligibility, as articulated in the NPR, for recognition of the associated risk mitigation.

  261. An important aspect of either of these types of credit protection is that they are implemented at the exposure-

    [[Page 9120]]

    level, reducing credit risk faced by the bank due to a specific exposure to an individual obligor. Banks may use similar mitigants--for example, portfolio credit derivatives--to transfer credit risk associated with groups of exposures or whole portfolios. While such contracts may make a valuable contribution to broader risk management within the bank, and may be appropriately considered in an assessment of overall capital adequacy, their effects are not recognized for IRB calculations of risk-based capital requirements except in limited circumstances.

  262. Exceptions are made for certain types of basket credit derivatives and securitization exposures. In addition, banks may recognize the benefits in IRB calculations of pool-level guarantees (or credit derivatives) that are the functional equivalent of an exposure- by-exposure guarantee provided the following minimum conditions are met:

    The guarantee is an eligible guarantee.

    The contractual provisions of the guarantee must identify the specific exposures in the pool to which the guarantee applies.

    The guarantee must cover all or a pro-rata share of the pool's aggregate credit losses in a manner that ensures each individual exposure is provided the same level of loss protection under the guarantee.

    The guarantee must not contain cap provisions, deductibles, or other payout limitations that would effectively limit coverage.

    Once a bank demonstrates that the pool-level guarantee is the functional equivalent of an exposure-by-exposure guarantee, the benefits may be recognized in the IRB calculations using the credit risk mitigation framework as provided in the NPR and this document. This requires that the bank calculate its risk-based capital requirement for the pool on an exposure-by-exposure basis, as if the guarantee were applied at the level of each individual exposure.

    S 5-1 Risk-based capital benefits are only recognized for credit protection that transfers credit risk to third parties.

  263. Banks may recognize the risk-based capital benefits of credit protection associated with eligible guarantees and eligible credit derivatives from third parties. A bank may recognize the benefits of credit protection from a parent or sister company only if (a) the credit protection provider has the ability to fulfill its obligations to the bank independent of the financial support of the bank, and (b) the internal risk rating assigned to the affiliate fully excludes any support that is or may be derived from bank operations. Under no circumstances may a bank receive a risk-based capital benefit from credit protection from an internal department of the bank or from the bank's own subsidiary. Banks often manage credit risk through internal transactions that, while possibly structured in ways similar to guarantees or credit derivatives, do not in themselves result in a reduction of credit risk at the consolidated level. Such credit protection purchased internally may not be recognized for IRB purposes. Once the bank reliably demonstrates that the credit risk is ultimately transferred to a third party, for example through a matched offsetting contract, credit protection may be realized from the third party provider. However, if this protection provider is an affiliate, all of the above limitations apply.

  264. For wholesale exposures, credit risk mitigation from eligible guarantees and eligible credit derivatives is recognized through one of three mutually exclusive approaches. The approaches are identified by the primary mechanism through which risk mitigation is recognized: PD substitution, LGD adjustment, or the recognition of double-default benefits. Recognition is at the exposure level, so a bank may select among the three alternative approaches for each wholesale exposure, subject to the NPR and to relevant elements of the bank's internal policies and procedures.

  265. If a bank chooses to recognize credit protection through PD substitution, it substitutes the PD associated with the internal rating grade assigned to the protection provider in place of the PD of the obligor in the capital calculation. However, if the bank determines that this substitution overstates the degree of risk mitigation, a lesser adjustment may be made by using a PD associated with any internal rating grade inferior to that of the protection provider. Note that in either case, the PD applied is one that is associated with one of the bank's internal rating grades, determined in accordance with the bank's established processes for quantifying the default risk of those grades. Similar considerations apply in the case of double-default treatment; the PD for the protection provider used in the capital calculation should be the PD for an internal rating grade assigned to the protection provider.

  266. Under the LGD adjustment approach, the bank modifies the LGD assigned to the hedged exposure to reflect the risk mitigating effects of the credit protection, subject to limitations on the resulting risk weight as specified in the NPR. In determining the magnitude of any LGD adjustment, the bank should apply the general approach to IRB quantification developed elsewhere in this guidance; quantification of LGD adjustments for credit protection should reflect a rigorous application of standards no different from those that apply to LGD quantification generally.

  267. The NPR specifies various criteria that must be met in order for a bank to apply the double default treatment. Among those requirements are that a bank must have policies and processes to detect excessive correlation between the creditworthiness of the protection provider and the obligor for the hedged exposure. For example, the creditworthiness of a protection provider and an obligor would be excessively correlated if the obligor derives a high proportion of its income or revenue from transactions with the protection provider. Similarly, excessive correlation could arise from exposure to a common risk factor or set of risk factors, such as industry or region; in some cases a bank may be able to leverage other components of the bank's internal credit risk management processes to identify such dependence on common risk factors.

  268. A bank's choice among these approaches for reflecting the impact of credit protection for a given exposure should be made in accordance with specific criteria contained in a bank's credit policy. In addition to the specific eligibility requirements in the NPR and general consideration of the credit protection provider's ability and willingness to perform under the agreement, the criteria should include an assessment of the effect of the payout structure of the credit protection on the level and timing of recoveries. In some cases, the nature of the contractual arrangement reduces the likelihood that the bank will experience an obligor default (as defined within the IRB framework); in such cases, PD substitution (or double-default treatment, if applicable) is often more appropriate. In other cases, notably those in which the protection is likely to come into effect only after a default has occurred, it is more likely that the appropriate adjustment should be made through LGD.

  269. A bank recognizing risk mitigation from eligible guarantees or eligible credit derivatives should also have policies that ensure adequate control of any residual risks related to the use of such forms of credit protection.

    S 5-2 Banks must ensure that credit protection for which risk-based capital

    [[Page 9121]]

    benefits are claimed represents unconditional and legally binding commitments to pay on the part of the guarantors or counterparties.

  270. As specified in the NPR, forms of written third-party support that are conditional or are not legally binding are not recognized as credit risk mitigation. Refer to Standard 2-11 in the Wholesale Risk Rating Systems chapter of this guidance regarding the use of implied support as a rating criterion.

  271. In some instances, an eligible credit derivative may incorporate a reference asset that differs from the underlying asset for which a bank has acquired credit protection. A bank may recognize an eligible credit derivative that hedges an exposure that is different from the credit derivative's reference exposure used for determining the derivative's cash settlement value, deliverable obligation, or occurrence of a credit event only if:

    The reference exposure ranks pari passu (that is, equal) or junior to the hedged exposure; and

    The reference exposure and the hedged exposure share the same obligor (that is, the same legal entity) and legally enforceable cross-default or cross-acceleration clauses are in place.

  272. In such cases, a bank should evaluate and document the relationship between the reference asset and the hedged exposure to ensure that the reference asset is a reasonable proxy for the hedged exposure and is likely to behave in a similar manner upon the occurrence of a credit event.

    Chapter 6: Data Management and Maintenance

    Rule Requirements

    Part III, Section 22(i)(1): A bank must have data management and maintenance systems that adequately support all aspects of its advanced systems and the timely and accurate reporting of risk-based capital requirements.

    Part III, Section 22(i)(2): A bank must retain data using an electronic format that allows timely retrieval of data for analysis, validation, reporting, and disclosure purposes.

    Part III, Section 22(i)(3): A bank must retain sufficient data elements related to key risk drivers to permit adequate monitoring, validation, and refinement of its advanced systems.

    1. Overview

  273. Banks using the IRB framework for risk-based capital purposes must have advanced data management and maintenance systems that support credible and reliable risk parameter estimates. This chapter describes how a bank should collect, maintain, and manage the data needed to support the other IRB system components for wholesale and retail exposures (e.g., risk rating and segmentation systems, the quantification process, and validation and other control processes), as well as the bank's broader risk management and reporting needs. Additional detail specific to wholesale and retail exposures is provided in the appendices to this chapter.

  274. While this chapter specifically addresses data management and maintenance systems for wholesale and retail exposures, the framework outlined in this chapter generally applies to all of a bank's advanced systems for credit risk as described in Chapter 1 of this guidance. In addition, specific data requirements for securitizations are described in Chapter 11.

  275. Banks may implement different data management and maintenance systems for wholesale and retail exposures. Within a bank, moreover, such data systems and processes may differ across business lines and countries. Therefore, the data structures and practices, and the precise data elements to be collected will be dictated by the features and methodology of the IRB system employed by each bank.

  276. Reference data requirements related to IRB quantification, which are discussed in Chapter 4 of this guidance, describe the minimum requirements for historical default and loss reference data using the best available data for quantification, inclusive of internal, external or pooled data sets. Best available data should include historical performance information necessary to accurately estimate risk parameters for exposures in the bank's existing portfolio. Reference data for quantification are likely to comprise a smaller subset of the internal data elements cited in this chapter because the objectives of ongoing internal data management cover a wider range of purposes, such as the development of risk ratings or segmentation and the validation of the IRB system. Data histories built from the internal data maintenance framework described in this chapter will gain growing significance in the risk parameter estimation process over time.

    1. General Data Requirements

    S 6-1 Banks must collect and maintain sufficient data to support their IRB systems.

  277. While banks have substantial flexibility in designing their data management systems, the underlying principle in this guidance is that the data systems should be of sufficient depth, scope, and reliability to implement and evaluate the IRB system. The systems should be able to support the bank's ability to:

    Track obligors of wholesale exposures and to track wholesale exposures throughout their life cycle from origination to disposition;

    Capture all rating assignment data for wholesale portfolios, which include the significant quantitative and qualitative factors used to assign the obligor and loss severity ratings;

    Capture exposure and borrower characteristics and performance history for retail exposures over a historical time period;

    Capture all data for retail exposures necessary to develop the segmentation system and to assign exposures to segments;

    Develop internal risk parameter estimates;

    Validate risk parameter estimates;

    Validate the IRB system and processes;

    Refine the IRB system;

    Calculate risk-based capital ratios; and

    Produce internal and public reports.

  278. Data management and maintenance systems should enable banks to undertake necessary changes in their IRB systems and improve methods of credit risk management over time. Systems should be capable of providing detailed historical data and capturing new data elements for enhancing an IRB system. Given the importance of developing robust data histories in this process and the costs associated with collecting additional data at a later date, banks should err on the side of collecting not only data that they are currently using but also data that may potentially be useful to their IRB models or in validation processes.

    1. Life Cycle Tracking for Wholesale Exposures

    S 6-4 For wholesale exposures, banks must collect, maintain, and analyze essential data for obligors and exposures. This should be done throughout the life and disposition of the credit exposure.

  279. Using a life cycle or ``cradle to grave'' concept for each obligor and exposure supports front-end validation, backtesting, system refinements, and risk parameter estimates. A depiction of life-cycle tracking follows:

    [[Page 9122]]

    [GRAPHIC] [TIFF OMITTED] TN28FE07.002

  280. Data elements must be recorded at origination and whenever the rating is reviewed, regardless of whether the rating is changed. Data elements associated with current and past ratings must be retained. These elements include:

    Key borrower and exposure characteristics;

    Ratings for obligors and exposures;

    Key factors used to assign the ratings;

    Person responsible for assigning the rating and model(s) used in that assignment;

    Date rating assigned; and

    Overrides to the rating and authorizing individual.

    At disposition, data elements should include:

    Nature of disposition: Renewal, repayment, loan sale, default, restructuring;

    For defaults: Exposure, actual recoveries, source of recoveries, costs of workouts and timing of recoveries and costs;

    Guarantor support;

    Sale price for loans sold; and

    Other key elements that the bank deems necessary.

    See Appendix A for examples of data elements that banks should collect and maintain under an IRB data management framework for wholesale exposures.

    1. Rating Assignment Data for Wholesale Exposures

    S 6-3 Banks must capture and maintain all significant factors used to assign obligor and loss severity ratings.

  281. Assigning a rating to an obligor requires the systematic collection of various borrower characteristics, both quantitative and qualitative, because these factors are critical to validating the rating system. Obligors are rated using various methods, as discussed in Chapter 2. Each of these methods presents different challenges for input collection. For example, in judgmental rating systems, the qualitative factors used in the rating decision have not traditionally been explicitly recorded. For purposes of the IRB framework, to the extent qualitative factors play an important role in assigning ratings, banks should maintain these factors in a readily available database for validation purposes and to facilitate analysis to help banks improve the rating system over time.

  282. For loss severity estimates, banks should record the basic structural characteristics of exposures and the factors used in developing the loss severity rating or LGD estimate. These often include the seniority of the credit, the amount and type of collateral, the most recent collateral valuation date and the collateral's fair value.

  283. Banks should also track any overrides of the obligor or loss severity rating. Tracking overrides separately allows banks to identify whether the outcome of such overrides suggests either problems with rating criteria or too much discretion to adjust the ratings.

  284. Historical data, including rating histories on wholesale exposures, may be lost or irretrievable; for example, when exposures are acquired through mergers, acquisitions, or portfolio purchases. Banks are encouraged, whenever practical, to collect any missing historical data on rating assignment drivers and to re-rate the acquired obligors and exposures for prior periods. When retrieving historical data is not practical, banks may attempt to create a rating history by carefully mapping the legacy system and the new rating structure. Mapped ratings should be reviewed for accuracy. The level of effort placed on filling gaps in data should be commensurate with the size and significance of the exposures to be incorporated into the bank's IRB system.

    1. Segmentation Data for Retail Exposures

    S 6-4 For retail exposures, banks must collect and maintain all essential data elements used in segmentation systems and the quantification process. The data must cover a period of at least five years and must include a period of economic downturn conditions, or the bank must adjust its estimates of risk parameters to compensate for the lack of data from periods of economic downturn conditions.

  285. Banks should maintain a minimum five-year exposure-level history of the entire retail portfolio, including all exposures and lines that were open at any time during this period. The standard above establishes key risk drivers used in the segmentation system and in the quantification of the risk parameters. However, banks should retain additional data elements that are used in their internal credit risk management systems. (See Appendix A of this chapter for examples of retail data elements.)

  286. For retail exposures, if the most recent period of economic downturn conditions occurred more than five years ago, banks should retain additional data to cover the downturn period. These data need not cover the period between the downturn period and the most recent five-year period. These data may be in the form of representative statistical samples of the portfolio rather than data from all exposures. The method of any sampling should be statistically sound and well-documented.

  287. Banks should gather and retain disposition data, including recovery data on defaulted exposures (e.g., date and dollar value of recoveries and collection expenses) sufficient to develop ELGD, LGD, and EAD estimates for retail exposures. For many banks, information related to recoveries and

    [[Page 9123]]

    collection expenses currently exists only at an aggregate level. These banks should develop interim solutions and a plan to improve exposure- level data availability.

  288. For retail exposures, historical segmentation data can be lost or irretrievable; for example, when exposures are acquired through mergers, acquisitions, or portfolio purchases. In these cases, as an interim measure, banks should seek to obtain data from external sources to supplement internal data shortfalls. Alternatively, the reference data sometimes may be drawn from other sections of the portfolio, but only when the business lines, and exposure and borrower characteristics are sufficiently similar (for examples, see Chapter 3).

    1. Outsourced Activities

    S 6-5 Banks should ensure that outsourced activities performed by third parties are supported by sufficient data to meet IRB requirements.

  289. Certain processes, such as loan servicing, broker and correspondent origination, collection, and asset management, may be outsourced to or otherwise involve third parties. The necessary data capture and oversight of risk management standards for these portfolios and processes should be carried out as if they were conducted internally.

    1. Asset Sales

    S 6-6 Banks should maintain data to allow for a thorough review of asset sale transactions.

  290. It is important that banks be able to quantify the impact of asset sale activity on its IRB system. Documentation for these transactions should be sufficient for supervisors to determine how asset sale activity affects the integrity of the IRB system and the resulting risk-based capital calculation. For retail, asset sales may involve exposures from a variety of portfolio segments, and sale pricing may not be available at a granular level. A bank should be able to quantify the effect of removing a portion of the loans or other exposures from segments and the effect of such asset sale activity on risk parameter estimation.

    1. Data Applications

    1. Validation and Refinement

  291. The data elements collected by banks should facilitate meeting the validation standards described in Chapter 7. These standards include validating the bank's IRB system processes, including the ``front end'' aspects, such as assigning ratings or risk drivers used for segmentation, so that issues can be identified early. The data should support efforts to identify whether raters and models are following rating criteria and policies and whether ratings are consistent across portfolios. In addition, data should support the validation of risk parameters, particularly the comparison of realized outcomes with estimates. For backtesting risk parameters, data on default and disposition characteristics should be thorough.

  292. Data for validation should be rich in scope and depth in order to provide insights on the performance of the IRB system. This can contribute to a learning environment in which refinements can be made to the systems. These potential refinements include enhancements to rating assignment controls, segmentation design, processes, criteria or models, IRB system architecture, and risk parameter estimates.

    1. Applying IRB System Improvements Historically

  293. To maintain a consistent series of information for credit risk monitoring and validation purposes, banks should be able to take improvements they make to their risk rating systems for wholesale exposures and segmentation systems for retail exposures and apply them historically. Moreover, banks are encouraged to retain data beyond the minimum requirements because they should have robust historical databases containing key risk drivers and performance components over as long a historical period and as many variables as possible to facilitate the development and validation of better models and methods.

    See Appendix B for an example as to how a bank could apply new information to improve its risk rating system.

    1. Calculating Risk-Based Capital Ratios and Reporting to the Public

  294. Data retained by the bank will be essential for risk-based capital calculations and public reporting under the Pillar 3 disclosures. These uses underscore the need for a well-defined data management framework and strong controls over data integrity. Total exposures should be tied to systems of record and documentation should be maintained for this process for all reporting periods. Control processes and data elements themselves should also be subject to periodic verification and testing by internal auditors. Supervisors should rely on these processes and should also perform testing as circumstances warrant.

  295. This guidance should also be considered with the Proposed Agency Information Collections published by the Agencies on September 25, 2006 for public comment along with the NPR. The notice contained information collection templates (FFIEC 101) and information about the components of reporting entities' risk-based capital, risk-weighted assets by type of credit risk exposure under the IRB framework, including templates for credit risk and definitions of the data elements contained therein. These templates will assist banks in determining their data retention needs related to the risk-based capital requirements for credit risk under the IRB framework.

    1. Supporting Risk Management

  296. The information that can be gleaned from more extensive data collection will support a broad range of risk management activities. Risk management functions will rely on accurate and timely data to track credit quality, make informed portfolio risk mitigation decisions, and perform portfolio stress tests. Obligor and loss severity risk rating and segmentation data will be used to support such operations as internal capital allocation models, pricing models, ALLL calculations, and performance management measures. Summaries of these are included in reports to banks' boards of directors, regulators, and in public disclosures.

    1. Managing Data Quality and Integrity

    S 6-7 Banks should develop policies and controls around the integrity of the data maintained both internally and through third parties.

  297. Because data are collected at so many different stages involving a variety of groups and individuals, ensuring the quality of the data poses numerous challenges. For example:

    Qualitative risk-rating variables will have subjective elements and will be open to interpretation;

    Exposures will be acquired through mergers and purchases, but without an adequate and easily retrievable institutional rating history; and

    Data purchased from or maintained through third parties may not have controls similar to the bank's controls.

    Bank policies and controls should address these potential challenges. Specifically, banks should have policies employing change control management processes and practices to ensure the integrity of the data. In addition, banks should seek reasonable assurances from significant third-party providers concerning the integrity of the data.

    [[Page 9124]]

    1. Documentation and Definitions

    S 6-8 Banks should document the process for delivering, retaining, and updating inputs to the data warehouse and ensuring data integrity.

    S 6-9 Banks must maintain detailed documentation of changes to the data elements supporting the IRB system.

  298. Given the many challenges presented by data for an IRB system, the management of data should be formalized and banks should develop comprehensive definitions for their data elements. Fully documenting how the bank's flow of data is managed provides a means of evaluating whether the data management framework is functioning as intended. Moreover, banks should be able to communicate to persons developing or delivering various data the precise definition of the items intended to be collected. Consequently, a ``data dictionary'' and/or a ``data standards manual'' would ensure consistent inputs from business units and data vendors and would allow third parties (e.g., IRB system review process, auditors, or banking supervisors) to evaluate data quality and integrity.

  299. When changes are made to the IRB system and the supporting data elements, the source of any significant changes in the risk-based capital requirements should be documented. Therefore, it would be desirable to use change control management processes.

    1. Electronic Storage and Access

    S 6-10 Banks must retain data using an electronic format that allows timely retrieval of data for analysis, validation, reporting, and disclosure purposes.

  300. To meet the significant data management challenges presented by the validation and control features of the IRB system, banks must store their data electronically. Banks will have a variety of storage techniques and potentially a variety of systems to create their data warehouses and data marts. The data architecture should be designed to be scalable to allow for growth in portfolios, data elements, history, and product scope. IRB data requirements can be achieved by melding together existing accounting, servicing, processing, workout and risk management systems, provided the linkages between these systems are well-documented and include sufficient edit and integrity checks to ensure that the data can be used reliably.

  301. Banks lacking electronic databases for wholesale exposures would be forced to resort to manual reviews of paper files for ongoing backtesting and ad hoc ``forensic'' data mining and would be unable to perform that work in the timely and comprehensive manner required of the IRB system. Forensic mining of paper files to build an initial data warehouse from the bank's credit history is encouraged. Paper research may sometimes be necessary to identify data elements or factors not originally considered significant in estimating the risk of a particular class of obligor or exposure. The time and expense of this recovery effort highlights the importance of collecting a broad array of variables during the initial design of the IRB data system.

    Appendix A: Data Elements for Wholesale and Retail Exposures

    For illustrative purposes, the following section provides examples of the kinds of data elements banks should collect under an IRB data management and maintenance framework first for wholesale exposures and second for retail exposures.

    1. Examples of Data Elements for Wholesale Exposures

      General Descriptive Obligor and Exposure Data

      The data below could be from an exposure record or from various sources within the data warehouse. Data maintained for guarantors would be the same as that maintained for obligors. Obligor/Guarantor Data

      General data: name, address, industry;

      ID number (unique for all related parent/sub relationships);

      Rating, date, and rater; and

      PD corresponding to rating. General Exposure Characteristics

      Exposure amounts: committed, outstanding;

      Exposure type: term, revolver, bullet, amortizing, etc.;

      Purpose: acquisition, expansion, liquidity, inventory, working capital etc.;

      Covenants;

      Exposure ID number;

      Origination and maturity dates;

      Last renewal date;

      Obligor ID link;

      Rating, date and rater;

      ELGD;

      LGD; and

      EAD. Rating Assignment Data

      The data below provide an example of the categories and types of data that banks should retain in order to continually validate and improve rating systems. These data items should tie directly to the documented criteria that the bank employs when assigning ratings. For example, rating criteria often include ranges of leverage or cash flow for a particular obligor rating. In addition, banks are encouraged to develop and record quantitative representations of qualitative factors (such as management effectiveness) in numeric form. For example, a 1 may signify exceptionally strong management and a 5 very weak management. The rating data elements should be sufficient for evaluating the factors driving the rating decisions. Quantitative factors in obligor ratings

      Asset and sale size; and

      Key ratios used in rating criteria:

      --Profitability;

      --Cash flow;

      --Leverage;

      --Liquidity; and

      --Other relevant factors. Qualitative factors in obligor ratings

      Quality of earnings and cash flow;

      Management effectiveness, reliability;

      Strategic direction, industry outlook, position;

      Country factors and political risk; and

      Other relevant factors. Third-party obligor ratings

      Public debt rating and trend; and

      External credit model score and trend.

      Rating Notations

      Flag for overrides or exceptions; and

      Authorized individual who can change rating. Key exposure factors in ELGD and LGD ratings

      Seniority;

      Collateral type (cash, marketable securities, AR, stock, RE, etc.);

      Collateral value and valuation date;

      Advance rates, LTV;

      Industry; and

      Geography.

      Rating Notations

      Flag for overrides or exceptions; and

      Authorized individual who can change rating. Final disposition data

      Many banks maintain subsidiary systems for their problem exposures with details recorded, at times manually, on systems that are not linked to the bank's central exposure or risk management systems. The unlinked

      [[Page 9125]]

      data are a significant hindrance in developing reliable risk parameter estimates.

      In advanced systems, the ``grave'' portion of obligor and exposure tracking is essential for producing and validating risk parameter estimates and is an important feedback mechanism for adjusting and improving these estimates over time. Essential data elements are outlined below. Obligor/guarantor

      Default date; and

      Circumstances of default (e.g., nonaccrual, bankruptcy chapters 7-11, nonpayment). Exposure

      Outstandings at default; and

      Amounts undrawn and outstanding plus time series prior to and through default. Disposition

      Amounts recovered and dates (including source: cash, collateral, guarantor, etc.);

      Collection cost and dates;

      Discount factors to determine economic cost of collection;

      Final disposition (e.g., restructuring or sale);

      Sales price, if applicable; and

      Accounting items (charge-offs to date, purchased discounts).

    2. Examples of Data Elements for Retail Exposures

      Data Elements at Origination

      Customer identifiers, such as borrower name;

      External credit bureau attributes;

      Application attributes, such as income and financial information;

      Credit scores, including custom scores or generic scores;

      Other underwriting data used in the origination process;

      Score overrides and policy exceptions;

      Origination channel, such as a third-party vendor, telemarketing, direct mail, or Internet;

      Product type and loan terms, such as line amount, interest rate, payment terms, balance transfer amount, and reward programs;

      Collateral characteristics, such as appraised value, geographic location, and loan-to-value; and

      Guarantees or other credit risk mitigants, such as PMI. Ongoing Data Elements

      Refreshed credit bureau attributes;

      Payment history and performance characteristics, including payments, draws, fees, NSF checks, delinquency, overlimit status, and utilization;

      Collections activity, including workout or forbearance programs, restructurings, payment deferrals, re-aging and other similar programs;

      Behavior scores;

      Transaction-level information;

      Account management activities, such as line increase or decrease programs, pricing adjustments, changes in payment requirements or fee structures, and reward programs;

      Updated borrower information; and

      Updated collateral information. Collection and recovery information

      Default date;

      Loss severity information;

      Circumstances of default (e.g., nonaccrual, bankruptcy chapters 7-11, nonpayment);

      Outstandings at default;

      Amounts undrawn and outstanding plus time series prior to and through default;

      Amounts recovered and dates (including source: cash, collateral, guarantor, etc.);

      Collection cost and timing;

      Discount factors to determine economic cost of collection;

      Final disposition (e.g., restructuring or sale);

      Sales price, if applicable; and

      Accounting items (charge-offs to date, purchased discounts).

      Appendix B: Applying Risk Rating System Improvements Historically

      In the example below for wholesale exposures, a bank experiences unexpected and rapid migrations and defaults in its rating grade 4 category during 2006. Analysis of the actual financial condition of borrowers that defaulted compared with those that did not suggests that the debt-to-EBITDA range for its expert judgment criteria of 3.0 to 5.5 is too broad. Research indicates that rating grade 4 should be redefined to include only borrowers with debt-to-EBITDA ratios of 3.0- 4.5 and that rating grade 5 should be 4.5-6.5. In 2007, the change is initiated, but prior years' numbers are not recast (see Exhibit A). Consequently, a break in the series prevents the bank from evaluating credit quality changes over several years and from identifying whether applying the new rating criteria historically provides reasonable results.

      [GRAPHIC] [TIFF OMITTED] TN28FE07.003

      [[Page 9126]]

      Recognizing the need to provide senior managers and board members with a consistent risk trend, the new criteria are applied historically to obligors in rating grades 4 and 5 (see Exhibit B). The original ratings assigned to the rating grades are maintained along with notations describing what the grade would be under the new rating criteria. If the precise weight an expert has given one of the redefined criteria is unknown, banks are expected to make estimates on a best efforts basis. After the retroactive reassignment process, the bank observes that the mix of obligors in rating grade 5 declined somewhat over the past several years while the mix in rating grade 4 increased slightly. This contrasts with the trend identified before the retroactive reassignment. The result is that the multiyear transition statistics for rating grades 4 and 5 provide risk managers a clearer picture of risk.

      [GRAPHIC] [TIFF OMITTED] TN28FE07.004

      This example is based on applying ratings historically using data already collected by the bank. However, for some risk rating system refinements, banks may in the future identify drivers of default or loss that might not have been collected for borrowers or exposures in the past. That is why banks are encouraged to collect data that they believe may serve as stronger predictors of default in the future. For example, certain elements of a borrower's cash flow might currently be suspected of overstating the operational health of a particular industry. In the future, should a bank decide to reduce the weight given to cash flow for this overstatement, resulting in a downgrade of many obligor ratings, the bank that collected these data could apply this rating change to prior years. This would provide a consistent picture of risk over time and also present opportunities to validate the new criteria using historical data. Recognizing that banks will not be able to anticipate fully the data they might find useful in the future, banks are expected to reassign rating grades on a best efforts basis when practical.

      Chapter 7: Controls and Validation

      Rule Requirements

      Part III, Section 22(a)(2): The systems and processes used by a bank for risk-based capital purposes under [the NPR] must be consistent with the bank's internal risk management processes and management information reporting systems.

      Part III, Section 22(j)(2): The bank's board of directors (or a designated committee of the board) must at least annually evaluate the effectiveness of, and approve, the bank's advanced systems.

      Part III, Section 22(j)(3): A bank must have an effective system of controls and oversight that:

      (i) Ensures ongoing compliance with the qualification requirements

      [in the NPR] ;

      (ii) Maintains the integrity, reliability, and accuracy of the bank's advanced systems; and

      (iii) Includes adequate governance and project management processes.

      Part III, Section 22(j)(4): The bank must validate, on an ongoing basis, its advanced systems. The bank's validation process must be independent of the advanced systems' development, implementation, and operation, or the validation process must be subjected to an independent review of its adequacy and effectiveness. Validation must include:

      (i) The evaluation of the conceptual soundness of (including developmental evidence supporting) the advanced systems;

      (ii) An on-going monitoring process that includes verification of processes and benchmarking; and

      (iii) An outcomes analysis process that includes backtesting.

      Part III, Section 22(j)(5): The bank must have an internal audit function independent of business-line management that at least annually assesses the effectiveness of the controls supporting the bank's advanced systems and reports its findings to the bank's board of directors (or a committee thereof).

      1. Overview

  302. A bank must have a system of controls that ensures that the components of the IRB system are functioning effectively. This chapter provides guidance on the essential elements of an effective control environment for an IRB system for wholesale and retail exposures, including independent review processes, a comprehensive validation process, and an internal audit review and reporting process.

  303. While this chapter specifically addresses the control framework supporting a bank's IRB systems for wholesale and retail exposures, the framework outlined in this chapter generally applies to all of a bank's advanced systems for credit risk as described in Chapter 1 of this guidance.

    [[Page 9127]]

    In addition, specific validation requirements for certain counterparty credit risk transactions, equity exposures, and securitization exposures are provided in Chapters 9, 10, and 11, respectively.

    S 7-1 Banks must have an effective system of controls that ensures ongoing compliance with the qualification requirements, maintains the integrity, reliability, and accuracy of the IRB system, and includes adequate governance and project management processes.

  304. An accurate and reliable IRB system will allow bank management to make informed risk management and capital management decisions. While banks have flexibility in determining how integrity in the IRB system is achieved, the control framework that supports the IRB system should be constructed to ensure that the IRB system's design and performance are effective and that it continues to operate as intended.

  305. The specific IRB-system controls, as outlined in this chapter as well as in Chapter 1 of this guidance, should be part of a broader control infrastructure that embodies more generic control principles such as dual controls, separation of duties, and appropriateness of incentives that enable prudential corporate oversight.

    S 7-2 Control processes should be independent and transparent to supervisors and auditors.

  306. The objective of independence is to ensure the integrity of the IRB system. When independence is not fully achieved, there should be compensating controls to confirm that actions and conclusions are not compromised.

  307. Independence can be achieved structurally with organizational separation, or functionally, through policy and/or incentive based separation. For example, reviews performed by individuals who are not structurally independent could be acceptable as functionally independent reviews if the structure does not inhibit an objective evaluation. In these cases, job responsibilities and reporting relationships should be assessed to determine if they present any inherent conflicts that could impede conducting an effective review. Banks should consider a variety of factors when designing a control structure to adequately address independence, including:

    Expertise and experience of individuals conducting control activities;

    Potential for conflicts of interest and influence that could compromise the effectiveness of controls;

    Incentives for individuals that perform critical reviews;

    Separation of duties (individuals should not review their own work); and

    Fully documenting all aspects of the control structure to ensure it can be understood and evaluated by supervisors and auditors.

    1. Reviews of the IRB System

    S 7-3 The annual assessment of the IRB system presented to the board of directors should be supported by the bank's comprehensive and independent reviews of the IRB system.

  308. As discussed in Chapter 1, the bank's board of directors must at least annually evaluate the effectiveness of, and approve, the bank's advanced systems for credit risk. To do so, the board should be provided with information that would enable it to conclude, with reasonable assurance, that management has appropriate processes and controls in place that support an effective IRB system. This information should include results from the bank's comprehensive and independent reviews of the IRB system.

  309. The bank's independent review process may be tailored to the bank's management and oversight framework. The objective of these reviews should be to evaluate compliance with the requirements in the NPR and this supervisory guidance and to measure the effectiveness of the IRB system's design and operation. The review should include all components of the IRB system:

    Risk rating and segmentation systems;

    Quantification process, particularly the selection of reference data sets and risk parameter estimation techniques;

    Ongoing validation process;

    Data management and maintenance system that supports the IRB system; and

    Control infrastructure supporting the IRB system.

  310. Responsibility for the review process could be distributed across multiple areas or housed within one unit, so long as the bank can demonstrate that the review process provides a comprehensive and objective assessment of the areas reviewed. Individuals performing the reviews should possess the requisite technical skills and expertise.

  311. Validation will encompass some of the IRB system review standards described above. However, to the extent that validation or other control functions do not address a component of the IRB system or if they do not meet the independence requirements, a separate independent review of business-line management, risk management, and internal audit should be conducted as applicable. The validation activities, which are the evaluation of conceptual soundness (including developmental evidence), ongoing monitoring (i.e., process verification and benchmarking), and outcomes analysis (backtesting), are described in more detail later in this chapter.

    S 7-4 Validation activities must be conducted independently of the advanced systems' development, implementation, and operation, or subjected to an independent assessment of their adequacy and effectiveness.

  312. The developmental evidence supporting risk rating and segmentation systems' design and quantification is generally compiled by the systems' designers. This evidence should be subject to an ongoing substantive independent assessment by qualified staff. This independent review should be conducted at the time of system development and then updated whenever significant changes in methodology, data, or implementation occur.

  313. Furthermore, when process verification, benchmarking, or outcomes analysis (backtesting) activities are not completed by individuals independent of the risk rating and segmentation systems' design or use, these activities must be the focus of an ongoing substantive independent assessment. Responsibility for the assessment of developmental evidence and ongoing validation may be drawn from a variety of organizational structures provided functional independence and sufficient expertise are demonstrated.

    1. Consistency Between IRB Systems and Risk Management Processes

    S 7-5 The systems and processes used by a bank for risk-based capital purposes must be consistent with the bank's internal risk management processes and management information reporting systems.

  314. The systems and processes a bank uses for risk-based capital purposes must be consistent with the bank's internal credit risk management processes and management information reporting systems such that data from the latter system and processes can be used to verify the reasonableness of the risk parameter inputs the bank uses for risk- based capital purposes.

  315. The wholesale risk ratings used for risk-based capital purposes should be consistent with those used to guide day-to-day wholesale credit risk management activities. Wholesale risk ratings for IRB purposes should be

    [[Page 9128]]

    incorporated into and be consistent with a bank's credit risk management, internal capital assessment and planning, and corporate governance processes. The different uses and applications of the risk rating systems' outputs should promote greater accuracy and consistency of ratings across an organization. Banks should demonstrate that ratings used for IRB purposes are consistent with the bank's internal credit risk management processes.

  316. The risk drivers used for IRB retail segmentation should be consistent with those used to guide day-to-day retail credit risk management activities. Risk drivers for IRB segmentation purposes should correspond to risk drivers used as part of the overall credit risk management of business lines. Banks should demonstrate that the risk drivers used for IRB segmentation purposes are consistent with those used in its day-to-day planning, execution, and monitoring of retail lending activities. However, the IRB segmentation criteria do not have to be identical to those used in credit risk management.

  317. Risk parameters used for credit risk management should be consistent with the IRB risk parameters. Banks will be afforded some flexibility in their use of estimated risk parameters, since the estimates prescribed for risk-based capital purposes may not be appropriate for other uses. For example, the PDs used to estimate loan loss allowances could reflect current economic conditions that are different from the long-term averages appropriate for risk-based capital calculations. While risk parameters used for internal risk management purposes could be different from those used for risk-based capital purposes, banks should be able to demonstrate that the IRB measures of credit risk are consistent with similar measures used in internal credit risk management.

    1. Internal Audit

    S 7-6 Internal audit must, at least annually, assess the effectiveness of the controls supporting the IRB system and report its findings to the board of directors (or a committee thereof).

  318. A bank must have an internal audit function that is independent of business line management and that assesses at least annually the effectiveness of the controls supporting the IRB system and reports its findings to the board of directors (or its designated committee). At least annually, internal audit should review the validation process including procedures, responsibilities, appropriateness of results, timeliness, and responsiveness to findings. Further, internal audit should evaluate the depth, scope, and quality of the independent review processes and conduct appropriate testing to ensure that the conclusions of these reviews are well founded.

    1. Validation Activities

  319. Validation is an ongoing process that includes the review and monitoring activities that verify the accuracy of the risk rating and segmentation systems and the quantification process. The components of validation include evaluation of conceptual soundness (including developmental evidence), ongoing monitoring, and outcomes analysis.

    1. General Validation Requirements

    S 7-7 A bank's validation policy should cover the key aspects of risk rating and segmentation systems and the quantification process.

  320. The validation policy should be approved by the bank's senior management, and should:

    Describe the validation process;

    Outline the documentation requirements;

    Assign responsibilities;

    Outline the process for corrective actions; and

    Be updated periodically to incorporate new developments in validation practices and to ensure that validation methods remain appropriate.

    S 7-8 Validation must assess the accuracy of the risk rating and segmentation systems and the quantification process.

  321. The accuracy of risk rating and segmentation systems and the quantification process is measured by determining whether the:

    Assignment of exposures to risk ratings or segments has been implemented as designed;

    Performance data show that the risk rating or segmentation systems adequately differentiate risk over time;

    Migration of wholesale risk ratings is consistent with the bank's rating philosophy;

    Retail segmentation system separates exposures into stable and homogeneous segments; and

    Actual default, loss severity, and exposure experience of each rating grade or segment is consistent with risk parameter estimates.

  322. Some differences between observed outcomes for individual ratings or specific retail segments and the estimated risk parameters are expected. Risk parameter estimates should reflect a degree of conservatism appropriate for the inherent uncertainty in the bank's quantification process. As such, observed outcomes should not consistently or significantly exceed risk parameter estimates. This applies to each of the following:

    Actual long-run average default rates for each rating grade or segment and the assigned PD estimates;

    Actual long-run average economic loss rates on defaulted exposures and the assigned ELGD estimates;

    The economic loss rates on defaulted exposures during actual economic downturn conditions and the assigned LGD estimates; and

    The exposure size of defaulted exposures during actual economic downturn conditions and the assigned EAD estimates.

    Bias that results in a reduction of risk-based capital requirements should receive immediate attention from management.

    S 7-9 Validation processes for risk rating and segmentation systems, and the quantification process must include the evaluation of conceptual soundness, ongoing monitoring, and outcomes analysis.

  323. Validation should be designed to give the greatest possible assurances of the accuracy of the risk rating and segmentation systems and the quantification process. Three activities must be carried out:

    Evaluating conceptual soundness using developmental evidence--determining whether the approach is sound;

    Ongoing monitoring--verifying the process and comparing results to other sources of data or estimates (benchmarking); and

    Outcomes analysis--comparing actual outcomes with estimates by backtesting and other methods.

    These integral, ongoing activities must evaluate both internally and externally developed risk rating and segmentation systems, models, and the quantification process.

  324. Validation processes, especially outcomes analysis, should recognize that realized outcomes for default, loss severity, and additional drawdowns can vary in a systematic fashion with the economic cycle. Thus, realized outcomes for a given risk parameter can vary around the estimate of long run average. A bank's validation policy should specify how realized outcomes are expected to vary with the economic cycle given the design of the IRB system. For example, given a bank's obligor rating system design, a bank might expect realized defaults to be systematically below the PD estimate during good states of the economic cycle and systematically above the PD

    [[Page 9129]]

    estimate during bad states of the economic cycle. This should be specified in the policy documentation. Realized outcomes for loss severity are not directly comparable with LGD estimates unless an economic downturn is experienced. Nonetheless, outcomes analysis for conditions less severe than an economic downturn can shed light on the validity of the LGD quantification process.

    1. Validation Activities

    Evaluating Conceptual Soundness using Developmental Evidence

  325. Developmental evidence is the primary mechanism used to evaluate the conceptual soundness of the IRB system. The developmental evidence for risk rating and segmentation systems, and the quantification process should include documentation and empirical evidence supporting the methods used and the variables selected in the design and quantification of the IRB system. Where models are used, the evidence should include documentation and a description of the logic that supports the model and an analysis of any statistical model- building techniques.

  326. Developmental evidence supporting the risk rating system should include the reasons the system was selected over other systems. Other developmental evidence should at a minimum describe the bank's obligor ratings approach and ratings philosophy, the mapping methodology, and the use and design of facility ratings or loss severity estimates.

  327. In supporting the segmentation system, developmental evidence should describe the statistical design of the segmentation system and the selection of risk drivers. Additionally, it should explain why the system was selected over other segmentation approaches.

  328. Developmental evidence supporting a bank's quantification process should address each aspect of the quantification process, whether the process explicitly delineates the four stages of quantification or implicitly incorporates the stages.

  329. Developmental evidence is more persuasive when it includes empirical evidence. Developmental evidence in support of any model used in the risk rating and segmentation systems or the quantification process should include documentation and a discussion of the logic that supports the model, an analysis of any model-building techniques, sensitivity analysis (analysis of outcome sensitivity with respect to model input changes and model breakdown points), and an assessment of forecast quality. Models should be supported by evidence that they work well across reference data sets. Use of a ``holdout'' sample is a good model-building practice to ensure that a model is robust. It is possible to perform several out-of-sample tests by varying the holdout samples.

  330. Empirical developmental evidence for a judgmental rating system will likely be derived differently than such evidence for a model- driven system. One approach to capture empirical developmental evidence for analysis might entail having qualified, independent raters rate credits from prior periods. Ideally, the raters would not be familiar with the circumstances of the disposition of the credits (e.g., default, downgrade, upgrade, paid as agreed, etc.) and would only use information available to the original rater(s) at the time the credits were underwritten and subsequently reviewed. These retrospective ratings could then be compared to the outcomes to determine whether the ratings adequately differentiate risk. Conducting such tests may be difficult if historical data sets do not include a sufficient amount of the information actually used when a rating was assigned. Careful consideration should be given to future data needs and anticipated uses for validation, even if some variables are not used in the current model.

    S 7-10 Banks must evaluate the developmental evidence supporting the risk rating and segmentation systems and the quantification process.

  331. Evaluating developmental evidence involves assessing how well the risk rating and segmentation systems and the quantification process are designed and constructed. The review of developmental evidence should determine whether:

    Risk rating systems can be expected to accurately assess obligor and facility risk;

    Segmentation systems can be expected to separate exposures into segments with homogenous risk characteristics and to allow for the accurate measurements of risk within segments over time; and

    The quantification process can be expected to accurately estimate PDs, ELGDs, LGDs, and EADs.

  332. Developmental evidence should be reviewed whenever the bank makes material changes in its risk rating and segmentation systems or quantification process.

  333. Evaluation of developmental evidence includes comparisons of a bank's implemented framework with alternatives considered in the development process and the reason the bank selected the chosen framework. For retail portfolios, data may be available on alternative risk drivers for segmentation, and developmental evidence should include the empirical analysis conducted to choose between risk drivers.

  334. The development of risk rating and segmentation systems and the quantification process requires developers to exercise informed judgment. Whether the developmental evidence is sufficient will itself be a matter of expert opinion. Even if a system is model-based, an evaluation of developmental evidence will entail judging the merits of the model-building technique. Expert judgment is essential to the evaluation of the risk rating and segmentation systems and the quantification process development. Experts should be able to draw conclusions about the likelihood of the satisfactory performance of an implemented system. Ongoing Monitoring: Process Verification and Benchmarking

  335. The second component of the validation process for risk rating and segmentation systems and the quantification process is ongoing monitoring. The objective of ongoing monitoring is to confirm that the processes were implemented appropriately and continue to perform as intended. Such analysis involves process verification and benchmarking.

    S 7-11 Banks must conduct ongoing process verification of the risk rating and segmentation systems and the quantification process to ensure proper implementation and operation.

  336. Process verification encompasses a range of activities that are used to assess whether all internal risk rating and segmentation processes, as well as all quantification processes, are being used, monitored, and updated as designed and intended. It includes determining that data essential to these processes have appropriate integrity, and that all elements of these processes continue to be appropriate to the nature of the bank's exposures. Process verification should also ensure that identified deficiencies are corrected.

  337. Verification activities will vary depending on the risk rating and segmentation systems and quantification approaches and their related guidelines. Verification that data are accurate and complete is important for all IRB systems and applies to both internal and external data, including the data provided by a third party.

  338. For models-based risk rating and segmentation, verification includes an evaluation of the automated assignment

    [[Page 9130]]

    processes, such as verification of the correct computer coding of the model and data inputs. For expert-judgment and constrained-judgment risk rating systems, verification includes an evaluation of whether the rater adhered to the rating policy and criteria, given the information available to the rater and the documented rationale for the rating decisions.

  339. Process verification of risk rating and segmentation systems includes monitoring and analysis of overrides. An override is a generic term that may have different meanings in different contexts. Two types of overrides are discussed below.

    ``Judgmental overrides'' occur when judgments are made to reject the decision of an objective process, such as a model or scorecard, which rates a wholesale obligor, assigns an exposure to loss-severity rating grade, or assigns an exposure to a retail segment; judgmental overrides are an explicit component of such a rating system's design. As a matter of policy in a constrained judgment rating system for wholesale lending, a rater is generally allowed to adjust or override the results of a statistical rating model. For retail lending, the assignment of an exposure to a segment could be overridden, but such overrides generally are rare.

    ``Policy overrides'' refer to exceptions to bank policy with regard to risk rating assignment or segmentation. In the case of pure models-based rating and segmentation systems, an override would be considered to override policy. In a constrained judgment model, a policy override would occur when a rating is assigned by judgmental decision that does not conform to the bank's rating criteria. Overrides outside of policy are expected to be rare.\13\

    \13\ Another common use of overrides in retail lending, not included in this context, relates to underwriting decisions. ``Low side'' overrides approve applications that would normally be rejected and ``high side'' overrides reject applications that would normally be approved.

  340. Frequent overrides may call into question aspects of the risk rating or segmentation system. Overrides and adjustments should be monitored and the performance of ratings that have been adjusted or overridden should be tracked for both the validation of rating and segmentation systems and the IRB system as a whole. Banks should have a policy addressing criteria for judgmental overrides and tolerance levels for policy overrides. The frequency of overrides will depend upon the portfolio, the risk rating and segmentation design, and a bank's practices.

    S 7-12 Banks must benchmark their risk rating and segmentation systems, and their risk parameter estimates.

  341. Benchmarking is using alternative methods or alternative data to draw inferences about the appropriateness of ratings, segments, risk parameter estimates or model outputs before outcomes are actually known. Benchmarking is a useful validation method that can be applied to all rating, segmentation, and quantification processes.

  342. Benchmarking allows a bank to compare the consistency of its risk parameter estimates with those of other estimation techniques and data sources. Benchmarking can be a valuable diagnostic tool for uncovering potential weaknesses in a bank's quantification process. While benchmarking allows for inferences about the accuracy of the risk rating and segmentation systems, and the risk parameter estimates, it does not substitute for backtesting. When differences are observed in the benchmarking exercise, this does not necessarily indicate that the risk rating and segmentation systems, or the risk parameter estimates, are in error. A benchmark is merely an alternative measure, and the difference may be due to different data or methods. Nevertheless, when differences are revealed, proper benchmarking requires the bank to investigate the source of the differences and whether the extent of the difference is appropriate. This investigative process may identify ways in which a bank can improve its risk rating and segmentation systems, and the quantification process.

  343. To benchmark risk ratings and segmentation, a bank must at a minimum establish a process in which a representative sample of its internal ratings, portfolio segmentation, and risk parameters are compared to results from another source for the same exposures. Examples of other sources include independent internal raters such as loan review, external corporate rating agencies, or retail credit bureau models, and alternative internally developed credit risk models (``challenger models'').

  344. Benchmarking of a risk rating, regardless of the rating approach, customarily asks whether another rater or rating method attaches a comparable rating to a particular obligor or exposure. Benchmarking of a segmentation system customarily asks whether other risk drivers or other segmentation methods provide similar risk separation and assessments of the portfolio risk distribution.

  345. Benchmarking of quantification generally involves comparing different choices made in the four stages of quantification. Such benchmarking compares:

    Reference data with data from other data sources;

    Estimates of risk parameters with estimates developed by alternative methods using the same reference data;

    Mappings with alternative mappings that would be expected to provide similar results; and

    Adjustments at the application stage with alternatives.

  346. Benchmarking activities can be accomplished in a number of ways and at different levels of aggregation. Some benchmarking activities are conducted more frequently than others; for example, a bank benchmarks a system to evaluate its performance more frequently than it benchmarks the system to determine whether to renovate it completely, an activity that must be considerably more thorough. Examples of benchmarking activities for risk rating and segmentation systems, and the quantification process are listed below: Risk Ratings or Segmentation Benchmarking

    On an ongoing basis, analyzing the characteristics of obligors or exposures that have been assigned the same wholesale risk rating or retail segment, and comparing the distribution of the portfolio by these ratings or segments between different time periods.

    Periodically re-rating a sample of wholesale credits previously rated under the bank's standard method; examples of benchmark ratings include alternate individual raters in a judgmental system, an alternative internally developed rating model, or third- party credit or debt ratings.

    Periodically comparing the separation power of the IRB retail segmentation to alternative segmentations used in credit risk management and comparing the risk parameter estimates derived from the IRB retail segmentation with an alternative segmentation. Quantification Benchmarking

    On an ongoing basis, comparing a bank's PD, ELGD, LGD, and EAD estimates with available alternative risk estimates, such as business line loss forecasts or allowance methodologies. Within retail portfolios, vintage analyses (tracking loss rates over the life of the loan, given the same origination time and borrower characteristics) can be compared between different origination periods.

    Periodically comparing a bank's PD, ELGD, LGD, and EAD estimates with

    [[Page 9131]]

    risk parameter estimates derived from alternative choices at some step(s) of the quantification process, such as different reference data sources, different estimation models, etc. Outcomes Analysis

    S 7-13 Banks must analyze outcomes and must develop statistical methods to backtest their risk rating and segmentation systems and the quantification process.

  347. The third component of the validation process is outcomes analysis, which is the comparison of risk parameter estimates and model results with actual outcomes. Although banks are expected to employ all the components of the validation process, the data to perform comprehensive outcomes analysis on the existing portfolio may not be available in the early stages of implementation and may be difficult when a bank's process for assessing risks changes significantly. Therefore, banks may at times need to rely more heavily on other validation activities such as developmental evidence, process verification, and benchmarking.\14\

    \14\ For wholesale risk rating systems, banks face the challenge of how to measure the system's performance when backtesting is not conclusive. Because of the rarity of defaults in most years and the bunching of defaults in a few years, the other parts of the validation process will assume greater importance. If risk rating and segmentation processes are developed in a learning environment in which banks attempt to change and improve them, backtesting may be delayed even further. In its early stages, the validation of risk rating and segmentation systems will depend on bank management's exercising informed judgment about the strength of the systems, not simply on empirical tests.

  348. Backtesting is the statistical comparison of estimates to realized outcomes. Banks must back-test their risk parameter estimates by regularly comparing actual portfolio or rating grade/segment-level default rates, loss severities, and exposure-at-default experience with the PD, ELGD, LGD, and EAD estimates on which risk-based capital calculations are based. Backtesting indicates the combined effectiveness of the assignment of exposures to wholesale obligor and loss severity ratings or to retail segments and the quantification of the risk parameters attached to those ratings or segments.

    S 7-14 Banks should establish ranges around the estimated values of risk parameter estimates and model results in which actual outcomes are expected to fall and have a validation policy that requires them to assess the reasons for differences and that outlines the timing and type of remedial actions taken when results fall outside expected ranges.

  349. Banks have considerable flexibility in developing statistical tests to back-test the performance of their risk rating and segmentation systems and the accuracy of their quantification process. Regardless of the backtesting method used, the bank should establish expected ranges for validation results. Backtesting often will not identify the specific reasons for discrepancies between expectations and outcomes. Rather, it will indicate only that further investigation is necessary.

  350. When establishing expected ranges, banks should consider relevant elements of a bank's risk rating or segmentation systems that may affect outcomes, for example whether the system is designed to measure risk parameter estimates at a point in time, through the cycle, or at stressed periods. Also, changes in economic or market conditions and portfolio composition between the historical data and data from the present period can lead to differences between outcomes and risk parameter estimates.

  351. In establishing expected ranges, a bank should consider which elements of its risk rating or segmentation system, and the quantification process, are most likely to affect outcomes of the risk parameter estimates. However, determining expected ranges can be difficult if a bank has changed its method of quantifying risk parameters and the estimates were calculated by a different method than the outcomes. If so, it may be appropriate to recalculate historical estimates in a manner consistent with the new method. If a bank adjusts final risk parameter estimates to be conservative, it may be appropriate to do its backtesting on the unadjusted estimates.

  352. Differences in realized default, loss severity, or exposure rates from expected ranges may point to issues in the reference data, estimation, mapping or application elements of quantification. They may also indicate potential problems in other parts of the risk rating or segmentation system. The bank's validation policy should describe (at least in broad terms) the types of responses that should be considered when actual outcomes fall outside the expected ranges. If the discrepancies demonstrate a systematic tendency to decrease risk-based capital requirements, the nature and source of the bias requires even more detailed scrutiny.

    1. Minimum Frequency of Validation

    S 7-15 Each of the three activities in the validation process should be conducted often enough to ensure the ongoing integrity, reliability, and accuracy of the IRB risk rating and segmentation systems, and the quantification process.

    S 7-16 Developmental evidence must be updated whenever significant changes in methodology, data, or implementation occur. Other validation activities must be ongoing and must not be limited to a point in time.

  353. Process verification, benchmarking, and backtesting activities should be conducted often enough to ensure ongoing integrity of the risk rating and segmentation systems, and the quantification process. For example, during high-default periods, banks should analyze realized default and loss severity rates more frequently, perhaps quarterly. They should document the results of validation, report them to appropriate levels of senior risk management, and take action as appropriate.

    Chapter 8: Stress Testing of Risk-Based Capital Requirements

    Rule Requirements

    Part III, Section 22(j)(6): The bank must periodically stress test its advanced systems. The stress testing must include a consideration of how economic cycles, especially downturns, affect risk-based capital requirements (including migration across rating grades and segments and the credit risk mitigation benefits of double default treatment).

  354. Under the IRB framework, changes in borrower credit quality will lead to changes in the risk-based capital requirements. Because credit quality typically improves or deteriorates in conjunction with economic conditions, risk-based capital requirements may also vary with the economic cycle. During an economic downturn, risk-based capital requirements typically increase as obligors or exposures migrate toward lower credit quality risk ratings or segments.

  355. Stress testing analysis is a means of understanding how economic cycles, especially downturns, as represented by stress scenarios, will affect risk-based capital requirements through migration across risk ratings or segments, effects on double default treatment, and through effects on other relevant aspects of a bank's advanced systems.\15\

    \15\ Stress testing is a general term that can be applied to different types of analysis, depending on the purpose of the exercise. Examples of stress testing that have a different purpose than contemplated here include a stress test of bank solvency and a stress test of an individual obligor.

    S 8-1 Banks must conduct and document stress testing of their advanced systems as part of managing risk-based capital.

    [[Page 9132]]

  356. Supervisors expect that banks will manage their risk-based capital position so that they remain at least adequately capitalized during all phases of the economic cycle. A bank that is able to accurately estimate risk-based capital levels during a downturn can be more confident of appropriately managing risk-based capital. Stress testing analysis consists of identifying a stress scenario and then translating that scenario into its effect on the levels of key performance measures, including risk-based capital ratios.

  357. Banks should use a range of scenarios and methods when stress testing to manage risk-based capital. Scenarios may be historical, hypothetical, or model-based. Key variables specified in a scenario could include, for example, interest rates, transition matrices (ratings and score-band segments), asset values, credit spreads, market liquidity, economic growth rates, inflation rates, exchange rates, or unemployment rates. A single scenario may apply to the entire portfolio, or a number of scenarios may apply to various sub- portfolios. The severity of the stress scenario should be consistent with the periodic economic downturns experienced in the bank's market areas. Such scenarios may be less severe than those used for other purposes, such as testing a bank's solvency.

  358. Given a scenario, a bank then estimates the effect of the scenario on risk-weighted assets and its future capital ratios relative to the risk-based capital minimums. Estimating capital ratios includes estimating levels of capital (the numerator of the ratio) as well as measures of risk-weighted assets (the denominator).

  359. For example, suppose the scenario for both a retail and a wholesale portfolio is a specific historical recession. For the retail portfolio, score-band transition matrices observed during the recession could be used to quantify migration between segments and thus supply the new distribution of segments expected for the current portfolio, given the scenario. For the wholesale portfolio, internal or rating agency ratings transition matrices observed during the recession could be used to quantify ratings migration, and thus supply the distribution of rating grades. The distribution of segments and rating grades would allow the calculation of risk-weighted assets that would be expected during the recession scenario. Transitions into default would allow banks to estimate the effects of credit losses on income and capital. As part of this analysis, the bank should ensure that the rating philosophy (as revealed by rating migration patterns) of the rating agency, or any other source of ratings, associated with the recession transition matrix is consistent with the bank's rating system, or appropriate adjustments should be made for differences in rating philosophy.

  360. The scope of this estimation exercise should be broad and include all material portfolios under the framework for advanced systems. The time horizon of the stress testing analysis should be consistent with the specifics of the scenario and should be long enough to measure the material effects of the scenario on key performance measures. For example, if a scenario such as a historical recession materially affected income and segment or ratings migration over two years, the appropriate time horizon is at least two years.

  361. The bank's management of risk-based capital should also take into account the effect of a bank's discretionary actions on risk-based capital levels. For example, a bank's plan to reduce dividends in the face of lowered income would, if implemented, affect retained earnings and the capital accounts. Such discretionary actions should be consistent with the bank's documented risk-based capital management policy. Because discretionary plans may or may not be implemented, a bank should estimate the relevant capital ratios both with and without these actions.

    Chapter 9: Counterparty Credit Risk Exposure

    Rule Requirements

    Part III, Section 22(d): Counterparty credit risk model. A bank must obtain the prior written approval of [AGENCY] under section 32 [of the NPR] to use the internal models methodology for counterparty credit risk.

    Part IV, Section 32: Counterparty Credit Risk

    1. Overview

  362. This chapter supplements the detailed discussion of counterparty credit risk in the NPR by describing some of the elements of counterparty credit risk mitigation, providing information that may aid banks in choosing among the alternative methods to calculate EAD for these transactions, and providing some descriptions and illustrative examples of acceptable modeling practices for estimation of EAD under the alternative methods.

    1. Transactions With Counterparty Credit Risk

  363. Transactions with counterparty credit risk are those where the credit risk exposure varies with a market variable such as an interest rate or security price. For certain transactions subject to counterparty credit risk where there is financial collateral, a bank may be allowed to recognize the risk mitigating effect of that collateral through an adjustment to EAD.

  364. As provided in the NPR, transactions with counterparty credit risk for which a bank may adjust EAD rather than LGD include:

    Repo-style transactions including repurchase and reverse repurchase agreements, and securities lending and securities borrowing transactions;

    Eligible margin loans; and

    Over-the-counter (``OTC'') derivatives transactions.

  365. Several methods are available to calculate EAD depending on the type of transaction, presence of eligible collateral, legal agreements surrounding a transaction, the operational capability of a bank, and the modeling capability of a bank:

    A collateral haircut approach that includes standard supervisory haircuts or the bank's own estimates of the haircuts-- applied to individual repo-style transactions, eligible margin loans, and single-product groups of such transactions subject to a qualifying master netting agreement (netting set). Additionally, the haircut approach is available to recognize financial collateral in the current exposure methodology for OTC derivatives;

    A simple VaR methodology--applied to single-product netting sets of repo-style transactions and eligible margin loans;

    A current exposure methodology for OTC derivatives; and

    An internal models methodology available for all three transaction types.

  366. Supervisor approval is required for all methods except the collateral haircut approach using standard supervisory haircuts and the current exposure methodology for OTC derivatives. To receive approval, a bank should demonstrate to its primary Federal supervisor:

    Internal operational processes used to determine the eligibility of transactions for the method chosen;

    Internal processes used to determine the regulatory and legal ability to net transactions in bankruptcy;

    Appropriate model validation and backtesting procedures;

    Appropriate internal controls for counterparty credit risk;

    Appropriate collateral management processes, which, at a minimum, determine whether collateral meets the definition of financial collateral; and

    [[Continued on page 9133]]

    From the Federal Register Online via GPO Access [wais.access.gpo.gov] ]

    [[pp. 9133-9182]] Proposed Supervisory Guidance for Internal Ratings-Based Systems for Credit Risk, Advanced Measurement Approaches for Operational Risk, and the Supervisory Review Process (Pillar 2) Related to Basel II Implementation

    [[Continued from page 9132]]

    [[Page 9133]]

    Adequacy of the modeling techniques used and how the models meet qualification requirements.

  367. If a transaction qualifies for one of the EAD adjustment approaches and the bank elects to use one of the EAD adjustment methods for the transaction, collateral may only be taken into account in the estimation of EAD and may not also affect the other parameters, such as LGD. For eligible transactions, the capital requirement is based on an estimate of the PD of the counterparty and LGD for an unsecured exposure to the counterparty. The EAD is adjusted to reflect a net exposure amount. Credit exposures that do not qualify for the EAD adjustment approach as discussed in this section must follow the IRB approach described elsewhere in this guidance. For those transactions, (i) the LGD for each individual transaction can be adjusted, based on the collateral for the transaction; and (ii) except for the current exposure methodology for OTC derivatives, netting cannot be considered in determining either EAD or PD.

    1. Definitions

  368. A repo-style transaction is a repurchase or reverse repurchase transaction, or a securities borrowing or securities lending transaction, including a transaction in which the bank acts as agent for a customer and indemnifies the customer against loss, provided that:

    The transaction is based solely on liquid and readily marketable securities or cash;

    The transaction is marked to market daily and subject to daily margin maintenance requirements;

    The transaction is executed under an agreement that provides the bank the right to accelerate, terminate, and close-out the transaction on a net basis and to liquidate or set off collateral promptly upon an event of default (including upon an event of bankruptcy, insolvency, or similar proceeding) of the counterparty, provided that, in any such case, any exercise of rights under the agreement will not be stayed or avoided under applicable law in the relevant jurisdictions; \16\ and

    \16\ Where all transactions under the agreement are (i) executed under U.S. law and (ii) constitute ``securities contracts'' or ``repurchase agreements '' under section 555 or 559, respectively, of the Bankruptcy Code (11 U.S.C. 555 or 559), qualified financial contracts under section 11(e)(8) of the Federal Deposit Insurance Act (12 U.S.C. 1821(e)(8)), or netting contracts between or among financial institutions under sections 401-407 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (12 U.S.C. 4401-4407) or the Federal Reserve Board's Regulation EE (12 CFR Part 231), this requirement is deemed to be met.

    The bank has conducted and documented sufficient legal review to conclude with a well-founded basis that the agreement mentioned above meets these requirements and is legal, valid, binding, and enforceable under applicable law in the relevant jurisdictions.

  369. An eligible margin loan is an extension of credit where:

    The credit extension is collateralized exclusively by debt or equity securities that are liquid and readily marketable;

    The collateral is marked to market daily and the transaction is subject to daily margin maintenance requirements;

    The extension of credit is conducted under an agreement that provides the bank the right to accelerate and terminate the extension of credit and to liquidate or set off collateral promptly upon an event of default (including upon an event of bankruptcy, insolvency, or similar proceeding) of the counterparty, provided that, in any such case, any exercise of rights under the agreement will not be stayed or avoided under applicable law in the relevant jurisdictions; and

    The bank has conducted and documented sufficient legal review to conclude with a well-founded basis that the agreement mentioned above meets these requirements and is legal, valid, binding, and enforceable under applicable law in the relevant jurisdictions.

  370. An OTC derivative contract is a derivative contract that is not traded on an exchange that requires the daily receipt and payment of cash-variation margin.

    A derivative contract means a financial contract whose value is derived from the values of one or more underlying assets, reference rates, or indices of asset values or reference rates. Derivative contracts include interest rate derivative contracts, exchange rate derivative contracts, equity derivative contracts, commodity derivative contracts, credit derivatives, and any other instrument that poses similar counterparty credit risk.

    Derivative contracts also include unsettled securities, commodities, and foreign exchange transactions with a contractual settlement or delivery lag that is longer than the lesser of the market standard for the particular instrument or 5 business days. This would include, for example, agency mortgage-backed securities transactions conducted in the To-Be-Announced market.

  371. Financial collateral is the following set of financial instruments in which the bank has a perfected, first priority security interest or the legal equivalent:

    Cash on deposit with the bank (including cash held for the bank by a third-party custodian or trustee);

    Gold bullion;

    Long-term debt securities that have an applicable external rating of one category below investment grade or higher (e.g., at least BB-);

    Short-term debt instruments that have an applicable external rating of at least investment grade (e.g., at least A-3);

    Equity securities that are publicly traded;

    Convertible bonds that are publicly traded; and

    Money market mutual fund shares and other mutual fund shares if a price for the shares is publicly quoted daily.

    1. Netting

    S 9-1 All transactions with a counterparty subject to a qualifying master netting agreement constitute a netting set and may be treated as a single exposure, otherwise each transaction shall have its risk-based capital requirement calculated on a standalone basis.

  372. Counterparty credit risk may be calculated at the level of a netting set. Consistent with the industry's general practice for computing exposures to counterparty credit risk, a bank can estimate the exposure amount or EAD, and calculate the associated capital requirement on the basis of one or more defined bilateral ``netting sets.'' A ``netting set'' is a group of transactions with a single counterparty that are subject to a legally enforceable bilateral netting agreement that meets the requirements to be a qualifying master netting agreement or qualifying cross product master netting agreement under the terms of the NPR. If a transaction with a counterparty is not subject to a qualifying master netting agreement, it comprises its own netting set and the EAD will need to be calculated for that transaction on its own. The total exposure amount or EAD for a given counterparty is the sum of the exposure amounts or EADs of the individual netting sets with that counterparty.

  373. Cross-product netting allows for banks using the internal models methodology to recognize bilateral netting arrangements across repo-style transactions, eligible margin loans, and OTC derivatives. To recognize cross-product netting for risk-based capital purposes:

    Transactions must be conducted under a qualifying master netting agreement;

    A bank must be able to effectively integrate the risk- mitigating effects of cross-product netting into its risk

    [[Page 9134]]

    management and other information technology systems; and

    The bank must obtain the prior written approval of its primary Federal supervisor.

  374. Netting other than on a bilateral basis, such as netting across transactions entered into by affiliates (known as cross-affiliate netting), is not recognized for the purposes of calculating risk-based capital requirements.

    1. Determination of Eligibility for EAD Adjustment

    S 9-2 Banks should have an appropriately documented process for determining whether transactions are eligible for an EAD adjustment approach if they choose to use an EAD adjustment approach.

  375. The process for determining if a transaction is eligible for an EAD adjustment approach should consider whether the transaction meets the definition of a repo-style transaction, eligible margin loan, or OTC derivative. In addition, it must consider the operational requirements for tracking the exposures of such transactions. To determine which EAD adjustment approach to apply, the bank should consider the treatment for similar transactions, the need for regulatory approval, operational and legal requirements, and the scope and complexity of the bank's business in each of the areas. In addition, banks should consider whether transactions otherwise eligible for the EAD adjustment approach are subject to the automatic stay under the U.S. Bankruptcy Code or similar provisions under other applicable bankruptcy law.

    1. Methods for Determining EAD

  376. There are three EAD-based methodologies--a collateral haircut approach, a simple VaR methodology, and an internal model methodology-- that a bank may use instead of an ELGD/LGD estimation methodology to recognize the benefits of financial collateral in mitigating the counterparty credit risk associated with repo-style transactions and eligible margin loans. For OTC derivative contracts, there are two EAD- based methodologies--the current exposure methodology and an internal models methodology. The current exposure methodology for calculating EAD for an OTC derivative contract or set of OTC derivative contracts subject to a qualifying master netting agreement is similar to the methodology in the general risk-based capital rules.\17\ If the OTC derivative is collateralized and the internal models methodology is used, the collateral is recognized within that approach. If the OTC derivative contract is collateralized and the current exposure methodology is used, the bank may use either the ELGD/LGD estimation methodology to recognize the benefits of financial collateral or the collateral haircut approach. Table 1 illustrates which EAD estimation methodologies may be applied to particular types of exposure.

    \17\ The general risk-based capital rules are in 12 CFR part 3, Appendix A (national banks), 12 CFR part 208, Appendix A (state member banks), 12 CFR part 225, Appendix A (bank holding companies), 12 CFR part 325, Appendix A (state non-member banks), and 12 CFR part 567 (savings associations).

    \18\ Only repo-style transactions and eligible margin loans subject to a single-product qualifying master netting agreement are eligible for the simple VaR methodology.

    \19\ In conjunction with the current exposure methodology.

    Table 1

    Models approach Current exposure Collateral haircut --------------------------------------- methodology

    approach

    Simple VaR \18\ Internal models methodology

    methodology

    OTC derivative.................. Yes............... No................ No................ Yes. Recognition of collateral for No................ Yes \19\.......... No................ Yes. OTC derivatives. Repo-style transaction.......... No................ Yes............... Yes............... Yes. Eligible margin loan............ No................ Yes............... Yes............... Yes. Cross-product netting set....... No................ No................ No................ Yes.

    S 9-3 Banks must use the same method for determining risk-based capital requirements for all similar transactions.

  377. Banks must use the same method for similar transactions, but may use different methods for different transaction types. A bank may use a separate methodology for agency securities lending transactions-- that is, repo-style transactions in which the bank, acting as agent for a customer, lends the customer's securities and indemnifies the customer against loss--and all other repo-style transactions.

    S 9-4 The method for calculating EAD for transactions subject to counterparty credit risk should be appropriate for the risk, extent, and complexity of the bank's activity.

  378. Banks that are engaged in prime brokerage, market making, and other sophisticated securities financing and repurchase activities should consider using the VaR model approach or the internal models approach. Banks that do not engage in such activities but are principally using repurchase agreements and other financial contracts for liquidity, cash management, and other risk management purposes may use a collateral haircut approach for eligible margin loans and repo- style transactions, and the current exposure methodology for OTC derivatives.

    1. Methodologies for Repo-Style Transactions and Eligible Margin Loans

  379. Under any of the available methodologies for repo-style transactions and eligible margin loans, a bank can recognize the risk mitigating effect of financial collateral that secures a repo-style transaction, eligible margin loan, or single-product netting set of such transactions subject to a qualifying master netting agreement through an adjustment to EAD rather than ELGD and LGD. The bank may use a collateral haircut approach or one of two models approaches: A simple VaR methodology (for single-product netting sets of repo-style transactions or eligible margin loans) or an internal models methodology (the internal models methodology is described under the methods for OTC derivatives, but may be applied to repo-style transactions and margin loans as well). Figure 1 illustrates the methodologies available for eligible margin loans and repo-style transactions.

    [[Page 9135]]

    [GRAPHIC] [TIFF OMITTED] TN28FE07.005

    Collateral Haircut Approach

  380. Under the collateral haircut approach, a bank would set EAD equal to the sum of three quantities:

    The value of the exposure less the value of the collateral;

    The sum across all securities of (i) the absolute value of the net position in a given security (where the net position in a given security equals the sum of the current market values of the particular security the bank has lent, sold subject to repurchase, or posted as collateral to the counterparty minus the sum of the current market values of that same security the bank has borrowed, purchased subject to resale, or taken as collateral from the counterparty); multiplied by (ii) the market price volatility haircut appropriate to that security; and

    The sum across all currencies different from the settlement currency of (i) the absolute value of the net position of both cash and securities in a given currency; multiplied by (ii) the haircut appropriate to that currency mismatch.

    To determine the appropriate haircuts, a bank could choose to use standard supervisory haircuts or its own estimates of haircuts.

  381. For purposes of the collateral haircut approach, a ``given security'' would include, for example, all securities with a single Committee on Uniform Securities Identification Procedures (``CUSIP'') number and would not include securities with different CUSIP numbers, even if issued by the same issuer with the same maturity date.

    Standard Supervisory Haircuts

  382. If a bank chooses to use standard supervisory haircuts, it would use an eight percent haircut for each currency mismatch and the haircut appropriate to each security in Table 2 below. The haircuts in the table assume a 10 business-day holding period (appropriate for eligible margin loans). These haircuts must be multiplied by the square root of \1/2\ to convert the standard supervisory haircuts from the 10 business-day holding period to the 5 business-day holding period appropriate for repo-style transactions. A bank would be required to adjust the supervisory haircuts upward to a holding period longer than 10 business days for eligible margin loans or 5 business days for repo- style transactions to take into account collateral illiquidity. To convert the haircut to a holding period longer than 10 business days, the haircut should be multiplied by the square root of the ratio of the actual holding period to the 10 business day minimum holding period. As an example, assume a bank that uses standard supervisory haircuts has extended an eligible margin loan of $100 that is collateralized by 5- year U.S. Treasury notes with a market value of $100. The value of the exposure less the value of the collateral would be zero, and the net position in the security ($100) times the supervisory haircut (.02) would be $2. There is no currency

    [[Page 9136]]

    mismatch. Therefore, the EAD of the exposure would be $0 + $2 = $2.

    \20\ The market price volatility haircuts in Table 2 are based on a 10-business-day holding period.

    \21\ Residual maturity refers to the residual contractual maturity of the debt security. For example, the remaining maturity to call dates or reset dates for floating rate notes should not be used for the residual maturity.

    \22\ The proposed rule defines a ``main index'' as the S&P 500 Index, the FTSE All-World Index, and any other index approved by the bank's primary Federal supervisor for purposes of the rule.

    Table 2.--Standard Supervisory Market Price Volatility Haircuts \20\

    Issuers exempt External rating grade category for debt

    Residual maturity for debt from the 3 b.p. Other issuers securities

    securities\21\

    floor

    Two highest investment grade rating

    1 year, 5 years.......................

    .04

    .08 Two lowest investment grade rating categories 1 year, 5 years.......................

    .06

    .12 One rating category below investment grade... All............................

    .15

    .25 Main index equities \22\ (including convertible bonds) and gold.......15 ..... Other publicly-traded equities (including convertible bonds)..........25 ..... Mutual funds.....................................Highest haircut applicable to any security in which the fund can invest Cash on deposit with the bank (including a certificate of deposit issue0 by the bank).

    Own Estimates of Haircuts

  383. With the prior written approval of the bank's primary Federal supervisor, a bank may calculate security type and currency mismatch haircuts using its own internal estimates of market price volatility and foreign exchange volatility. When a bank calculates its own estimates haircut on a TN-day holding period, which is different from the minimum holding period for the transaction type, the applicable haircut (HM) is calculated using the following square root of time formula:

    [GRAPHIC] [TIFF OMITTED] TN28FE07.006

    where

    (i) TM= 5 for repo-style transactions and 10 for eligible margin loans; (ii) TN= holding period used by the bank to derive HNand (iii) HN= haircut based on the holding period TN.

    Requirements for the Use of Internally Estimated Haircuts

  384. A bank must meet the following eligibility requirements to use internal estimates of collateral haircuts:

    The bank must use a 99th percentile one-tailed confidence interval, a minimum five-business-day holding period for repo-style transactions, and a minimum 10-business-day holding period for eligible margin loans;

    The bank must adjust holding periods upward where and as appropriate to take into account the illiquidity of an instrument;

    The bank must select a historical observation period for calculating haircuts of at least one year;

    The bank must update its data sets and re-compute haircuts no less frequently than quarterly and must reassess its data sets and haircuts whenever market prices change materially; and

    The bank generally must estimate individually the volatilities of each security and foreign exchange rate separately, and may not take into account the correlations between them. Simple VaR Methodology

  385. With the prior written approval of its primary Federal supervisor, a bank may estimate EAD for repo-style transactions and eligible margin loans subject to a qualifying master netting agreement using a VaR model. Under the simple VaR methodology, a bank's EAD for the transactions subject to such a netting agreement would be equal to the value of the exposures minus the value of the collateral plus a VaR-based estimate of the potential future exposure (``PFE'').

  386. The VaR model must estimate the PFE as the bank's empirically- based, best estimate of the 99th percentile, one-tailed confidence interval for an increase in the value of the net collateralized exposure ([Sigma]E-[Sigma]C) over a 5-business-day holding period for repo-style transactions or over a 10-business-day holding period for eligible margin loans using a minimum one-year historical observation period of price data on the instruments that the bank has lent, sold subject to repurchase, posted as collateral, borrowed, purchased subject to resale, or taken as collateral. In cases where the underlying collateral is less liquid, a longer time period may be appropriate.

    S 9-5 Banks that use the VaR model approach for single product netting sets of repo-style transactions or eligible margin loans must conduct rigorous and regular backtesting to validate its model.

  387. The qualifying requirements for the use of such a model are less stringent than the qualification requirements for the internal model methodology described below. In principle, the VaR model generally should meet the quantitative and qualitative criteria for recognition of internal market risk models set out in the Market Risk Amendment (``MRA''). The main ongoing qualification requirement for using the simple VaR model is that the bank must validate its VaR model by establishing and maintaining a rigorous and regular backtesting regime to ensure the validity of the model the bank uses. A backtesting regime that is conducted once every quarter to compare values of one, five, and/or ten day 99 percent VaRs with changes in market values of representative portfolios would be appropriate and generally would be a part of a regular program of backtesting.

    [[Page 9137]]

  388. In general, the repo-style backtest should include the backtesting of several representative portfolios that compares the one day 99 percent VaR figure with the change in market value for each portfolio tested. The representative portfolios could be based on actual counterparty portfolios, hypothetical portfolios, or a combination of real and hypothetical portfolios that are designed to test specific aspects of the model, or specific risk factors.

    1. EAD for OTC Derivative Contracts

  389. A bank may use either the current exposure methodology or the internal models methodology to determine the EAD for OTC derivative contracts. Figure 2 illustrates the possible methodologies for the calculation of EAD for OTC derivatives.

    [GRAPHIC] [TIFF OMITTED] TN28FE07.007

    Current Exposure Methodology

  390. The current exposure methodology for determining EAD for OTC derivative contracts is similar to the methodology set forth in the general risk-based capital rules, in that the EAD for an OTC derivative contract would be equal to the sum of the bank's current credit exposure and potential future exposure (``PFE'') on the derivative contract. The proposal's conversion factor (``CF'') matrix used to compute PFE is based on the matrices in the general risk-based capital rules, with two exceptions:

    The CF for credit derivatives that are not used to hedge the credit risk of exposures subject to an IRB risk-based capital requirement is specified to be 5.0 percent for contracts with investment grade reference obligors and 10.0 percent for contracts with non-investment grade obligors. The CFs for credit derivative contracts do not depend on the remaining maturity of the contract; and

    Floating/floating basis swaps are not exempt from the CF for interest rate derivative contracts.

  391. A bank may reflect the credit risk mitigating effects of financial collateral by adjusting the ELGD and LGD of the contract or exposure. Alternatively, if the transaction is subject to daily marking-to-market and re-margining, the bank may adjust the EAD of the contract using the collateral haircut approach for repo-style transactions and eligible margin loans. A bank applying the collateral haircut approach to OTC derivatives must use a 10-business-day minimum holding period.

    [[Page 9138]]

    1. Internal Models Methodology

  392. The internal models methodology for the calculation of EAD can be applied to repo-style transactions, eligible margin loans, and OTC derivatives. The internal models methodology requires a risk model that captures counterparty credit risk and estimates EAD at the level of a ``netting set,'' that is, transactions with a single counterparty that are subject to a qualifying master netting agreement. A transaction not subject to a qualifying master netting agreement is considered to be its own netting set and EAD must be calculated for each such transaction individually. A bank may use the internal model methodology for OTC derivatives (collateralized or uncollateralized) and single- product netting sets thereof, for eligible margin loans and single- product netting sets thereof, or for repo-style transactions and single-product netting sets thereof. A bank may choose to use the internal models methodology for one or two of these three types of exposures and not the other types. As described in paragraph 12 of this chapter, in cases where a bank has been approved by its primary Federal supervisor to incorporate the effects of cross-product netting agreements in their internal models methodology, the bank may use the internal models methodology for combinations of repo-style transactions, eligible margin loans, and OTC derivatives conducted under a qualifying cross-product netting agreement.

  393. Banks use several measures to manage their exposure to counterparty credit risk, including peak exposure (``PE''), expected exposure (``EE''), and expected positive exposure (``EPE''). PE is the maximum exposure estimated to occur on a future date at a high level of statistical confidence. Banks often use PE when measuring counterparty credit risk exposure against counterparty credit limits. EE is the probability-weighted average exposure to a counterparty estimated to exist at any specified future date, whereas EPE is the time-weighted average of individual expected exposures to a counterparty where the weights are the proportion of the time interval that an individual exposure represents.

  394. Effective EPE, described below, is to be used in the calculation of EAD under the internal models methodology. EAD is calculated as a multiple of effective EPE.

  395. EE and EPE may not capture additional risk arising from the replacement of existing short-term positions over the one year horizon used for risk-based capital requirements (that is, rollover risk) or may underestimate the exposures of eligible margin loans, repo-style transactions, and OTC derivatives with short maturities. For this reason, a netting set's ``effective EPE'' will be used as the basis for calculating EAD for counterparty credit risk. Effective EPE is the time-weighted average of effective EE over one year where the weights are the proportion that an individual effective EE represents in a one- year time interval. If all contracts in a netting set mature before one year, effective EPE is the average of effective EE until all contracts in the netting set mature. Effective EE is defined as:

    Effective EEtk= max (Effective EEtk-1, EEtk)

    where exposure is measured at future dates t1, t2, t3, * * * and effective EEt0equals current exposure. Under the internal models methodology, a measure that is more conservative than effective EPE for every counterparty (for example, a measure based on peak exposure) can be used in place of effective EPE with prior approval of the primary Federal supervisor.

  396. The internal model methodology scales effective EPE using a multiplier, termed ``alpha.'' Alpha is set at 1.4; a bank's primary Federal supervisor has the flexibility to raise this value in appropriate situations. With approval of the primary Federal supervisor, a bank may use its own estimate of alpha as described below, subject to a floor of 1.2.

  397. The maturity adjustment for transactions under the internal models methodology is described in the NPR. This maturity formula for M is based on the effective credit duration of the counterparty exposure. A bank that uses an internal model to calculate a one-sided credit valuation adjustment can use the effective credit duration estimated by such a model for maturity, M, if the bank can demonstrate to its primary Federal supervisor that the effective credit duration used by the bank gives the same value for M as the maturity formula for Counterparty Credit Risk (``CCR'') described in the NPR. A Description of the Modeling Process for Effective Expected Positive Exposure

  398. The basis of the calculation is to forecast, based on observed price movements, the range of possible values that a portfolio of transactions with a counterparty that constitute a netting set can take in the future and assign probabilities to those possible values. This is the statistical probability distribution of the market values for the portfolio. There are many possible methods for making this forecast ranging from Monte Carlo simulation to using an analytic formula.

  399. The process generally starts with a calculation of the current market value of the transactions with a counterparty that are in a netting set. Cases where the current market value of the netting set is positive represent an exposure to the counterparty (the counterparty owes the bank money). Cases where the current market value is negative do not represent exposures to the counterparty since the bank owes the counterparty money. To determine the current exposure, the market value of collateral posted by the counterparty is subtracted from the current market value of the netting set. If this difference is negative the current exposure is zero.

  400. The distribution of exposures on a future date can also include the exposure reducing effect of financial collateral. In cases where financial collateral is held, the distribution of market values of the positions and the collateral held against the netting set is calculated together and cases of negative combined market values of transactions and collateral are set to zero since they do not represent a credit exposure if the counterparty were to default (the counterparty has posted more collateral than it owes the bank, or the bank owes the counterparty).

  401. The bank will have to determine for which future dates to calculate probability distributions of the market value of transactions in the netting set. These should be chosen to accurately reflect the cashflows of transactions in a netting set.

  402. For these future dates (e.g., 1, 3, 5, and 10 days in the future and every month out to one year \23\) the bank will calculate the distribution of market values for the netting set.

    \23\ These example dates are given to clarify the meaning of future dates, they do not represent a requirement. As described in paragraph 47 of this chapter, as well as in the NPR, a large number of future dates may be computationally burdensome, and the number of future dates will depend explicitly on a trade off between the ability to calculate effective EPE in an expeditious manner and the accuracy of the computation.

  403. Expected exposure (``EE'') is defined as the expected value of the probability distribution of credit risk exposures to a counterparty at any specified future date before the maturity date of the longest term transaction in the netting set. Banks will need to convert from market values of transactions to credit risk exposures to make this calculation. When the transactions in a netting set have a

    [[Page 9139]]

    positive value, the counterparty owes money to the bank and there is a credit risk exposure equal to the positive market value of the transactions. When the transactions have a negative market value, the bank owes the counterparty money and there is no credit risk exposure. Generally, banks will start by calculating the probability distribution of the market value of the transactions in a netting set with a counterparty on a future date. To convert from a probability distribution of market values to a probability distribution of credit risk exposures, cases where the market value is negative should correspond to a credit risk exposure of zero, and cases where the market value is positive should correspond to a credit risk exposure equal to the market value of the transactions. This means that expected exposure includes in the probability weighted average a value of zero for all cases where the market value, including the effect of collateral, is negative.

  404. Effective expected exposure on a future date is the greater of expected exposure on that date or effective expected exposure on the previous future date. Effective expected exposure is calculated recursively, and the value for the first future date should be the greater of the expected exposure calculated on that date or the current exposure. This means that effective expected exposure is not allowed to decline as one moves to future dates that are further in the future, and that effective expected exposure will always be greater than or equal to current exposure.

  405. Effective expected positive exposure then takes the time- weighted average of effective expected exposures. For example, if effective expected exposure is calculated each month for the first six months as 5, 6, 6, 6, 7 and 7 in order, and each quarter for the second half of the year as 7 and 7, respectively, then those first six monthly values would each get a weight of 1/12 and the quarterly observations in the second half of the year would each get a weight of 1/4 in the average. Effective expected positive exposure using these values at these dates would be 6.583.

  406. If the longest maturity contract in the netting set was less than a year then the effective expected positive exposure only includes the effective expected exposures out to the longest maturity and the time-weighted average only goes out to the longest maturity. For example, if the longest maturity contract in the netting set is 5 months and the effective expected exposures are calculated for each month for those five months as (3, 3, 4, 4, 6), each monthly calculation would get a weight of 1/5 and the effective expected positive exposure would be 4. The zero exposure values for months six through twelve would not be included in the average nor would the average be computed over a full year. Requirements for the Internal Models Methodology

    S 9-6 Banks must meet certain qualifying criteria that consist of operational requirements, modeling standards, and model validation requirements before receiving their primary Federal supervisor's approval to use the internal models method.

  407. Banks must have the systems capability to estimate EE on a daily basis. While this does not require the bank to report EE daily, or even to estimate EE daily, the bank must be able to demonstrate that it is capable of performing the estimation daily.

  408. Banks must estimate EE at enough future time points to accurately reflect all future cash flows of contracts in the netting set. In order to accurately reflect the exposure arising from a transaction, the model should incorporate those contractual provisions, such as reset dates, that can materially affect the timing, probability, or amount of any payment. The requirement reflects the need for an accurate estimate of effective EPE. However, in order to balance the ability to calculate exposures with the need for information on a timely basis, the number of time points is not specified. Supervisors will assess the tradeoff between the computation requirements of more future time points against the need for the ability to perform timely assessments of counterparty credit risk in determining the number of time points that banks should use in establishing a counterparty's EE profile. EE should be calculated for enough future dates to accurately reflect the timing of cash flows. This accuracy should be subject to the bank's internal review process.

  409. Banks must have been using an internal model that broadly meets the minimum standards to calculate the distributions of exposures upon which the EAD calculation is based for a period of at least one year prior to approval. This requirement is to ensure that the bank has integrated the modeling into its counterparty credit risk management process.

  410. Bank models must account for the non-normality of exposure distribution where appropriate. Non-normality of exposures means that high loss events occur more frequently than would be expected on the basis of a normal distribution, the statistical term for which is leptokurtosis. In many instances, there may not be a need to account for this. The characteristics of leptokurtosis will have a greater proportional effect on the measures of peak exposure (or some high threshold percentile measure) than on the measure of expected exposure used here. However, the bank should adjust its EAD measure appropriately when the underlying distribution of the market risk factors displays a significant degree of leptokurtosis.

  411. Banks must measure, monitor, and control both current exposure to counterparties and counterparty credit risk over the whole life of the contracts in a netting set with a counterparty. The bank should exercise active management of both existing exposure and exposure that could change in the future due to market moves.

  412. Banks must measure and manage current exposures gross and net of collateral held, where appropriate. The bank must estimate expected exposure for OTC derivatives contracts both with and without the effects of collateral agreements.

  413. Banks must have procedures to identify, monitor, and control specific wrong way risk throughout the life of an exposure. Wrong way risk in this context is the risk that future exposure to a counterparty will be high when the counterparty's probability of default is also high.

  414. The data used by banks should be adequate for the measurement and modeling of the exposures. In particular, current exposures must be calculated on the basis of current and accurate market data. When historical data are used to estimate model parameters, at least three years of data that cover a wide range of economic conditions must be used. This requirement reflects the longer horizon for counterparty credit risk exposures compared to market risk exposures. The data should be updated at least quarterly or more frequently when conditions warrant. Banks are also encouraged to incorporate model parameters based on forward-looking measures.

    S 9-7 Banks that use the internal models methodology for counterparty credit risk transactions must establish initial model validation and ongoing model review procedures. The model review should consider whether the inputs and risk factors as well as the model outputs are appropriate. The review of outputs should include a backtesting regime that compares the model's output with realized exposures.

    [[Page 9140]]

  415. Because counterparty exposures are driven by movements in market variables, the validation of an EPE model is similar to the validation of a VaR model that is used to measure market risk. A validation of either type of model compares forecasted changes in value to realized changes. However, the EPE simulation model forms an average of credit exposures over a 1-year time horizon, whereas a market risk VaR typically forms an estimate of value changes. These differences make backtesting internal models used to measure counterparty credit risk more difficult to conduct and reliably interpret than backtesting VaR models used to measure market risk.

  416. The pricing models used to calculate counterparty credit risk exposure for a given scenario of future shocks to market risk factors should be tested as part of the model validation process. These pricing models may be different from those used to calculate VaR over a short horizon. Pricing models should account for the nonlinearity of option value with respect to market risk factors where appropriate.

  417. Historical backtesting on representative counterparty portfolios should be part of the model validation process. The representative portfolio should be held fixed over the backtesting interval. A bank should conduct such backtesting on a number of representative counterparty portfolios (actual or hypothetical) looking back an appropriate time period. These representative portfolios should be chosen based on their sensitivity to the material risk factors and correlations to which the firm is exposed. It would appropriate to conduct such backtests once each quarter.

  418. Starting at a particular historical date, the backtest would use the internal model to forecast each portfolio's probability distribution of exposure at various time horizons. Using historical data on movements in market risk factors, the backtest then computes the actual exposures that would have occurred on each portfolio at each time horizon assuming no change in the portfolio's composition. These realized exposures would then be compared with the model's forecast distribution at various time horizons. The above should be repeated for several historical dates covering a wide range of market conditions (e.g., rising rates, falling rates, quiet markets, volatile markets). Significant differences between the realized exposures and the model's forecast distribution could indicate a problem with the model or the underlying data.

    Modeling Requirements for the Internal Models Method

    Time Horizon

  419. The time horizon over which the time-weighted average of effective expected exposures is taken for the calculation of effective expected positive exposure is one year or the longest maturity of any transaction in a netting set, whichever is shorter. Examples are provided in paragraphs 44 and 45. Banks which receive approval to incorporate the effect of collateral agreements using the shortcut method described below may also use a shorter time horizon than one year. Recognition of Collateral

  420. With the prior written approval of its primary Federal supervisor, a bank may fully incorporate into its internal model the effect of a collateral agreement that requires receipt of collateral when exposure to the counterparty increases. Banks may not capture the effects of agreements that require receipt of collateral when counterparty credit quality deteriorates. A bank may use a shortcut method where the effective EPE is equal to the lesser of:

    The threshold, defined as the exposure amount at which the counterparty is required to post collateral under the collateral agreement, if the threshold is positive, plus an add-on that reflects the potential increase in exposure over the margin period of risk. The add-on is computed as the expected increase in the netting set's exposure beginning from current exposure of zero over the margin period of risk. The margin period of risk is defined in the NPR. The minimum margin period of risk is 5 business days for repo-style transactions and 10 business days for other transactions when liquid collateral is posted under a daily margin maintenance requirement. This period should be extended to cover any additional time between margin calls, any potential close out difficulties, and the time to sell out collateral, particularly if it is illiquid; or

    Effective EPE without a collateral agreement.

    Risk Management and Modeling

  421. The modeling approval requirements reflect the need for accurate and timely estimates of EAD, secure contractual rights for collateral and netting, sound management of counterparty credit risk using appropriate risk measures, consideration of risks that are outside of models when managing risk, and an operational system that facilitates the management of counterparty credit risk using the appropriate models and tools.

  422. The use of effective EPE for determining risk-based capital requirements does not necessitate the use of effective EPE for setting counterparty exposure limits. Peak exposure may be, and often is, a more appropriate measure to limit counterparty exposures. However, the probability distributions of future exposures that are used for the effective EPE calculation should be the same as those used for risk management and limit setting. This underlying distribution of future exposures should be used for one year at the bank prior to the bank being approved to use internal models for its risk-based capital calculation, but not necessarily to calculate EPE or Effective EPE.

  423. Banks should estimate the probability distribution of future exposures out to the longest remaining maturity of any contract with a counterparty, even though Effective EPE for risk-based capital purposes is calculated over one year. The exposures beyond one year must be monitored and controlled by the bank.

  424. The bank should exercise active management of both existing exposure and exposure that could change in the future due to market moves. The bank should measure, monitor, and control the exposure to a counterparty over the whole life of all contracts in the netting set, in addition to accurately measuring and actively monitoring the current exposure to counterparties. Alternative Models for Counterparty Credit Risk

  425. Banks that opt to use the internal models method can choose to model EAD for some transactions using a model different than an alpha (of 1.4 or higher) times effective EPE. The bank must receive approval of its primary Federal supervisor in such cases, and must demonstrate to its supervisor that the alternative model is more conservative than effective EPE multiplied by an alpha of 1.4 for each counterparty. This demonstration is necessary to receive initial approval, and should be demonstrated to the primary Federal supervisor whenever circumstances change. For example, banks may already have a peak exposure model for some transactions that is more conservative than effective EPE multiplied by 1.4. Rather than develop an Effective EPE model, the bank may choose to continue to use the peak exposure model for these transactions for a period of time, while adopting an effective EPE model for other transactions. The bank would have to

    [[Page 9141]]

    demonstrate that it meets the qualification requirements to use an internal model for the peak exposure model and that the model results in a conservative EAD.

  426. Cases where a bank might opt to use a more conservative model than alpha times effective EPE include transactions for which the bank has legacy models, new business lines, and structured transactions that are not expected to comprise an ongoing business and the conservative model is less computationally intensive.

  427. Alternative models for counterparty credit risk should be applied to all similar transactions. Own Estimates of Alpha

  428. The value of alpha for a bank using internal models of EPE is 1.4 unless (i) the primary Federal supervisor raises the value of alpha in appropriate circumstances based on the bank's specific characteristics of counterparty credit risk or (ii) the bank meets the requirements outlined in the NPR and has supervisory approval to use its own estimate of alpha. A bank with sufficiently sophisticated models that can perform the necessary credit and market risk simulations and that has supervisory approval to do its own estimate of alpha may use the greater of that estimated alpha or 1.2.

  429. For banks that receive supervisory approval to model alpha,

    [GRAPHIC] [TIFF OMITTED] TN28FE07.008

    Where:

    ULCCR= the bank's own internal estimate of the 99.9 percentile unexpected losses from CCR over a one-year time horizon, and ULBII= the measure of unexpected losses from CCR using the Basel II risk-based capital requirement, but with the EAD component of that requirement calculated using an alpha set equal to 1.0.

  430. The estimate of alpha is calculated as the ratio of the bank's internal measure of unexpected losses due to counterparty credit risk at a one-year 99.9 percent confidence level (numerator) to the estimate of losses using the internal model method in the NPR, but with alpha set equal to one (denominator). This ratio must be run at least quarterly, and evidence of the stability of this estimate over a quarter should be presented to the bank's primary Federal supervisor.

  431. The numerator is determined considering the PD, EAD, and LGD together to determine unexpected losses. A simulation, or other model, which considers the variation of PD and EAD together should be used to determine the distribution of counterparty credit losses. The estimate of unexpected losses at a one-year 99.9 percent confidence level should capture the correlation of a counterparty's PD with exposure, the effect of concentrated exposures, the proportion of a counterparty exposure that is accounted for by a market risk factor, and the correlation of exposures across counterparties.

  432. The bank should provide a description of the sources of model risk for the calculation of the numerator. The primary Federal supervisor will review the models to determine if the internally estimated alpha is acceptable, if any adjustment to the internally estimated alpha is necessary, or if the models used to estimate alpha need to be adjusted.

  433. If a bank uses a conservative internal model to determine EAD for some transactions, the primary Federal supervisor may require the bank to remove these transactions from both the numerator and denominator for the purposes of estimating alpha. Counterparty Credit Risk Mitigation Using Credit Derivatives

  434. Under the internal models method, the reference instrument underlying a credit derivative that pays the bank on the default of a counterparty may be entered as a short exposure into a netting set of the counterparty that credit protection is purchased on. The reference instrument underlying the credit derivative should also be entered as a long exposure into the netting set of the seller of the credit protection. The purchase of a credit derivative on a counterparty exposure transfers the risk of the instrument referenced in the credit derivative contract from the counterparty to the seller of the credit derivative.

  435. Banks may apply the PD substitution approach, the LGD adjustment approach, or (if applicable) the double default treatment to a CCR exposure hedged by an eligible guarantee or eligible credit derivative.

    1. Defaulted Counterparties

  436. Operational or settlement errors do not necessarily trigger a default event for PD assignment purposes. However, if a credit-related charge-off occurs as the result of a counterparty's failure to perform on a financial contract, this would constitute a default event for risk-based capital purposes and the PDs for all exposures to that obligor should be adjusted to the value of one.

    Chapter 10: Risk-Weighted Assets for Equity Exposures

    Rule Requirements

    Part III, section 22(g): Equity exposures model. A bank must obtain the prior written approval of [AGENCY] under section 53 [of the NPR] to use the internal models approach for equity exposures.

    Part VI: Risk-Weighted Assets for Equity Exposures

    1. Overview

  437. This chapter supplements the detailed discussion of equity exposures in the NPR. It describes supervisory guidance for determining risk-based capital requirements for equity exposures held in the banking book for banks subject to the Market Risk Rule and for all equity exposures for banks not subject to the Market Risk Rule.

    1. Definition of Banking Book Equities

  438. Equity exposure means:

    A security or instrument (whether voting or non-voting) that represents a direct or indirect ownership interest in, and a residual claim on, the assets and income of a company, unless:

    --The issuing company is consolidated with the bank under Generally Accepted Accounting Principles (``GAAP'');

    --The bank is required to deduct the ownership interest from Tier 1 or Tier 2 capital under the NPR;

    --The ownership interest is redeemable;

    --The ownership interest incorporates a payment or other similar obligation on the part of the issuing company (such as an obligation to pay periodic interest); or

    --The ownership interest is a securitization exposure.

    A security or instrument that is mandatorily convertible into a security or instrument described in the first bullet of this definition;

    An option or warrant that is exercisable for a security or instrument described in the first bullet of this definition; or

    Any other security or instrument (other than a securitization exposure) to the extent the return on the security or instrument is based on the performance of a security or instrument described in the first bullet of this definition.

    1. Applying the Framework

  439. Under the proposed framework for equity exposures in the NPR, a bank would have the option to use either a simple risk-weight approach (``SRWA'') or an internal models approach (``IMA'') for equity exposures that are not

    [[Page 9142]]

    exposures to an investment fund. A bank would use a look-through approach for equity exposures to an investment fund. Under the SRWA, a bank would generally assign a 300 percent risk weight to publicly- traded equity exposures and a 400 percent risk weight to non-publicly- traded equity exposures. Certain equity exposures to sovereigns, multilateral institutions, and public sector enterprises would have a risk weight of 0 percent, 20 percent, or 100 percent. Also, community development equity exposures, as well as hedged equity exposures that meet specified conditions are risk weighted at 100 percent. Non- significant equity exposures (i.e., exposures that aggregate to an amount that is less than or equal to 10 percent of the bank's Tier 1 plus Tier 2 capital) are also risk weighted at 100 percent.

  440. The ``adjusted carrying value'' of an equity exposure is:

    For the on-balance sheet component of an equity exposure, the bank's carrying value of the exposure reduced by any unrealized gains on the exposure that are reflected in such carrying value but excluded from the bank's Tier 1 and Tier 2 capital; and

    For the off-balance sheet component of an equity exposure, the effective notional principal amount of the exposure, the size of which is equivalent to a hypothetical on-balance sheet position in the underlying equity instrument that would evidence the same change in fair value (measured in dollars) for a given small change in the price of the underlying equity instrument, minus the adjusted carrying value of the on-balance sheet component of the exposure as calculated in the previous bullet.

  441. Publicly-traded equity exposures can be hedged to reduce their risk-based capital requirement. However, private equities cannot be hedged to reduce their risk-based capital requirement.

    S 10-1 Banks must apply the same methodology to like instruments.

  442. A bank may apply (i) the SRWA to private equity exposures and the IMA to public equities, or (ii) the IMA to all equity exposures, or (iii) the SRWA to all equity exposures. As described further in the NPR, the IMA provides for the application of SRWA risk weights for those equity exposures that would qualify for a risk weight between zero and 100 percent.

  443. Equity exposures in investment funds must use one of three look- through approaches (where the fund holdings are treated as if proportionally held directly by the bank) to determine risk-based capital requirements under this framework. The three approaches are:

    The full look-through approach;

    The simple modified look-through approach; or

    The alternative modified look-through approach.

  444. There is a risk-weighted asset floor of 7 percent of the adjusted carrying value of a bank's exposure to an investment fund. A zero percent risk weight can still be applied to a particular exposure class within an investment fund; the 7 percent floor applies to an investment fund, not its constituents.

  445. A bank may use the full look-through approach only if the bank is able to compute a risk-weighted asset amount for each of the exposures held by the investment fund (calculated under the proposed rule as if the exposures were held directly by the bank). Under this approach, a bank would set the risk-weighted asset amount of the bank's equity exposure to the investment fund equal to the greater of:

    (i) The product of

    (A) the aggregate risk-weighted asset amounts of the exposures held by the fund as if they were held directly by the bank and

    (B) the bank's proportional ownership share of the fund; and

    (ii) 7 percent of the adjusted carrying value of the bank's equity exposure to the investment fund.

  446. Under the simple modified look-through approach, a bank may set the risk-weighted asset amount for its equity exposure to an investment fund equal to the adjusted carrying value of the equity exposure multiplied by the highest risk weight in Table L of the NPR that applies to any exposure the fund is permitted to hold under its prospectus, partnership agreement, or similar contract that defines the fund's permissible investments. The bank may exclude derivative contracts that are used for hedging, not speculative purposes, and do not constitute a material portion of the fund's exposures. A bank may not assign an equity exposure to an investment fund to an aggregate risk weight of less than 7 percent under this approach.

  447. Under the alternative modified look-through approach, a bank may assign the adjusted carrying value of an equity exposure to an investment fund on a pro rata basis to different risk-weight categories in Table L of the NPR according to the investment limits in the fund's prospectus, partnership agreement, or similar contract that defines the fund's permissible investments. If the sum of the investment limits for all exposure classes within the fund exceeds 100 percent, the bank must assume that the fund invests to the maximum extent permitted under its investment limits in the exposure class with the highest risk weight under Table L, and continues to make investments in the order of the exposure class with the next highest risk-weight under Table L until the maximum total investment level is reached. If more than one exposure class applies to an exposure, the bank must use the highest applicable risk weight. A bank may exclude derivative contracts held by the fund that are used for hedging, not speculative, purposes and do not constitute a material portion of the fund's exposures. The overall risk weight assigned to an equity exposure to an investment fund under this approach may not be less than 7 percent.

    1. Using Internal Models for Equity Exposures

    S 10-2 If a bank chooses to use an internal model, it must produce reliable estimates of the potential loss in the bank's portfolio from equity holdings under stress market conditions.

  448. To qualify to use the IMA to calculate risk-based capital requirements for equity exposures, a bank must receive prior written approval from its primary Federal supervisor. To receive such approval, the bank must demonstrate to its primary Federal supervisor's satisfaction that the bank meets the following criteria:

    The bank must have a model that:

    --Assesses the potential decline in value of its modeled equity exposures;

    --Is commensurate with the size, complexity, and composition of the bank's modeled equity exposures; and

    --Adequately captures both general market risk and idiosyncratic risk.

    The bank's model must produce an estimate of potential losses for its modeled equity exposures that is no less than the estimate of potential losses produced by a VaR methodology employing a 99.0 percent, one-tailed confidence interval of the distribution of quarterly returns for a benchmark portfolio of equity exposures comparable to the bank's modeled equity exposures using a long-term sample period.

    The number of risk factors and exposures in the sample and the data period used for quantification in the bank's model and benchmarking exercise must be sufficient to provide confidence in the accuracy and robustness of the bank's estimates.

    The bank's model and benchmarking process must incorporate

    [[Page 9143]]

    data that are relevant in representing the risk profile of the bank's modeled equity exposures, and must include data from at least one equity market cycle containing adverse market movements relevant to the risk profile of the bank's modeled equity exposures. If the bank's model uses a scenario methodology, the bank must demonstrate that the model produces a conservative estimate of potential losses on the bank's modeled equity exposures over a relevant long-term market cycle. If the bank employs risk factor models, the bank must demonstrate through empirical analysis the appropriateness of the risk factors used.

    Daily market prices must be available for all modeled equity exposures, either direct holdings or proxies.

    The bank must be able to demonstrate, using theoretical arguments and empirical evidence, that any proxies used in the modeling process are comparable to the bank's modeled equity exposures and that the bank has made appropriate adjustments for differences. The bank must derive any proxies for its modeled equity exposures and benchmark portfolio using historical market data that are relevant to the bank's modeled equity exposures and benchmark portfolio (or, where not, must use appropriately adjusted data), and such proxies must be robust estimates of the risk of the bank's modeled equity exposures.

  449. No one particular type of model is preferred or required. Appropriate internal models may include either traditional VaR models (e.g., historical simulation, variance/covariance, or Monte Carlo simulation) or scenario analysis ``stress tests.'' These models are subject to the validation framework outlined in Chapter 7 of this guidance.

  450. The use of either single or multi-factor models is permitted, provided that the factors are sufficient to capture all material risks of a bank's equity holdings. Risk factors should correspond to the appropriate equity market characteristics (e.g., public, private, large cap, small cap, industry sectors) in which the bank holds significant positions.

    1. Quantification of Equity Exposures

    1. Reference Data

  451. The data used to represent return distributions or depict stress scenarios should reflect as long a sample period for which data are available and meaningful in representing the risk profile of equity holdings. In the case of VaR models, the data used should be sufficient to provide statistically reliable and robust loss estimates and should include at least one equity market cycle containing adverse market movements relevant to the risk profile of the bank's specific holdings. In the case where the internal model uses a scenario or stress test methodology, the bank should demonstrate that the shock employed provides a conservative estimate of potential losses over a relevant long-term market or business cycle.

  452. In constructing VaR models estimating potential quarterly losses, banks should use quarterly data to the extent practicable. Where estimates based on shorter time periods are converted to a quarterly equivalent, the conversion should be made through the use of an analytically appropriate method supported by empirical evidence, and should be applied through a well-developed and well-documented thought process and analysis. In general, time horizon conversions should be applied conservatively and consistently over time. Furthermore, where only limited data are available or where technical limitations are such that estimates from any single method will be of uncertain quality, banks should add appropriate margins of conservatism.

    1. External Data

  453. It is recognized that there are significant challenges associated with deriving market-based measures of risk for both privately-held and publicly-traded equities where objectively- determined market prices may not be readily available. Accordingly, banks with significant equity holdings with these characteristics may need to use external data in modeling the risks associated with these holdings.

  454. Banks should be able to demonstrate that the external data adequately capture the risks of the underlying equity portfolio. Documentation should identify the relevant factors (e.g., business lines, balance sheet characteristics, geographic location, company age, industry sector and subsector, operating characteristics) used in mapping the external data to the bank's individual equity exposures.

    1. Estimation

  455. Banks will have discretion to recognize and estimate empirical correlations, provided that the bank's system for measuring correlations is sound and empirically supported. When calculating correlations, consideration should be given to data consistency, relevant time period, and the volatility of correlations under stressed market conditions. The appropriateness of correlation assumptions and estimation techniques should be discussed in model documentation.

  456. Survivorship bias is a particularly important issue in cases where banks choose to use databases of actual returns of equity exposures. Internal data on private equity exposure returns may reflect only those private equity exposures that have experienced positive returns and were exited successfully (i.e., where a true market price has been revealed). In short, the returns on investments that have achieved success measure only the winners--as opposed to the entire population of relevant private equities (including those that failed). This imparts an upward bias on the ex-ante returns expected by banks. Accordingly, banks that choose to use actual return statistics for individual private equity exposures or private equity funds, whether provided by external vendors or internally generated databases, should fully understand how these statistics are computed and, where necessary, should make adjustments to account for any selection biases that may be present.

    1. Validation of Internal Models for Equity Exposures

    S 10-3 Banks must validate internal models used for equity exposures.

  457. The developmental evidence provided for a VaR model should include a discussion of the results from a rigorous and comprehensive stress testing of the model and estimation procedure. This stress test should be applied to volatility computations and make use of either hypothetical or historical scenarios that reflect worst-case losses given underlying positions. Stress tests should provide information about the effect of tail events beyond the level of confidence assumed in the internal models approach.

  458. For purposes of evaluating the capital requirements produced by a bank's internal model methodology, banks should demonstrate that non- VaR based internal models for equity exposures (e.g., a stress scenario analysis) provide risk estimates and capital requirements that are at least as conservative as those produced by a 99 percent VaR over one quarter for a benchmark portfolio. The benchmark portfolio should have sufficient data to calculate a one quarter 99 percent VaR. To demonstrate this, the bank should run their internal model on the benchmark portfolio and show that the internal model produces a capital amount for the benchmark portfolio that is at least as great as the one quarter 99 percent VaR for the benchmark portfolio. Banks that choose a scenario

    [[Page 9144]]

    analysis ``stress-test''-type model or some other form of non-VaR-based model do not have to run a VaR model in parallel, but banks should be able to compare their internal model to the VaR for the benchmark portfolio.

  459. For VaR models, model validation through backtesting must be conducted on a regular basis. Banks using such models should construct and maintain appropriate databases on the actual quarterly performance of their equity exposures, as well as on the estimates derived using their internal models. Banks should also backtest the volatility estimates used within their internal models and the appropriateness of any external data used in the model. Banks will have data available on different equity exposures at different frequencies. For example, price data for public equities may be available daily, and price data for private equities may be available on a monthly or quarterly basis. Banks can divide their equity portfolio into several smaller portfolios based on data availability and conduct backtesting on the smaller portfolios. When sufficient data are available, banks should employ statistical-based measures of the accuracy of their VaR models.

    1. Consistency Between Internal Models Used for Equity Exposures and Risk Management Processes

    S 10-4 Internal models used to calculate risk-based capital requirements for equity exposures must be consistent with models used in the bank's risk management processes and management information reporting systems.

  460. The internal model should be fully integrated into the bank's risk management infrastructure. It should, when appropriate, be used to establish equity price risk limits, to evaluate alternative investments, and to measure and assess equity portfolio performance (including the risk-adjusted performance). The bank should demonstrate the internal model's role in risk management (using investment committee minutes, for example).

    Chapter 11: Securitizations

    Rule Requirements

    Part III, Section 22(f): Securitization exposures. A bank must obtain the prior written approval of [AGENCY] under section 44 [of the NPR] to use the internal assessment approach for securitization exposures to ABCP programs. Part V: Risk-Weighted Assets for Securitization Exposures

    1. Overview

  461. This chapter supplements the detailed discussion of the framework for securitization exposures in the NPR. It describes the concepts, eligibility criteria, and mechanics associated with applying each of the three allowed approaches--the ratings-based approach (``RBA''), the internal assessment approach (``IAA''), and the supervisory formula approach (``SFA''). It also discusses related topics, such as risk transference, implicit support, early amortization provisions, and control and validation. This guidance applies to a bank regardless of its role in the securitization--investor or originator.

    S 11-1 Banks must use the securitization framework for any exposures that involve the tranching of credit risk (with the exception of a tranched guarantee that applies only to an individual retail exposure).

  462. The securitization framework relies principally on one of two sources of information, where available: (1) An assessment of the securitization exposure's external credit risk ratings or (2) the IRB risk-based capital requirement and expected loss of the underlying exposures as if the exposures had not been securitized. See section 2 of the NPR for the definition of a securitization exposure.

  463. To determine risk-weighted assets for securitization exposures, a bank must: (1) Identify all securitization exposures subject to the framework, (2) assign each exposure to an approach according to the specified hierarchy, and (3) calculate risk-weighted assets (or required deductions from capital) according to the requirements for the applicable approach.

    S 11-2 Banks should develop written implementation policies and procedures describing the allowed approaches, methods of application, and designated responsibilities for complying with the securitization framework.

  464. In addition to the IRB requirements, originating banks should maintain specific securitization policies and procedures including the appropriate accounting treatment for the securitization exposure (FASB 140, FIN 46R), pooling and servicing agreements for each securitization exposure (to assess compliance with risk transference and recourse requirements, waterfall structure, trigger requirements for early amortization structures), and contractual arrangements related to risk mitigation of the securitization exposure (net interest margin transactions, mitigating residual interest exposure).

  465. Certain basic risk management practices are also important to the framework's implementation. The central component is a full written description, or implementation guide, detailing each step in the process. The guide should include all key processes, such as methods of identifying exposures, selecting approaches, documenting approvals and data elements, and establishing responsibility for oversight and quality control. The remainder of this chapter expands on how to apply the various approaches, as well as supervisory guidance regarding eligibility and sound risk management practices.

    1. Scope of Application

  466. Tranching of credit risk is the structuring of cash flows and credit exposure so that an investor's share of the credit losses differ from its pro rata interest in the underlying exposures. Another characteristic of a securitization exposure is that payments to the various parties depend on performance of the underlying exposures, as opposed to an obligation of the entity originating those exposures.

  467. Examples of securitization exposures include asset-backed securities, mortgage-backed securities (including those issued by Fannie Mae and Freddie Mac),\24\ stripped mortgage-backed securities, credit enhancements and liquidity facilities to asset-backed commercial paper (``ABCP'') programs, collateralized debt obligations (``CDO''), loan participation agreements that include a tranching of payments such as last-in and first-out, guarantees and credit derivatives that provide tranched (i.e., non-proportional) credit protection against a pool of credit exposures, reserve accounts, and other retained residual interests.

    \24\ Fannie Mae and Freddie Mac mortgage-backed pass-through securities are to be treated as securitization transactions even though the risk of the securitized mortgage pool has not been tranched among investors.

  468. Since securitization transactions may be structured in a variety of ways, the economic substance of the transaction rather than its legal form should guide both the designation of exposures and the calculation of risk-based capital requirements.

    1. General Principles of the Securitization Framework

    1. Risk Transference

    S 11-3 Securitization transactions must transfer credit risk to at least one

    [[Page 9145]]

    third party to qualify for treatment under the securitization framework.

  469. Securitization exposures must meet all of the risk transference requirements imposed by Generally Accepted Accounting Principles (``GAAP'') and regulatory requirements. In this regard, banks should continue to use published supervisory guidance related to risk transference, recourse, and other activities that constitute implicit recourse.

  470. For an exposure to qualify for treatment under the securitization framework, the transaction must meet the requirements outlined in Statement of Financial Accounting Standards No. 140 and must transfer credit risk from the originator of the underlying exposures to at least one third party. In synthetic securitizations, credit risk mitigants are often used to transfer the credit risk of the underlying exposures, which generally remain on the bank's balance sheet. In order to exclude the underlying exposures from risk-based capital requirements, banks must comply with the operational requirements for recognition of credit risk mitigants in synthetic securitizations set forth in section 41 of the NPR. When the transaction does not qualify for GAAP sales treatment, does not satisfy the risk transference requirement, contains an ineligible clean-up call, or the bank has tainted the transaction by providing implicit support to the transaction,\25\ the bank must include the underlying exposures in the calculation of risk-based capital requirements as if the securitization transaction did not occur. For example, transactions reported as GAAP sales that do not transfer credit risk to third parties, such as transfers of assets subject to credit-enhancing representations and warranties, require the bank to include the underlying exposures in the calculation of risk-based capital as if the transfer had not occurred.

    \25\ In addition, as discussed in the NPR, if a bank provides implicit support to any securitization, the bank's primary Federal supervisor may require the bank to hold risk-based capital against the underlying exposures of some or all of the bank's other securitizations.

    1. Implicit Support

    S 11-4 Banks that provide implicit support to securitization transactions must hold risk-based capital as if the underlying assets had not been securitized, and must deduct from Tier 1 capital any after-tax gain-on-sale resulting from the securitization.

  471. Implicit support is credit support provided by a bank in excess of its contractual obligation under the original terms of the transaction. The issuer provides such support often to maintain access to funding and/or to protect its reputation in the market. Providing implicit support violates the risk transference principles inherent in a securitization transaction and, for risk-based capital purposes, requires that the bank treat the underlying securitized assets as if the securitization transaction had not occurred.\26\ For example, banks are considered to have provided implicit support when they either:

    \26\ A bank that provides implicit support is also subject to related disclosure requirements in section 42(h) of the NPR.

    Sell assets to a securitization trust or other special- purpose entity (SPE) at a discount from the price specified in the securitization documents (typically par value);

    Purchase assets from a securitization trust or other SPE at an amount greater than fair value;

    Exchange performing assets for nonperforming assets; or

    Provide credit enhancements beyond contractual requirements.

  472. Policies governing securitization activities should explicitly refer to the issue of implicit support, and include criteria for identifying and reporting instances of implicit support. An independent risk management or review group should systematically monitor securitization transactions to identify actions that constitute implied support and ensure appropriate regulatory capital treatment is applied.

    1. Servicer Cash Advances

  473. The risk-based capital requirement for servicer cash advances generally will be calculated using either the RBA or SFA. The RBA can be used if the bank can assign an inferred rating to the servicer cash advance based upon a rated subordinated tranche. If the RBA is not available, and the bank can compute the risk parameter estimates for the SFA, the bank can apply the SFA.

  474. A bank is not required to hold risk-based capital against the undrawn portion of an eligible servicer cash advance facility. An eligible servicer cash advance is a servicer cash advance facility in which:

    The servicer is entitled to full reimbursement of advances (except that a servicer may be obligated to make non-reimbursable advances if any such advance with respect to any underlying exposure is limited to an insignificant amount of the outstanding principal balance of the underlying exposure);

    The servicer's right to reimbursement is senior in right of payment to all other claims on the cash flows from the underlying exposures of the securitization; and

    The servicer has no legal obligation to, and does not, make advances to the securitization if the servicer concludes that the advances are unlikely to be repaid. The advance is made only after expected repayment is supported by a credit assessment that is consistent with prudent lending standards.

  475. If these conditions are not satisfied, a bank that provides a servicer cash advance facility must determine its risk-based capital requirement for the undrawn portion of the facility in the same manner as the bank would determine its risk-based capital requirement for any other undrawn securitization exposure.

    1. Clean-Up Calls

  476. A clean-up call is a contractual provision that permits a bank to call securitization exposures before their stated maturity date. In a traditional securitization, a clean-up call is generally accomplished by repurchasing the remaining securitization exposures once the amount of underlying exposures or outstanding securitization exposures fall below a specified level and it becomes uneconomical to maintain the transaction. In the case of a synthetic securitization, the clean-up call may take the form of a clause that extinguishes the credit protection once the amount of underlying exposures has fallen below a specified level. An originating bank may exclude securitized exposures from its risk-weighted assets calculated in connection with a securitization that has a clean-up call only if the clean-up call is an eligible clean-up call as defined in the NPR. The following are required criteria for an eligible clean-up call:

    The exercise of the clean-up call is solely at the discretion of the servicer;

    The clean-up call is not structured to avoid allocating losses to securitization positions held by investors, or otherwise structured to provide credit enhancements to the securitization; and

    The clean-up call is only exercisable for traditional securitizations when 10 percent or less of the principal amount of underlying exposures or securitization exposures are outstanding, or for synthetic securitization transactions, when 10 percent or less of the principal amount of the original reference portfolio is outstanding.

    S 11-5 A clean-up call constitutes implicit support if, in exercising the call, the bank provides support in

    [[Page 9146]]

    excess of its contractual obligation to provide support to the securitization.

  477. The ultimate determination of whether the exercise of a clean- up call constitutes implicit support depends on the facts. If the bank affects a clean-up call on terms that differ from contractual provisions, the following actions will point to a finding of implicit support:

    Exercising a clean-up call that serves as the functional equivalent of a credit enhancement; or

    Purchasing assets from a trust or other SPE at an amount greater than fair value.

    1. Maximum Capital Requirements for Securitization Exposures

    S 11-6 The maximum risk-based capital requirement for all securitization exposures held by a bank associated with a single securitization transaction is the amount of risk-based capital plus expected losses that would have been required had the underlying exposures not been securitized.

  478. Unless one or more of the underlying exposures does not meet the definition of a wholesale, retail, securitization, or equity exposure, the total risk-based capital requirement for all securitization exposures held by a single bank associated with a single securitization--including any risk-based capital requirement that relates to an early amortization provision, but excluding any capital requirements that relate to the bank's gain-on-sale or CEIOs (and any accrued interest receivables (``AIR'') that meet the definition of a CEIO) associated with the securitization--cannot exceed the sum of (i) the bank's total risk-based capital requirement for the underlying exposures as if the bank directly held the underlying exposures; and (ii) the bank's total expected credit loss for the underlying exposures.

  479. If a bank has multiple securitization exposures to an ABCP program that provide overlapping coverage of the underlying exposures, such as when a bank provides a program-wide credit enhancement and multiple pool-specific liquidity facilities, the bank is not required to hold duplicative risk-based capital against the overlapping position. Instead, the bank may limit its capital requirement for the overlapping positions to the single applicable treatment that results in the highest capital requirement. However, if different banks have overlapping exposures to an ABCP program, each bank must hold capital against the entire amount of its exposure.

  480. When a bank sponsors an ABCP program and is required to consolidate the program as a variable interest entity under GAAP solely because it qualifies as a primary beneficiary, it may exclude the consolidated ABCP program assets from risk-weighted assets. However, the decision to exclude the consolidated program from risk-weighted assets does not exempt the bank from holding risk-based capital against any exposures to that program in accordance with the overall securitization framework.

    1. Hierarchy of Approaches

    S 11-7 Banks must follow the specified hierarchy of approaches to determine risk-weighted asset amounts for all securitization exposures.

  481. The first step in determining the risk-weighted asset amount for a securitization exposure for either an investing or originating bank is to deduct entirely from Tier 1 capital all increases in capital due to after tax gain-on-sale income from the transaction. In addition, any CEIOs, including any AIRs that meet the definition of a CEIO, must be deducted 50 percent from Tier 1 capital and 50 percent from Tier 2 capital.\27\ If the amount deductible from Tier 2 capital exceeds the amount of actual Tier 2 capital, the excess must be deducted from Tier 1 capital.

    \27\ For specific guidance on the treatment of AIRs see the Interagency Advisory on the Regulatory Capital Treatment of Accrued Interest Receivable Related to Credit Card Securitizations, dated May 17, 2002, and the Interagency Advisory on the Accounting Treatment of Accrued Interest Receivable Related to Credit Card Securitizations, dated December 4, 2002.

  482. Next, the bank applies one of the three approaches for determining risk-weighted assets: The RBA, the IAA, or the SFA. The RBA and the IAA calculate risk-weighted assets using supervisory tables based on external or inferred ratings. Subject to specific conditions, the SFA may be used for securitization exposures when the IAA or RBA is not available. Securitization exposures that do not qualify for one of these three approaches are deducted from regulatory capital.

  483. Banks must apply the three approaches according to the following hierarchy:

  484. RBA--If the securitization exposure is not required to be deducted and qualifies for the RBA, the bank must apply the RBA.\28\ In general, an originating bank qualifies to use the RBA if its retained securitization exposure has at least two external ratings or an inferred rating based on at least two external ratings, while an investing bank qualifies to use the RBA if its securitization exposure has one or more external or inferred ratings.

    \28\ Regardless of any other provision, the risk weight for a non-credit enhancing interest-only residential mortgage backed security (e.g., FNMA IO Strip), may not be less than 100 percent.

  485. IAA or SFA--If a securitization exposure is not required to be deducted, does not qualify for the RBA, and is an exposure to an ABCP program, the bank may apply either the IAA or the SFA. However, the bank must consistently use either the IAA or the SFA when this type of exposure would be eligible for both approaches.

  486. SFA--If the securitization exposure is not required to be deducted, does not qualify for the RBA, and is not an exposure to an ABCP program, the bank may apply the SFA if it is able to calculate, on an ongoing basis, the SFA risk parameters.

  487. When a securitization exposure does not qualify for the RBA, IAA, or SFA, a bank is required to deduct the exposure 50 percent from Tier 1 capital and 50 percent from Tier 2 capital. If the amount deductible from Tier 2 capital exceeds the bank's actual Tier 2 capital, however, the bank must deduct the shortfall amount from Tier 1 capital.

  488. The following diagram illustrates the hierarchy for the treatment of a securitization exposure for either an investing or originating bank:

    [[Page 9147]]

    [GRAPHIC] [TIFF OMITTED] TN28FE07.009

    1. IRB Approaches for Securitization Exposures

    1. Ratings-Based Approach

  489. Banks may use the RBA to determine the appropriate risk weight for a securitization exposure if the exposure is externally rated, or for a non-rated exposure for which a rating can be inferred. The appropriate risk weight is multiplied by the securitization exposure amount to arrive at the appropriate risk-weighted asset amount.

    S 11-8 In order to use the RBA, the securitization exposure must be externally rated by an NRSRO, or be eligible for an inferred rating.

  490. For a bank to utilize the RBA, the securitization exposure must be rated by an NRSRO as defined in the NPR.

  491. A rating may be inferred if the subject securitization exposure is senior to another securitization exposure in the transaction (that is backed by the same underlying obligations and is issued by the same issuer) that has an external rating from an NRSRO. The applicable rating to be applied for an inferred rating is the current rating of the subordinate rated tranche. Inferred ratings should be updated at least annually, or more frequently when warranted, so that any changes in the external rating or characteristics of the rated exposure are reflected in a timely manner. An inferred rating cannot be derived from a proxy securitization exposure (e.g., a similarly structured but separate securitization exposure).

    S 11-9 The securitization transaction must have an external rating assigned by an NRSRO that fully reflects the credit risk associated with timely repayment of principal and interest.

  492. When a securitization exposure is structured, the originating bank can elect to have the securitization transaction placed in the NRSRO's monitoring/surveillance program that requires a periodic review of the financial performance of the underlying exposures. By placing the securitization exposure in the NRSRO monitoring program, the integrity of the credit rating is maintained for the life of the securitization exposure, and thereby ensures that the credit rating fully reflects the entire amount of credit risk

    [[Page 9148]]

    with regard to all payments owed to the holder of the exposure. Securitization exposures receiving a rating only at origination are not eligible for the RBA. The external rating must take into account and reflect the entire amount of credit risk exposure the bank has with regard to all payments owed to it. If the bank is owed both principal and interest, the rating must fully reflect the credit risk associated with timely repayment of both. With certain securitization exposures, such as combination bonds, which generally are combinations of a subordinated, unrated securitization exposure and a highly rated principal-only strip, the principal component of the bond often receives a higher rating than the interest component. A rating structure such as this does not qualify as a full credit exposure rating, and therefore the RBA is not available. In the event that a rating does not capture the full credit exposure, the bank may use the SFA if applicable, or deduct.

  493. When a bank has used the RBA (or IAA) to calculate its risk- based capital requirement for a securitization exposure whose external or inferred rating (or IAA rating) reflects the credit enhancement of a credit risk mitigation (``CRM'') technique, a bank may not obtain additional risk-based capital recognition of the CRM technique through the securitization CRM rules in section 46 of the NPR.

  494. When a credit risk mitigant is not obtained by the SPE but rather is obtained by a bank separately to protect itself against losses on a specific securitization exposure (e.g., ABS tranche), the bank may use the applicable securitization CRM treatment to recognize the hedge as outlined in section 46 of the NPR.

    S 11-10 Banks should document the factors that support their use of the RBA.

  495. Factors the bank should document include the identification of the NRSROs, type of underlying exposures (e.g., wholesale, retail), seniority of the securitization exposure, pool granularity, and placement of reference tranches in the waterfall for inferred ratings.

  496. Senior securitization exposures supported by granular pools receive special treatment under the RBA. Only one tranche may be considered ``senior'' for each transaction. In a traditional securitization where all tranches above the first-loss piece are rated, the most highly rated position would be treated as the senior tranche. However, when several tranches share the same rating, only the most senior tranche in the cash waterfall, according to security provisions in the indenture, would be treated as the senior position. In a synthetic securitization, a super-senior tranche would be treated as the senior tranche. Eligible servicer cash advances are not considered in the seniority assignment for the RBA.

  497. Pool granularity refers to the number of different underlying exposures. The RBA considers the impact of pool granularity on credit risk by assigning higher risk-weight percentages to non-granular pools. Securitizations of retail exposures contain a significant number of underlying exposures and will be considered granular for risk-weighting purposes.

    1. Internal Assessment Approach

    Overview

  498. A bank's exposures to ABCP conduit programs (i.e., liquidity facilities and credit enhancements) are considered securitization exposures for which the bank must hold risk-based capital. Where ABCP exposures qualify for the RBA approach, the RBA must be used to calculate risk-weighted assets. However, exposures such as ABCP liquidity facilities and credit enhancements are generally unrated. Subject to qualification standards, a bank may use either the IAA or the SFA; however, one approach must be used consistently for all the bank's exposures to ABCP programs.

  499. To qualify for the use of the IAA, a bank must at a minimum demonstrate that its ABCP program meets specific operational requirements set forth in the NPR. A bank may apply the IAA to exposures related to ABCP programs and to exposures to programs that are similarly structured, which could include structured investment vehicles, tender option bonds, and variable note programs, as long as they meet the NPR's definition of an ABCP program. The bank must demonstrate that it has met the qualification standards for each asset class for which it has exposure.

  500. The IAA requires a bank to use an internal credit assessment (``ICA'') framework that maps or corresponds directly to NRSRO rating criteria for a similar asset class. For example, if the pool of assets consists of credit card receivables, the bank's credit assessment for a liquidity facility or credit enhancement extended to the pool should be based on the NRSRO's rating criteria for credit card receivables. In order to use the IAA, the bank's ICA process should at a minimum (a) identify reliable historical loss rates on the underlying exposures, (b) map internal ratings to specific ratings of the NRSRO, as well as validate the mapping process to ensure its integrity and accuracy, and (c) document the criteria used to arrive at the ICA rating. See section 44(a)(1) of the NPR for a complete list of the criteria a bank's ICA process must meet in order for the bank to obtain approval from its supervisor to use the IAA.

  501. After assigning an internal rating based on the appropriate ICA framework, the bank calculates risk-weighted assets by applying the applicable risk weights from the RBA tables to the amounts of the ABCP program exposures. Consistent with the RBA, the applicable risk-weight assignment requires three additional inputs--the seniority of the exposure, an assessment of pool granularity, and whether the ICA is a long- or short-term rating. Pool granularity is based on the number of underlying exposures, with exposures to a single obligor aggregated. ABCP liquidity facilities would be considered senior exposures provided they meet the definition of a senior securitization exposure in the NPR.

  502. For example, the ICA for a $10 million (maximum contractual value) liquidity facility has an ICA that is equivalent to a long-term external rating of ``AA.'' Using the RBA tables, a risk weight of 8 percent is applicable, resulting in risk-weighted assets of $800,000 provided (1) the position is senior exposure, (2) the pool is granular, and (3) there is a long-term rating (e.g., ``AA''). If it is determined that the pool is non-granular, the risk weight is 25 percent, or risk- weighted assets of $2.5 million.

  503. The IAA's reliance on an NRSRO's rating methodology and ratings criteria for the applicable asset class does not reduce the level of analysis, review, and due diligence that the bank should conduct as part of the initial purchase decision, and regularly thereafter.

  504. The systems and processes used by the bank for risk-based capital purposes must be consistent with the bank's internal risk management processes and management information reporting systems. For example, the conduit's ICA ratings process should be linked to the required seller-provided credit enhancement levels, establishment of transaction dynamic trigger levels, tracking of individual obligor exposure levels, and establishment of concentration levels. Also, the risk management systems should capture the market (interest rate mismatch), liquidity (commercial paper maturity laddering, extendable funding products) and operational (integration of servicer and investor reporting) risks associated with the conduit activities.

    [[Page 9149]]

    1. Internal Credit Assessment Process in the IAA

    S 11-11 Banks' internal credit assessment processes should be comprehensive, transparent, independent, well-defined, and fully documented.

  505. The ICA process should address the full range of activities, including pre-purchase analysis of the proposed transaction, verification of the seller's representation of the assets' risk characteristics, the assignment of internal credit assessments, and on- going validation to ensure the integrity of the process and rating accuracy.

  506. The bank must have an effective system of controls and oversight that ensures compliance with these operational requirements and maintains the integrity and accuracy of the internal credit assessments. The bank must have an internal audit function independent from the ABCP program business line and internal credit assessment process that assesses at least annually whether the controls over the internal credit assessment process function as intended.

  507. Banks should be able to demonstrate that these assessments accurately capture and quantify the risk inherent in these exposures. To facilitate transparency, banks should have (1) approved policies and procedures, (2) a written and detailed summary of the processes, including the roles and responsibilities of relevant parties, and (3) management information reports on items such as pool status, usage of liquidity and/or credit enhancement facilities, and other risk management issues (e.g. level of losses relative to seller-provided credit protection or proximity to termination events).

  508. The bank should clearly document its processes for determining the required level of seller-provided credit enhancement, including the level of historical losses and the NRSRO's stress factor used to establish equivalency to a specific external rating. The bank should be able to demonstrate that the pool's loss estimate is empirically based, credible, and predictive of expected losses. Historical and current information on delinquencies, charge-offs, recoveries, dilution,\29\ and obligor and geographic concentrations should be maintained to support these estimates.

    \29\ Dilution is the reduction of the asset receivable due to customer returns of sold goods, warranty claims, disputes between the seller and its customers, and other factors. Sellers are generally required to establish a reserve to cover a multiple of historical dilution. The adequacy of the dilution reserve is reviewed at the inception of the transaction and may or may not be incorporated in the seller-provided credit enhancement for the pool of assets sold to the conduit.

  509. The time horizon for historical losses should be consistent with the number of years used in the NRSRO's external rating criteria. For instance, with respect to the performance of a pool that is comprised of trade receivables, the program administrator should use at least three years of loss data when determining the required level of credit enhancement.

  510. When adjustments are made to an internal credit assessment that are based on factors not included in the NRSRO's rating criteria, written rationale and support should be available. In addition, the bank should be able to provide evidence that the adjustments were subject to an appropriate approval process.

  511. When reviewing the seller's risk profile, the sponsoring bank (or program administrator) should analyze both the credit risks of the underlying assets and the seller's risk profile. The transaction summary provided by the seller should include information on the default risk of the underlying assets, including historical loss characteristics, concentrations, delinquencies, and payment history. In addition, the bank should assess the quality of the seller's underwriting practices as an indicator of the future performance of the underlying assets.

  512. The assessment of the seller's risk profile should include past and expected financial performance and condition (e.g., leverage, cash flow, and interest coverage), the seller's current market position, expected future competitiveness, and debt rating.

  513. Credit and investment policies should include the following: Well-defined underwriting standards for purchased assets; the minimum requirements for a seller's credit quality; limits on transaction size; limits on concentrations for obligors, asset types, or geographic exposure; required structural features; procedures for monitoring and reporting pool performance; and required levels of liquidity and credit support.

  514. The bank should maintain a transaction summary to support each ABCP program exposure. The summary should include the following: The structure of the pool transaction; the type and details of the bank's support for the program or pool; a profile of the seller (asset originator); the criteria used to determine the eligibility of assets; the risk characteristics of the purchased assets (e.g., credit quality and tenor); dilution risk; statistics on the historical performance of the underlying assets and other similar asset pools; and termination events.\30\

    \30\ Termination events, also referred to as ``dynamic'' or wind-down triggers, are used to mitigate the occurrence of losses due to a deteriorating asset pool or an event that may hinder the conduit's ability to repay maturing commercial paper. Pool-specific triggers include the insolvency or bankruptcy of the seller/servicer of assets, a downgrade of the seller's credit rating below a certain rating grade, or the deterioration of the asset pool to the point where charge-offs, delinquencies, or dilution reaches predetermined levels. Program-wide triggers include the conduit's failure to repay maturing commercial paper or draws on the program-wide credit enhancement that exceed a certain amount.

  515. When the liquidity facility and either transaction specific or program-wide credit enhancement overlap, banks are required to hold capital only once for any overlap. However, banks must allocate the program-wide credit enhancement overlap across pools that results in the highest risk-based capital requirement. For example, assume an ABCP program is made up of a pool of credit card receivables, a pool of loan receivables, and a pool of trade receivables. The bank has issued liquidity facilities for $400,000 for each pool and a $120,000 program- wide credit enhancement facility. The liquidity facilities for the credit card and loan pools are internally-rated as ``AAA,'' with the trade receivables' pool rated as ``A+.'' The credit enhancement is rated ``A.'' The appropriate risk-based capital charge for the liquidity facility and credit enhancement is detailed in the table below.

    Pool Summary

    Purchase

    Pool

    LF

    Internal Conduit funding

    authorization balance coverage

    LF tenor

    credit ass. NRSRO equivalent

    Credit Card...........................

    $400,000

    $0 $400,000 366 day..................

    2 ``AAA'' Account Rec...........................

    400,000 250,000 400,000 366 day..................

    2 ``AAA'' Trade Rec.............................

    400,000 300,000 400,000 366 day..................

    3 ``A+''

    [[Page 9150]]

    Total.............................

    1,200,000 550,000 1,200,000 Credit Enhancement....................

    120,000 ........... ........... .........................

    4 ``A''

    Overlap and Risk-Weighted Assets

    LF exposure

    CE exposure amount net of

    amount net of overlap

    LF RWA

    overlap

    CE RWA

    Total RWA adjustment

    adjustment

    Credit Card..............................................

    $0

    $0

    $120,000

    $24,000

    $24,000 Account Rec..............................................

    * 250,000

    ** 17,500

    0

    0

    17,500 Trade Rec................................................

    300,000

    30,000

    0

    0

    30,000

    Total Risk-Weighted Assets........................... .................

    $47,500 .................

    $24,000

    $71,500

    * $250,000 - 0 = $250,000. ** (LF - CE Overlap) x RWA% for respective NRSRO equivalent rating ($250,000 x 7% = $17,500).

  516. Using the same underlying exposures as in the above example, the bank has issued liquidity facilities for $400,000 for each pool and a $120,000 credit enhancement facility. However, the credit enhancement in this example is transaction specific, allocated at $40,000 per transaction. The liquidity facilities for the credit card and loan pools are internally-rated as ``AAA,'' with the trade receivables'' pool rated as ``A+.'' The credit enhancement is rated ``A.'' The appropriate risk-based capital charge for the liquidity facility and credit enhancement is detailed in the table below.

    Pool Summary

    Purchase

    Pool

    LF

    Internal Conduit funding

    authorization balance coverage

    LF tenor

    credit ass. NRSRO equivalent

    Credit Card...........................

    $400,000

    $0 $400,000 366 day..................

    2 ``AAA'' Account Rec...........................

    400,000 250,000 400,000 366 day..................

    2 ``AAA'' Trade Rec.............................

    400,000 300,000 400,000 366 day..................

    3 ``A+''

    Total.............................

    1,200,000 550,000 1,200,000 Credit Enhancement....................

    120,000 ........... ........... .........................

    4 ``A''

    Overlap and Risk-Weighted Assets

    LF exposure amount net of

    CE exposure overlap

    LF RWA amount of overlap

    CE RWA

    Total RWA adjustment

    adjustment

    Credit Card..............................................

    $0

    $0

    $40,000

    $8,000

    $8,000 Account Rec..............................................

    * 210,000

    ** 14,700

    40,000

    *** 8,000

    22,700 Trade Rec................................................

    260,000

    26,000

    40,000

    8,000

    34,000

    Total Risk-Weighted Assets........................... .................

    $40,700 .................

    $24,000

    $64,700

    * $250,000 - 40,000 = $210,000. ** (LF - CE Overlap) x RWA% for respective NRSRO equivalent rating ($210,000 x 7% = $14,700). *** CE x RWA% for respective NRSRO equivalent rating ($40,000 x 20% = $8,000).

    S 11-12 Banks should analyze the servicer's capabilities and document the analysis in the internal assessment.

  517. The analysis should consider the servicer's data systems, data capabilities (or consider the capabilities of the servicer's data systems), excess capacity, collections processes, reliance on vendors or other service bureaus, and backup servicing arrangements. A separate rating for the servicer may also be assigned, and should consider the servicer's financial position, operating capabilities, historical pool performance, and other criteria such as a publicly available NRSRO servicer rating report.

    1. Validation of IAA

    S 11-13 The bank must validate its ICA process on an ongoing basis and at least annually the ICA process and results must be subject to the full range of the bank's IRB validation activities.

  518. The bank should review the relationship between the credit assessment process and the NRSRO's current rating criteria to ensure that internal credit assessments are appropriately aligned to external ratings and reflect the NRSRO's rating criteria.

  519. The robustness of the validation process should be consistent with the complexity and volume of the bank's activities. Validation should consider the relevance and appropriateness of the NRSRO rating methodologies to the purchased assets, the integrity of the mapping process and its application to the bank's ABCP program exposures, and the quality of the bank's risk

    [[Page 9151]]

    management and internal controls in this business line.

  520. Developmental evidence is particularly relevant to the IAA. A bank should be able to provide evidence to support the integrity of its ICA process. Written documentation should include, but is not limited to: (1) How the process is consistent with the NRSRO's rating criteria to which the bank is mapping assessments, (2) the process for verifying the seller's estimates of historical loss for the purchased assets, and (3) the methodology used to assess the risk characteristics of the asset seller, the servicer, and program administrator (when not the bank). The bank should be able to support that its process is complete and that its ICAs are accurate based on their design and implementation.

  521. Process verification should focus on whether the policies and procedures are sufficiently detailed to support transparency and replication of the assessments, as well as the extent to which the process operates as designed. The process review should include (1) quantifying risk across the spectrum of the bank's exposures, and (2) evaluating the completeness, accuracy, and applicability of the data that supports the securitization framework.

  522. The bank should perform backtesting or outcomes analysis on the ICA ratings. This should also include tracking the financial performance of the underlying exposures including the ICA rating for the securitization exposure. At a minimum, the review process should be performed annually, or more frequently when there are significant changes in the NRSRO's rating criteria or the performance of the underlying assets warrants an adjustment to the bank's internal assessment. Performance analysis should cover not only the level of excess spread, but also trends and volatility in excess spread components such as interest and fee revenues, bond coupons, payment rates, loss rates, and other variable components affecting securitization performance.

    1. Supervisory Formula Approach

    Overview

  523. The SFA may be available to determine the risk-based capital requirement for unrated securitization exposures when an external rating is not available or cannot be inferred, or when the bank chooses not to use, or does not qualify to use, the IAA.\31\ The SFA calculation relies, in large part, on the risk-based capital requirement that would be assessed had the exposures underlying the securitization not been securitized. The SFA relies on this calculation as its starting point since securitizing a pool of exposures does not change the overall amount of credit risk, but merely changes how credit risk is distributed to the holders of the securitization exposures. Regulatory overrides, based on supervisory judgment, have been added to this pure model-based assessment of credit risk to ensure that (1) a minimum regulatory capital requirement is assessed on all securitization exposures, (2) tranches with insufficient credit enhancement are assessed a dollar-for-dollar capital requirement, and (3) model discontinuities are minimized. Common Unrated Securitization Exposures Subject to the SFA

  524. The SFA provides banks a means of calculating risk-based capital requirements for unrated securitization exposures. The SFA allows for a more risk sensitive capital requirement for higher quality, unrated securitization positions that lie above the KIRBboundary, provided the bank has access to the information necessary to parameterize the SFA. Regardless of the information the bank has on the underlying securitized exposures and the securitization structure, CEIOs, including any AIRs that meet the definition of a CEIO, will remain subject to deduction.

    \31\ The exposure may be related to a conduit program, but the bank does not meet the operational standards to use the IAA. Under this scenario, banks may use the SFA.

  525. Banks could use the SFA to determine risk-based capital requirements for the following common unrated securitization exposures:

    Unrated credit enhancements, including cash collateral, and spread accounts;

    Unrated CDO equity tranches;

    Other unrated retained or purchased subordinated securities from traditional or synthetic securitizations;

    Loans sold or serviced with recourse when the risk retained is of a different priority than the risk transferred;

    Loan participations and syndications when there is other than a pro-rata form of distribution;

    Unrated securitization exposures resulting from a bank's participation in the FHLB Mortgage Partnership Finance Program or Mortgage Purchase Program;

    Unrated exposures resulting from pool-level mortgage insurance programs;

    Senior synthetic securitization exposures when a rating cannot be inferred;

    MBS/ABS retained by the originator with less than two external ratings; and

    ABCP credit enhancements and liquidity facilities for which the bank has not received approval to use the IAA, or chooses for any reason not to use it.

    The above is intended to provide examples of securitization exposures that would be subject to the SFA; however, there are likely additional securitization exposures that could be evaluated with the SFA. As the securitization market evolves, additional structures may emerge that will be subject to the SFA. Implementation of the SFA

  526. Banks are required to provide seven inputs when implementing the SFA. These inputs include:

    The amount of underlying exposures (UE);

    The sum of the IRB capital requirement and expected loss on the underlying exposures, divided by UE (KIRB);

    The effective number of underlying exposures (N);

    The exposure-weighted average loss given default of the underlying exposures (EWALGD);

    The percentage of the tranche of interest the bank owns (TP);

    The thickness of the tranche of interest (T) in relation to UE; and

    The credit enhancement level for the tranche of interest (L).

  527. To use the SFA the bank must have these inputs to calculate the capital requirement on the underlying exposures. The first four inputs (UE, N, EWALGD, and KIRB) require the bank to have a detailed knowledge of the characteristics of the underlying securitized exposures. The remaining three inputs (TP, T and L) require detailed knowledge of the structural features of the securitization.

  528. Since the calculation of KIRBrequires detailed knowledge of the underlying exposures, the SFA may be difficult for an investor in an unrated securitization exposure to implement. For example, if a bank provides credit enhancement to wholesale exposures originated and securitized by another party, the bank as credit enhancer may not have access to the data to accurately derive the inputs necessary (e.g., and PD, LGD, M and EAD) to calculate KIRB. In this situation, the bank as credit enhancer would not be able to use the SFA to compute regulatory capital requirements on the unrated securitization exposure, and would be required to deduct the exposure from regulatory capital.

  529. Banks must also be prepared to update the SFA inputs quarterly. Because the output of the SFA is

    [[Page 9152]]

    predicated upon KIRB, any changes in the quality of the underlying exposures will result in a change in the SFA capital requirement. For example, deterioration in the collateral values of the underlying exposures would likely result in increased values for EWALGD and KIRB, which would generate a higher SFA capital requirement for each securitization tranche. Additionally, the prepayment of smaller exposures in a pool may lead to a more concentrated, riskier pool as N decreases.

    Calculation of KIRB

  530. KIRBrepresents the ratio of (i) the IRB capital requirement plus the expected credit losses of the underlying exposures had they not been securitized to (ii) UE, which is discussed below. All underlying exposures should be included in the calculation of KIRB, including assets in reserve accounts. The counterparty credit risk charge associated with derivative instruments should also be reflected in the numerator of KIRB, while the EAD of derivatives should be reflected in the denominator. The calculation of KIRBshould also reflect the effects of any credit risk mitigant that is applied on the underlying exposures that benefits all the securitization exposures. CEIOs, including any AIRs that meet the definition of a CEIO, should not be included in the calculation of KIRB.

  531. When banks have established a valuation allowance other than an ALLL or liability reserve on an underlying exposure, both the numerator and denominator of KIRBshould be calculated using the gross amount of the exposure without the specific provision. In this situation, the valuation allowance can be used to reduce the amount of deduction from capital associated with the securitization exposure. A detailed application of this treatment appears in Example 2 of this chapter's Appendix A. Calculation of UE

  532. The amount of underlying exposures (UE) is the EAD of any underlying wholesale and retail exposures (including the amount of any funded spread accounts, cash collateral accounts, and other similar funded credit enhancements) plus the amount of any underlying exposures that are securitization exposures plus the adjusted carrying value of any underlying equity exposures. For purposes of the SFA, the amount of an on-balance sheet securitization exposure is: (i) The bank's carrying value, if the exposure is held-to-maturity or for trading; or (ii) the bank's carrying value minus any unrealized gains and plus any unrealized losses on the exposure, if the exposure is available-for- sale. The amount of an off-balance sheet securitization exposure is the notional amount of the exposure. For a commitment, such as a liquidity facility extended to an ABCP program, the notional amount may be reduced to the maximum potential amount that the bank currently would contractually be required to fund. For an OTC derivative contract that is not a credit derivative, the notional amount is the EAD of the derivative contract as calculated in section 32 of the NPR. Calculation of N and EWALGD

  533. Although the SFA can be used for a pool containing only one asset, the SFA generally yields higher risk-based capital requirements for highly concentrated, non-granular pools. Therefore, the effective number of exposures (N) weights each exposure by its size to account for the higher risk in more highly concentrated, non-granular pools. When calculating N, multiple exposures to the same borrower are considered a single exposure. A sample calculation of N is included in Appendix A.

  534. The exposure-weighted average loss given default (EWALGD) is the LGD of each exposure weighted by the size of each exposure. The weighting process is designed to give the LGD of larger exposures more weight in determining the EWALGD of the overall pool. A sample calculation of exposure-weighted EWALGD is also included in Appendix A.

  535. For retail securitizations, banks are not required to calculate N and EWALGD. The two SFA variables-- h and v --requiring N and EWALGD as inputs, are reduced to 0 for securitizations where all underlying exposures are retail exposures.

  536. A simplified method of calculating N and EWALGD is also available for securitizations as long as the size of the largest exposure is known with certainty and is no larger than 3 percent of the entire pool. In this case, banks may set EWALGD = 50% and N can be calculated as:

    [GRAPHIC] [TIFF OMITTED] TN28FE07.010

    Where:

    C1is the largest exposure in the pool; Cmis the share of the pool composed by the ``m'' largest underlying exposures; and ``m'' is selected by the bank.

    Alternatively, if only C1is available and is no more than .03, a bank may set EWALGD at 50% and N at 1/C1. When determining N and EWALGD for a particular non-retail securitization, banks should document which methodology for calculating N and EWALGD is applied.

  537. The remaining three required inputs necessary to implement the SFA--the percentage of the tranche of interest the bank owns (TP), that tranche's credit enhancement level (L), and that tranche's thickness (T)--require the bank to understand the securitization's structure and loss prioritization. Banks should document the amount of the tranche they own relative to the outstanding issuance of the tranche in order to accurately calculate TP. Additionally, banks should document their understanding of the securitization's structure and loss prioritization in order to accurately calculate L and T.

  538. Banks must also update their calculations of TP, L and T on an ongoing basis. For example, payments to senior tranches in a particular structure may result in increases in L for junior tranche holders. Increasing defaults or loss severity in the underlying exposures may reduce L and T. Additionally, a bank's decision to mitigate its exposure through a partial sale of a particular tranche will reduce TP.

    Calculation of T, L, and TP

  539. T is the ratio of the amount of the tranche of interest to UE. L is the sum of (i) T to (ii) UE, for all tranches subordinate to the tranche of interest. The current outstanding principal balance or notional amount of the tranche of interest should be used when calculating T. TP is the ratio of the amount of the bank's securitization exposure to the amount of the tranche that contains the securitization

    [[Page 9153]]

    exposure. L should be measured without any consideration of the effects of tranche-specific credit enhancement (e.g., third party guarantees or collateral that benefit only the tranche of interest).

  540. UE must equal the sum of the individual thickness levels of each tranche. Therefore, credit enhancement based upon future cash flows, such as excess spread, CEIOs, non-credit enhancing IOs, or the subordination of fees in the cash flow waterfall, should be excluded for purposes of calculating L and T. Both L and T should include only funded reserve and spread accounts. Derivatives embedded in securitization structures should be measured based only upon current mark-to-market value, if positive, without regard to potential future exposure.

  541. Cash advances made by a servicer to an SPE to cover delinquent or late payments on the underlying exposures should be included in the calculation of L and T. When a servicer makes a cash advance to an SPE, it puts money into the SPE in order to pay down investor tranches; the pay-down of investor tranches does not bring any corresponding reduction in the principal balance of the underlying exposures. Therefore, in order for the sum of the tranches to equal UE, servicer cash advances should be considered in the calculation of L and T. Servicer cash advances that are not considered credit enhancing can be assumed to be the most senior securitization exposure in a securitization, with L calculated accordingly. For servicer cash advances that are in any way credit enhancing, the calculation of L should reflect the advance's degree of subordination.

  542. Refer to this chapter's Appendix A ``Description of the Supervisory Formula Approach (SFA),'' for further details. Special Considerations for Re-securitizations

  543. Re-securitizations, such as CDO-squared, represent a new securitization in which the underlying exposures are themselves securitization interests and present a unique challenge in the calculation of UE, N, EWALGD and KIRB. As a general rule, banks holding securitization exposures in re-securitizations should not ``look through'' to the exposures underlying the securitized securitization tranches when calculating UE, N, EWALGD and KIRBand must set EWALGD equal to 100 percent for re- securitizations.

  544. For example, if a bank holds an unrated securitization exposure in which the underlying exposures consist entirely of rated securitization interests, the bank first would sum the exposure amounts associated with these rated securitization interests to obtain UE. Next, the bank would use the RBA to determine KIRBfor these rated securitization interests, applying dollar-for-dollar capital to those exposures rated below BB-. Since the RBA risk weights include expected losses, no additional adjustment to KIRBfor expected losses is necessary. After determining KIRB, the bank calculates the effective number of exposures based upon the relative size of the underlying securitization tranches included in the re-securitization pool, without ``looking through'' to the exposures underlying the securitized tranches. Next, the bank would assume that EWALGD equals 100 percent. At this point, the bank would have sufficient information on the underlying exposures to apply the SFA to the unrated re-securitization tranche of interest. Pool Level Mortgage Insurance

  545. Certain transactions may incorporate pool insurance as a form of credit enhancement for a pool of mortgage loans. Pool insurance can take various forms but generally provides insurance coverage for the pool of loans up to a maximum amount (a ``stop loss'' level) and can include loss coverage for each loan within the pool. The extent of coverage is negotiable and may result in 100 percent loss coverage on defaulted loans, or modified pool insurance that results in lower or variable levels of coverage on defaulted loans using loan-to-value limits, for example.

  546. The credit risk mitigation benefits of pool insurance may be recognized in determining the appropriate risk-based capital requirement. Pool insurance that covers all or a pro rata share of all losses in a pool is recognized in the retail segmentation process (see Chapter 4, S 4-4 and accompanying text). Pool insurance that incorporates a tranching of credit risk is addressed in the securitization framework. In circumstances where a securitization structure with external credit ratings benefits from pool level insurance, such ratings incorporate the effects of credit risk mitigation and would, under the securitization framework (RBA), provide a method for the assessment of the appropriate capital requirement. For unrated securitization transactions, the credit risk mitigation effect of the pool insurance would need to be assessed under the SFA framework. The pool insurance and its application to the pool assets should be fully documented. Specifically, the documentation should describe and support the quantification of the credit risk that is being absorbed by the pool insurance, and detail how cash proceeds from the pool insurance are applied within the waterfall structure to effect a reduction in credit risk.

  547. For securitization exposures where the underlying exposures benefit from guarantees such as pool level mortgage insurance, the bank may be able to utilize the synthetic securitization rules to calculate the benefit of the guarantee. The bank should ensure that securitizations for which the SFA or synthetic securitization is applied have reasonably strict contractual loss prioritization rules embedded into the deal. The following example outlines the process for calculating the capital requirement for a securitization that contains a pool level credit risk mitigant with a stop loss level:

    Example

    Pool level insurance covers the first $8 of loss on a $100 retail mortgage loan pool.

    Step Process

  548. Calculate the risk-based capital requirement for the underlying exposures according to the retail IRB rules: EL estimation, retail segmentation, PD and LGD estimation, and the retail risk-weight function;

  549. Use the risk-based capital requirement from step 1 to determine KIRBand then use the SFA to calculate the risk-based capital requirement on the $92 senior position (where the $8 first loss coverage of the insurance is treated as a junior tranche);

  550. Calculate the risk-based capital requirement on the $8 position as if it were a direct exposure to the insurer using the guarantor's PD, the bank's estimate of the guarantor's ELGD and LGD, and the corporate risk-weight function. The PD of the guarantor is subject to the 3 basis point wholesale floor; and

  551. The total risk-weight capital requirement is the sum of the capital requirements in steps 2 and 3. Loss Prioritization

    S 11-14 Banks should document the securitization structure and loss prioritization.

  552. A bank may use the SFA only if it can calculate each of the SFA input parameters on an ongoing basis. For the purpose of calculating L, the credit enhancement level for the tranche of interest, this requirement implies that bank must be able to calculate how the pool's credit losses will be allocated among the deal's various tranches not only at the deal's inception, but over

    [[Page 9154]]

    time. Otherwise, the SFA may not be used.

  553. For some transactions, the allocation of credit losses among tranches may depend on certain contingencies, such as the specific timing of credit losses over the life of the deal, the possibility that subordinated tranches may amortize prior to full retirement of senior tranches, the speed at which reserve accounts will be built up through retained excess spread, or structural features whereby the losses allocated to a particular tranche may depend on how these losses are distributed among the exposures in the underlying pool. The existence of such contingencies does not automatically disqualify a bank from using the SFA to compute the capital charge for an unrated securitization exposure. However, the structure of the transaction should be sufficiently clear cut to enable the bank to determine the loss prioritization associated with each potential contingency. Furthermore, the calculation of L should address contingencies in a manner that is demonstrably conservative, for example, by calculating L to reflect those contingencies that are least favorable to the bank. In all cases, the calculation of L must comply with applicable rules for recognizing credit enhancements (e.g., unfunded reserve accounts may not be recognized).

    1. Early Amortization Provisions

  554. In addition to holding capital against any retained interest in a securitization transaction, originating banks are required to hold capital against the investors' interest (both drawn and undrawn balances) in a securitization that includes one or more underlying exposures in which the borrower is permitted to vary the drawn amount within an agreed limit under a line of credit and that contains an early amortization feature. The likelihood of triggering an early amortization increases as the level of excess spread declines. Accordingly, a bank would be required to hold increasing amounts of risk-based capital as the probability of an early amortization event increases. Total risk-based capital requirements for securitization transactions subject to the early amortization capital requirement continue to be limited by the maximum capital requirement discussed earlier. Policies should also address the use of early amortization clauses, including realistic consideration of contingency funding plans, capital plans, and reporting systems necessary to monitor and assess the risk and likelihood of an early amortization event.

  555. For an originating bank, the risk-weighted asset amount for the investors' interest in the securitization is equal to the product of the following four quantities: (1) The investors' interest EAD; (2) the appropriate conversion factor; (3) KIRB; and 12.5. Under the securitization framework, the investors' interest is made up of the investors' drawn balances and the EAD associated with the investors' undrawn lines. The undrawn balances of the securitized exposures would be allocated between the seller's and investors' interests on a pro rata basis, based on the proportions of the seller's and investors' shares of the securitized drawn balances.

  556. Once the transaction's structure has been determined, the level of excess spread must also be considered in determining the applicable credit conversion factor for uncommitted credit lines. To determine the capital to be held against the investors' interest in a securitization of uncommitted retail exposures, the bank should compare the three- month average excess spread to the point at which the bank is required to trap excess spread as required by the structure. When the transaction does not require excess spread to be trapped, the trapping point is 4.5 percent. For securitization trusts that issue several series with spread capture points that vary (e.g., credit card master trust structures), the trapping point for this provision would be the most conservative series in the trust. The bank should divide the excess spread level by the trapping point, and then reference Table 8 in section 47 of the NPR to determine which conversion factor is applicable.

    1. Data Management Requirements

    1. Data Elements

    S 11-15 Banks should retain the specific data elements necessary to calculate the appropriate securitization risk-based capital requirement.

  557. Reporting systems should produce, at least monthly, information that captures overall securitization activity, as well as specific data elements of individual transactions. Performance tracking should include vintage performance, cash collections, cash flow sensitivity, covenant compliance, and, when applicable, potential for early amortization events. Accounting methods, residual valuation methods, and regulatory reporting requirements should be in writing and consistently applied. The valuation assumptions for retained interests and servicing assets or liabilities should be conservative, fully documented, and reviewed by senior management on a regular basis. Accurate and timely risk-based capital calculations should be maintained that include the recognition and reporting of any recourse obligation resulting from securitization transactions.

  558. Refer to this chapter's Appendix B, ``Data Elements for Securitization Exposures,'' for further details on the data elements that a bank's reporting systems should electronically capture and store.

    Appendix A: Description of the Supervisory Formula Approach (SFA)

    This appendix provides illustrative examples to demonstrate how the framework described in this guidance applies to different securitization exposures. The examples provide insight into the SFA capital calculation and the KIRBboundary, as well as the supervisory capital add-ons, in addition to its application to products which represent tranched cover.

    The supervisory formula capital requirement for a given unrated securitization exposure is calculated as UE * TP multiplied by the greater of: (i) .0056 [middot] T, or (ii) S[L + T]-S[L] where:

    [[Page 9155]]

    [GRAPHIC] [TIFF OMITTED] TN28FE07.011

    RWA are determined when the supervisory formula output is multiplied by 12.5.

    The factor (i) above imposes a 56 basis point minimum or floor IRB risk-based capital requirement per dollar of tranche exposure. Regulators have imposed this floor because the supervisory formula regularly produces a risk-based capital requirement of nearly zero for high quality tranches that, nonetheless, have positive credit risk. The floor is equivalent to the RBA risk-based capital requirement for an externally rated AAA securitization exposure, which lessens the potential regulatory capital arbitrage opportunities that could arise.

    Factor (ii) represents the supervisory formula, which derives capital for the tranche in question by computing capital for the tranche of interest and all tranches beneath it (S[L + T]) and subtracting from that the capital for all tranches beneath the tranche of interest (S[L]). For tranches with credit enhancement levels below KIRB(Y IRB), the supervisory formula assigns a dollar-for-dollar capital requirement.

    For tranches with greater credit enhancement levels (Y > KIRB), the supervisory formula produces a risk-based capital requirement that is a blend of credit risk modeling and supervisory judgment. The function K[Y] represents a pure model-based estimate of the underlying securitized pool's aggregate systematic or non- diversifiable credit risk that is attributable to a first-loss position covering loss up to and including Y. Because the tranche of interest covers losses over a specified range (defined in terms of L and T), its systematic risk can be represented as K[L + T] - K[L].

    Unquestionably, the supervisory formula appears very complex, but actually the mechanics are algebraic in nature and merely require the user to determine certain inputs and solve. To better understand the components of the supervisory formula, it is best to begin with the model-based estimate of credit risk, the K[Y] term. This estimate of risk is given by the following equation:

    [GRAPHIC] [TIFF OMITTED] TN28FE07.012

    [[Page 9156]]

    where [beta][Y;a,b] is shorthand for the Beta distribution. For the purpose of calculating the supervisory formula, it is sufficient to know that the Beta distribution, when suitably transformed and normalized, can be used to model the loss distribution given that the systematic risk factor is at the 99.9th percentile. Even more concretely, the Beta distribution evaluated at the specified parameters is a number which can be readily calculated in Excel using the betadist (L,a,b) function.

    The model used to estimate the non-diversifiable risk in the pool of exposures is developed from the class of credit value-at-risk (CVaR) models known as asymptotic single risk factor models (ASRF models). In essence, ASRF models simplify the many forces that may affect a pool of exposures by assuming that there is only one ``risk factor'' that causes credit losses to be correlated across exposures. Alternatively, one can think of the single risk factor as a random variable encompassing the many possible states of economic activity--from very good to very bad. Under the ASRF assumptions, CVaR for a portfolio is equal to the portfolio's expected credit losses over the modeling horizon given a very bad state of the economy. (The pattern of losses that result when the risk factor takes on a specific value is also known as the conditional loss distribution.) The SFA calculates the capital necessary to cover credit losses over a one-year horizon when the risk factor is at the 99.9th percentile i.e., when economic conditions are as bad as the worst year in 1000 years. This is consistent with the approach applied throughout Basel II and the manner in which KIRBis calculated.

    The techniques commonly used to estimate the potential loss experience in ASRF models depend on the relationship between the risk factor and credit losses. In some cases, it is necessary to simulate the pattern of potential losses that can result when the risk factor takes on high value--also known as Monte Carlo simulation. Monte Carlo techniques, while commonly used, require significant computing resources. In other cases, it may be possible to characterize this pattern of losses with an appropriate functional form. In language that is slightly more rigorous, it is possible to approximate the conditional loss distribution. Gordy and Jones (2003) undertook the task of specifying this ``reasonable functional form,'' which became the basis for the supervisory formula.\32\

    \32\ For those familiar with calculus, Gordy and Jones approximate the marginal amount of credit risk associated with an arbitrarily small slice of a tranche. From this, it is possible to calculate the risk-based capital requirements by integrating an appropriately parameterized approximation, which behaves similarly to a cumulative density function. Note that since integration yields the capital requirement for exposure up to and including the tranche of interest, it is necessary to subtract any subordinate exposures' capital requirements.

    Most of the expressions that comprise the supervisory formula arise due to the effort to describe the shape of the conditional loss function. Expressions (3) through (9), discussed below, are used to parameterize K[Y].

    [GRAPHIC] [TIFF OMITTED] TN28FE07.013

    Note that

    [GRAPHIC] [TIFF OMITTED] TN28FE07.014

    is the probability of default for one exposure in the pool when the risk factor is at the 99.9th percentile. Therefore,

    [GRAPHIC] [TIFF OMITTED] TN28FE07.015

    is the conditional probability that the exposure performs. Assuming that the exposures are conditionally independent, multiplying the probability of performance together N times (the effective number of exposures) yields the cumulative conditional probability that every exposure performs, or h.

    a and b are defined entirely in terms of g and c, defined below. They are used to simplify the notation of the Beta distribution.

    [GRAPHIC] [TIFF OMITTED] TN28FE07.016

    c is the approximation of the mean parameter for the ``fitting function'' and is given by:

    [GRAPHIC] [TIFF OMITTED] TN28FE07.017

    The ``fitting function'' approximates the pool's conditional loss distribution. This approximation is necessary to avoid using simulation or numerical methods to solve for K[Y] as previously mentioned. However, note that h (the cumulative conditional probability that every exposure performs) is likely to be small in most cases. Consequently, C will be approximately equal to KIRBunder normal circumstances.

    g is the precision parameter for the fitting function and is determined by c, f and v. This term arises from the processes through which Gordy and Jones approximate the conditional loss distribution.

    [GRAPHIC] [TIFF OMITTED] TN28FE07.018

    f is an approximation of the variance of the fitting function:

    [GRAPHIC] [TIFF OMITTED] TN28FE07.019

    Each securitization has rules governing how payments are disbursed to the tranches, often called the cash flow ``waterfall.'' These rules can be quite complex and the supervisory formula must handle the spectrum of different arrangements. In the model, the waterfall is represented by the tranche structure with the most junior tranche suffering losses up to its entire position before more senior tranches are affected. This simplification, while useful for modeling purposes, may not accurately describe the structure of a specific securitization.

    v is the variance of the conditional loss distribution:

    [GRAPHIC] [TIFF OMITTED] TN28FE07.020

    [[Page 9157]]

    In the portion of expression (1) related to the supervisory add-on the terms are included to prevent exploitation of inadequacies in the model's stylized representation of a securitization. The add-on applies primarily to positions with credit enhancement just above KIRBand its quantitative effect diminishes rapidly the farther Y is from KIRB. Returning to expression (1) we can extract the supervisory add-on portion:

    [GRAPHIC] [TIFF OMITTED] TN28FE07.021

    where

    [GRAPHIC] [TIFF OMITTED] TN28FE07.022

    Notice that expressions (3) through (10) do not change for a given securitization. In other words, since these expression do not contain information which is tranche-specific, the results from expressions (3) through (10) can be used when calculating S[Y] for any tranche of a given securitization if Y > KIRB.

    Example 1: Comprehensive SFA Calculation

    Because of the complexities associated with applying the SFA, a comprehensive example has been developed to aid in application.

    Transaction Summary

    A six-tranche, privately placed securitization with 10 underlying wholesale exposures will be used to illustrate the basic application of the SFA. Since none of the six tranches are externally rated, and the securitization does not meet the definition of an ABCP conduit, neither the RBA nor the IAA is applicable.

    Table 1 below identifies the characteristics of the ten underlying exposures in the securitized pool.

    Table 1.--Underlying Wholesale Exposure Characteristics

    Principal Exposure

    balance

    PD

    LGD EL percent Maturity IRB capital (EAD) (percent) (percent)

    (M)

    charge

  559. $5.00

    0.75

    35.0

    0.26

    5

    $0.35 2........................

    5.00

    0.75

    35.0

    0.26

    5

    0.35 3........................

    5.00

    0.75

    35.0

    0.26

    5

    0.35 4........................

    5.00

    0.75

    35.0

    0.26

    5

    0.35 5........................

    15.00

    0.50

    25.0

    0.13

    2

    0.43 6........................

    20.00

    1.25

    55.0

    0.69

    10

    2.59 7........................

    30.00

    1.25

    55.0

    0.69

    10

    3.87 8........................

    5.00

    0.75

    35.0

    0.26

    5

    0.35 9........................

    5.00

    0.75

    35.0

    0.26

    5

    0.35 10.......................

    5.00

    0.75

    35.0

    0.26

    5

    0.35 Pool.............................. 100.00

    0.96

    43.5

    0.46

    4.55

    9.34

    Calculation of Bank-Supplied Inputs

    In order to utilize the SFA, banks must supply seven inputs. Based upon the previously provided information regarding the securitization's structure and underlying collateral characteristics, each of the seven bank-supplied inputs can be calculated.

    N is the exposure-weighted number of exposures in the pool. In the stylized example, the wholesale securitization has 10 actual exposures; however, the effective number of exposures is much less than 10 because three larger exposures dominate the pool. To illustrate numerically:

    [GRAPHIC] [TIFF OMITTED] TN28FE07.023

    EWALGD is the exposure-weighted average loss given default for the underlying exposures. To illustrate numerically for our stylized example:

    [GRAPHIC] [TIFF OMITTED] TN28FE07.024

    [[Page 9158]]

    By utilizing the exposure-weighted average expected loss (0.46%) and the sum of the individual exposures' IRB capital requirements ($9.34, calculated using the wholesale IRB risk-weight function) KIRBcan be determined:

    [GRAPHIC] [TIFF OMITTED] TN28FE07.025

    UE is equivalent to the sum of the underlying exposures in the pool, or $100 in this case.

    TP is set to 100 percent in our example, primarily so that the aggregate capital requirement for the entire securitization, as well as individual charges for each tranche, can be illustrated.

    T represents a tranche's thickness or its size relative to the underlying securitized exposures, while L represents the credit enhancement level of the subject tranche. All things being equal, a thicker tranche will generate a higher SFA capital requirement in dollar terms relative to a thinner tranche. Further, a tranche with a higher credit enhancement level, all things being equal, will generate a lower SFA capital requirement than one with a lower credit enhancement level.

    The tranches, in order of seniority from most senior to most junior, have notional values of $60, $15, $10, $8, $5 and $2, which we designate Tranche A through Tranche F, respectively. Table 2 below depicts the calculation of L and T for each tranche of the securitization.

    [GRAPHIC] [TIFF OMITTED] TN28FE07.026

    Calculating the Risk-Based Capital Requirement for Tranches A through F

    Using the seven bank-supplied inputs determined above, the SFA capital requirement can be calculated for each tranche of the securitization. The calculations for each tranche of the sample securitization are illustrated below. The calculations are categorized in three separate groups to display the idiosyncrasies of the SFA: (1) The tranches below KIRB(E and F), (2) the tranche straddling KIRB(D), and (3) the tranches above KIRB(A through C).

    Group 1: Tranches Below the KIRBBoundary

    The methodology for determining the capital requirements for Tranches E and F are equivalent since both L + T and L are below KIRB. Two important results are apparent when using the SFA for tranches below KIRB. First, the capital requirement for each tranche (E and F) is dollar-for-dollar. Put slightly differently, tranches of securitized exposures that absorb losses below KIRBare subject to dollar-for-dollar capital requirements. Second, when L + T IRB, no additional information beyond UE, TP, L and T is required to determine the SFA capital requirement. Since Tranches E and F are subject to dollar-for-dollar (100 percent) charges, they clearly exceed the 56 basis point floor. The capital requirement calculations for Tranches E and F are displayed below to reinforce this concept:

    Tranche E: UE [middot] TP [middot] ((L + T) - L) = $100 [middot] 100%

    [middot] ((2% + 5%) - 2%) = $5 Tranche F: UE [middot] TP [middot] ((L + T) - L) = $100 [middot] 100%

    [middot] ((0% + 2%) - 0%) = $2

    Group 2: Tranche Straddling the KIRBBoundary

    Tranche D straddles KIRBsince L + T > KIRB (15% > 9.80%) and L IRB, (7% KIRB, the bank would have to calculate equations (3) through (10) to determine S[L + T]. As noted previously, only UE, TP and L are necessary to determine S[L] since L IRB.As noted in the ``Mechanics of the SFA'' section of this guidance, equations (3) through (10) do not change

    [[Page 9159]]

    for a given securitization. The calculations for equations (3) through (10) for the sample securitization are included below:

    [GRAPHIC] [TIFF OMITTED] TN28FE07.027

    [GRAPHIC] [TIFF OMITTED] TN28FE07.028

    Next, the supervisory add-on term can be calculated. First the value for K[KIRB] is calculated:

    [GRAPHIC] [TIFF OMITTED] TN28FE07.029

    K[KIRB] is then substituted into the full supervisory add-on term:

    [[Page 9160]]

    [GRAPHIC] [TIFF OMITTED] TN28FE07.030

    Since S[L + T] is a combination of the model-based estimate of non- diversifiable credit risk (K[L + T]) and the supervisory add-on, S[L + T] can be determined as follows:

    S[15%] = 7.96% + 3.87% = 11.83%

    Since L IRB, can easily be determined in the same fashion used for Tranches E and F. S[L + T] - S[L] = 11.83% - 7% = 4.83%. Since 4.83 percent exceeds the 56 basis point floor (.56%

    [middot] 8% = .45%), the SFA capital requirement for Tranche D is: Tranche D: UE [middot] TP [middot] (S[L + T] - S[L]) = $100 [middot] 100% [middot] (4.83%) = $4.83

    Group 3: Tranches Above the KIRBBoundary

    Tranches A through C all lie above the KIRBboundary. The calculations for each of these tranches are given below. Again, the prior calculations for equations (3) through (10) can be used for Tranches A through C since these values are the same for every tranche of a securitization. Further simplifying the task, S[L] equals S[L + T] for the tranche immediately junior. Tranche A

    [GRAPHIC] [TIFF OMITTED] TN28FE07.031

    Tranche B

    [GRAPHIC] [TIFF OMITTED] TN28FE07.032

    Tranche C

    [[Page 9161]]

    [GRAPHIC] [TIFF OMITTED] TN28FE07.033

    The next step is verifying whether any of the above capital calculations for tranches A, B, or C violate the 56 basis point supervisory floor. In dollar terms, the above formulas produce capital requirements for these tranches equal to $0.02, $0.38, and $1.44, respectively, while the corresponding floors are $0.34 (=.56% [middot] $60), $.08 (=.56% [middot] $15), and $0.06 (=.56% [middot] $10). Thus, the floor is binding only for tranche A, whose capital charge is increased to $0.34. The SFA capital requirement for each tranche is presented below:

    Tranche A: UE [middot] TP [middot] (.0056 [middot] T) = $100 [middot] 100% [middot] .34% = $0.34 Tranche B: UE [middot] TP [middot] (S[40%] - S[25%]) = $100 [middot] 100% [middot] .38% = $0.38 Tranche C: UE [middot] TP [middot] (S[25%] - S[15%]) = $100 [middot] 100% [middot] 1.44 = $1.44

    Summary

    Table 3 below summarizes the SFA-produced capital requirements for each tranche of the securitization:

    Table 3.--SFA Capital Requirements for Example 1

    SFA capital Tranche

    Tranche amount requirement

    A.......................................

    $60

    $0.34 B.......................................

    15

    0.38 C.......................................

    10

    1.44 D.......................................

    8

    4.83 E.......................................

    5

    5.00 F.......................................

    2

    2.00

    Total...............................

    100

    13.98

    The 56 basis point floor, supervisory add-on, and below KIRBdeduction requirements can result, as in the case of this example, with the aggregate capital requirement for a bank exceeding the implied capital requirement for the underling exposures. For this reason, the total capital that an entity must hold is capped at the level implied by KIRB(UE [middot] TP [middot] KIRBalso referred to as the KIRBcap). Whether this bank is subject to the cap depends on which tranches the bank retains. For example, if the bank sold all but Tranches E and F, the KIRBcap would not apply since the aggregate capital requirement ($7) would be less than the charge implied by KIRB($9.80). However, if the bank retained Tranche D in addition to Tranches E and F, then the aggregate SFA capital requirement ($11.83) would exceed the KIRBcap and the risk- based capital requirement would be capped at $9.80.

    Example 2: Sale of a Pool of Mortgages With Partial Recourse

    Transaction Summary

    A bank sells a high-quality mortgage loan pool of $100. As a condition of the sale, the bank agrees to cover the first $10 of losses on mortgages. The bank correctly applies GAAP accounting and removes the sold loans from its books, while establishing a $0.40 recourse liability reserve (valuation allowance) for the estimated fair market value of the recourse liability. Note that this is a specific reserve, not a general reserve. The characteristics of the sold mortgage loan pool are noted below:

    Table 4.--Underlying Mortgage Loan Pool Characteristics

    Principal Exposure

    balance PD LGD EL IRB capital KIRB (EAD)

    requirement

    Retail......................................... $ 100.00 0.50% 10.0% 0.05%

    $ 0.62 0.67%

    The transaction noted above is an example of tranched cover. In this case, the bank has agreed to absorb the first $10 of losses, which results in the selling bank retaining a disproportionate risk position in the transaction. As a result of this contractual sales agreement, two distinct credit risk positions are created: (1) A $90 senior position and (2) a $10 junior position. Since neither position carries an external rating, the SFA is the appropriate method with which to determine the capital requirement, provided the seller and the purchaser are eligible to use it.

    Calculation of Bank-Supplied Inputs

    Table 5 below shows the values for L and T. Because this is a retail securitization, h and v can be set to zero. We continue to assume that TP = 100%.

    [[Page 9162]]

    [GRAPHIC] [TIFF OMITTED] TN28FE07.034

    Calculation of the SFA Capital Requirement for Tranche 1 and 2

    [GRAPHIC] [TIFF OMITTED] TN28FE07.038

    In the case of Tranche 1, S[L + T] - S[L] IRBcap (UE [middot] TP [middot] KIRB= $100

    [middot] 100% [middot] (.67%) = $.67) and is reduced to $.67.

    Summary

    Table 7 below summarizes the SFA capital requirement for each tranche of the securitization. Note, in this example, the originating bank established a $.40 recourse reserve liability with a charge through earnings. However, while such reserves can be used to offset deductions from capital required under the Securitization Framework, they cannot be used to offset a position's risk-based capital requirement. Thus, the risk-based capital requirement for Tranche 2 is not reduced by the valuation allowance and remains $0.67.

    Another interesting feature of this example is that because the investing bank holds Tranche 1 and the originating bank holds Tranche 2, the SFA produces an aggregate capital requirement for the entire transaction ($1.17) that is well above the KIRBcap ($0.67). The capital required in excess of the KIRBcap is the result of the 56 basis point floor capital requirement assessed against Tranche 1. Without the floor, Tranche 1 would not receive a capital requirement. The investing bank is assessed a capital requirement even though the originating bank is subject to the KIRBcap. If the investing bank could not calculate KIRBbecause the bank cannot compute the risk-based capital requirement for all underlying exposures, the entire $90 position would be deducted from capital.

    Table 7.--SFA Capital Requirements for Example 2

    SFA capital Tranche

    Tranche amount requirement

  560. $90

    $0.50 2.......................................

    10

    0.67

    Total...............................

    100

    1.17

    Example 3: Collateralized Loan Obligation--SFA and RBA Interaction

    Transaction Summary

    This example represents a typical cash-funded collateralized loan obligation using corporate loans. The example assumes that the originating bank retains an unrated residual exposure to Class E and that investing banks acquire the externally rated tranches.

    Since the Class E exposure is unrated and is not an ABCP exposure, the originating bank can use the SFA provided it is eligible and can calculate

    [[Page 9163]]

    all the necessary inputs. Table 8 below identifies the characteristics of the aggregated underlying exposures in the securitized pool. We assume for simplicity that the effective number of exposures (N) is set to 100 and TP to 100 percent.

    Table 8.--Underlying Loan Pool Characteristics

    IRB capital Exposure

    Principal balance (EAD)

    EL requirement KIRB

    Wholesale.................................... $ 100.00....................... 1.32%

    $ 7.32 8.64%

    Calculation of Bank-Supplied Inputs

    Table 9 below identifies the other inputs necessary for the originating bank to calculate the SFA for Tranche E (e.g. L and T) and the external ratings necessary for the investing banks to apply the RBA.

    [GRAPHIC] [TIFF OMITTED] TN28FE07.035

    Originating Bank Capital Calculation

    Table 10 below provides the various calculations necessary for the originating bank to apply the SFA to Tranche E.

    [[Page 9164]]

    [GRAPHIC] [TIFF OMITTED] TN28FE07.039

    Using values from Table 10 above, the SFA capital requirement can be determined as follows:

    Tranche E: UE [middot] TP [middot] (S[L + T] - S[L]) =$100 [middot] $100% [middot] (9.59%) = $9.59

    Again we have a case where the capital requirement for Tranche E exceeds the KIRBcap (UE [middot] TP [middot] KIRB= $100 [middot] $100% [middot]8.64% = $8.64) and is reduced accordingly.

    Investing Bank Capital Calculation:

    For an investing bank, Table 11 below illustrates the amount of required capital for each of the rated tranches after applying the RBA. The relevant RBA risk weights in this example depend not only on the external rating, but also on the tranche's seniority.

    Table 11.--RBA Risk Weights Applicable to Rated Tranches

    RBA risk

    Capital as Tranche

    Rating

    Exposure weights Required % of (percent) capital exposure

    A................................... ``AAA''............... $ 67.50

    7

    $0.38

    0.56 B................................... ``AA''................

    7.50

    15

    0.09

    1.20 C................................... ``A''.................

    8.00

    20

    0.13

    1.60 D................................... ``BBB''...............

    5.00

    75

    $0.30

    6.00

    Comparison of RBA and SFA Generated Capital Requirements

    Table 12.--RBA and SFA Capital Requirements for Example 3

    SFA capital Tranche

    Tranche amount requirement

    A.......................................

    $ 67.50

    $ 0.38 B.......................................

    7.50

    0.09 C.......................................

    8.00

    0.13 D.......................................

    5.00

    0.30 E.......................................

    12.00

    8.64

    Total...............................

    100.00

    9.54

    If the other classes of notes were held by the originating bank, the RBA would be used to determine required capital since all of these classes are rated. Notably, regardless of how many classes are held in addition to Class E, the total amount of capital that the originating bank must hold for the transaction will not exceed the KIRB cap ($8.64).

    Appendix B: Examples of Data Elements for Securitization Exposures

    For illustrative purposes, this appendix provides examples of the kinds of data elements banks should collect under an IRB data management framework for securitization exposures.

    For All Securitization Exposures

    The description and amount of each exposure;

    The fundamental characteristics of the exposure (e.g., tenor, fixed or variable rates, call, and early amortization features);

    The exposure's initial rating and effective date;

    The amount of any exposures deducted from risk-based capital under provisions of the framework;

    A description and amount of exposure limits at the aggregate and transaction level;

    A description and amount of concentration limits, for the underlying exposure level and capital;

    The person who authorizes limit and concentration levels, and his or her authority levels; and

    Reports of all policy exceptions.

    For Exposures Subject to the Ratings-Based Approach

    The NRSRO providing the rating;

    Documentation indicating that the exposure is part of the surveillance/monitoring program, is publicly published, and is in transition matrices;

    A description and amount of any rated security supporting an inferred rating;

    Seniority and granularity (for non-retail securitizations) of the exposure;

    Whether the NRSRO rating is a short-term or long-term credit assessment;

    The risk-weight schedule used, and the risk-weight column applied; and

    The date, magnitude, and details of any rating changes.

    [[Page 9165]]

    For Exposures Subject to the Internal Assessment Approach

    The name of the sourced NRSRO, and the rating criteria for the referenced asset class;

    The criteria used for selecting the NRSRO;

    NRSRO stress loss factors used for each ICA;

    Historical loss and dilution estimates used in applying NRSRO criteria;

    Seller-servicer rating assignment, if any;

    Any quantitative adjustments to ratings criteria, stress loss factors, or loss estimates based upon qualitative judgments (e.g., seller-servicer strength, concentration, etc.);

    The external rating for the commercial paper issued by the ABCP program (that is supported by the exposure);

    Seniority and granularity of the exposure;

    Whether the ICA is a short-term or long-term credit assessment;

    The risk-weight schedule used, and the risk-weight column applied;

    The person or model responsible for assigning the rating;

    Any overrides to the rating and the authorizing official (if applicable); and

    The date, magnitude, and details of any rating changes.

    For Exposures Subject to the Supervisory Formula Approach

    The dollar amount of underlying exposures in the transaction (UE);

    The securitization exposure's proportion of the tranche (TP);

    The risk-based capital requirements of the underlying exposures as if they were held on the bank's balance sheet (KIRB);

    The exposure's credit enhancement level (L);

    The exposure tranche's thickness (T);

    The securitization transaction's effective number of underlying exposures (N); and

    The transaction's exposure-weighted loss-given-default (EWALGD).

    For Securitization Transactions With Early-Amortization Provisions (On a Monthly Basis)

    The total amount of the sold (investor's interest) and retained positions in the securitization transaction;

    The IRB risk-based capital requirements of the underlying exposures as if they were held on the originating bank's balance sheet;

    The excess spread-capture schedule for the transaction (or earliest spread capture requirement when multiple series are issued from a trust);

    The three-month average excess spread for the transaction (or the lowest three-month average within the trust);

    The designation of whether the amortization provision is ``controlled'' or ``non-controlled''; and

    The credit-conversion factor schedule (controlled or non- controlled) applied to the exposure, and the row and column applied.

    Attachment A--The NPR Qualification Requirements Related to the IRB Framework

    Part III. Qualification

    Section 22. Qualification Requirements \33\

    \33\ 71 FR 55922 through 55924 (Sept. 25, 2006).

    (a) Process and systems requirements. (1) A [bank] \34\ must have a rigorous process for assessing its overall capital adequacy in relation to its risk profile and a comprehensive strategy for maintaining an appropriate level of capital.

    \34\ For simplicity, and unless otherwise noted, the NPR uses the term [bank] to include banks, savings associations, and bank holding companies. [AGENCY] refers to the primary Federal supervisor of the bank applying the rules.

    (2) The systems and processes used by a [bank] for risk-based capital purposes under this appendix must be consistent with the

    [bank] 's internal risk management processes and management information reporting systems.

    (3) Each [bank] must have an appropriate infrastructure with risk measurement and management processes that meet the qualification requirements of this section and are appropriate given the [bank]'s size and level of complexity. Regardless of whether the systems and models that generate the risk parameters necessary for calculating a

    [bank] 's risk-based capital requirements are located at any affiliate of the [bank], the [bank] itself must ensure that the risk parameters and reference data used to determine its risk-based capital requirements are representative of its own credit risk and operational risk exposures.

    (b) Risk rating and segmentation systems for wholesale and retail exposures. (1) A [bank] must have an internal risk rating and segmentation system that accurately and reliably differentiates among degrees of credit risk for the [bank]'s wholesale and retail exposures.

    (2) For wholesale exposures, a [bank] must have an internal risk rating system that accurately and reliably assigns each obligor to a single rating grade (reflecting the obligor's likelihood of default). The [bank]'s wholesale obligor rating system must have at least seven discrete rating grades for non-defaulted obligors and at least one rating grade for defaulted obligors. Unless the [bank] has chosen to directly assign ELGD and LGD estimates to each wholesale exposure, the

    [bank] must have an internal risk rating system that accurately and reliably assigns each wholesale exposure to loss severity rating grades (reflecting the [bank]'s estimate of the ELGD and LGD of the exposure). A [bank] employing loss severity rating grades must have a sufficiently granular loss severity grading system to avoid grouping together exposures with widely ranging ELGDs or LGDs.

    (3) For retail exposures, a [bank] must have a system that groups exposures into segments with homogeneous risk characteristics and assigns accurate and reliable PD, ELGD, and LGD estimates for each segment on a consistent basis. The [bank]'s system must group retail exposures into the appropriate retail exposure subcategory and must group the retail exposures in each retail exposure subcategory into separate segments. The [bank]'s system must identify all defaulted retail exposures and group them in segments by subcategories separate from non-defaulted retail exposures.

    (4) The [bank]'s internal risk rating policy for wholesale exposures must describe the [bank]'s rating philosophy (that is, must describe how wholesale obligor rating assignments are affected by the

    [bank] 's choice of the range of economic, business, and industry conditions that are considered in the obligor rating process).

    (5) The [bank]'s internal risk rating system for wholesale exposures must provide for the review and update (as appropriate) of each obligor rating and (if applicable) each loss severity rating whenever the [bank] receives new material information, but no less frequently than annually. The [bank]'s retail exposure segmentation system must provide for the review and update (as appropriate) of assignments of retail exposures to segments whenever the [bank] receives new material information, but no less frequently than quarterly.

    (c) Quantification of risk parameters for wholesale and retail exposures. (1) The [bank] must have a comprehensive risk parameter quantification process that produces accurate, timely, and reliable estimates of the risk parameters for the [bank]'s wholesale and retail exposures.

    (2) Data used to estimate the risk parameters must be relevant to the [bank]'s actual wholesale and retail

    [[Page 9166]]

    exposures, and of sufficient quality to support the determination of risk-based capital requirements for the exposures.

    (3) The [bank]'s risk parameter quantification process must produce conservative risk parameter estimates where the [bank] has limited relevant data, and any adjustments that are part of the quantification process must not result in a pattern of bias toward lower risk parameter estimates.

    (4) PD estimates for wholesale and retail exposures must be based on at least 5 years of default data. ELGD and LGD estimates for wholesale exposures must be based on at least 7 years of loss severity data, and ELGD and LGD estimates for retail exposures must be based on at least 5 years of loss severity data. EAD estimates for wholesale exposures must be based on at least 7 years of exposure amount data, and EAD estimates for retail exposures must be based on at least 5 years of exposure amount data.

    (5) Default, loss severity, and exposure amount data must include periods of economic downturn conditions, or the [bank] must adjust its estimates of risk parameters to compensate for the lack of data from periods of economic downturn conditions.

    (6) The [bank]'s PD, ELGD, LGD, and EAD estimates must be based on the definition of default in this appendix.

    (7) The [bank] must review and update (as appropriate) its risk parameters and its risk parameter quantification process at least annually.

    (8) The [bank] must at least annually conduct a comprehensive review and analysis of reference data to determine relevance of reference data to [bank] exposures, quality of reference data to support PD, ELGD, LGD, and EAD estimates, and consistency of reference data to the definition of default contained in this appendix.

    (d) Counterparty credit risk model. A [bank] must obtain the prior written approval of [AGENCY] under section 32 to use the internal models methodology for counterparty credit risk.

    (e) Double default treatment. A [bank] must obtain the prior written approval of [AGENCY] under section 34 to use the double default treatment.

    (f) Securitization exposures. A [bank] must obtain the prior written approval of [AGENCY] under section 44 to use the internal assessment approach for securitization exposures to ABCP programs.

    (g) Equity exposures model. A [bank] must obtain the prior written approval of [AGENCY] under section 53 to use the internal models approach for equity exposures.

    --Text omitted--

    (i) Data management and maintenance. (1) A [bank] must have data management and maintenance systems that adequately support all aspects of its advanced systems and the timely and accurate reporting of risk- based capital requirements.

    (2) A [bank] must retain data using an electronic format that allows timely retrieval of data for analysis, validation, reporting, and disclosure purposes.

    (3) A [bank] must retain sufficient data elements related to key risk drivers to permit adequate monitoring, validation, and refinement of its advanced systems.

    (j) Control, oversight, and validation mechanisms. (1) The [bank]'s senior management must ensure that all components of the [bank]'s advanced systems function effectively and comply with the qualification requirements in this section.

    (2) The [bank]'s board of directors (or a designated committee of the board) must at least annually evaluate the effectiveness of, and approve, the [bank]'s advanced systems.

    (3) A [bank] must have an effective system of controls and oversight that:

    (i) Ensures ongoing compliance with the qualification requirements in this section;

    (ii) Maintains the integrity, reliability, and accuracy of the

    [bank] 's advanced systems; and

    (iii) Includes adequate governance and project management processes.

    (4) The [bank] must validate, on an ongoing basis, its advanced systems. The [bank]'s validation process must be independent of the advanced systems'' development, implementation, and operation, or the validation process must be subjected to an independent review of its adequacy and effectiveness. Validation must include:

    (i) The evaluation of the conceptual soundness of (including developmental evidence supporting) the advanced systems;

    (ii) An on-going monitoring process that includes verification of processes and benchmarking; and

    (iii) An outcomes analysis process that includes back-testing.

    (5) The [bank] must have an internal audit function independent of business-line management that at least annually assesses the effectiveness of the controls supporting the [bank]'s advanced systems and reports its findings to the [bank]'s board of directors (or a committee thereof).

    (6) The [bank] must periodically stress test its advanced systems. The stress testing must include a consideration of how economic cycles, especially downturns, affect risk-based capital requirements (including migration across rating grades and segments and the credit risk mitigation benefits of double default treatment).

    (k) Documentation. The [bank] must adequately document all material aspects of its advanced systems

    Attachment B--Supervisory Standards

    Chapter 1: Advanced Systems for Credit Risk

    S 1-1 An IRB system must have five interdependent components that enable an accurate measurement of credit risk and risk-based capital requirements.

    S 1-2 Senior management must ensure that all of the components of the bank's advanced systems for credit risk function effectively and comply with the qualification requirements in the NPR.

    S 1-3 The board of directors or its designated committee must at least annually evaluate the effectiveness of, and approve, the bank's advanced systems.

    S 1-4 Each bank (including each depository institution) must ensure that the risk parameters and reference data used to determine its risk- based capital requirements are representative of its own credit risk.

    S 1-5 Banks should establish specific accountability for the overall performance of their advanced systems for credit risk.

    S 1-6 A bank's advanced systems should be transparent.

    Chapter 2: Wholesale Risk Rating Systems

    S 2-1 Banks must identify obligor defaults in accordance with the IRB definition of default.

    S 2-2 Banks should demonstrate that their wholesale risk rating processes are sufficiently independent to produce objective ratings.

    S 2-3 IRB risk rating systems must have two dimensions obligor default and loss severity corresponding to PD (obligor default), and ELGD and LGD (loss severity).

    S 2-4 Banks must assign discrete obligor rating grades.

    S 2-5 The obligor rating system must rank obligors by likelihood of default.

    S 2-6 Banks must assign an obligor to only one rating grade.

    S 2-7 A bank's rating policy must describe its ratings philosophy and how quickly obligors are expected to migrate from one rating grade to another in response to economic cycles.

    S 2-8 In assigning an obligor to a rating grade, a bank should assess the risk of obligor default over a period of

    [[Page 9167]]

    at least one year taking into account the possibility of adverse economic conditions.

    S 2-9 Banks must have at least seven discrete obligor rating grades for non-defaulted obligors and at least one rating grade for defaulted obligors.

    S 2-10 Banks should justify the number of obligor rating grades used in its risk rating system and the distribution of obligors across those grades.

    S 2-11 Banks may recognize implied support as a rating criterion subject to specific supervisory considerations; however, banks should not rely upon the possibility of U.S. government financial assistance, except for the financial assistance that the U.S. government has legally committed to provide.

    S 2-12 Banks must have a loss severity rating system that is able to assign loss severity estimates (ELGD and LGD) to each wholesale exposure.

    S 2-13 Banks should have empirical support for their loss severity rating system and the rating system should be capable of supporting the quantification of ELGD estimates (and LGD estimates if approved for internal estimates).

    S 2-14 Banks must have a sufficiently granular loss severity rating system to group exposures with similar estimated loss severities or a process that assigns estimated ELGDs and LGDs to individual exposures.

    S 2-15 Rating criteria should be written, clear, consistently applied, and include the specific qualitative and quantitative factors used in assigning ratings.

    S 2-16 Risk ratings must be updated whenever new material information is received, but in no instance less than annually.

    Chapter 3: Retail Segmentation Systems

    S 3-1 Banks must use the IRB definition of default when identifying defaulted retail exposures.

    S 3-2 Banks must first place exposures into one of the three retail exposure subcategories (residential mortgage, QRE, and other retail). Banks must then separate exposures into segments with homogeneous risk characteristics.

    S 3-3 A retail segmentation system must produce segments that accurately and reliably differentiate risk and produce accurate and reliable estimates of the risk parameters.

    S 3-4 Banks should clearly define and document the criteria for assigning an exposure to a particular retail segment.

    S 3-5 Banks should develop and document their policies to ensure that risk-driver information is sufficiently accurate and timely to track changes in underlying credit quality and that the updated information is used to assign exposures to appropriate segments.

    S 3-6 The bank's retail exposure segmentation system must provide for the review and update (as appropriate) of assignments of retail exposures to segments whenever the bank receives new material information, but no less frequently than quarterly.

    Chapter 4: Quantification

    S 4-1 Banks should have a fully specified process covering all aspects of quantification (reference data, estimation, mapping, and application). The quantification process should be fully documented.

    S 4-2 Risk parameter estimates must be based on the IRB definition of default. At least annually, a bank must conduct a comprehensive review and analysis of reference data to determine the relevance of reference data to the bank's exposures, quality of reference data to support risk parameter estimates, and consistency of reference data to the IRB definition of default.

    S 4-3 Banks must separately quantify wholesale risk parameter estimates before adjusting the estimates for the impact of eligible guarantees and eligible credit derivatives.

    S 4-4 Banks may take into account the risk-reducing effects of guarantees in support of retail exposures when quantifying the PD, ELGD, and LGD of the segment.

    S 4-5 Banks may only reflect the risk-reducing benefits of tranched guarantees of multiple retail exposures by meeting the definition and operational criteria for synthetic securitizations.

    S 4-6 At a minimum, the quantification process and the resulting risk parameters must be reviewed annually and updated as appropriate.

    S 4-7 Quantification should be based upon the best available data for the accurate estimation of the risk parameters.

    S 4-8 The sample period for the reference data must meet the minimum length for each risk parameter by portfolio.

    S 4-9 The reference data must include periods of economic downturn conditions, or the parameter estimates must be adjusted to compensate for the lack of data from such periods.

    S 4-10 Banks should clearly document how they adjust for the absence of significant data elements in either the reference data set or the existing portfolio.

    S 4-11 Judgmental adjustments to risk parameter estimates, either upward or downward, may be an appropriate part of the quantification process, but must not result in an overall bias toward lower risk parameter estimates.

    S 4-12 Risk parameter estimates should incorporate a degree of conservatism that is appropriate for the overall rigor of the quantification process.

    S 4-13 Mapping should be based on a comparison of available data elements that are common to the existing portfolio and each reference data set.

    S 4-14 A mapping process should be established for each reference data set and for each estimation model.

    S 4-15 Banks that combine estimates from internal and external data or that use multiple estimation methods should have a clear policy governing the combination process and should examine the sensitivity of the results to alternative combinations.

    S 4-16 The aggregation of risk parameter estimates from individual exposures within rating grades or segments should be governed by a clear and well-documented policy.

    S 4-17 PD estimates must be empirically based and must represent a long-run average.

    S 4-18 Effects of seasoning, when material, must be considered in the PD estimates for retail portfolios.

    S 4-19 ELGD and LGD estimates must be empirically based and must reflect the concept of ``economic loss.''

    S 4-20 ELGD estimates must reflect the expected default-weighted average economic loss rate over a mix of economic conditions, including economic downturn conditions.

    S 4-21 LGD estimates must reflect expected loss severities for exposures that default during economic downturn conditions, and must be greater than or equal to ELGD estimates.

    S 4-22 A bank may use internal estimates of LGD only if supervisors have previously determined that the bank has a rigorous and well- documented process for assessing the effects of economic downturn conditions on loss severities and for producing LGD estimates consistent with downturn conditions. The process must appropriately identify downturn conditions, identify the impact of economic downturn conditions on loss rates, identify any material adverse correlations between drivers of default and LGD, and incorporate any identified correlations and/or downturn impact into the quantification of LGD.

    S 4-23 Estimates of additional drawdowns must reflect net additional draws expected during economic downturn periods.

    [[Page 9168]]

    S 4-24 Estimates of additional drawdowns prior to default for individual wholesale exposures or retail segments must not be negative.

    S 4-25 Quantification of the risk parameters should appropriately recognize the risk characteristics of exposures that were removed from reference data sets through loan sales or securitizations.

    Chapter 5: Wholesale Credit Risk Protection

    S 5-1 Risk-based capital benefits are only recognized for credit protection that transfers credit risk to third parties.

    S 5-2 Banks must ensure that credit protection for which risk-based capital benefits are claimed represents unconditional and legally binding commitments to pay on the part of the guarantors or counterparties.

    Chapter 6: Data Management and Maintenance

    S 6-1 Banks must collect and maintain sufficient data to support their IRB systems.

    S 6-2 For wholesale exposures, banks must collect, maintain, and analyze essential data for obligors and exposures. This should be done throughout the life and disposition of the credit exposure.

    S 6-3 Banks must capture and maintain all significant factors used to assign obligor and loss severity ratings.

    S 6-2 For retail exposures, banks must collect and maintain all essential data elements used in segmentation systems and the quantification process. The data must cover a period of at least five years and must include a period of economic downturn conditions, or the bank must adjust its estimates of risk parameters to compensate for the lack of data from periods of economic downturn conditions.

    S 6-5 Banks should ensure that outsourced activities performed by third parties are supported by sufficient data to meet IRB requirements.

    S 6-6 Banks should maintain data to allow for a thorough review of asset sale transactions.

    S 6-7 Banks should develop policies and controls around the integrity of the data maintained both internally and through third parties.

    S 6-8 Banks should document the process for delivering, retaining, and updating inputs to the data warehouse and ensuring data integrity.

    S 6-9 Banks must maintain detailed documentation of changes to the data elements supporting the IRB system.

    S 6-10 Banks must retain data using an electronic format that allows timely retrieval of data for analysis, validation, reporting, and disclosure purposes.

    Chapter 7: Controls and Validation

    S 7-1 Banks must have an effective system of controls that ensures ongoing compliance with the qualification requirements, maintains the integrity, reliability, and accuracy of the IRB system, and includes adequate governance and project management processes.

    S 7-2 Control processes should be independent and transparent to supervisors and auditors.

    S 7-3 The annual assessment of the IRB system presented to the board of directors should be supported by the bank's comprehensive and independent reviews of the IRB system.

    S 7-4 Validation activities must be conducted independently of the advanced systems' development, implementation, and operation, or subjected to an independent assessment of their adequacy and effectiveness.

    S 7-5 The systems and processes used by a bank for risk-based capital purposes must be consistent with the bank's internal risk management processes and management information reporting systems.

    S 7-6 Internal audit must, at least annually, assess the effectiveness of the controls supporting the IRB system and report its findings to the board of directors (or a committee thereof).

    S 7-7 A bank's validation policy should cover the key aspects of risk rating and segmentation systems and the quantification process.

    S 7-8 Validation must assess the accuracy of the risk rating and segmentation systems and the quantification process.

    S 7-9 Validation processes for risk rating and segmentation systems, and the quantification process must include the evaluation of conceptual soundness, ongoing monitoring, and outcomes analysis.

    S 7-10 Banks must evaluate the developmental evidence supporting the risk rating and segmentation systems and the quantification process.

    S 7-11 Banks must conduct ongoing process verification of the risk rating and segmentation systems and the quantification process to ensure proper implementation and operation.

    S 7-12 Banks must benchmark their risk rating and segmentation systems, and their risk parameter estimates.

    S 7-13 Banks must analyze outcomes and must develop statistical methods to backtest their risk rating and segmentation systems and the quantification process.

    S 7-14 Banks should establish ranges around the estimated values of risk parameter estimates and model results in which actual outcomes are expected to fall and have a validation policy that requires them to assess the reasons for differences and that outlines the timing and type of remedial actions taken when results fall outside expected ranges.

    S 7-15 Each of the three activities in the validation process should be conducted often enough to ensure the ongoing integrity, reliability, and accuracy of the IRB risk rating and segmentation systems, and the quantification process.

    S 7-16 Developmental evidence must be updated whenever significant changes in methodology, data, or implementation occur. Other validation activities must be ongoing and must not be limited to a point in time.

    Chapter 8: Stress Testing of Risk-Based Capital Requirements

    S 8-1 Banks must conduct and document stress testing of their advanced systems as part of managing risk-based capital.

    Chapter 9: Counterparty Credit Risk Exposure

    S 9-1 All transactions with a counterparty subject to a qualifying master netting agreement constitute a netting set and may be treated as a single exposure, otherwise each transaction shall have its risk-based capital requirement calculated on a standalone basis.

    S 9-2 Banks should have an appropriately documented process for determining whether transactions are eligible for an EAD adjustment approach if they choose to use an EAD adjustment approach.

    S 9-3 Banks must use the same method for determining risk-based capital requirements for all similar transactions.

    S 9-4 The method for calculating EAD for transactions subject to counterparty credit risk should be appropriate for the risk, extent, and complexity of the bank's activity.

    S 9-5 Banks that use the VaR model approach for single product netting sets of repo-style transactions or eligible margin loans must conduct rigorous and regular backtesting to validate its model.

    S 9-6 Banks must meet certain qualifying criteria that consist of operational requirements, modeling standards, and model validation requirements before receiving their primary Federal supervisor's approval to use the internal models method.

    S 9-7 Banks that use the internal models methodology for counterparty credit risk transactions must establish initial model validation and ongoing model review procedures. The model

    [[Page 9169]]

    review should consider whether the inputs and risk factors as well as the model outputs are appropriate. The review of outputs should include a backtesting regime that compares the model's output with realized exposures.

    Chapter 10: Risk-Weighted Assets for Equity Exposures

    S 10-1 Banks must apply the same methodology to like instruments.

    S 10-2 If a bank chooses to use an internal model, it must produce reliable estimates of the potential loss in the bank's portfolio from equity holdings under stress market conditions.

    S 10-3 Banks must validate internal models used for equity exposures.

    S 10-4 Internal models used to calculate risk-based capital requirements for equity exposures must be consistent with models used in the bank's risk management processes and management information reporting systems.

    Chapter 11: Securitizations

    S 11-1 Banks must use the securitization framework for any exposures that involve the tranching of credit risk (with the exception of a tranched guarantee that applies only to an individual retail exposure).

    S 11-2 Banks should develop written implementation policies and procedures describing the allowed approaches, methods of application, and designated responsibilities for complying with the securitization framework.

    S 11-3 Securitization transactions must transfer credit risk to at least one third party to qualify for treatment under the securitization framework.

    S 11-4 Banks that provide implicit support to securitization transactions must hold risk-based capital as if the underlying assets had not been securitized, and must deduct from Tier 1 capital any after-tax gain-on-sale resulting from the securitization.

    S 11-5 A clean-up call constitutes implicit support if, in exercising the call, the bank provides support in excess of its contractual obligation to provide support to the securitization.

    S 11-6 The maximum risk-based capital requirement for all securitization exposures held by a bank associated with a single securitization transaction is the amount of risk-based capital plus expected losses that would have been required had the underlying exposures not been securitized.

    S 11-7 Banks must follow the specified hierarchy of approaches to determine risk-weighted asset amounts for all securitization exposures.

    S 11-8 In order to use the RBA, the securitization exposure must be externally rated by an NRSRO, or be eligible for an inferred rating.

    S 11-9 The securitization transaction must have an external rating assigned by an NRSRO that fully reflects the credit risk associated with timely repayment of principal and interest.

    S 11-10 Banks should document the factors that support their use of the RBA.

    S 11-11 Banks' internal credit assessment processes should be comprehensive, transparent, independent, well-defined, and fully documented.

    S 11-12 Banks should analyze the servicer's capabilities and document the analysis in the internal assessment.

    S 11-13 The bank must validate its ICA process on an ongoing basis and at least annually the ICA process and results must be subject to the full range of the bank's IRB validation activities.

    S 11-14 Banks should document the securitization structure and loss prioritization.

    S 11-15 Banks should retain the specific data elements necessary to calculate the appropriate securitization risk-based capital requirement.

    Attachment C--Acronym List

    Acronym

    Definition

    ABCP................................... Asset-backed commercial paper. ABS.................................... Asset-backed security. AIR.................................... Accrued interest receivable. ALLL................................... Allowance for loan and lease losses. ANPR................................... Advance notice of proposed rulemaking. AR..................................... Accounts receivable. ARM.................................... Adjustable rate mortgage. ASRF................................... Asymptotic single risk factor model. CCR.................................... Counterparty Credit Risk. CF..................................... Credit conversion factor. CDO.................................... Collateralized debt obligations. CE..................................... Credit enhancement. CEIO................................... Credit-enhancing Interest-Only. CFR.................................... Code of Federal Regulations. CRM.................................... Credit risk mitigation. CUSIP.................................. Committee on Uniform Securities Identification Procedures. CVA.................................... Credit valuation adjustment. CVaR................................... Credit value-at-risk. EAD.................................... Exposure at default. EBITDA................................. Earnings before interest, taxes, depreciation and amortization. EE..................................... Expected exposure. EPE.................................... Expected positive exposure. EL..................................... Expected loss. ELGD................................... Expected loss given default. EWALGD................................. Exposure-weighted average loss given default. FASB................................... Financial Accounting Standards Board. FHLB................................... Federal Home Loan Bank. FIN.................................... Financial Accounting Standards Board interpretation number. FTSE................................... Financial Times Securities Exchange. GAAP................................... Generally accepted accounting principles. GDP.................................... Gross domestic product. GSE.................................... Government sponsored enterprise. HVCRE.................................. High-volatility commercial real estate. IAA.................................... Internal assessment approach. ICA.................................... Internal credit assessment. ID..................................... Identification. IMA.................................... Internal models approach. IRB.................................... Internal ratings-based. KIRB................................... Capital requirement for underlying pool of exposures (securitizations). L...................................... Credit enhancement level for the tranche of interest. LEQ.................................... Loan equivalent exposure. LF..................................... Liquidity facility. LGD.................................... Loss given default. LTV.................................... Loan-to-value ratio. M...................................... Effective maturity. MBS.................................... Mortgage-backed security. MSA.................................... Metropolitan statistical area. N...................................... Effective number of underlying exposures. NPR.................................... Noticed of proposed rulemaking. NRSRO.................................. Nationally recognized statistical rating organization. NSF.................................... Nonsufficient funds. OTC.................................... Over-the-counter. PD..................................... Probability of default. PE..................................... Peak exposure. PFE.................................... Potential future exposure. PMI.................................... Private mortgage insurance. QRE.................................... Qualifying revolving exposure. RBA.................................... Ratings-based approach. RE..................................... Real estate. RWA.................................... Risk-weighted assets. S&P.................................... Standard and Poors. SBIC................................... Small business investment company. SFA.................................... Supervisory formula approach. SPE.................................... Special purpose entity. T...................................... Thickness of the tranche of interest. TFR.................................... Thrift financial report. TP..................................... Percentage of the tranche of interest the bank owns. UE..................................... Underlying exposure. ULBII.................................. Unexpected losses from counterparty credit risk based on the Basel II capital requirement with an alpha of 1.0. ULCCR.................................. Unexpected losses from counterparty credit risk at a one year 99.9% confidence level based on banks internal models. USC.................................... U.S. Code. VaR.................................... Value-at-risk.

    [[Page 9170]]

    Proposed Supervisory Guidance on Advanced Measurement Approaches for Operational Risk

    Table of Contents

    1. Introduction

      1. Purpose

      2. Qualification Requirements, Supervisory Standards, and Operational Risk AMA Systems

      3. Supervisory Objectives and Approach II. Definitions III. Operational Risk Management

      4. Governance

      5. Board of Directors and Management Oversight

      6. Firm-Wide Operational Risk Management Function

      7. Line of Business Management

      8. Reporting IV. Operational Risk Data and Assessment

      9. Capture and Maintenance of Elements

      10. Internal Operational Loss Event Data

      11. External Operational Loss Event Data

      12. Scenario Analysis

      13. Business Environment and Internal Control Factors V. Operational Risk Quantification

      14. Analytical Framework

      15. Eligible Operational Risk Offsets

      16. Unit of Measure

      17. Accounting for Dependence

      18. Risk Mitigation

      19. Alternative Approaches for Depository Institutions

      20. Documentation of Operational Risk Quantification Systems VI. Data Management and Maintenance VII. Verification and Validation VIII. Appendices

      21. The NPR Qualification Requirements, Risk-Weighted Assets for Operational Risk, and Disclosure Requirements

      22. Supervisory Standards

      23. The NPR Qualification Process

      24. Basel II Operational Risk Information Collection Templates

      25. Operational Loss Event Types and Examples

    2. Introduction

      1. Purpose

        This document sets forth the supervisory guidance of the federal banking agencies \1\ (``Agencies'') for U.S. banks, savings associations, and bank holding companies (``banks'') that use Advanced Measurement Approaches (AMA) for calculating the risk-based capital requirement for operational risk under the Basel II capital regulation. The primary Federal supervisor will review a bank's AMA System relative to relevant regulatory requirements and this guidance to determine whether the bank may use Basel II-based rules to determine its risk- based capital requirements. Banks will have considerable flexibility in developing operational risk management, data and assessment, and quantification processes that are appropriate for the nature of their activities, business environment, and internal controls.

        \1\ The Federal banking agencies are: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

        This guidance should be considered with the related notice of proposed rulemaking (NPR), published in the Federal Register on September 25, 2006.\2\ The NPR proposes the AMA regulatory framework and the AMA qualification requirements for banks that are required to operate, or seek to operate, under that framework. This supervisory guidance provides additional detail regarding supervisory standards for operational risk management, data and assessment, and quantification processes that will help a bank comply with the qualification requirements in the NPR.

        \2\ 71 FR 55830 (Sept. 25, 2006).

      2. Qualification Requirements, Supervisory Standards, and Operational Risk AMA Systems

        Although operational risk is not a new risk, deregulation and globalization of financial services, together with the growing sophistication of financial technology, and new business activities and delivery channels are making banks' operational risk profiles (i.e., the level of operational risk across banks' activities and risk categories) more complex. As such, banks and supervisors are increasingly viewing operational risk management as a distinct risk discipline. The NPR and this guidance outline a more disciplined approach to operational risk management and measurement.

        The NPR establishes the qualification requirements that a bank must meet in order to use advanced systems for calculating its risk-based capital requirement. The NPR qualification requirements for banks using an AMA System to calculate the operational risk component of the bank's risk-based capital requirement are listed in Appendix A.\3\ This guidance identifies supervisory standards (``S'') that a bank should follow to implement and maintain an AMA System for regulatory capital purposes. Banks meeting these standards should be well positioned to demonstrate that their AMA System meets the qualification requirements of the NPR. The relevant supervisory standards are listed at the beginning of each major section of the guidance, with a full compilation of the standards provided in Appendix B. The standards establish broad regulatory guidelines, while providing each bank the ability to uniquely tailor the framework to its organizational structure and culture. This guidance should not be interpreted as weakening or superseding the safety and soundness principles articulated in existing statutes, or in the regulations or guidance issued by the Agencies.

        \3\ This guidance does not include all of the qualifying criteria contained in the NPR.

        The standards are organized into five major groupings: Operational risk management; operational risk data and assessment; operational risk quantification; data management and maintenance; and verification and validation. Operational risk management includes standards for the governance and organizational structures (including reporting) needed to manage operational risk. Operational risk data and assessment establishes the standards for a consistent and comprehensive capture of the four elements of the AMA.\4\ Operational risk quantification encompasses the standards governing the systems and processes that quantify a bank's operational risk exposure. The sections addressing data management and maintenance, and verification and validation, establish standards to help ensure that a bank's AMA System remains robust and relevant as its operational risk profile changes over time. The objectives of the standards are to help ensure rigor, integrity, and transparency for each bank's AMA System and the resulting operational risk component of the bank's risk-based capital requirement.

        \4\ The four elements of the AMA include internal operational loss event data, external operational loss event data, scenario analysis, and business environment and internal control factors. See Section IV for a detailed discussion of the supervisory standards for each element.

        A bank's AMA System should provide for the consistent application of operational risk policies and procedures throughout the bank, and address the roles of both the independent firm-wide operational risk management function and the lines of business. A sound AMA System will identify operational risk losses, calculate operational risk exposures and associated operational risk regulatory capital, promote risk management processes and procedures to mitigate or control operational risks, and help ensure that management is fully aware of emerging operational risk issues. This framework should also provide for the consistent and comprehensive capture and assessment of data elements needed to identify, measure, monitor, and control the bank's operational risk exposure. This includes identifying the nature, type(s), and underlying cause(s) of the operational loss event(s). Moreover, the

        [[Page 9171]]

        framework must also include independent verification and validation to assess the effectiveness of the controls supporting the bank's AMA System, including compliance with policies, processes, and procedures. Given the importance of these functions, the Agencies believe that a bank's validation and verification functions should begin their work soon after the bank has started to implement its AMA System.

        In practice, a bank's operational risk AMA System should reflect the scope and complexity of the business lines, as well as the corporate organizational structure. Each bank's operational risk profile is unique and requires a tailored risk management approach, appropriate for the scale and materiality of the risks present, and the size of the bank. There is no single framework that suits every bank; the Agencies expect that different banks will develop and implement unique risk management, data and assessment, and quantification systems, consistent with their culture and risk profile.

      3. Supervisory Objectives and Approach

        The supervisory standards in this document apply to banks subject to the Basel II regulation. However, the Agencies will not simply evaluate a bank's qualification using each of the individual supervisory standards. Supervisors will also assess how well the various components of a bank's AMA System complement and reinforce one another to achieve the overall objectives of effective management and measurement of operational risk.

        In performing their evaluation, the Agencies will exercise supervisory judgment in evaluating both the individual components and the overall AMA System. The NPR provides that the primary Federal supervisor may require a bank to assign a different risk-weighted asset amount for operational risk, to change aspects of its operational risk analytical framework (for example, distributional or dependence assumptions), or to make other changes to the bank's operational risk management processes, data and assessment systems, or quantification systems if the supervisor determines that the risk-weighted asset amount for operational risk produced by the bank is not commensurate with the bank's operational risk profile. The primary Federal supervisor may exercise this authority, for example, if it has identified significant changes or weakness within operational risk management processes that have not been appropriately captured in the bank's AMA System.

        A bank's AMA System will be assessed as part of the ongoing supervision process. Some elements of sound operational risk management (for example, internal controls and information technology) have long been subject to examination by supervisors. Where practical, supervisors will make every effort to leverage these examination activities to assess the effectiveness of AMA processes. Substantive weaknesses or changes in a bank's operational risk profile identified in an examination or through other supervisory activities will be factored into the AMA qualification process.\5\

        \5\ For example, mergers and acquisitions potentially change the operational risk profile of the bank, pose challenges in integrating operational risk management, data and assessment, and quantification processes of the affected banks, and consequently raise supervisory issues regarding a bank's AMA System. The Agencies will assess the effects of mergers and acquisitions as a part of the ongoing supervision of operational risk management.

        A part of the supervisory review will include an assessment of the bank's implementation plan.\6\ The implementation plan must address how the bank complies or plans to comply with the AMA qualification requirements. The plan must also address the qualifying standards for the bank and each consolidated subsidiary (U.S. and foreign-based). A comprehensive and sound planning and governance process to oversee the implementation efforts must also be maintained. For a complete description of the NPR's qualification process, please see Appendix C.

        \6\ A bank that becomes subject to the requirements of the rule must adopt a written implementation plan no later than six months after the later of the effective date of the final rule or the date the bank meets one of the applicability criterion of the rule. A bank that chooses to be subject to the requirements of the final rule must adopt a written implementation plan and notify its primary Federal supervisor in writing of its intent at least twelve months before it proposes to be subject to the first floor period.

    3. Definitions

      There are important definitions relevant to an AMA System for the purposes of the Agencies' risk-based capital requirements. They are:

      Advanced Measurement Approach (AMA) System means a bank's advanced operational risk management processes, operational risk data and assessment systems, and operational risk quantification systems.

      Backtesting means the comparison of a bank's internal estimates with actual outcomes during a sample period not used in model development. In this context, backtesting is one form of out-of-sample testing.

      Benchmarking means the comparison of a bank's internal estimates with relevant internal and external data sources or estimation techniques.

      Business environment and internal control factors means the indicators of a bank's operational risk profile that reflect a current and forward-looking assessment of the bank's underlying business risk factors and internal control environment.

      Dependence means a measure of the association among operational losses across and within business lines and operational loss event types.

      Eligible operational risk offsets means amounts, not to exceed expected operational loss, that:

      (1) Are generated by internal business practices to absorb highly predictable and reasonably stable operational losses, including reserves calculated consistent with GAAP; and

      (2) Are available to cover expected operational losses with a high degree of certainty over a one-year horizon.

      Expected operational loss (EOL) means the expected value (mean) of the distribution of potential aggregate operational losses, as generated by the bank's operational risk quantification system using a one-year horizon.

      External operational loss event data, with respect to a bank, means gross operational loss amounts, dates, recoveries, and relevant causal information for operational loss events occurring at organizations other than the bank.

      GAAP means U.S. generally accepted accounting principles.

      Internal operational loss event data, with respect to a bank, means gross operational loss amounts, dates, recoveries, and relevant causal information for operational loss events occurring at the bank.

      Operational loss means a loss (excluding insurance or tax effects) resulting from an operational loss event. Operational loss includes all expenses associated with an operational loss event except for opportunity costs, forgone revenue, and costs related to risk management and control enhancements implemented to prevent future operational losses.

      Operational loss event means an event that results in loss and is associated with internal fraud; external fraud;\7\ employment practices and

      [[Page 9172]]

      workplace safety; clients, products, and business practices; damage to physical assets; business disruption and system failures; or execution, delivery, and process management (see Appendix D for examples of loss event types).

      \7\ Retail credit card losses arising from non-contractual, third-party initiated fraud (for example, identity theft) are to be treated as external fraud operational losses. All other third-party initiated losses are to be treated as credit losses--see discussion under Standard 17 for more details.

      Operational risk means the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events (including legal risk, but excluding strategic and reputational risk).

      Operational risk exposure means the 99.9\th\ percentile of the distribution of potential aggregate operational losses, as generated by the bank's operational risk quantification system using a one-year horizon (and not incorporating eligible operational risk offsets or qualifying operational risk mitigants).

      Parallel run period means a period of at least four consecutive quarters after adoption of the bank's implementation plan before the bank's first floor period during which the bank complies with all the qualification requirements to the satisfaction of the bank's primary Federal supervisor.

      Scenario analysis means a systematic process of obtaining expert opinions from business managers and risk management experts to derive reasoned assessments of the likelihood and loss impact of plausible high-severity operational losses.

      Total risk-weighted assets means:

      (1) The sum of:

      (i) Credit risk-weighted assets; and

      (ii) Risk-weighted assets for operational risk; minus

      (2) The sum of:

      (i) Excess eligible credit reserves not included in Tier 2 capital; and

      (ii) Allocated transfer risk reserves.

      Unexpected operational loss (UOL) means the difference between the bank's operational risk exposure and the bank's expected operational loss.

      Unit of measure means the level (for example, organizational unit or operational loss event type) at which the bank's operational risk quantification system generates a separate distribution of potential operational losses.

    4. Operational Risk Management

      1. Governance

        S 1. The bank's AMA System must include an operational risk management function and audit function that are independent of business line management. The operational risk management function should address operational risk on a firm-wide basis.

        The organizational structure that supports a bank's AMA System may vary across banks, but should reflect the scale and complexity of the bank's operational risk profile. However, within all AMA banks, there are three key components that should be evident: The firm-wide operational risk management function, line of business management, and an independent audit function. These three areas should have functional independence,\8\ but should work in cooperation to ensure that an effective AMA System is in place.

        \8\ For the purposes of this guidance, ``functional independence'' is the ability to carry out work freely and objectively and render impartial and unbiased judgments. Independence is often evidenced through separate reporting lines. Supervisory assessments of independence will rely upon guidelines contained in existing regulatory guidance (for example, audit, internal control systems, and board of directors/management).

        S 2. The bank must have and document a process that clearly describes its AMA System, including how the bank identifies, measures, monitors, and controls operational risk.

        Management should maintain comprehensive documentation on operational risk management policies, processes, and procedures and communicate them to appropriate staff. The documentation should outline all aspects of the bank's AMA System, including the following:

        The roles and responsibilities of the board of directors,\9\ the independent firm-wide operational risk management function, line of business management, and the independent verification and validation functions;

        \9\ For the purposes of this guidance, the ``board of directors'' refers to either the full board or its designated board committee.

        A definition for operational risk that, at a minimum, encompasses the regulatory definition of operational risk, including the loss event types that will be monitored;

        The capture and use of internal and external operational risk loss event data, including clear documentation of which losses are used in and which are excluded from estimating the bank's operational risk exposure;

        The appropriate use of scenario analysis;

        The development and incorporation of business environment and internal control factor assessments, and risk mitigants;

        A description of the analytical framework that quantifies the operational risk exposure of the bank;

        How eligible operational risk offsets are determined, measured, and accounted for;

        A description of report content, distribution, and frequency for board of directors, line of business, and firm-wide reporting, including escalation of emerging issues and changing trends;

        A description of the verification and validation processes and procedures; and

        Descriptions of the review and approval process for significant policy and procedural changes and exceptions.

        The bank's documentation should clearly differentiate the roles and responsibilities of the independent verification and validation functions. Activities to verify the bank's AMA System are typically included in the bank's internal or external audit programs. More specifically, independent verification includes the work done to test and verify the bank's AMA policies and procedures. Verification activities should be sufficiently broad to confirm that the bank's AMA System is working effectively and in a manner consistent with policies approved by the bank's board of directors. In addition, the verification function ensures that validation of AMA models was completed in accordance with the bank's validation policy. Validation includes processes the bank uses to test and assess the accuracy of models used to quantify the operational risk exposure and the operational risk component of the bank's risk-based capital requirement.

        The documentation need not be contained in a single comprehensive document. Instead, banks may choose to develop and maintain an umbrella document that provides the board of directors with an overview of its AMA System, including how the framework allows for identifying, measuring, monitoring, and controlling operational risk. A bank should consider including the following in this overview document:

        Define the bank's philosophy and strategy for operational risk management and its risk tolerance;

        Define the roles and responsibilities of those involved in the development, implementation, and oversight of the bank's AMA System; and

        Reference additional detailed policies, processes, and procedures.

        S 3. The bank must maintain effective internal controls supporting its AMA System.

        As one of the foundations of safe and sound banking, sound internal controls are essential to a bank's management of operational risk and are an important requirement for AMA qualification. When properly designed and consistently enforced, a sound system of internal controls will help management safeguard the bank's resources, produce reliable financial reports, and comply with laws and regulations. Sound internal controls, assessed annually for

        [[Page 9173]]

        effectiveness by internal audit, should also reduce the possibility of significant human errors and irregularities in internal processes and systems, and should assist in their timely detection when they do occur. The audit function's annual assessment is not required to assess all operational risk controls, but the scope of the assessment should be sufficient to assess the effectiveness of the controls supporting the bank's AMA System (see Section VII).

        The Agencies are not introducing new internal control standards, but rather emphasizing the importance of existing standards.\10\ Internal control systems may differ among banks due to the nature and complexity of a bank's products and services, organizational structure, and risk management culture. The existing regulatory standards allow for these differences, while also establishing regulatory expectations for the scope and quality of the internal control structure.

        \10\ Each Agency has extensive guidance on corporate governance, internal controls, and risk monitoring and reporting in its respective examination policies and procedures. All Agencies have standards for safe and sound operations and for safeguarding customer information. In addition, there are a number of interagency standards that cover topics relevant to the internal control structure.

        The extent to which a bank maintains effective internal controls will be assessed through ongoing supervisory processes. As noted earlier, the Agencies will leverage existing examination processes to avoid duplication in assessing implementation of a bank's AMA System.

      2. Board of Directors and Management Oversight

        S 4. The bank must ensure that an effective framework is in place to identify, measure, monitor, and control operational risk, and to accurately compute the bank's operational risk component of the bank's risk-based capital requirement. The board of directors must at least annually evaluate the effectiveness of, and approve, the bank's AMA System, including the strength of the bank's control infrastructure.

        S 5. The board of directors and management should ensure that the bank's operational risk management, data and assessment, and quantification processes are appropriately integrated into the bank's existing risk management and decision-making processes and that there are adequate resources to support these processes throughout the bank.

        Strong board of directors and management oversight forms the cornerstone of an effective operational risk management process. The board of directors is responsible for overseeing the establishment and ongoing effectiveness of the AMA System. The board of directors must approve the bank's written implementation plan. In addition, the board of directors must at least annually evaluate the effectiveness of, and approve, the bank's AMA System. Information provided to the board of directors for this review should be detailed enough for the bank's board members to understand and evaluate its AMA System.\11\ The board of directors' evaluation should reflect the results of any independent reviews and the findings of the verification and validation functions.\12\

        \11\ Important sources of information about the effectiveness of the AMA System include: (1) Internal audit's annual review of the effectiveness of operational risk controls and the independent verification function's annual assessment of the adequacy of the overall operational risk framework, and (2) the results of the validation function's testing of model results and assessment of quantification processes--see Standards 3 and 32.

        \12\ See Section VII--Verification and Validation for more details regarding independent review requirements.

        Other board of directors' responsibilities with respect to operational risk may include:

        Understanding and approving the bank's tolerance for operational risk; \13\

        \13\ Banks use several approaches to define operational risk tolerance, including establishing expectations for control self assessments, establishing targeted ceilings for operational losses, developing key risk indicators, or establishing other qualitative expectations for operational risk management. These approaches will continue to evolve and banks are encouraged to continue to develop effective metrics to define their operational risk tolerance.

        Ensuring appropriate management responsibility, accountability, and reporting;

        Understanding the major aspects of the bank's operational risk profile through the periodic review of high-level reports that address material risks, capital adequacy, and strategic implications for the bank;

        Ensuring that management demonstrates that it is actively using its AMA System as a basis for assessing and managing operational risk, and that the framework's use is not limited to determining regulatory capital;

        Ensuring that mechanisms exist to allow for the independent verification of the AMA System's implementation and validation activities;

        Ensuring that mechanisms exist to allow for the independent validation of the bank's risk measurement and quantification processes; and

        Ensuring Compliance with regulatory disclosure requirements.

        The board of directors may delegate the responsibility and authority for the design and implementation of the AMA System to management. Management is responsible for translating the bank's AMA System into specific policies, processes, and procedures, implementing them across business lines, and ensuring independent verification and validation of the AMA System. Management is also responsible for communicating the policies, processes, and procedures throughout the bank to ensure consistent understanding and treatment of operational risk.

        While each level of management is responsible for implementing the AMA System in their areas, senior management should clearly assign authority and responsibilities to business managers to encourage and maintain accountability. Moreover, senior management should ensure appropriate implementation of the AMA System within individual business lines.

        Senior management is responsible for ensuring that operational risk is appropriately managed across the bank and that all components of the bank's AMA System function effectively and meet regulatory requirements. Specifically, management should ensure that the bank has qualified staff and sufficient resources to carry out the operational risk functions outlined in its AMA System. Appropriate staff and resources should be available within the lines of business, the firm- wide operational risk management function, and the verification and validation functions to monitor and enforce compliance with the bank's policies and procedures related to the AMA System.

        Other management responsibilities include ensuring that:

        The bank's overall operational risk profile is monitored, maintained at prudent levels, and supported by adequate capital;

        Compensation policies are sufficiently flexible to attract and retain qualified and competent operational risk expertise; and

        Operational risk issues are communicated consistently to staff responsible for managing other risks (for example, credit, market, and liquidity risk), as well as staff responsible for purchasing insurance and overseeing third-party outsourcing arrangements.

      3. Firm-Wide Operational Risk Management Function

        S 6. The bank must have a firm-wide operational risk management function that oversees the AMA System and is independent of business line

        [[Page 9174]]

        management. The operational risk management function is also responsible for the development of operational risk data and assessment systems, operational risk quantification systems, and related processes throughout the bank.

        S 7. The firm-wide operational risk management function should ensure adequate analysis and reporting of operational risk information. The function should also develop and report on the firm-wide operational risk profile.

        The roles and responsibilities of the firm-wide operational risk management function may vary among banks, but should be clearly documented in operational risk policies and procedures. The firm-wide function should have organizational stature commensurate with the bank's operational risk profile. At a minimum, the function should ensure the development of policies, processes, and procedures that explicitly manage operational risk as a distinct risk.

        Responsibilities of the firm-wide operational risk management function may include:

        Assisting in the implementation of the AMA System;

        Reviewing the bank's performance against stated operational risk objectives, goals, and risk tolerances;

        Periodically evaluating the effectiveness of the bank's AMA System;\14\

        \14\ The evaluation of a bank's operational risk framework may consider loss experience; effects of external market changes, other environmental factors, and the potential for new or changing operational risks associated with new products, activities or systems; and the framework's ability to detect or prevent potential operational losses. This evaluation process should include an assessment of leading industry practices.

        Reviewing and analyzing operational loss event data and reports; and

        Ensuring appropriate reporting to senior management and the board of directors.

      4. Line of Business Management

        S 8. Line of business management is responsible for ensuring appropriate day-to-day management of the operational risks within its business unit.

        S 9. Line of business management should ensure that internal controls and practices within its business unit are consistent with firm-wide policies, processes, and procedures.

        Line of business management should ensure that business-specific policies, processes, and procedures are in place, and appropriate staff is available to manage operational risk associated with the products and activities offered. Implementation of the AMA System within each line of business should correspond to the scope of that business and its operational complexity and risk profile. Line of business operational risk reporting should be appropriate in frequency and scope to identify, measure, monitor, and control operational risk. Reporting should also address the condition of the internal control environment for a given line of business.

      5. Reporting

        S 10. The board of directors and senior management must receive reports on operational risk exposure, operational risk loss events, and other relevant operational risk information. The reports should include information regarding firm-wide and business line risk profiles, loss experience, and relevant business environment and internal control factor assessments. These reports should be received quarterly.

        To facilitate monitoring of operational risk, results from the data and assessment, and quantification processes should be summarized and included in reports that can be used by different audiences to understand, manage, and control operational risk and losses. Reports generated by the bank's AMA System \15\ should provide the foundation for reporting to the board of directors and senior management. Comprehensive management reporting, geared toward the firm-wide operational risk management function and line of business management, should include:

        \15\ The firm-wide operational risk management function, lines of business, and the verification and validation functions should be generating reports for their unique needs. These reports should form the basis for aggregating reporting to senior management and the board of directors.

        Operational loss experience, including an overview and assessment of loss experience over time;

        Operational risk exposure;

        Changes in assessments of business environment and internal control factors;

        Changes in factors signaling an increased risk of future losses;

        Trend analysis, allowing line of business and independent firm-wide operational risk management to assess and manage operational risk exposures, systemic line of business risk issues, and other corporate risk issues;

        Policy and risk tolerance reporting; and

        Operational risk causal factors.

    5. Operational Risk Data and Assessment

      The bank must have operational risk data and assessment systems that include credible, transparent, systematic, and verifiable processes that incorporate the following elements on an ongoing basis:

      Internal operational loss event data,

      Relevant external operational loss event data,

      Scenario analysis, and

      Assessments of the bank's business environment and internal control factors.

      In addition, the operational risk data and assessment systems must be structured in a manner consistent with the bank's current business activities, risk profile, technological processes, and risk management processes. The operational risk data and assessment systems should provide for the consistent and comprehensive capture of the four elements needed to measure and verify the bank's operational risk exposure. The four elements should be combined in a manner that most effectively allows the bank to quantify its exposure to operational risk.

      1. Capture and Maintenance of Elements

        S 11. The bank must have a systematic process for incorporating internal loss event data, external loss event data, scenario analyses, and assessments of its business environment and internal controls factors to support both its operational risk management and measurement framework, as well as its calculation of the bank's operational risk component of its risk-based capital requirement.

        S 12. The bank must use the regulatory definition of operational risk when assessing the operational risks to which the bank is exposed in order to calculate its risk-based capital requirement for operational risk. The bank should have clear standards for the collection and modification of all four elements in the operational risk data and assessment systems that support its AMA System.

        The four required elements of a bank's data and assessment systems that support its AMA System aid the bank in identifying the level of and trends in operational risk, determining the effectiveness of risk management and control, highlighting opportunities to better mitigate operational risk, and assessing operational risk on a forward-looking basis. The bank should demonstrate that the four elements jointly cover all significant operational risks to which it is exposed. In the case

        [[Page 9175]]

        where the bank has sustained an operational loss event above its established threshold, but the loss is not yet included in the internal loss database, the bank should be able to demonstrate that the exposure is reasonably captured elsewhere, such as in one of its external loss observations or in one of its scenarios (see Standard 16 regarding the use of thresholds).

        The bank should demonstrate that it has implemented its AMA System appropriately in all lines of business and corporate functions that could generate operational risk. For regulatory capital purposes, a bank must use the definition of operational risk that is provided in Section II--Definitions. A bank may use an expanded definition for risk management and measurement purposes, if it considers it more appropriate for risk management and measurement purposes.

        As part of its AMA System implementation, a bank should demonstrate that it has established a consistent and comprehensive process for the capture and modification of all four required elements. While the primary Federal supervisor will review the quantification processes that combine these elements to determine the operational risk exposure, the supervisor must have the capacity to review the data collection process and the individual elements as well.

        The bank should have a defined process that establishes responsibilities over the systems developed to capture and modify the AMA elements. In particular, the issue of modifying the data capture systems should be addressed in policies or procedures. System and process documentation should be maintained, with any modification tracked separately and reasons for the changes kept in the historical record. Such tracking allows management and supervisors to identify the nature and rationale of the modification. For example, the Agencies are particularly interested when a bank modifies its loss database by excluding a loss event from the quantitative measurement process. Management should have clear standards for addressing modifications and clearly delineate who has authority to override the data systems and under what circumstances. In addition, management should track override decisions.

      2. Internal Operational Loss Event Data

        S 13. The bank must have a historical observation period of at least five years for internal operational loss event data. A shorter period may be approved by the primary Federal supervisor to address transitional situations, such as integrating a new business line. Internal data should be captured across all business lines, corporate functions, events, product types, and geographic locations. The bank must have a systematic process for capturing and using internal operational loss event data in its operational risk data and assessment systems.

        S 14. The bank should be able to map internal operational losses to the seven operational loss-event categories.

        S 15. The bank should have a policy that identifies when an operational loss is recognized and should be added to the loss event database. The policy should provide for consistent treatment across the bank.

        S 16. The bank may establish appropriate internal operational loss event data thresholds and, if so, must demonstrate the appropriateness of such thresholds.

        S 17. The bank should have a clear policy that allows for the consistent treatment of loss event classifications (for example, credit, market, or operational loss events) across the organization.

        Internal data with sufficient integrity is important in identifying the level of and trends in operational risk. A key to internal data integrity is the consistent and complete capture of loss event data across the bank. The bank must have a minimum historical observation period of five years of internal operational loss event data, or such shorter transitional period approved by the bank's primary Federal supervisor. For example, when a bank has recently acquired a firm that does not have comprehensive internal loss event data, the resulting bank should make use of both its internal loss data and the acquired firm's data to properly reflect the risks of the resulting institution. Depending on the quality of the data from the acquired firm, the resulting bank may have to place more weight on relevant external loss event data, results from scenario analysis, and factors reflecting assessments of the business environment and internal controls. Additionally, if a bank exits a business line and can clearly demonstrate that its exposure has been eliminated and that the loss experience does not have relevance to other remaining activities, the bank would likely be able to exclude that business unit's loss experience from subsequent quantification processes.

        The bank should have a policy that identifies when an operational loss is recognized and should be added to the loss event database. Policies and procedures should be communicated to ensure there is satisfactory understanding of operational risk and the data capture requirements by appropriate staff. The independent firm-wide operational risk management function should ensure that the loss data are captured across all business lines, corporate functions, products types, event types, and from all geographic locations that could generate operational risk. The bank's operational loss policies and procedures should consider the effect and treatment of operational loss events that are recovered within a short period of time.

        The bank's data and assessment system should have the ability to aggregate internal losses that are associated with the same loss event. This means the bank should be able to link operational loss events that cross multiple business lines or event types. Institutions should also maintain policies to ensure consistent identification and capture of multiple loss events that occur within one or several time periods, but that result from the same initial operational loss event. When capturing internal losses that span more than one business line, the bank may choose to assign the entire loss to one business line (for example, where the effect is the greatest, where the control breakdown occurred). Alternatively, the bank may choose to apportion the loss across several affected business lines. Regardless of how losses are assigned, the method should be well-reasoned and sufficiently documented. The treatment of related losses will also have an effect on dependence modeling, as discussed under Standard 28. If data are not captured across all business lines or from all geographic locations, the bank should document and explain the exceptions, including why the exceptions will not impair the bank's estimation of its operational risk exposure.

        The description of the loss event, including causal factors, should be collected for internal operational loss events. Examples of additional loss event information to be collected include:

        Gross loss amount;

        Where the loss is reported and expensed;

        Loss event type category;

        Date of the loss;

        Discovery date of the loss;

        Event end date;

        Insurance recoveries;

        Other recoveries; and

        Adjustments to the loss estimate.

        The level of detail describing the loss event and management action should be commensurate with the size of the gross loss amount. The bank may also choose to capture additional data that enhance

        [[Page 9176]]

        its operational risk management, data and assessment, and quantification processes. For example, it may be appropriate to capture data on ``near miss'' events, where no financial loss was incurred. While these near misses may not factor directly into the regulatory capital calculation, they may be useful to inform scenario analysis or for the operational risk management process.

        For regulatory capital purposes, AMA banks should be able to map operational risk losses into the seven operational loss event categories defined in Section II. Banks will not be required to produce reports or perform analysis on the basis of the operational loss event categories for internal purposes, but should use the information to verify the comprehensiveness of the bank's data set.

        The bank may refrain from collecting internal operational loss event data for individual operational losses below established thresholds, if the bank can demonstrate to its primary Federal supervisor that the thresholds are reasonable. There are a number of factors that a bank may use to establish the thresholds. Thresholds may be based on business lines, corporate functions, product types, geographic location, or other appropriate factors. The Agencies will allow flexibility in this area, provided the bank can demonstrate that the thresholds are reasonable, do not exclude important internal operational loss event data, and permit the bank to capture substantially all the dollar value of the bank's operational losses. A bank could demonstrate to its primary Federal supervisor that it has chosen appropriate thresholds by estimating the change in operational risk exposure as a result of using different thresholds.\16\

        \16\ As discussed later in Standard 26, the choice of thresholds may affect the amount of EL offset that a bank can recognize.

        Banks may also find it useful to capture loss events in their operational risk databases that are treated as credit risk for regulatory capital purposes, but have an underlying element of operational risk. These types of events, while not incorporated into the regulatory capital calculation for operational risk, may have implications for operational risk management. For banks that capture loss events differently for regulatory capital and risk management purposes, bank management should demonstrate that (1) loss events are being captured consistently across the bank; (2) the data systems are sufficiently advanced to allow for this differential treatment of loss events; and (3) credit, market, and operational risk losses are being accounted for in the correct manner for regulatory capital purposes.

        The agencies have established a boundary between credit and operational risks for regulatory capital purposes. Losses that arise from events associated with a credit arrangement with a borrower are credit losses with one proposed exception: Retail credit card fraud losses (for example, identity theft) are to be considered external fraud operational losses.

      3. External Operational Loss Event Data

        S 18. The bank must have a systematic process for determining how external loss data will be incorporated into its operational risk data and assessment systems.

        S 19. The bank should systematically review external data to ensure an understanding of industry operational loss experience.

        External data may serve a number of different purposes in an AMA System. For example, where internal loss data are limited, external data may be a useful input in determining the bank's level of operational risk exposure. Even where external loss data are not an explicit input to a bank's database, such data may provide a means for the bank to understand industry experience and assess the adequacy of its internal data. External data may also prove useful to inform scenario analysis, provide additional data for severity distributions, or in model validation and out-of-sample testing.

        The bank must establish a systematic process for determining the methodologies for incorporating external loss data into its operational risk data and assessment systems. To incorporate external loss data into a bank's framework, examples of the type of information a bank should collect include:

        Loss amount;

        Loss description; \17\

        \17\ Loss descriptions should be included to the extent possible, but are not generally available from consortium data sources.

        Loss event type category;

        Loss event date;

        Adjustments to the loss amount (for example, recoveries and insurance settlements) to the extent that they are known; and

        Sufficient information about the reporting institution to facilitate comparison to its own organization.

        Banks may obtain external loss data in any reasonable manner. For example, some banks are using data acquired through membership with industry consortia while other banks are using data obtained from vendor databases or public sources such as court records or media reports. In all cases, management should carefully evaluate the data source to ensure that the information being reported is relevant and accurate. The bank should document its process for and decisions regarding external data selection and scaling.

      4. Scenario Analysis

        S 20. The bank must have a systematic process for determining how scenario analysis will be incorporated into its operational risk data and assessment systems.

        Scenario analysis allows the bank to incorporate forward-looking elements into its operational risk data and assessment systems. More specifically, scenario analysis is a systematic process of obtaining expert opinions from business and risk managers to derive reasoned assessments of the likelihood and loss impact of plausible high- severity operational losses that may occur at a bank. Scenario analysis is especially relevant for business lines or operational loss event types in which internal data, external data, or assessments of business environment and internal control factors do not provide a sufficiently robust estimate of the bank's exposure to operational risk. For example, a bank's scenario analysis should include consideration of high-severity loss events that occur infrequently in the industry. It could also include the effects of mergers or other significant organizational changes that may affect the nature of operational losses in the future. Business line and risk management experts' use of well- reasoned, external data may itself be a form of scenario analysis.

        The bank must have a systematic process for determining the methodologies for incorporating scenario analysis into its operational risk data and assessment systems. The process should cover key elements of scenario analysis, such as the manner in which the scenarios are generated, the frequency with which they are updated, and the scope and coverage of operational loss events they are intended to reflect. The bank should document its process for conducting scenario analysis, as well as the results of the analysis.

      5. Business Environment and Internal Control Factors

        S 21. The bank must incorporate business environment and internal control factors into the bank's operational risk data and assessment systems.

        [[Page 9177]]

        S 22. The bank must periodically compare the results of its business environment and internal control factor assessments against the bank's actual operational risk loss experience.

        Business environment and internal control factors are indicators of the bank's operational risk profile that reflect the underlying business risk factors, an assessment of the current internal control environment, and a forward-looking assessment of the bank's control environment. The framework established to maintain the business environment and internal control factor assessments should be sufficiently flexible to encompass the range and complexity of actual and planned activities, changes in internal control systems, or an increased volume of information. In principle, a bank with strong internal controls in a stable business environment will have, all other things being equal, less exposure to operational risk than a bank with internal control weaknesses, that is experiencing rapid growth, or that is introducing new products. In this regard, banks should identify and assess the level of and trends in operational risk and related control structures across the organization. These assessments should be current and comprehensive across the bank, and should identify the critical operational risks facing the bank.

        The business environment and internal control factor assessments should identify positive and negative trends in operational risk management within the bank. These assessments include reviewing both the control processes relating to current activities, as well as those relating to anticipated changes in a bank's business risk profile. Periodic comparisons must be made between the bank's actual operational loss exposure and the assessment results.

    6. Operational Risk Quantification

      A bank must have a comprehensive operational risk quantification system, using inputs from its data and assessment systems, that provides an estimate of the bank's operational risk exposure, which is defined as the 99.9th percentile of the distribution of potential aggregate operational losses over a one-year horizon. The bank's operational risk exposure is the starting point in determining the risk-based capital requirement for operational risk (see Graph 1).

      A bank's estimate of operational risk exposure includes both EOL and UOL, forming the basis of the bank's risk-based capital requirement for operational risk. The bank's estimate of operational risk exposure should also consider qualitative factors (for example, changes in business environment and internal control factors). Qualitative factors can be incorporated into the bank's quantification methodology in different ways and at different modeling stages. While not prescribing a specific methodology, the Agencies will assess the processes banks use to integrate qualitative factors into the quantification of operational risk exposure.

      [GRAPHIC] [TIFF OMITTED] TN28FE07.036

      Operational risk exposure may be reduced with eligible operational risk offsets, up to the amount of EOL (see Section B below). The bank's primary Federal supervisor will review the bank's use of eligible operational risk offsets for appropriateness. A bank may also adjust its operational risk exposure to reflect reductions from operational risk mitigants (for example, insurance), subject to the qualification requirements and limits (described in Section E below).

      The dollar risk-based capital requirement for operational risk, resulting from the bank's risk quantification system, is the greater of:

      [[Page 9178]]

      The bank's operational risk exposure adjusted for qualifying operational risk mitigants minus eligible operational risk offsets; or

      0.8 multiplied by the difference between the bank's operational risk exposure and eligible operational risk offsets (if any).

      If the bank has no qualifying operational risk mitigants, the dollar risk-based capital requirement for operational risk is equal to its operational risk exposure less any eligible operational risk offsets.

      In recognition of the modeling challenges in legal entities with little internal operational risk loss data, a bank may generate an estimate of its operational risk exposure using an alternative approach to that described above, with the prior written approval of its primary Federal supervisor. Requirements for the use of an alternative approach are provided in Section V.F. below.

      The bank's risk-weighted asset amount for operational risk equals the bank's dollar risk-based capital requirement for operational risk determined as described above multiplied by 12.5.

      1. Analytical Framework

        S 23. The bank must have an operational risk quantification system that provides an estimate of the bank's operational risk exposure.

        S 24. The bank's operational risk quantification system must use a combination of internal operational loss event data, relevant external operational loss event data, business environment and internal control factor assessments, and scenario analysis results. The bank should combine these elements in a manner that most effectively enables it to quantify its operational risk exposure. The bank should choose the analytical framework that is most appropriate to its business model.

        S 25. The bank must review and update its operational risk quantification system whenever it becomes aware of information that may have a material effect on the bank's estimate of operational risk exposure or risk-based capital requirement for operational risk, but no less frequently than annually. A complete review and recalculation of the bank's quantification system, including all modeling inputs and assumptions, must be done at least annually.

        While not specifying the exact methodology, the Agencies have developed regulatory requirements that a bank must use to determine its operational risk exposure. These requirements are intended to help ensure that the regulation can accommodate continued evolution of operational risk quantification techniques, yet remain amenable to consistent application and enforcement across banks. The Agencies expect that there will be significant variation in analytical frameworks across banks, with each bank tailoring its framework to leverage existing technology platforms and risk management procedures. The framework must use the following inputs: Internal operational loss event data, relevant external operational loss event data, assessments of business environment and internal control factors, and scenario analysis. The Agencies expect that there will be some uncertainty in the analytical frameworks because of the evolving nature of operational risk data and assessment systems. Therefore, the analytical frameworks should be conservative and reflect the evolutionary status of operational risk management, measurement and quantification, and its impact on data capture and analytical modeling.

        The Agencies expect there will be variation across banks in the combination and weighting of the four elements. In weighting each element, a bank should consider availability and applicability of each of the four elements within each unit of measure. For example, banks with comprehensive internal data that reflect the full range of their potential loss exposures may choose to place less emphasis on external data or scenario analysis. Conversely, banks with limited internal data would generally rely more heavily on external data and scenario analysis in estimating their operational risk exposure.

        Banks should be able to demonstrate (see Standard 30) the effect of each element on the operational risk exposure estimate. In cases where this is not possible, or where an element is not used as a direct input into the quantitative model, the bank should calculate a benchmark estimate using that element individually.

        A bank must review and update its operational risk quantification system whenever it becomes aware of information that may have a material effect on the bank's estimate of operational risk exposure, but no less frequently than annually. On a quarterly basis, a bank must publicly disclose its total and Tier 1 risk-based capital ratios and their components, including operational risk related data (see Appendix D). As a part of this disclosure process, the bank should consider any material changes in either (1) the qualitative/quantitative inputs and assumptions from the previous quarter or (2) the risk profile of the bank that may affect the estimate of operational risk exposure or the resulting operational risk capital requirement. Specifically, the bank should ensure that all major inputs, elements, and assumptions are reviewed, and adjusted as necessary, to reflect relevant changes in the bank's operational risk profile (for example, changes in loss experience, data inputs, business activity, external factors, assumptions, insurance coverage, and eligible offsets). Senior management should determine and document which components of the quantification system will need to be revised prior to recalculating the bank's operational risk exposure and operational risk capital requirement due to any identified material change in inputs or assumptions. A complete review and recalculation of a bank's estimate of operational risk exposure and its risk-based capital requirement for operational risk, including updating all modeling inputs and assumptions, must be done at least annually.

      2. Eligible Operational Risk Offsets

        S 26. In calculating the risk-based capital requirement for operational risk, management may deduct certain eligible operational risk offsets from its estimate of operational risk exposure. To the extent that these offsets do not fully cover expected operational loss (EOL), the bank's risk-based capital requirement for operational risk must incorporate the shortfall. Eligible operational risk offsets may only be used to offset EOL, not UOL.

        In calculating the risk-based capital requirement for operational risk, a bank may deduct certain eligible operational risk offsets from its estimate of operational risk exposure. As with other aspects of the AMA, the eligible operational risk offset process is intended to be flexible and dynamic in order to accommodate the continuing evolution of underlying business practices and accounting standards. Supervisors will review all offsets to ensure they are eligible as defined by the NPR. The Agencies intend to develop a process of approving eligible operational risk offsets that is practical, clearly articulated, and grounded in prudential bank supervisory principles. Banks should clearly document how eligible operational risk offsets are measured and accounted for, including how they meet the conditions outlined above.

        The maximum offset is bounded by EOL. Furthermore, the losses

        [[Page 9179]]

        corresponding to the eligible operational risk offset must be fully consistent with the EOL-plus-UOL capital requirement calculated using the bank's AMA model. If certain small losses are not modeled (for example, because they are below a collection threshold), an operational risk offset should not be taken for such losses.

        Banks must demonstrate that losses corresponding to the potential eligible operational risk offset are highly predictable and reasonably stable. The bank's estimation process for eligible operational risk offsets should be consistent over time. The Agencies consider balance sheet reserves, established consistent with GAAP to cover such losses, as eligible operational risk offsets. Eligible offsets also must be clear capital substitutes or otherwise available to cover EOL with a high degree of certainty over a one-year horizon. Reserves associated with large, unexpected operational losses (UOL) do not qualify as eligible operational risk offsets. While additional eligible operational risk offsets may be considered in the future, the Agencies' review of the implementation of AMA Systems indicates that banks so far have only been able to demonstrate that losses resulting from external credit card fraud or securities processing errors may meet the test of being highly predictable and reasonably stable.

      3. Unit of Measure

        S 27. The bank must employ a unit of measure that is appropriate for the bank's range of business activities and the variety of operational loss events to which it is exposed, and that does not combine business activities or operational loss events with different risk profiles within the same loss distribution.

        Banks should weigh the advantages and disadvantages of estimating a single loss distribution or very few loss distributions (top-down approach), versus a larger number of loss distributions for specific event types and/or business lines (bottom-up approach). One advantage of the top-down approach is that data sufficiency is less likely to be a limiting factor, whereas with the bottom-up approach there may be pockets of missing or limited data. However, a loss severity distribution may be more difficult to specify with the top-down approach, as it is a statistical mixture of (potentially) heterogeneous business line and event type distributions. Supervisors will consider the conditions necessary for the validity of top-down approaches and evaluate whether these conditions are met in their particular individual circumstances.

      4. Accounting for Dependence

        S 28. The bank may use internal estimates of dependence among operational losses within and across business lines and operational loss events if the bank can demonstrate to the satisfaction of its primary Federal supervisor that the bank's process for estimating dependence is sound, robust to a variety of scenarios, and implemented with integrity, and allows for uncertainty surrounding the estimates. If the bank has not made such a demonstration, it must sum operational risk exposure estimates across units of measures to calculate its total operational risk exposure.

        A bank using internal estimates of dependence, whether explicit or embedded, must demonstrate that its process for estimating dependency is sound, robust to a variety of scenarios, and implemented with integrity, and allows for the uncertainty surrounding the estimates. To the extent a bank cannot support its process for estimating dependence, the bank must sum operational risk exposure estimates across its chosen units of measure to calculate the bank's total operational risk exposure. While dependence modeling for operational risk is an evolving area, banks should consider the following principles and guidelines:

        Assumptions regarding dependence should be supported by empirical analysis (data) where possible. The Agencies expect this analysis will become more feasible over time as data availability increases and greater consensus emerges with regard to dependence modeling.

        Where empirical support is not possible, dependence assumptions should be based on the judgment of business line experts. In such cases, it would be important to express dependence concepts in intuitive terms. For example, business line experts could assess the probability of certain large loss event scenarios occurring simultaneously. For banks that already rely heavily on scenario analysis, using expert judgment to assess dependence in this manner would merely be an extension of the scenario analysis process from a business line perspective to a broader perspective.

        The bank should demonstrate that it has considered the possibility that dependence may not be constant over time and may increase during stress environments.

        The bank should develop a process for assessing on-going improvements to the approach (for example, through out-of-sample testing). Such advances would in turn enhance the ability of the bank to estimate its aggregate operational losses at the 99.9 percent confidence level.

        Banks should perform sensitivity analyses of the effect of alternative dependence assumptions on their operational risk exposure estimate.

        Banks should not restrict dependence structures to those based on normal distributions, as normality may underestimate the amount of dependence between tail events.

        Dependence assumptions should be consistent with the way in which loss events are defined and used. For example, if one underlying factor causes multiple losses, such as an earthquake that results in damage to multiple buildings, recording multiple loss entries in the data set would require the bank to model the dependence between these losses. Judicious aggregation of related losses within the data set (in this example, aggregating all of the losses caused by a single earthquake into one loss entry) could satisfy some of the expectations regarding dependence modeling.

        The choice between a bottom-up or a top-down modeling approach affects how a bank accounts for dependence. A bottom-up approach requires explicit assumptions regarding dependence to estimate operational risk exposure at the bank-wide level. Top-down approaches inherently mask dependence and, under many circumstances, assume statistical independence across business lines and event types. To the extent a top-down approach is used, a bank should ensure that dependence within units of measure is suitably reflected in the operational risk exposure estimate.

        As with other areas of the framework, assumptions regarding dependence should be conservative given the uncertainties surrounding dependence modeling for operational risk. The Agencies will closely review frameworks that assume statistical independence across loss events.

      5. Risk Mitigation

        S 29. The bank may adjust its operational risk exposure results by no more than 20 percent to reflect the impact of operational risk mitigants. In order to recognize the effects of risk mitigants, management must estimate its operational risk exposure with and without their effects.

        There are many mechanisms to manage operational risk, including risk transfer through risk mitigation products. Because risk mitigation can be an important element in limiting or reducing operational risk exposure in a

        [[Page 9180]]

        bank, an adjustment that will directly affect the amount of regulatory capital that is held for operational risk is being permitted. The adjustment is limited to 20 percent of the overall operational risk exposure less any eligible operational risk offsets.

        In order to recognize the effects of risk mitigants, the bank must calculate two estimates of its operational risk exposure. The first estimate should include the effects of risk mitigants, in addition to all other adjustments and effects (for example, expected losses, diversification, and qualitative adjustments) that are to be reflected in the risk-based capital requirement for operational risk. The second estimate should be identical to the first, except that it should not reflect the effects of risk mitigants. The first exposure estimate should be used to calculate risk-weighted assets for operational risk (as described in the introduction to Section V), provided that it is at least 80 percent of the second estimate. If the first exposure estimate is less than 80 percent of the second estimate, then risk weighted assets for operational risk should be calculated as the second exposure estimate multiplied by 0.8 and by 12.5.

        Currently, the primary risk mitigant used for operational risk is insurance. The industry has raised the possibility that some securities products may be developed to provide risk mitigation benefits; however, to date no specific products have emerged that have characteristics sufficient to be considered a capital replacement for operational risk. However, as innovation in this field continues, a bank may be able to realize the benefits of risk mitigation through certain capital markets instruments with the approval of their primary Federal supervisor.

        For a bank that wishes to adjust its regulatory capital requirement as a result of the risk mitigating effect of insurance, management must demonstrate that the insurance policy:

        Has been provided by an unaffiliated company that has a minimum claims paying ability that is rated in one of the three highest ratings categories by a Nationally Recognized Statistical Rating Organization (NRSRO); \18\

        \18\ Rating agencies may use slightly different rating scales. For the purpose of this supervisory guidance, the insurer must have a rating that is at least the equivalent of an ``A'' under Standard and Poor's Insurer Financial Strength Ratings or an ``A2'' under Moody's Insurance Financial Strength Ratings.

        Has an initial term of at least one year and a residual term of more than 90 days;

        Has a minimum notice period for cancellation by the provider of 90 days;

        Has no exclusions or limitations based upon regulatory action or for the receiver or liquidator of a failed bank; and

        Coverage has been explicitly mapped to a potential operational loss event.

        Insurance policies that meet these standards may be incorporated into a bank's adjustment for risk mitigation. A bank should be conservative in its recognition of such policies; for example, the bank should demonstrate that insurance policies used as the basis for the adjustment have a history of timely payouts. Banks must decrease the amount of the adjustment if the remaining term is less than one year. The bank's methodology for incorporating the effects of insurance must also capture, through appropriate discounts to the amount of risk mitigation, the residual term of the policy, if the remaining term is less than one year. In addition, the bank should be able to show that the policy would actually be used in the event of a loss situation; that is, the deductible should not be set so high that no loss would ever conceivably exceed the deductible threshold.

        The Agencies do not specify how banks should calculate the risk mitigation adjustment. Nevertheless, banks should use conservative assumptions when calculating adjustments. As the payout of a particular policy varies over time and depends upon the frequency and severity of covered losses, calculation of the adjustment should be embedded in the analytical framework rather than being an ex-post adjustment to the quantified operational risk exposure number. A bank should discount (i.e., apply its own estimates of haircuts) the impact of insurance coverage to take into account factors that may limit the likelihood or size of claims payouts. Among these factors are the remaining term of a policy (for example, when it is less than a year); the willingness and ability of the insurer to pay on a claim in a timely manner; the legal risk that a claim may be disputed; and the possibility that a policy can be cancelled before the contractual expiration.

      6. Alternative Approaches for Depository Institutions

        The Agencies recognize that in certain limited circumstances, there may not be sufficient data available for a bank to generate an AMA estimate of its own operational risk exposure at the 99.9 percent confidence level. In these circumstances, a bank may propose use of an alternative operational risk quantification system, subject to approval by the bank's primary Federal supervisor. The Agencies are not prescribing any estimation methodologies for the alternative approach. However, the Agencies expect that use of an alternative approach will occur on a very limited basis. Furthermore, such approaches will not be available at the bank holding company level.

        A bank proposing to use an alternative operational risk quantification system must submit a proposal to its primary Federal supervisor. In evaluating a bank's proposal, the primary supervisor will review the bank's justification in light of:

        The bank's size, complexity, and risk profile; and

        Whether the proposed approach can be supported empirically.

        Additional areas that a primary Federal supervisory may consider in its evaluation of a proposal to use an alternative approach include:

        The bank's ability to establish that, for data or other reasons, a stand-alone AMA is not feasible or that it would not result in a credible capital estimate;

        Whether capital levels using the alternative approach are commensurate with the bank's operational risk profile;

        Whether the alternative approach is sensitive to changes in the bank's operational risk profile; and

        Whether the proposed approach allows for the bank's board members to fulfill their fiduciary responsibilities to ensure that the bank is adequately capitalized.

        Furthermore, a bank using an alternative operational risk quantification system must meet the regulatory requirements for the establishment and use of operational risk management, and data and assessment systems.\19\

        \19\ See also Standards 1 through 22 for supervisory guidance on risk management and data and assessment systems.

        A bank proposing an alternative approach that is based on an allocation methodology should be aware of certain limitations associated with the use of such an approach. Specifically, the agencies will not accept an allocation of operational risk capital requirements that includes non-depository institutions or the benefits of diversification across entities. The exclusion of allocations that include non-depository institutions is in recognition that depositors and creditors of a depository institution generally

        [[Page 9181]]

        have no legal recourse to capital funds that are not held by the depository institution or its affiliate depository institutions.\20\

        \20\ The cross-guarantee provision of the Federal Deposit Insurance Act provides that a depository institution is liable for any losses incurred by the FDIC in connection with the failure of commonly-controlled depository institutions. There are no statutory provisions requiring cross-guarantees between a depository institution and its non-depository institution affiliates.

      7. Documentation of Operational Risk Quantification Systems

        S 30. The bank must document all material aspects of its AMA System. This documentation should include the rationale for the development, operation, and assumptions underpinning its chosen analytical framework, including the choice of inputs, distributional assumptions, and the weighting across qualitative and quantitative elements.

        Whatever analytical approach a bank chooses, it must document all material aspects of its AMA System. Generally, the documentation should include: A discussion of the bank's modeling philosophy; a ``how to'' guide that would provide sufficient detail for an independent party to substantially replicate the capital calculation; and an audit trail of any changes to the framework's assumptions. More specifically, this documentation should:

        Provide an overview of the analytical approach (for example, description of the model(s) and/or statistical technique(s) used, model inputs and outputs, and steps taken to ensure the integrity of the data used in the estimation process).

        Identify how the different inputs are combined and weighted to arrive at the overall operational risk exposure so that the analytical framework is transparent.

        Demonstrate that the analytical framework is comprehensive and internally consistent. Comprehensive and consistent means that all required inputs are incorporated and appropriately weighted and that there are not overlaps or double counting.

        Identify the quantitative assumptions embedded in the methodology and provide explanations for the choice and limitations of these assumptions (for example, quantitative assumptions include distributional assumptions, and dependence assumptions between operational losses across and within business lines).

        Include where possible, documentation of quantitative measures of each assumption's validity, based on the relevant data elements (for example, statistical goodness-of-fit tests should be used to evaluate distributional assumptions).

        Identify the qualitative assumptions embedded in the methodology and provide explanations for the choice of these assumptions. (For example, qualitative assumptions could include the use of business environment and internal control factor assessments, scenario analysis, and business judgment to derive dependence assumptions).

        Provide results based on alternative quantitative and qualitative assumptions to gauge the overall model's sensitivity to these assumptions.

        Identify all simplifying or normalizing assumptions. (For example, assumptions could include setting a maximum cap on losses in order to influence the shape of the severity distribution or to normalize results at specific units of measure for internal capital purposes or prior to aggregation. Assumptions should be consistent with relevant loss data from both internal and external sources).

        Provide results to assess the impact of simplifying or normalizing assumptions.

        Compare the operational risk exposure estimate generated by the analytical framework with actual loss experience over time, to assess the framework's performance and the reasonableness of its outputs.

        Identify all limitations of and changes to assumptions, and provide explanations for such changes.

        Include details and rationale for establishing thresholds and their use.

        Include information on the technical process underlying the analytical approach (for example, programming language(s) and software used, logical process flow diagrams, system or source of record for the data elements, how outputs are used in subsequent steps of the approach).

        Include technical change control information relating to the analytical approach (for example, a record of the changes, the associated rationale for the changes and the effects on the analytical approach).

        Provide the results of an independent verification and validation of the analytical framework.

    7. Data Management and Maintenance

      S 31. Banks using the AMA approach for regulatory capital purposes must have data management and maintenance systems that adequately support all aspects of an AMA System.

      AMA data management systems must support the requirements for the operational risk management, data and assessment, and quantification processes, as well as the verification and validation mechanisms described in this guidance. The precise data to be collected will be determined by a bank's specific AMA System methodology.

      A bank should have access to the key data elements needed for operational risk management, data and assessment, and quantification. An important factor in ensuring consistent reporting of the data elements is the development of comprehensive definitions for each data element used by the bank for reporting operational loss events or for the risk assessment inputs. The data must be stored in an electronic format to allow for timely retrieval for analysis, verification, validation, reporting, and disclosure purposes.

      While banks have substantial flexibility in the design of their data maintenance systems, data systems should be of sufficient depth, scope, and reliability to implement and evaluate the AMA System. The systems should be capable of:

      Identifying and tracking operational risk loss events from initial discovery through final resolution across all business lines, including instances where a loss event impacts multiple business lines.

      Producing timely and accurate internal and public reports on operational risk data and assessment, and quantification results, including patterns revealed by loss data, scenario analysis, and business environment and internal control factor assessments. The bank should also have sufficient data to produce exception reports for management (for example, a record of and justification for omitted large loss events).

      Supporting risk management activities and providing access to data management processes for all interested parties, including audit.

      In addition, the systems must be capable of retaining sufficient data elements related to key risk drivers to permit adequate monitoring, validation, and refinement of the bank's AMA System.

      Banks should also be able to use the data to identify patterns, track problem areas and identify emerging risks. Such data should include not only operational loss event information, but also information on business environment and internal control factor assessments, which are incorporated into the operational risk exposure calculation.

      Since data are collected at different stages of the risk management and quantification process, and involve a

      [[Page 9182]]

      variety of groups and individuals, there are potential challenges to ensuring the quality of the data including:

      Retaining data over long timeframes;

      Ensuring that data purchased from, or maintained by, third parties meet the bank's standards; and

      Retaining sufficient data elements and documentation of model methodologies, parameter estimates and assumptions to permit adequate ex-post review of operational risk data.

      Banks' policies and controls should address these potential data challenges. Furthermore, for external data, banks should seek reasonable assurance from third-party providers concerning data quality and integrity and a clear understanding of the sources and limitations of external data.

      Management should identify those responsible for maintaining the bank's data maintenance systems. In particular, policies and processes should be developed for delivering, storing, retaining, and updating the data warehouse. Policies and procedures should also cover the edit checks for data input functions. Like other areas of the AMA System, it is critical that management ensure accountability for ongoing data maintenance, as this will impact operational risk management and measurement efforts.

    8. Verification and Validation

      S 32. The bank must validate, on an ongoing basis, its AMA system. The bank's validation process must be independent of the AMA System's development, implementation, and operation, or the validation process must be subject to an independent review of its adequacy and effectiveness.

      Bank policies and procedures should clearly differentiate the roles and responsibilities of the independent verification and validation functions. Verification of the bank's AMA System typically encompasses internal and external audit activities. More specifically, verification includes the work done to test and verify that the policies, procedures, and processes that make up the bank's AMA System are working effectively and as intended. In addition, the verification function also ensures that validation of AMA models was completed in accordance with the bank's validation policy. Validation, often performed by non-audit staff, includes the processes the bank uses to test and assess the accuracy and integrity of models being used to quantify operational risk exposure and risk-based capital for operational risk. The primary Federal supervisor will consider, whenever possible, the work performed by the bank's verification and validation functions when assessing the bank's AMA System.

      Banks may use independent and qualified internal (for example, internal audit, and quality assurance) or external parties to perform verification and validation. The verification and validation functions should annually assess and report to the board of directors on the adequacy of the overall AMA System. This assessment should include the review of both the accuracy and integrity of the AMA System, control elements, as well as the scope and effectiveness of operational risk reporting. The verification and validation functions should also review reporting processes to ensure the timeliness, accuracy, and comprehensiveness of operational risk reporting systems, both at the firm-wide and the line of business levels. Other areas of assessment include, but are not limited to:

      Organizational structure, governance, and oversight;

      Internal and external data sources, collection processes, and repositories;

      Scenario analysis;

      Reporting and MIS;

      Business environment and internal control factor assessments;

      Quantification methodology and assumptions, including a review of the integrity of the operational risk exposure calculation; and

      Compliance with internal standards for validation of the models used to quantify operational risk exposure.

      Banks should have a formal written validation process that documents the development of risk quantification models and assures model accuracy, whether developed internally or externally. The validation process should address model documentation, data sources, model assumptions, coding and mathematical computations, conceptual soundness of the approach, comparison of estimates to results of alternative quantitative and qualitative models, model performance evaluation, and out-of-sample testing. The validation process must also require the bank to periodically stress test its quantitative and qualitative models. Stress testing must include a consideration of how economic cycles, especially downturns, affect the bank's operational risk-based capital requirement. Technically competent individuals who are independent of the development, implementation, or operation of the model should perform validation. These individuals may or may not be a part of the internal audit function. If validation is done by internal audit, staff performing the validation of bank models should not participate in the verification of the validation process.

      Validation of operational risk models should include review of:

      Adjustments to empirical operational risk capital estimates, including operational risk exposure;

      On-going monitoring processes that include verification of processes and benchmarking;

      Outcome analysis processes that includes model performance evaluation and out-of-sample testing;

      The operational risk models' conceptual soundness and underlying assumptions;

      Assumptions underlying operational risk exposure, data decision models, and the risk-based capital requirement for operational risk;

      Stress testing, robustness, and sensitivity analysis, as appropriate; and

      The sufficiency of the documentation pertaining to the analytical approach and of the change control process, including a review of the historical record of changes and associated rationale.

      Appropriate reports summarizing the results of independent verification and validation of the bank's AMA System, including associated models, should be provided to the board of directors and appropriate management. The board of directors should ensure that senior management initiates timely corrective action where necessary.

      The bank may determine the scope of its annual assessment, and the frequency of specific verification and validation work, based on risk- based auditing principles. The extent of verification of individual components of the bank's AMA System may be based on a risk assessment of the overall system, which identifies key processes, controls, activities, and assumptions. All material components of a bank's AMA System should be assessed and tested (as appropriate) at least annually, with the remaining components tested consistent with risk- based auditing and testing principles. Documentation of the verification and validation program should support the scope and frequency of work performed.

      [[Continued on page 9183]]

      From the Federal Register Online via GPO Access [wais.access.gpo.gov] ]

      [[pp. 9183-9193]] Proposed Supervisory Guidance for Internal Ratings-Based Systems for Credit Risk, Advanced Measurement Approaches for Operational Risk, and the Supervisory Review Process (Pillar 2) Related to Basel II Implementation

      [[Continued from page 9182]]

      [[Page 9183]]

      Appendix A--The NPR Qualification Requirements, Risk-Weighted Assets for Operational Risk, and Disclosure Requirements

      Part III. Qualification

      Section 22. Qualification Requirements \21\

      \21\ 71 FR 55922 through 55924 (Sept. 25, 2006).

      (a) Process and systems requirements. (1) A [bank] \22\ must have a rigorous process for assessing its overall capital adequacy in relation to its risk profile and a comprehensive strategy for maintaining an appropriate level of capital.

      \22\ For simplicity, and unless otherwise noted, the NPR uses the term [bank] to include banks, savings associations, and bank holding companies. [AGENCY] refers to the primary Federal supervisor of the bank applying the rules.

      (2) The systems and processes used by a [bank] for risk-based capital purposes under this appendix must be consistent with the

      [bank] 's internal risk management processes and management information reporting systems.

      (3) Each [bank] must have an appropriate infrastructure with risk measurement and management processes that meet the qualification requirements of this section and are appropriate given the [bank]'s size and level of complexity. Regardless of whether the systems and models that generate the risk parameters necessary for calculating a

      [bank] 's risk-based capital requirements are located at any affiliate of the [bank], the [bank] itself must ensure that the risk parameters and reference data used to determine its risk-based capital requirements are representative of its own credit risk and operational risk exposures.

      --Text omitted--

      (h) Operational risk--(1) Operational risk management processes. A

      [bank] must:

      (i) Have an operational risk management function that:

      (A) Is independent of business line management; and

      (B) Is responsible for designing, implementing, and overseeing the

      [bank] 's operational risk data and assessment systems, operational risk quantification systems, and related processes;

      (ii) Have and document a process to identify, measure, monitor, and control operational risk in [bank] products, activities, processes, and systems (which process must capture business environment and internal control factors affecting the [bank]'s operational risk profile); and

      (iii) Report operational risk exposures, operational loss events, and other relevant operational risk information to business unit management, senior management, and the board of directors (or a designated committee of the board).

      (2) Operational risk data and assessment systems. A [bank] must have operational risk data and assessment systems that capture operational risks to which the [bank] is exposed. The [bank]'s operational risk data and assessment systems must:

      (i) Be structured in a manner consistent with the [bank]'s current business activities, risk profile, technological processes, and risk management processes; and

      (ii) Include credible, transparent, systematic, and verifiable processes that incorporate the following elements on an ongoing basis:

      (A) Internal operational loss event data. The [bank] must have a systematic process for capturing and using internal operational loss event data in its operational risk data and assessment systems.

      (1) The [bank]'s operational risk data and assessment systems must include a historical observation period of at least five years for internal operational loss event data (or such shorter period approved by [AGENCY] to address transitional situations, such as integrating a new business line).

      (2) The [bank] may refrain from collecting internal operational loss event data for individual operational losses below established dollar threshold amounts if the [bank] can demonstrate to the satisfaction of the [AGENCY] that the thresholds are reasonable, do not exclude important internal operational loss event data, and permit the

      [bank] to capture substantially all the dollar value of the [bank]'s operational losses.

      (B) External operational loss event data. The [bank] must have a systematic process for determining its methodologies for incorporating external operational loss data into its operational risk data and assessment systems.

      (C) Scenario analysis. The [bank] must have a systematic process for determining its methodologies for incorporating scenario analysis into its operational risk data and assessment systems.

      (D) Business environment and internal control factors. The [bank] must incorporate business environment and internal control factors into its operational risk data and assessment systems. The [bank] must also periodically compare the results of its prior business environment and internal control factor assessments against its actual operational losses incurred in the intervening period.

      (3) Operational risk quantification systems. (i) The [bank]'s operational risk quantification systems:

      (A) Must generate estimates of the [bank]'s operational risk exposure using its operational risk data and assessment systems; and

      (B) Must employ a unit of measure that is appropriate for the

      [bank] 's range of business activities and the variety of operational loss events to which it is exposed, and that does not combine business activities or operational loss events with different risk profiles within the same loss distribution.

      (C) May use internal estimates of dependence among operational losses within and across business lines and operational loss events if the [bank] can demonstrate to the satisfaction of [AGENCY] that its process for estimating dependence is sound, robust to a variety of scenarios, and implemented with integrity, and allows for the uncertainty surrounding the estimates. If the [bank] has not made such a demonstration, it must sum operational risk exposure estimates across units of measure to calculate its total operational risk exposure.

      (D) Must be reviewed and updated (as appropriate) whenever the

      [bank] becomes aware of information that may have a material effect on the [bank]'s estimate of operational risk exposure, but no less frequently than annually.

      (ii) With the prior written approval of [AGENCY], a [bank] may generate an estimate of its operational risk exposure using an alternative approach to that specified in paragraph (h)(3)(i) of this section. A [bank] proposing to use such an alternative operational risk quantification system must submit a proposal to [AGENCY]. In considering a [bank]'s proposal to use an alternative operational risk quantification system, [AGENCY] will consider the following principles:

      (A) Use of the alternative operational risk quantification system will be allowed only on an exception basis, considering the size, complexity, and risk profile of a [bank];

      (B) The [bank] must demonstrate that its estimate of its operational risk exposure generated under the alternative operational risk quantification system is appropriate and can be supported empirically; and

      (C) A [bank] must not use an allocation of operational risk capital requirements that includes entities other than depository institutions or the benefits of diversification across entities.

      [[Page 9184]]

      (i) Data management and maintenance. (1) A [bank] must have data management and maintenance systems that adequately support all aspects of its advanced systems and the timely and accurate reporting of risk- based capital requirements.

      (2) A [bank] must retain data using an electronic format that allows timely retrieval of data for analysis, validation, reporting, and disclosure purposes.

      (3) A [bank] must retain sufficient data elements related to key risk drivers to permit adequate monitoring, validation, and refinement of its advanced systems.

      (j) Control, oversight, and validation mechanisms. (1) The [bank]'s senior management must ensure that all components of the [bank]'s advanced systems function effectively and comply with the qualification requirements in this section.

      (2) The [bank]'s board of directors (or a designated committee of the board) must at least annually evaluate the effectiveness of, and approve, the [bank]'s advanced systems.

      (3) A [bank] must have an effective system of controls and oversight that:

      (i) Ensures ongoing compliance with the qualification requirements in this section;

      (ii) Maintains the integrity, reliability, and accuracy of the

      [bank] 's advanced systems; and

      (iii) Includes adequate governance and project management processes.

      (4) The [bank] must validate, on an ongoing basis, its advanced systems. The [bank]'s validation process must be independent of the advanced systems' development, implementation, and operation, or the validation process must be subjected to an independent review of its adequacy and effectiveness. Validation must include:

      (i) The evaluation of the conceptual soundness of (including developmental evidence supporting) the advanced systems;

      (ii) An on-going monitoring process that includes verification of processes and benchmarking; and

      (iii) An outcomes analysis process that includes back-testing.

      (5) The [bank] must have an internal audit function independent of business-line management that at least annually assesses the effectiveness of the controls supporting the [bank]'s advanced systems and reports its findings to the [bank]'s board of directors (or a committee thereof).

      (6) The [bank] must periodically stress test its advanced systems. The stress testing must include a consideration of how economic cycles, especially downturns, affect risk-based capital requirements (including migration across rating grades and segments and the credit risk mitigation benefits of double default treatment).

      (k) Documentation. The [bank] must adequately document all material aspects of its advanced systems.

      --Text omitted--

      Part VII. Risk-Weighted Assets for Operational Risk

      Section 61. Qualification Requirements for Incorporation of Operational Risk Mitigants \23\

      \23\ 71 FR 55946 through 55947 (Sept. 25, 2006).

      (a) Qualification to use operational risk mitigants. A [bank] may adjust its estimate of operational risk exposure to reflect qualifying operational risk mitigants if:

      (1) The [bank]'s operational risk quantification system is able to generate an estimate of the [bank]'s operational risk exposure (which does not incorporate qualifying operational risk mitigants) and an estimate of the [bank]'s operational risk exposure adjusted to incorporate qualifying operational risk mitigants; and

      (2) The [bank]'s methodology for incorporating the effects of insurance, if the [bank] uses insurance as an operational risk mitigant, captures through appropriate discounts to the amount of risk mitigation:

      (i) The residual term of the policy, where less than one year;

      (ii) The cancellation terms of the policy, where less than one year;

      (iii) The policy's timeliness of payment;

      (iv) The uncertainty of payment by the provider of the policy; and

      (v) Mismatches in coverage between the policy and the hedged operational loss event.

      (b) Qualifying operational risk mitigants. Qualifying operational risk mitigants are:

      (1) Insurance that:

      (i) Is provided by an unaffiliated company that has a claims payment ability that is rated in one of the three highest rating categories by a NRSRO;

      (ii) Has an initial term of at least one year and a residual term of more than 90 days;

      (iii) Has a minimum notice period for cancellation by the provider of 90 days;

      (iv) Has no exclusions or limitations based upon regulatory action or for the receiver or liquidator of a failed depository institution; and

      (v) Is explicitly mapped to a potential operational loss event; and

      (2) Operational risk mitigants other than insurance for which the

      [AGENCY] has given prior written approval. In evaluating an operational risk mitigant other than insurance, [AGENCY] will consider whether the operational risk mitigant covers potential operational losses in a manner equivalent to holding regulatory capital.

      Section 62. Mechanics of Risk-Weighted Asset Calculation

      (a) If a [bank] does not qualify to use or does not have qualifying operational risk mitigants, the [bank]'s dollar risk-based capital requirement for operational risk is its operational risk exposure minus eligible operational risk offsets (if any).

      (b) If a [bank] qualifies to use operational risk mitigants and has qualifying operational risk mitigants, the [bank]'s dollar risk-based capital requirement for operational risk is the greater of:

      (1) The [bank]'s operational risk exposure adjusted for qualifying operational risk mitigants minus eligible operational risk offsets (if any); or

      (2) 0.8 multiplied by the difference between:

      (i) The [bank]'s operational risk exposure; and

      (ii) Eligible operational risk offsets (if any).

      (c) The [bank]'s risk-weighted asset amount for operational risk equals the [bank]'s dollar risk-based capital requirement for operational risk determined under paragraph (a) or (b) of this section multiplied by 12.5.

      Part VIII. Disclosure

      Section 71. Disclosure Requirements \24\

      \24\ 71 FR 55947 and 55952 (Sept. 25, 2006).

      (a) Each [bank] must publicly disclose each quarter its total and tier 1 risk-based capital ratios and their components (that is, tier 1 capital, tier 2 capital, total qualifying capital, and total risk- weighted assets).\25\

      \25\ Other public disclosure requirements continue to apply--for example, Federal securities law and regulatory reporting requirements.

      [Disclosure paragraph (b)]

      [Disclosure paragraph (c)]

      --Text omitted--

      [[Page 9185]]

      Table 11.9--Operational Risk

      Qualitative disclosures....... (a).............. The general qualitative disclosure requirement for operational risk. (b).............. Description of the AMA, including a discussion of relevant internal and external factors considered in the bank holding company's measurement approach. (c).............. A description of the use of insurance for the purpose of mitigating operational risk.

      Appendix B--Supervisory Standards

      S 1. The bank's AMA System must include an operational risk management function and audit function that are independent of business line management. The operational risk management function should address operational risk on a firm-wide basis.

      S 2. The bank must have and document a process that clearly describes its AMA System, including how the bank identifies, measures, monitors, and controls operational risk.

      S 3. The bank must maintain effective internal controls supporting its AMA System.

      S 4. The bank must ensure that an effective framework is in place to identify, measure, monitor, and control operational risk, and to accurately compute the bank's operational risk component of the bank's risk-based capital requirement. The board of directors must at least annually evaluate the effectiveness of, and approve, the bank's AMA System, including the strength of the bank's control infrastructure.

      S 5. The board of directors and management should ensure that the bank's operational risk management, data and assessment, and quantification processes are appropriately integrated into the bank's existing risk management and decision-making processes and that there are adequate resources to support these processes throughout the bank.

      S 6. The bank must have a firm-wide operational risk management function that oversees the AMA System and is independent of business line management. The operational risk management function is also responsible for the development of operational risk data and assessment systems, operational risk quantification systems, and related processes throughout the bank.

      S 7. The firm-wide operational risk management function should ensure adequate analysis and reporting of operational risk information. The function should also develop and report on the firm-wide operational risk profile.

      S 8. Line of business management is responsible for ensuring appropriate day-to-day management of the operational risks within its business unit.

      S 9. Line of business management should ensure that internal controls and practices within its business unit are consistent with firm-wide policies, processes, and procedures.

      S 10. The board of directors and senior management must receive reports on operational risk exposure, operational risk loss events, and other relevant operational risk information. The reports should include information regarding firm-wide and business line risk profiles, loss experience, and relevant business environment and internal control factor assessments. These reports should be received quarterly.

      S 11. The bank must have a systematic process for incorporating internal loss event data, external loss event data, scenario analyses, and assessments of its business environment and internal controls factors to support both its operational risk management and measurement framework, as well as its calculation of the bank's operational risk component of its risk-based capital requirement.

      S 12. The bank must use the regulatory definition of operational risk when assessing the operational risks to which the bank is exposed in order to calculate its risk-based capital requirement for operational risk. The bank should have clear standards for the collection and modification of all four elements in the operational risk data and assessment systems that support its AMA System.

      S 13. The bank must have a historical observation period of at least five years for internal operational loss event data. A shorter period may be approved by the primary Federal supervisor to address transitional situations, such as integrating a new business line. Internal data should be captured across all business lines, corporate functions, events, product types, and geographic locations. The bank must have a systematic process for capturing and using internal operational loss event data in its operational risk data and assessment systems.

      S 14. The bank should be able to map internal operational losses to the seven operational loss-event categories.

      S 15. The bank should have a policy that identifies when an operational loss is recognized and should be added to the loss event database. The policy should provide for consistent treatment across the bank.

      S 16. The bank may establish appropriate internal operational loss event data thresholds and, if so, must demonstrate the appropriateness of such thresholds.

      S 17. The bank should have a clear policy that allows for the consistent treatment of loss event classifications (for example, credit, market, or operational loss events) across the organization.

      S 18. The bank must have a systematic process for determining how external loss data will be incorporated into its operational risk data and assessment systems.

      S 19. The bank should systematically review external data to ensure an understanding of industry operational loss experience.

      S 20. The bank must have a systematic process for determining how scenario analysis will be incorporated into its operational risk data and assessment systems. S 21. The bank must incorporate business environment and internal control factors into the bank's operational risk data and assessment systems.

      S 22. The bank must periodically compare the results of its business environment and internal control factor assessments against the bank's actual operational risk loss experience.

      S 23. The bank must have an operational risk quantification system that provides an estimate of the bank's operational risk exposure.

      S 24. The bank's operational risk quantification system must use a combination of internal operational loss event data, relevant external operational loss event data, business environment and internal control factor assessments, and scenario analysis results. The bank should combine these elements in a manner that most effectively enables it to quantify its operational risk exposure. The bank should choose the analytical framework that is most appropriate to its business model.

      S 25. The bank must review and update its operational risk quantification system whenever it

      [[Page 9186]]

      becomes aware of information that may have a material effect on the bank's estimate of operational risk exposure or risk-based capital requirement for operational risk, but no less frequently than annually. A complete review and recalculation of the bank's quantification system, including all modeling inputs and assumptions, must be done at least annually.

      S 26. In calculating the risk-based capital requirement for operational risk, management may deduct certain eligible operational risk offsets from its estimate of operational risk exposure. To the extent that these offsets do not fully cover expected operational loss (EOL), the bank's risk-based capital requirement for operational risk must incorporate the shortfall. Eligible operational risk offsets may only be used to offset EOL, not UOL.

      S 27. The bank must employ a unit of measure that is appropriate for the bank's range of business activities and the variety of operational loss events to which it is exposed, and that does not combine business activities or operational loss events with different risk profiles within the same loss distribution.

      S 28. The bank may use internal estimates of dependence among operational losses within and across business lines and operational loss events if the bank can demonstrate to the satisfaction of its primary Federal supervisor that the bank's process for estimating dependence is sound, robust to a variety of scenarios, and implemented with integrity, and allows for uncertainty surrounding the estimates. If the bank has not made such a demonstration, it must sum operational risk exposure estimates across units of measures to calculate its total operational risk exposure.

      S 29. The bank may adjust its operational risk exposure results by no more than 20 percent to reflect the impact of operational risk mitigants. In order to recognize the effects of risk mitigants, management must estimate its operational risk exposure with and without their effects.

      S 30. The bank must document all material aspects of its AMA System. This documentation should include the rationale for the development, operation, and assumptions underpinning its chosen analytical framework, including the choice of inputs, distributional assumptions, and the weighting across qualitative and quantitative elements.

      S 31. Banks using the AMA approach for regulatory capital purposes must have data management and maintenance systems that adequately support all aspects of an AMA System.

      S 32. The bank must validate, on an ongoing basis, its AMA system. The bank's validation process must be independent of the AMA System's development, implementation, and operation, or the validation process must be subject to an independent review of its adequacy and effectiveness.

      Appendix C--The NPR Qualification Process

      Part III. Qualification

      Section 21. Qualification Process \26\

      \26\ 71 FR 55921 through 55922 (Sept. 25, 2006).

      (a) Timing. (1) A [bank] \27\ that is described in paragraph (b)(1) of section 1 must adopt a written implementation plan no later than six months after the later of the effective date of this appendix or the date the [bank] meets a criterion in that section. The plan must incorporate an explicit first floor period start date no later than 36 months after the later of the effective date of this appendix or the date the [bank] meets at least one criterion under paragraph (b)(1) of section 1. [AGENCY] may extend the first floor period start date.

      \27\ For simplicity, and unless otherwise noted, the NPR uses the term [bank] to include banks, savings associations, and bank holding companies. [AGENCY] refers to the primary Federal supervisor of the bank applying the rules. In addition, the text in Appendix C refers often to an `appendix.' Use of `appendix' within the text refers to where the NPR rule text will be inserted within each Agency's capital adequacy regulation. The `appendix' is titled ``Capital Adequacy Guidelines for [Bank]s: Internal-Ratings-Based and Advanced Measurement Approaches.''

      (2) A [bank] that elects to be subject to this appendix under paragraph (b)(2) of section 1 must adopt a written implementation plan and notify the [AGENCY] in writing of its intent at least 12 months before it proposes to begin its first floor period.

      (b) Implementation plan. The [bank]'s implementation plan must address in detail how the [bank] complies, or plans to comply, with the qualification requirements in section 22. The [bank] also must maintain a comprehensive and sound planning and governance process to oversee the implementation efforts described in the plan. At a minimum, the plan must:

      (1) Comprehensively address the qualification requirements in section 22 for the [bank] and each consolidated subsidiary (U.S. and foreign-based) of the [bank] with respect to all portfolios and exposures of the [bank] and each of its consolidated subsidiaries;

      (2) Justify and support any proposed temporary or permanent exclusion of business lines, portfolios, or exposures from application of the advanced approaches in this appendix (which business lines, portfolios, and exposures must be, in the aggregate, immaterial to the

      [bank] );

      (3) Include the [bank]'s self-assessment of:

      (i) The [bank]'s current status in meeting the qualification requirements in section 22; and

      (ii) The consistency of the [bank]'s current practices with the

      [AGENCY] 's supervisory guidance on the qualification requirements;

      (4) Based on the [bank]'s self-assessment, identify and describe the areas in which the [bank] proposes to undertake additional work to comply with the qualification requirements in section 22 or to improve the consistency of the [bank]'s current practices with the [AGENCY]'s supervisory guidance on the qualification requirements (gap analysis);

      (5) Describe what specific actions the [bank] will take to address the areas identified in the gap analysis required by paragraph (b)(4) of this section;

      (6) Identify objective, measurable milestones, including delivery dates and a date when the [bank]'s implementation of the methodologies described in this appendix will be fully operational;

      (7) Describe resources that have been budgeted and are available to implement the plan; and

      (8) Receive board of directors approval.

      (c) Parallel run. Before determining its risk-based capital requirements under this appendix and following adoption of the implementation plan, the [bank] must conduct a satisfactory parallel run. A satisfactory parallel run is a period of no less than four consecutive calendar quarters during which the [bank] complies with all of the qualification requirements in section 22 to the satisfaction of

      [AGENCY] . During the parallel run, the [bank] must report to the

      [AGENCY] on a calendar quarterly basis its risk-based capital ratios using [the general risk-based capital rules] and the risk-based capital requirements described in this appendix. During this period, the [bank] is subject to [the general risk-based capital rules].

      (d) Approval to calculate risk-based capital requirements under this appendix. The [AGENCY] will notify the [bank] of the date that the

      [bank] may begin its first floor period following a determination by the [AGENCY] that:

      (1) The [bank] fully complies with the qualification requirements in section 22;

      [[Page 9187]]

      (2) The [bank] has conducted a satisfactory parallel run under paragraph (c) of this section; and

      (3) The [bank] has an adequate process to ensure ongoing compliance with the qualification requirements in section 22.

      (e) Transitional floor periods. Following a satisfactory parallel run, a [bank] is subject to three transitional floor periods.

      (1) Risk-based capital ratios during the transitional floor periods--(i) Tier 1 risk-based capital ratio. During a [bank]'s transitional floor periods, a [bank]'s tier 1 risk-based capital ratio is equal to the lower of:

      (A) The [bank]'s floor-adjusted tier 1 risk-based capital ratio; or

      (B) The [bank]'s advanced approaches tier 1 risk-based capital ratio.

      (ii) Total risk-based capital ratio. During a [bank]'s transitional floor periods, a [bank]'s total risk-based capital ratio is equal to the lower of:

      (A) The [bank]'s floor-adjusted total risk-based capital ratio; or

      (B) The [bank]'s advanced approaches total risk-based capital ratio.

      (2) Floor-adjusted risk-based capital ratios. (i) A [bank]'s floor- adjusted tier 1 risk-based capital ratio during a transitional floor period is equal to the [bank]'s tier 1 capital as calculated under [the general risk-based capital rules], divided by the product of:

      (A) The [bank]'s total risk-weighted assets as calculated under

      [the general risk-based capital rules] ; and

      (B) The appropriate transitional floor percentage in Table 1.

      (ii) A [bank]'s floor-adjusted total risk-based capital ratio during a transitional floor period is equal to the sum of the [bank]'s tier 1 and tier 2 capital as calculated under [the general risk-based capital rules], divided by the product of:

      (A) The [bank]'s total risk-weighted assets as calculated under

      [the general risk-based capital rules] ; and

      (B) The appropriate transitional floor percentage in Table 1.

      (iii) A [bank] that meets the criteria in paragraph (b)(1) or (b)(2) of section 1 as of the effective date of this rule must use [the general risk-based capital rules] effective immediately before this rule became effective during the parallel run and as the basis for its transitional floors.

      Table 1.--Transitional Floors

      Transitional Transitional floor period

      floor percentage

      First floor period......................................

      95 Second floor period.....................................

      90 Third floor period......................................

      85

      (3) Advanced approaches risk-based capital ratios. (i) A [bank]'s advanced approaches tier 1 risk-based capital ratio equals the [bank]'s tier 1 risk-based capital ratio as calculated under this appendix (other than this section on transitional floor periods).

      (ii) A [bank]'s advanced approaches total risk-based capital ratio equals the [bank]'s total risk-based capital ratio as calculated under this appendix (other than this section on transitional floor periods).

      (4) Reporting. During the transitional floor periods, a [bank] must report to the [AGENCY] on a calendar quarterly basis both floor- adjusted risk-based capital ratios and both advanced approaches risk- based capital ratios.

      (5) Exiting a transitional floor period. A [bank] may not exit a transitional floor period until the [bank] has spent a minimum of four consecutive calendar quarters in the period and the [AGENCY] has determined that the [bank] may exit the floor period. The [AGENCY]'s determination will be based on an assessment of the [bank]'s ongoing compliance with the qualification requirements in section 22.

      Appendix D--Basel II Operational Risk Information Collection Templates (Schedule V) \28\

      \28\ Notices of Proposed Rulemaking and Proposed Agency Information Collections--Requests for Comments were published in the Federal Register for comment on September 25, 2006 (71 FR 55981 through 55986). The Notices contained Basel II information collection templates, including a template for operational risk that is included in this Appendix.

      BILLING CODES 4810-33-P, 6210-01-P, 6714-01-P, 6720-01-P

      [[Page 9188]]

      [GRAPHIC] [TIFF OMITTED] TN28FE07.037

      BILLING CODES 4810-33-C, 6210-01-C, 6714-01-C, 6720-01-C

      [[Page 9189]]

      Operational Risk--Definitions

      Business environment and internal The indicators of a bank's control factors.

      operational risk profile that reflect a current and forward- looking assessment of the bank's underlying business risk factors and internal control environment. Dependence........................ A measure of the association among operational losses across and within business lines and operational loss event types. Eligible operational risk offsets. Amounts, not to exceed expected operational loss, that: (1) Are generated by internal business practices to absorb highly predictable and reasonably stable operational losses, including reserves calculated consistent with GAAP; and (2) are available to cover expected operational losses with a high degree of certainty over a one-year horizon. Expected operational loss (EOL)... The expected value of the distribution of potential aggregate operational losses, as generated by the bank's operational risk quantification system using a one- year horizon. Frequency distribution............ Statistical distribution used to calculate the frequency of losses. Operational loss event............ An event that results in loss and is associated with internal fraud; external fraud; employment practices and workplace safety; clients, products, and business practices; damage to physical assets; business disruption and system failures; or execution, delivery, and process management. Operational risk.................. The risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events (including legal risk but excluding strategic and reputational risk). Operational risk exposure......... The 99.9th percentile of the distribution of potential aggregate operational losses, as generated by the bank's operational risk quantification system over a one- year horizon (and not incorporating eligible operational risk offsets or qualifying operational risk mitigants). Risk mitigants (e.g., insurance).. A contractual arrangement whose primary purpose is to transfer risk to a third party. Scenario analysis................. A systematic process of obtaining expert opinions from business managers and risk management experts to derive reasoned assessments of the likelihood and loss impact of plausible high- severity operational losses. Severity distribution............. Statistical distribution used to calculate the severity of losses. Unexpected operational loss (UOL). The difference between the bank's operational risk exposure and the bank's expected operational loss. Unit of measure................... The level (for example, organizational unit or operational loss event type) at which the bank's operational risk quantification system generates a separate distribution of potential operational losses.

      Appendix E--Operational Loss Event Types and Examples

      Examples (not intended to be Event Type

      inclusive)

      Internal fraud.................... Employee theft, intentional misreporting of positions, and insider trading on an employee's own account. External fraud................... Robbery, forgery, and check kiting. Employment practices and workplace Workers' compensation and safety.

      discrimination claims, violation of employee health and safety rules, and general liability. Clients, products, and business Fiduciary breaches, misuse of practices.

      confidential customer information, money laundering, and sale of unauthorized products. Damage to physical assets......... Terrorism, vandalism, earthquakes, fires, and floods. Business disruption and system Hardware and software failures, failures.

      telecommunication problems, and utility outages. Execution, delivery, and process Data entry errors, collateral management.

      management failures, incomplete legal documentation, and vendor disputes.

      Proposed Supervisory Guidance on the Supervisory Review Process (PILLAR 2).

  561. This guidance supplements the notice of proposed rulemaking (NPR) published jointly by the U.S. Federal banking agencies \1\ in the Federal Register on September 25, 2006.\2\ The NPR proposes the implementation of a New Advanced Capital Adequacy Framework (U.S. Advanced Framework) encompassing three pillars:

    \1\ The Federal banking agencies are: The Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of the Comptroller of the Currency; and the Office of Thrift Supervision; and will collectively be referred to as ``the agencies,'' ``supervisors,'' or ``regulators'' in this guidance.

    \2\ 71 FR 55830 (Sept. 25, 2006).

    Minimum risk-based regulatory capital requirements (Pillar 1);

    Supervisory review (Pillar 2); and

    Market discipline through enhanced public disclosures (Pillar 3).

    The regulatory capital requirements in Pillar 1 of the U.S. Advanced Framework would apply to credit risk and operational risk.\3\

    \3\ Some banks may be subject to both the U.S. Advanced Framework and the revised Market Risk Capital Rule, as published in the Federal Register on September 25, 2006 (71 FR 55958). If so, the requirement for banks to conduct an internal assessment of capital adequacy for market risk in the revised Market Risk Capital Rule could be satisfied by the requirement for banks to have a comprehensive internal capital adequacy assessment (covering all risk types) under the U.S. Advanced Framework. Additionally, banks subject only to the revised Market Risk Capital Rule would not need to conduct a comprehensive internal capital adequacy assessment covering all risk types, but only an internal assessment for market risk of covered positions as defined in the revised Market Risk Capital Rule.

  562. This document addresses the process for supervisory review in the proposed U.S. Advanced Framework. Supervisory review as described in this guidance covers three main areas:

    Comprehensive supervisory assessment of capital adequacy;

    compliance with regulatory capital requirements;

    Internal capital adequacy assessment process (ICAAP).

    [[Page 9190]]

  563. The process of supervisory review described in this document reflects a continuation of the longstanding approach employed by the agencies in their supervision of banking institutions. However, the new methods proposed for calculating regulatory capital requirements in the U.S. Advanced Framework affect certain aspects of supervisory review. Thus, this guidance highlights areas of existing supervisory review that are being augmented or more clearly defined to support implementation of the U.S. Advanced Framework. It applies only to those banks calculating U.S. regulatory capital requirements under that framework, and not to banks calculating U.S. regulatory capital requirements by other means.\4\

    \4\ The term ``bank'' as used in this guidance includes banks, savings associations and bank holding companies. The terms ``bank holding company'' and ``BHC'' refer only to bank holding companies regulated by the Federal Reserve Board and do not include savings and loan holding companies regulated by the Office of Thrift Supervision.

  564. The supervisory review process described in this document is intended to help ensure overall capital adequacy by:

    Confirming a bank's compliance with regulatory capital requirements;

    Addressing the limitations of regulatory capital requirements as a measure of a bank's full risk profile--including risks not covered or not adequately quantified;

    Encouraging banks to develop and use better techniques in identifying and measuring the risks they face; and

    Ensuring that each bank is able to assess its own individual capital adequacy (beyond regulatory capital requirements), based on its risk profile and business mix.

  565. This guidance does not supersede or alter the functioning of the existing U.S. Prompt Corrective Action requirements.\5\ This guidance also does not change requirements for compliance with existing regulations and supervisory standards related to risk management practices or other areas. The supervisory review process described in this guidance helps to support supervisors' ability to intervene when necessary to prevent an individual bank's capital from falling below the level required to support its risk profile.

    \5\ See section 38 of the Federal Deposit Insurance Act (12 U.S.c. 1831o).

    Comprehensive Supervisory Assessment of Capital Adequacy

  566. Capital helps protect individual banks from insolvency, thereby promoting safety and soundness in the overall U.S. banking system. Minimum regulatory capital requirements (Pillar 1 in the U.S. Advanced Framework) establish a threshold below which a sound bank's regulatory capital must not fall. Regulatory capital ratios permit some comparative analysis of capital adequacy across regulated institutions because they are based on certain common assumptions. However, supervisors must perform a more comprehensive assessment of capital adequacy that considers risks specific to the bank, conducting analyses that go beyond minimum regulatory capital requirements.

  567. Supervisors generally expect banks to hold capital above their minimum regulatory capital levels, commensurate with their individual risk profiles, to account for all material risks. Going forward, supervisors will continue to assess the overall capital adequacy of any bank through a comprehensive evaluation that considers all relevant available information. In determining the extent to which banks should hold capital in excess of regulatory minimums, supervisors would consider the combined implications of a bank's compliance with qualification requirements for regulatory capital standards, the quality and results of a bank's ICAAP, and supervisory assessment of the bank's risk management processes, control structure, and other relevant information relating to the bank's risk profile and capital position. This supervisory assessment process is consistent with current supervisory practice, under which supervisors assess the overall capital adequacy of a bank through a comprehensive evaluation of all relevant information.

  568. On an ongoing basis, the supervisory assessment process determines whether a bank's overall capital remains adequate as underlying conditions change. Changes in a bank's risk profile or in relevant capital measures are areas of particular focus that are effectively addressed through the supervisory review process. Generally, material increases in risk that are not otherwise mitigated should be accompanied by commensurate increases in capital. Conversely, reductions in overall capital (to a level still above regulatory minimums) may be appropriate if the supervisory assessment provides support to conclude that risk has materially declined or that it has been appropriately mitigated.

  569. As a result of its comprehensive supervisory assessment, a bank's primary Federal supervisor may take action if it is not satisfied that capital is adequate. The primary supervisor may require the bank to take actions designed to address identified supervisory concerns, which may include holding an amount of capital greater than otherwise would be required. In addition, a primary supervisor may, under its enforcement authority, require a bank to modify or enhance risk management and internal control processes, or reduce risk exposures, or take any other action as deemed necessary to address identified supervisory concerns.

    Compliance With Regulatory Capital Requirements

  570. In order to qualify under the U.S. Advanced Framework to use new methods for calculating regulatory capital requirements, banks must meet certain process and systems requirements. Supervisors must ensure that banks are indeed meeting these requirements. Thus, one aspect of supervisory review pertains to the evaluation of a bank's compliance with the qualification requirements for the systems and processes to be used in the calculation of regulatory capital under the U.S. Advanced Framework. The supervisory guidance regarding the U.S. Advanced Framework provides a detailed explanation of these qualification requirements for the systems and processes for the calculation of regulatory capital.

  571. Banks adopting the U.S. Advanced Framework must comply with the qualification requirements not just for initial qualification, but also for ongoing use. A bank that falls out of compliance with the qualification requirements would be required to establish a plan satisfactory to its primary Federal supervisor to return to compliance, as discussed in the U.S. Advanced Framework.

  572. Supervisors will ensure that each bank using the U.S. Advanced Framework complies with the qualifying requirements for calculating regulatory capital, both at the consolidated level and at any U.S. subsidiary banks also subject to the U.S. Advanced Framework. Thus, each bank applying the U.S. Advanced Framework must have appropriate risk measurement and management processes and systems that meet the rule's qualification requirements for calculating regulatory capital.

    ICAAP

  573. The qualification requirements in the U.S. Advanced Framework state that ``a bank must have a rigorous process for assessing its overall capital adequacy in relation to its risk profile and a

    [[Page 9191]]

    comprehensive strategy for maintaining an appropriate level of capital.'' \6\ A bank's internal process for assessing its overall capital adequacy, the ICAAP, must be conducted by a bank in addition to its calculation of regulatory capital requirements.\7\

    \6\ Part III, section 22 (a) (1) of the U.S. Advanced Framework.

    \7\ Should the primary Federal supervisor exempt a bank from the application of the U.S. Advanced Framework based upon a written determination that the application of the rule is not appropriate in light of the bank's asset size, level of complexity, risk profile, or scope of operations, such exemption would likewise apply to the requirement that the bank have an ICAAP in the U.S. Advanced Framework.

  574. The fundamental objectives of a sound ICAAP are:

    Identifying and measuring material risks;

    Setting and assessing internal capital adequacy goals that relate directly to risk;

    Ensuring the integrity of internal capital adequacy assessments.

  575. Assessing overall capital adequacy through the ICAAP requires thorough identification of all material risks, measurement of those that can be reliably quantified, and systematic assessment of all risks and their implications for capital adequacy. In this manner, an ICAAP should contribute broadly to the development of better risk management within the organization at both the individual entity and consolidated levels.

  576. Each bank that uses the U.S. Advanced Framework should have an ICAAP appropriate for its unique risk characteristics and should not rely solely upon the assessment of capital adequacy at the parent company level. This does not preclude the use of a consolidated ICAAP as an important input to a subsidiary bank's own ICAAP, provided that each entity's board and senior management ensure that such processes are appropriately modified from the consolidated ICAAP to address the unique structural and operating characteristics and risks of their bank.

  577. In general, the ICAAP will likely go beyond the restrictive or simplifying assumptions in regulatory requirements. However, in certain instances the ICAAP may build on and utilize methods, practices, and results from a bank's work for determining regulatory capital requirements. For example, an ICAAP may use data, ratings, or estimates from internal ratings-based approaches to credit risk. Furthermore, while an ICAAP should generally be a distinct and comprehensive process that produces its own capital measures, in some cases banks may be able to justify that regulatory capital measures are appropriate for internal use and reflect the bank's risk profile.

  578. The design and operation of systems to meet the ICAAP requirement will necessarily differ based upon the complexity of each bank's operations and risk profile. Many banks currently employ ``economic capital'' measures for some elements of risk management, such as, limit setting, or for evaluating performance and determining aggregate capital adequacy needs.\8\ In some cases, economic capital measures may relate directly to ICAAP requirements; in other cases, banks may be using economic capital measures that do not relate directly to ICAAP requirements. For the latter, a bank does not necessarily need to change its existing process or systems, but may build upon or reconcile its economic capital process in relation to the ICAAP requirement to demonstrate how the two are generally related. Regardless of the specific implementation method(s) chosen, a bank's overall ICAAP should address the three ICAAP objectives stated in paragraph 14.

    \8\ The term ``economic capital'' generally refers to the capital attributed to cover the economic effects of an institution's risk taking activities. In practice, economic capital takes on a variety of definitions and is applied in a number of ways at the product, business-line, and consolidated institution level.

    Identifying and Measuring Material Risks in ICAAP

  579. The first objective of an ICAAP is to identify all material risks. Risks that can be reliably measured and quantified should be treated as rigorously as data and methods allow. The appropriate means and methods to measure and quantify those material risks are likely to vary across banks.

  580. Some of the risks to which banks are exposed include credit risk, market risk, operational risk, interest rate risk in the banking book, and liquidity risk (as outlined below).\9\ However, other risks, such as reputational risk, business or strategic risk, and country risk may be as important for a bank and, in such cases, should be given equal consideration to the more formally defined risk types.\10\ Additionally, if banks employ risk mitigation techniques, they should understand the risk to be mitigated and the potential effects of that mitigation (including its enforceability and effectiveness).

    \9\ Examination policies and procedures from each agency provide extensive guidance on the major risk categories. A bank's risk management processes, including its ICAAP, should be consistent with this existing body of guidance, as well as with relevant interagency guidance.

    \10\ For example, a bank may be engaged in businesses for which periodic fluctuations in activity levels, combined with relatively high fixed costs, have the potential to create unanticipated losses that must be supported by adequate capital. Additionally, a bank might be involved in strategic activities (such as expanding business lines or engaging in acquisitions) that introduce significant elements of risk and for which additional capital would be appropriate.

    Credit risk: A bank should have the ability to assess credit risk at the portfolio level as well as at the exposure or counterparty level. Banks should be particularly attentive to identifying credit risk concentrations and ensuring that their effects are adequately assessed. This should include consideration of various types of dependence among exposures, incorporating the credit risk effects of extreme outcomes, stress events, and shocks to assumptions about portfolio and exposure behavior. Banks should also carefully assess concentrations in counterparty credit exposures, including counterparty credit risk exposures emanating from trading in less liquid markets, and determine the effect that these might have on capital adequacy.

    Market risk: A bank should be able to identify risks in trading activities resulting from a movement in market prices. This determination should consider factors such as illiquidity of instruments, concentrated positions, one-way markets, non-linear/deep out-of-the money positions, and the potential for significant shifts in correlations. Exercises that incorporate extreme events and shocks should also be tailored to capture key portfolio vulnerabilities.

    Operational risk: A bank should be able to assess the potential risks resulting from inadequate or failed internal processes, people, and systems, as well as from events external to the bank. This assessment should include the effects of extreme events and shocks relating to operational risk. Events could include a sudden increase in failed processes across business units or a significant incidence of failed internal controls.

    Interest rate risk in the banking book: A bank should identify the risks associated with changing interest rates on balance sheet and off-balance sheet exposures in the banking book from both a short-term and long-term perspective. This might include the impact of changes due to parallel shocks, yield curve twists, yield curve inversions, changes in the relationships of rates (basis risk), and other relevant scenarios. The bank should be able to support its assumptions about the behavioral characteristics of servicing rights, non-maturity deposits and other

    [[Page 9192]]

    assets and liabilities, especially those exposures characterized by embedded optionality. Given uncertainty in such assumptions, stress testing and scenario analysis should be used in the analysis of interest rate risks.

    Liquidity risk: A bank should understand risks resulting from its inability to meet its obligations as they come due, because of difficulty in liquidating assets or in obtaining adequate funding. This assessment should include analysis of sources and uses of funds, an understanding of the funding markets in which the bank operates, and an assessment of the efficacy of a contingency funding plan for events that could arise.

    The risk factors discussed above should not be considered an exhaustive list of those affecting any given bank. All relevant factors that present a material source of risk to capital should be incorporated in a well-developed ICAAP. Furthermore, banks should be mindful of the capital adequacy effects of concentrations that may arise within each risk type.

  581. All measurements of risk incorporate both quantitative and qualitative elements, but generally a quantitative approach should form the foundation of a bank's measurement framework. In some cases, quantitative tools can include the use of large historical databases; when data are more scarce, a bank may choose to rely more heavily on the use of stress testing and scenario analyses. Banks should understand when measuring risks that measurement error always exists, and in many cases is, itself, difficult to quantify. In general, an increase in uncertainty related to modeling and business complexity should result in a larger capital cushion.

  582. Quantitative approaches that focus on most likely outcomes for budgeting, forecasting, or performance measurement purposes may not be fully applicable for capital adequacy because the ICAAP should also take less likely events into account. Stress testing and scenario analysis can be effective in gauging the consequences of outcomes that are unlikely but would have a considerable impact on safety and soundness.

  583. To the extent that risks cannot be reliably measured with quantitative tools--for example, where measurements of risk are based on scarce data or unproven quantitative methods--qualitative tools, including experience and judgment, may be more heavily utilized. Banks should be cognizant that qualitative approaches have their own inherent biases and assumptions that affect risk assessment; accordingly, banks should recognize the biases and assumptions embedded in, and the limitations of, the qualitative approaches used.

  584. An effective ICAAP should assess risks across the entire bank. A bank choosing to conduct risk aggregation among various risk types or business lines should understand the challenges in such aggregation. In addition, when aggregating risks, banks should be sure to address any potential concentrations across more than one risk dimension, recognizing that losses could arise in several risk dimensions at the same time, stemming from the same event or a common set of factors. For example, a localized natural disaster could generate losses from credit, market, and operational risks at the same time.

  585. In considering possible effects of diversification, management should be systematic and rigorous in documenting decisions, and in identifying assumptions used in each level of risk aggregation. Assumptions about diversification should be supported by analysis and evidence. The bank should have systems capable of aggregating risks based on the bank's selected framework. For example, a bank calculating correlations within or among risk types should consider data quality and consistency, and the volatility of correlations over time and under stressed market conditions.

    Setting and Assessing Capital Adequacy Goals That Relate to Risk

  586. The second objective of an ICAAP is to set and assess capital adequacy goals in relation to all material risks. Importantly, banks should recognize that regulatory capital requirements represent a floor below which a bank's overall capital level must not fall, even if bank management believes that there is justification for a lower overall level.

  587. Assessments of risk and capital adequacy should reflect the risk appetite of the bank. This appetite may be expressed through an established risk tolerance that generally reflects a desired level of risk coverage and/or a certain degree of creditworthiness, such as an explicit solvency standard. Because risk profiles and choices of risk tolerance may differ across banks, chosen capital targets may also differ.

  588. Actual capital held should reflect not only the measured amount of risk, but also potential uncertainties related to the measurement of risk. In addressing concerns about how limitations of risk measurement affect capital adequacy, banks should pay particular attention to the relative importance to the bank of the activities producing the risk. In their assessment of capital adequacy, banks should challenge fundamental assumptions embedded in the measurement of risks; in certain cases, assumptions that were accurate during one historical time period may no longer be valid and may lead to mismeasurement or misunderstanding of risks and/or the capital needed to support them. Banks should be explicitly aware of how sensitive their risk measurements are to various input assumptions.

  589. A bank should consider external conditions and other factors that influence overall capital adequacy. The potential impact of contingent exposures and changing economic and financial environments should be addressed; such analysis can include stress testing or scenario analysis, but in all cases should incorporate both quantitative and qualitative methods.\11\

    \11\ The use of stress testing and scenario analysis in identifying and measuring risk exposures and assessing capital adequacy in an ICAAP is not the same as the stress testing requirement related to minimum regulatory capital requirements (as described in the U.S. Advanced Framework and supervisory guidance relating to qualification requirements). The stress testing and scenario analysis encouraged in the ICAAP guidance is intended to focus on overall capital needs and their possible fluctuations--not just fluctuations in minimum regulatory capital requirements.

  590. A bank's ICAAP should ensure adequate capital is held against all material risks not just at a point in time, but over time, in order to account for inevitable changes in a bank's strategic direction, evolving economic conditions, and volatility in the financial environment. Indeed, sensitivity of capital to economic and financial cycles is an important feature to be included in a bank's planning for current and future capital needs. For example, a bank's ICAAP should consider the potential effects of a sudden, sustained downturn. The level of capital deemed adequate by an ICAAP might also be influenced by a bank's intention to hold additional capital to mitigate the impact of volatility in capital requirements, the need to accommodate acquisition plans, or the decision to accommodate market perceptions of capital adequacy and their impact on funding costs.

  591. Various definitions of bank capital are used within banking. A bank should state clearly the definition of capital used in any aspect of its ICAAP. For example, the definition used in models to measure capital adequacy relative to risk may not correspond to capital actually held (available capital resources), and the bank should understand such differences. For internal purposes, some banks may choose a narrow capital definition, such

    [[Page 9193]]

    as only common equity, while others may define capital more broadly. Banks should also state explicitly the impact that retained earnings have on capital positions. Since components of capital are not necessarily alike and have varying ability to absorb losses, a bank should thoroughly understand the relationship between its internal capital definition and its assessment of capital adequacy. The bank should document any changes in its internal definition of capital, and the reason for those changes.

  592. For effective capital planning, banks should identify the time horizon over which they are assessing capital adequacy. Banks should evaluate whether long-run capital targets are consistent with short-run goals, based on current and planned changes in risk profiles and the recognition that accommodating additional capital needs can require significant lead time. Capital planning should factor in the potential difficulties of raising additional capital during downturns or other times of stress. Banks should have contingency plans to address unexpected capital needs or liquidity/funding issues.

    Ensuring Integrity of Internal Capital Adequacy Assessments

  593. A satisfactory ICAAP comprises a complete process with proper oversight and controls, not just an ability to carry out certain capital calculations. The various elements of a bank's ICAAP should supplement and reinforce one another to achieve the overall objective of assessing the adequacy of the bank's actual capital resources, taking into account the full risk profile.

  594. Adequate internal controls and documentation should be in place to ensure transparency, objectivity, and consistency in an ICAAP. Decisions regarding the design and operation of the ICAAP should reflect sound risk management objectives, and should not be unduly influenced by competing business objectives. Principles underlying a bank's ICAAP should be incorporated in policies that are reviewed and approved at appropriate levels within the organization.

  595. Banks should have complete documentation covering the ICAAP. At a minimum, such documentation should include a description of the overall process, including committees and individuals responsible for the ICAAP, the frequency of ICAAP-related reporting, and procedures for the periodic evaluation of the appropriateness and adequacy of ICAAP. In addition, where applicable, documentation should cover all aspects ordinarily expected for sound use of quantitative methods, including model selection, limitations, data selection and maintenance, controls, and validation.

  596. An ICAAP should be enhanced and refined over time, with learning and experience (both quantitative and qualitative) contributing to its improvement. It should evolve with changes in the risk profile and activities of the bank as well as advances in risk measurement and management practices. Special attention may be necessary for areas where the operational or business environment has changed, such as the introduction of new products and activities.

  597. The board of directors and senior management have certain responsibilities in developing, implementing, and overseeing an ICAAP. The board or its appropriately delegated agent should approve the ICAAP and its components, review them on a regular basis, and approve any revisions. That review should encompass the effectiveness of the ICAAP, the appropriateness of risk tolerance levels and capital planning, and the strength of control infrastructures. Senior management should continually ensure that the ICAAP is functioning effectively and as intended; considerations by senior management should be explicit, formal, and documented. Additionally, internal audit should play a key role in the controls and governance surrounding an ICAAP on an ongoing basis.

  598. Each bank should ensure that the components of its ICAAP, including any models and their inputs, are subject to validation policies and procedures. Validation is generally defined as an ongoing process that encompasses, but is not limited to, the collection and review of developmental evidence, process verification, benchmarking, outcomes analysis, and monitoring activities used to confirm that processes are operating as designed. The sophistication of validation policies and procedures should be appropriate to the bank's business, structure, and sophistication, as well as the relative importance of each component of ICAAP. In conducting validation, banks should adhere to the existing body of supervisory guidance on the subject.

  599. The primary use of an ICAAP is to provide an assessment of internal capital adequacy. Beyond that, management should be able to demonstrate that the ICAAP influences business decisions and overall risk management, and is not simply a compliance exercise. An ICAAP should influence decision-making at both the consolidated and individual business-line levels.

  600. An ICAAP should, to the extent possible, be integrated with other management processes related to risk assessment, business planning and forecasting, pricing strategies and performance measurement. Additionally, the components of an ICAAP, including models and their inputs, should be used in (or at the very least be consistent with elements used in) regular business and risk management decisions.

  601. As part of the ICAAP, the board or its delegated agent, as well as appropriate senior management, should periodically review the resulting assessment of overall capital adequacy and determine that actual capital held is consistent with the risk appetite of the bank, taking into account all material risks. This review should include an analysis of how measures of internal capital adequacy compare with other capital measures (such as regulatory, accounting-based or market- determined). The review should also result in formal procedures to correct any deficiencies uncovered in the assessment process, especially if capital is not consistent with the risk profile or risk appetite of the bank.

    Dated: February 12, 2007. John C. Dugan, Comptroller of the Currency.

    By order of the Board of Governors of the Federal Reserve System.

    Dated: February 13, 2007. Jennifer J. Johnson, Secretary of the Board.

    Dated at Washington, DC, the 15th day of February, 2007.

    By order of the Federal Deposit Insurance Corporation. Robert E. Feldman, Executive Secretary.

    Dated: February 15, 2007.

    By the Office of Thrift Supervision, John M. Reich, Director.

    [FR Doc. 07-811 Filed 2-27-07; 8:45 am]

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT