Reset to Today

To access the FCA Handbook Archive choose a date between 1 January 2001 and 31 December 2004.

Content Options:

Content Options

Alternative versions

  1. Point in time
    2024-12-18

Preamble

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012, and in particular the third subparagraph of Article 312(4) thereof,

Whereas:

  1. (1)

    For the purposes of own funds requirements for operational risk, the first subparagraph of Article 312(2) of Regulation (EU) No 575/2013 provides that competent authorities permit institutions to use Advanced Measurement Approaches ("AMA") based on the institutions' own operational risk measurement systems where they meet all of the qualitative and quantitative standards set out in that Article, implying compliance of institutions with these requirements at all times. As a result, such an assessment does not only relate to the initial application of an institution for the permission to use the AMA, but also applies on an on-going basis.

  2. (2)

    The various elements constituting an institution's AMA framework should not be considered in isolation but rather reviewed and assessed as a package of interwoven elements, so that competent authorities are satisfied with an adequate level of compliance in relation to each part of the framework.

  3. (3)

    The assessment by competent authorities of an institution's compliance with the requirements referred to in points (a) and (b) of Article 312(4) of Regulation (EU) No 575/2013 to use Advanced Measurement Approaches should not be conducted in a uniform manner. The nature of the elements to be assessed varies according to the type of assessment conducted which in turn depends on the type of application submitted. Competent authorities are required to assess such compliance where an institution first applies to use AMA, where an institution applies to extend the AMA in accordance with the approved sequential implementation plan, where an institution applies to extend or change the AMA it has been granted permission to use, and where an institution applies to return to the use of less sophisticated approaches in accordance with Article 313 of Regulation (EU) No 575/2013. In addition, competent authorities should conduct an ongoing review of the use of the AMA by institutions. Accordingly, competent authorities should conduct the assessment of an institution's compliance with the requirements to use AMA in accordance with the nature of the elements to be assessed corresponding to the relevant assessment methodology.

  4. (4)

    Article 85(1) of Directive 2013/36/EU of the European Parliament and of the Council requires institutions to articulate what constitutes operational risk for the purposes of implementing policies and processes to evaluate and manage the exposure to operational risk. Regulation (EU) No 575/2013 provides a definition for "operational risk" which includes both legal risk and model risk. In Article 3(1) of Directive 2013/36/EU, model risk refers to potential losses owed to errors in the development, implementation or use of internal models but does not include potential losses owed to valuation adjustments from model risk as referred to in Article 105 of Regulation (EU) No 575/2013 on prudent valuation or in Commission Delegated Regulation (EU) 2016/101 and does not refer to model risk associated with using a possibly incorrect valuation methodology as referred to in Article 105(13) of Regulation (EU) No 575/2013. Equally, Regulation (EU) No 575/2013 does not specify how competent authorities should verify compliance with the requirement to articulate any operational risk that relates to legal risk and model risk. Rules specifying the assessment methodology to be used by competent authorities when assessing whether institutions may use the AMA should therefore include such specification.

  5. (5)

    It is also necessary to harmonise supervisory approaches with regard to the correct articulation of operational risk in financial transactions, including those related to market risk, as the operational risks of these transactions are proved to be sizeable and their drivers, typically of multifaceted nature, may be not consistently detectable and recordable as such throughout the Union.

  6. (6)

    Standards to be respected by an institution's governance and risk management framework are laid down in Article 74 of Directive 2013/36/EU and Article 321 of Regulation (EU) No 575/2013. As a result, the methodology for AMA assessment should provide for verification, by competent authorities, that an institution has a clear organisational structure for the governance and management of operational risk with well-defined, transparent and consistent lines of responsibility taking into account the nature, scale and complexity of the activities of the institution when assessing whether an institution may use the AMA approach. In particular, it should be confirmed that the operational risk management function plays a key role in identifying, measuring and assessing, monitoring, controlling and mitigating the operational risks faced by the institution and that it is sufficiently independent from the institution's business units so as to ensure that its professional judgement and recommendations are both independent and impartial. It should also be determined that senior management is responsible for developing and implementing the operational risk governance and management framework that has been approved by the management body and that such framework is consistently implemented throughout the institution's organisation. Competent authorities should also assess that adequate tools and information are provided at all staff levels so that all staff understand their responsibilities with respect to operational risk management.

  7. (7)

    Effective internal reporting systems are a prerequisite of sound internal governance. Competent authorities should therefore ensure that an institution applying for AMA permission adopts effective risk reporting systems not only to the management body and senior management but also to all the functions responsible for the management of operational risks to which the institution is, or might be, exposed. The reporting system should reflect the up-to-date status of operational risk issues at the institution and should include all material aspects of operational risk management and measurement.

  8. (8)

    In accordance with Article 321(a) of Regulation (EU) No 575/2013, an institution's internal operational risk measurement system has to be closely integrated into its day-to-day risk management processes. As a result, the methodology for AMA assessment should provide for competent authorities to ensure that an institution applying for an AMA permission actually uses its operational risk measurement system for its day-to-day business process and for risk management purposes on an on-going basis and not solely for the purpose of calculating the own funds requirements for operational risk. Rules on the AMA supervisory assessment should therefore include rules on the supervisory expectations to be met by the institution applying for an AMA permission as regards the "use test".

  9. (9)

    In order to provide both institutions and competent authorities with evidence that an institution's operational risk measurement system is reliable and robust and generates more credible operational risk own funds requirements than a simpler operational risk regulatory methodology, competent authorities should verify that the institution has compared the operational risk measurement system against the Basic Indicator Approach or the Standardised Approach for operational risk laid down in Articles 315, 317, and 319 of Regulation (EU) No 575/2013 over a determined period of time. That period of time should be sufficiently long for the competent authority to establish that the institution meets the qualitative and quantitative standards laid down in the Regulation (EU) No 575/2013 for the use of an AMA.

  10. (10)

    According to Article 321(g) of Regulation (EU) No 575/2013, an institution's data flows and processes associated with the AMA measurement system are required to be transparent and accessible. Data relating to operational risk is not immediately available as it first needs to be identified within an institution's books and archives, and then properly gathered and maintained. Furthermore, the measurement system is typically very sophisticated and envisages several logical and computational steps for the generation of the AMA own funds requirements. The methodology for AMA assessment should therefore verify that the data quality and IT systems are properly designed and correctly implemented within an institution so as to serve the purpose for which they are built.

  11. (11)

    The AMA framework of an institution is subject to internal validation and audit reviews in accordance with points (e) and (f) of Article 321 of Regulation (EU) No 575/2013. Although the organisational structure of the internal validation and audit functions can vary depending on an institution's nature, complexity and business, it should be ensured that the methodology for AMA assessment of the reviews undertaken by these functions adheres to common criteria as to the terms and scope of such reviews.

  12. (12)

    Operational risk modelling is a relatively new and evolving discipline. Accordingly, Article 322 of Regulation (EU) No 575/2013 grants significant flexibility to institutions in building the operational risk measurement system for calculating the AMA own funds requirements. Such flexibility, however, should not result in significant differences across institutions with regard to the key components of the measurement system, including the use of internal data, external data, scenario analysis and business environment and internal control factors (known and referred to as "the four elements"), the core modelling assumptions that permit capturing severe tail events and the related risk drivers (the building of the calculation data set, the granularity, the identification of the loss distributions and the determination of aggregated loss distributions and risk measures) or the expected loss, the correlation and the criteria for capital allocation which should ensure a measurement system's internal consistency. Therefore, with the view to ensuring that the risk measurement system is methodologically well founded, comparable across the institutions, effective in capturing the institutions' actual and potential operational risk and reliable and robust in generating AMA regulatory capital requirements, the methodology for AMA assessment should provide that the same criteria and requirements are applied by the competent authorities across the Union. The AMA assessment methodology should also take into consideration the idiosyncratic components of operational risk that are related to the institutions' different size, nature and complexity.

  13. (13)

    With particular regard to the internal data, consideration should be given to the fact that even though an operational risk loss can arise only from an operational risk event, its occurrence may be revealed by different items, including direct charges, expenses, provisions, uncollected revenues. Whilst some operational risk events have a quantifiable impact and are reflected in the institution's financial statements, others are not quantifiable and do not affect the institution's financial statements and are therefore detectable from other sources including managerial archives and incidents dataset. Therefore, rules specifying the assessment methodology for competent authorities in order to permit institutions to use the AMA should specify what constitutes an operational risk loss and the amount to be recorded for AMA purposes and, more generally, all the potential items that could reveal the occurrence of operational risk events.

  14. (14)

    Sometimes, institutions are able to quickly recover emerging operational risk losses. Rapidly recovered losses should not be considered for the purposes of calculating the AMA own funds requirements, although they may be useful for management purposes. Since there are various criteria that institutions use to qualify losses as rapidly recovered, rules on the AMA assessment methodology should include rules specifying the appropriate criteria for qualifying losses as rapidly recovered.

  15. (15)

    Risk mitigation techniques may be recognised by competent authorities within the AMA provided that certain conditions are fulfilled, as referred to in Article 323 of Regulation (EU) No 575/2013. In order to effectively apply the rules relating to these mitigation techniques, specific standards should be followed by competent authorities when assessing the application of these rules by an institution. In particular, where those mitigation techniques are in the form of insurance, it is necessary to ensure that such insurance is provided by insurance firms authorised in the Union or in jurisdictions with equivalent regulatory standards for insurance firms, as those applicable in the Union.

  16. (16)

    Where risk mitigation techniques are in the form of other risk transfer mechanisms than insurance, competent authorities should ensure that such mechanisms are actually transferring risk and are not used to circumvent the AMA own funds requirements. This condition is essential in light of the peculiarities of operational risk, where there are no clear underlying assets of reference and where unexpected losses play a greater role than in other types of risk. This is further exacerbated in light of the lack of an efficient, liquid, and structured market for operational risk "products" which thus far have been traded outside the banking sector, including catastrophe bonds and weather derivatives. Finally, there is often great difficulty in assessing the legal risk of such mechanisms, even where the terms and conditions of these contracts are clearly and carefully spelled out.

  17. (17)

    To ensure a smooth transition for institutions that already have permission to use the AMA or that have applied for a permission to use the AMA before the entry into force of this Regulation, it should be provided that competent authorities apply this Regulation in relation to the assessment of the AMA of these institutions only after a certain transitional period. Given that the regular review of the AMA referred to in Article 101(1) of Directive 2013/36/EU is usually performed on an annual basis, that transitional period should be a year from the date of entry into force of this Regulation.

  18. (18)

    Institutions that use Gaussian or Normal-like distributions for recognising correlation within all or parts of their AMA should no longer use them in the context of their AMA as these assumptions would imply tail independence among operational risk categories, thus excluding the possibility of simultaneous occurrence of large losses of different types, an assumption which is neither prudent nor realistic. Enough time should therefore be granted for the smooth transition of these institutions to a new regime where more conservative assumptions, implying positive tail dependence, are introduced within the operational risk measurement system. Given that the implementation of these assumptions might require the modification of some key elements and the related procedures, of the AMA framework, it would be appropriate to provide two years for that transition.

  19. (19)

    This Regulation is based on the draft regulatory technical standards submitted by the European Banking Authority to the Commission.

  20. (20)

    The European Banking Authority has conducted open public consultations on these draft regulatory technical standards, analysed the potential related costs and benefits and requested the opinion of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council,

HAS ADOPTED THIS REGULATION:

CHAPTER 1 GENERAL PROVISIONS

Article 1 Assessment of Advanced Measurement Approaches

  1. (1)

    The assessment under which the competent authorities permit an institution to use Advanced Measurement Approaches (AMA) shall confirm that:

    1. (a)

      the elements in Articles 3 to 6 are fulfilled;

    2. (b)

      Chapters 2 and 3 are fulfilled;

    3. (c)

      Chapter 4 is fulfilled where the institution has adopted the insurance and other risk transfer mechanisms referred to therein.

  2. (2)

    Chapters 1 to 4 shall be taken into account where competent authorities conduct the following:

    1. (a)

      an assessment of the materiality of extensions and changes to the AMA used by an institution;

    2. (b)

      an assessment of the sequential implementation plan to the AMA used by an institution;

    3. (c)

      an assessment of an institution's return to the use of less sophisticated approaches in accordance with Article 313 of Regulation (EU) No 575/2013;

    4. (d)

      the ongoing reviews of an AMA used by an institution.

Article 2 Definitions

For the purposes of this Delegated Act, the following definitions shall apply:

  1. (1)

    "body-tail modelling threshold" means the loss value that separates the body from the tail of the loss distributions;

  2. (2)

    "calculation data set" means the portion of gathered data, either actual or constructed, that fulfils the necessary conditions to serve as input into the operational risk measurement system;

  3. (3)

    "data collection threshold" means the loss value from which an institution identifies and collects operational risk losses for management and measurement purposes;

  4. (4)

    "date of accounting" means the date when a loss or a provision against an operational risk event is first recognized in the Profit and Loss;

  5. (5)

    "minimum modelling threshold" means the loss value from which the frequency and severity distributions, either empirical or parametric, are fitted to the operational risk losses;

  6. (6)

    "gross loss" or "loss" means the loss stemming from an operational risk event before recoveries of any type;

  7. (7)

    "misconduct event" means the operational risk event arising from willful or negligent misconduct, including inappropriate supply of financial services;

  8. (8)

    "operational risk category" means the level, such as the event type and the business line, at which an institution's operational risk measurement system generates separate frequency and severity distributions;

  9. (9)

    "operational risk profile" means the representation in absolute figures at a given point in time of an institution's actual and prospective operational risk;

  10. (10)

    "operational risk tolerance" means an institution's forward looking view, represented in absolute figures, of the aggregate level and types of operational risk that the institution is willing or prepared to incur which will not jeopardise its strategic objectives and business plan;

  11. (11)

    "recovery" means the occurrence related to the original loss that is independent of that loss and that is separate in time, in which funds or inflows of economic benefits are received from first or third parties;

  12. (12)

    "risk measure" means a single statistic on operational risk extracted from the aggregated loss distribution at the desired confidence level, including Value at Risk (VaR), or shortfall measures (e.g. Expected Shortfall, Median Shortfall);

  13. (13)

    "System Development Life Cycle" or "SDLC" means the process for planning, creating, testing, and deploying an IT infrastructure;

  14. (14)

    "timing loss" means the negative economic impact booked in a financial accounting period due to an operational risk event impacting the cash flows or financial statements of previous financial accounting periods.

Article 3 Operational risk events related to legal risk

  1. (1)

    Competent authorities shall confirm that an institution identifies, collects and treats data on operational risk events and losses related to legal risk for the purposes of both management of operational risk and calculation of the AMA own funds requirement by verifying at least all of the following:

    1. (a)

      that the institution clearly identifies and classifies as operational risk losses or other expenses deriving from events that result in legal proceedings, including at least the following;

      1. (i)

        a failure to act where such action is necessary to comply with a legal rule;

      2. (ii)

        action taken to avoid compliance with a legal rule;

      3. (iii)

        misconduct events.

    2. (b)

      that the institution clearly identifies and classifies as operational risk losses or other expenses resulting from voluntary actions intended to avoid or mitigate legal risks arising from operational risk events, including refunds or discounts of future services offered to customers voluntarily where such refunds are not offered as a result of customer complaints;

    3. (c)

      that the institution clearly identifies and classifies as operational risk losses resulting from errors and omissions in contracts and documentation;

    4. (d)

      that the institution does not classify the following as operational risk:

      1. (i)

        refunds to third parties or employees and goodwill payments due to business opportunities, where no breach of any rules or ethical conduct has occurred and where the institution has fulfilled its obligations on a timely basis;

      2. (ii)

        external legal costs where the underlying event is not an operational risk event.

    For the purposes of paragraph (a), legal proceedings shall be considered to be all legal settlements, including both mandated court settlements and out of court settlements.

  2. (2)

    For the purposes of this Article, legal rules shall include at least the following:

    1. (a)

      any requirement derived from national or international statutory or legislative provisions;

    2. (b)

      any requirement derived from contractual arrangements, internal rules and codes of conduct established in accordance with national or international norms and practices.

    3. (c)

      ethical rules.

Article 4 Operational risk events related to model risk

Competent authorities shall confirm the following when assessing that an institution identifies, collects and treats data on operational risk events and losses that are related to model risk, as defined in point (11) of Article 3(1) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013, for the purposes of both management of operational risk and calculation of the AMA own funds requirement:

  1. (a)

    that at least the following events, and the related losses, resulting from models used for decision-making are classified as operational risk:

    1. (i)

      improper definition of a selected model and its characteristics;

    2. (ii)

      inadequate verification of a selected model's suitability for the financial instrument to be evaluated or the product to be priced, or its suitability for the applicable market conditions;

    3. (iii)

      errors in the implementation of a selected model;

    4. (iv)

      incorrect mark-to-market valuations and risk measurement as a result of a mistake when booking a trade into the trading system;

    5. (v)

      use of a selected model or its outputs for a purpose for which it was not intended or designed, including manipulation of the modelling parameters;

    6. (vi)

      untimely and ineffective monitoring of model performance to confirm whether the model remains fit for purpose.

  2. (b)

    that events related to the under-estimation of own funds requirements by internal models authorized by competent authorities are not included in the identification, collection and treatment of data on operational risk events and losses related to model risk.

Article 5 Operational risk events related to financial transactions including those related to market risk

Competent authorities shall confirm that at least the following events, and the related losses, are classified as operational risk when assessing that an institution identifies, collects and treats data on operational risk events and losses that are related to financial transactions and market risk for the purposes of both management of operational risk and calculation of the AMA own funds requirement:

  1. (a)

    events due to operational and data entry errors, including the following:

    1. (i)

      failures and errors during the introduction or execution of orders;

    2. (ii)

      loss of data or misunderstanding of the data flow from the front to the middle and back offices of the institution;

    3. (iii)

      errors in classification;

    4. (iv)

      incorrect specification of deals in the term-sheet, including errors related to the transaction amount, maturities and financial features.

  2. (b)

    events due to failures in internal controls, including the following:

    1. (i)

      failures in properly executing an order to unwind a market position in case of adverse price movements;

    2. (ii)

      unauthorised positions taken in excess of allocated limits, irrespective of the type of risk they relate to.

  3. (c)

    events due to inadequate data quality and unavailability of IT environment, including technical unavailability of access to the market resulting in an inability to close contracts.

Article 6 Quality and auditability of documentation

  1. (1)

    Competent authorities shall verify the quality of the documentation relating to the AMA used by an institution by confirming at least the following:

    1. (a)

      that the documentation is approved at the appropriate management level of the institution;

    2. (b)

      that the institution has policies in place outlining standards to ensure the high quality of internal documentation including specific accountability for ensuring that the documentation maintained is complete, consistent, accurate, updated, approved and secure;

    3. (c)

      that the layout of the documentation set out in the policies referred to in point (b) identifies at least the following items:

      1. (i)

        type of document;

      2. (ii)

        author;

      3. (iii)

        reviewer;

      4. (iv)

        authorising agent and owner;

      5. (v)

        dates of development and approval;

      6. (vi)

        version number;

      7. (vii)

        history of changes to the document.

    4. (d)

      that the institution thoroughly documents its policies, procedures and methodologies.

  2. (2)

    Competent authorities shall verify the auditability of the documentation relating to the AMA used by an institution by confirming at least the following:

    1. (a)

      that the documentation is sufficiently detailed and accurate to allow examination of the AMA by third parties, including:

      1. (i)

        the understanding of the reasoning and procedures underlying its development;

      2. (ii)

        the understanding of the operational risk measurement system in order to determine how the AMA own funds requirements operates, its limitations and key assumptions and being able to replicate the model development.

CHAPTER 2 QUALITATIVE STANDARDS

SECTION 1 Governance

Article 7 Operational risk management process

  1. (1)

    Competent authorities shall assess the efficacy of an institution's AMA framework for the governance and management of operational risk and that a clear organisational structure with well-defined, transparent and consistent lines of responsibility exists by confirming at least the following:

    1. (a)

      that the institution's management body discusses and approves the governance of operational risk, the operational risk management process and the operational risk measurement system;

    2. (b)

      that the institution's management body clearly defines and determines the following on at least an annual basis:

      1. (i)

        the institution's operational risk tolerance;

      2. (ii)

        the institution's operational risk tolerance written statement on the aggregate level of operational risk loss and event types, containing both qualitative and quantitative measures including thresholds and limits based on operational risk loss metrics that the institution is willing or prepared to incur in order to achieve its strategic objectives and business plan, ensuring that it is available and understood throughout the institution;

    3. (c)

      that the institution's management body monitors the institution's compliance with the operational risk tolerance statement referred to in point (b) (ii) on a continuous basis;

    4. (d)

      that the institution applies an on-going operational risk management process to identify, assess and measure, monitor and report operational risk, including misconduct events, and is able to identify the staff responsible for the management of operational risk process;

    5. (e)

      that the information resulting from the process referred to in point (d) is transmitted to the relevant committees and executive bodies of the institution, and that the decisions arising from those committees are communicated to those responsible within the institution for the collection, control, monitoring and management of operational risk and to those responsible for managing activities that give rise to operational risk;

    6. (f)

      that the institution evaluates the effectiveness of its operational risk governance, operational risk management process and operational risk measurement system on at least an annual basis;

    7. (g)

      that the institution notifies the relevant competent authority of the findings of the evaluation referred to in point (f) on at least an annual basis.

  2. (2)

    For the purposes of the assessment referred to in paragraph 1, competent authorities shall take into account the impact of the operational risk governance structure on the level of engagement in operational risk management and culture by the staff of the institution, including at least the following:

    1. (a)

      the level of awareness, on behalf of the staff of the institution, of operational risk policies and procedures;

    2. (b)

      the institution's internal process for challenging the design and the effectiveness of the AMA framework.

Article 8 Independent operational risk management function

  1. (1)

    Competent authorities shall assess the independence of the operational risk management function from the institution's business units by confirming at least the following:

    1. (a)

      that the operational risk management function undertakes the following tasks separately from the institution's business lines:

      1. (i)

        the design, development, implementation, maintenance and oversight of the operational risk management process and the operational risk measurement system;

      2. (ii)

        the analysis of the operational risk associated with the introduction and development of new products, markets, lines of business, processes, systems and significant changes to existing products;

      3. (iii)

        the oversight of business activities that may give rise to an operational risk exposure that could breach the institution's risk tolerance;

    2. (b)

      that the operational risk management function receives appropriate commitment by the management body and senior management and is of adequate stature within the organization for fulfilling its tasks;

    3. (c)

      that the operational risk management function is not also responsible for the internal audit function;

    4. (d)

      that the head of the operational risk management function meets at least the following requirements:

      1. (i)

        an appropriate level of experience to manage the actual and prospective operational risk, as indicated by the operational risk profile;

      2. (ii)

        regular communication with the management body and its committees as mandated by the risk management structure of the institution;

      3. (iii)

        active involvement in the elaboration of the institution's operational risk tolerance and strategy for its management and mitigation;

      4. (iv)

        independence from the operational units and functions reviewed by the operational risk management function;

      5. (v)

        allocation of a budget for the operational risk management function by the head of risk management referred to in the fourth subparagraph of Article 76(5) of Directive 2013/36/EU or a member of the management body in a supervisory capacity and not by a business unit or executive function.

Article 9 Senior management involvement

Competent authorities shall assess the degree of involvement of senior management of an institution by confirming at least the following:

  1. (a)

    that senior management is responsible for implementing the operational risk governance and management framework approved by the management body;

  2. (b)

    that senior management has been empowered by the management body to develop policies, processes and procedures for managing operational risk;

  3. (c)

    that senior management is implementing the policies, processes and procedures for managing operational risk referred to in point (b).

Article 10 Reporting

Competent authorities shall assess whether the reporting of an institution's operational risk profile and management of operational risk is sufficiently regular, timely and robust by confirming at least the following:

  1. (a)

    that problems relating to the institution's reporting systems and internal controls are identified quickly and accurately;

  2. (b)

    that the institution's operational risk reports are distributed to appropriate levels of management and to areas of the institution which the reports have identified as an area of concern;

  3. (c)

    that the institution's senior management receives at least quarterly reports on the latest status of the institution's operational risk profile and uses these reports in the decision making process;

  4. (d)

    that the institution's operational risk reports contain relevant management information and at least a high-level summary of the top operational risks of the institution and of the relevant subsidiaries as well as business units;

  5. (e)

    that the institution uses ad hoc reports in case of certain deficiencies in the policies, processes and procedures for managing operational risk to promptly detect and address these deficiencies and therefore substantially reduce the potential frequency and severity of a loss event.’

SECTION 2 Use test

Article 11 Use of the AMA

Competent authorities shall assess that an institution uses the AMA for internal purposes by confirming at least the following:

  1. (a)

    that the institution's operational risk measurement system is used to manage operational risks across different business lines, units or legal entities within the organisation structure;

  2. (b)

    that the operational risk measurement system is embedded within the various entities of the group and, where it is used at a consolidated level, that the parent institution's AMA framework is extended to the subsidiaries, and that those subsidiaries' operational risk and business environment and internal control factors (BEICF) referred to in Articles 322(1) and 322(6) of Regulation (EU) No 575/2013 are incorporated in the group-wide AMA calculations;

  3. (c)

    that the operational risk measurement system is used also for the purposes of the institution's internal capital adequacy assessment process referred to in Article 73 of Directive 2013/36/EU.

Article 12 Continuous integration of the AMA

Competent authorities shall assess that an institution ensures the continuous integration of its operational risk management system into its day-to-day risk management processes by confirming at least the following:

  1. (a)

    that the operational risk measurement system is updated on a regular basis and is further developed as more experience and sophistication in management and quantification of operational risk is gained;

  2. (b)

    that the nature and balance of inputs into the operational risk measurement system are relevant and reflect the nature of the institution's business, strategy, organisation and operational risk exposure at all times.

Article 13 AMA used to support the operational risk management of the institution

Competent authorities shall assess that an institution uses the AMA to support its operational risk management, by confirming at least the following:

  1. (a)

    that the operational risk measurement system is effectively used for the regular and prompt reporting of consistent information that accurately reflects the nature of the business and the operational risk profile of the institution;

  2. (b)

    that the institution takes remedial actions to improve internal processes upon receipt of information about findings from the operational risk measurement system.

Article 14 AMA used to enhance the operational risk organization and control of the institution

Competent authorities shall assess that an institution uses the AMA to further enhance its operational risk organization and control, by confirming at least the following:

  1. (a)

    that the institution's definition of operational risk tolerance and its associated operational risk management objectives and activities are clearly communicated within the institution;

  2. (b)

    that the relationship between the institution's business strategy and its operational risk management, including with regard to the approval of new products, systems and processes, is clearly communicated within the institution;

  3. (c)

    that the operational risk measurement system increases transparency, risk awareness and operational risk management expertise and creates incentives to improve the management of operational risk throughout the institution;

  4. (d)

    that the inputs and the outputs of the operational risk measurement system are used in relevant decisions and plans, including in the institution's action plans, business continuity plans, internal audit working plans, capital assignment decisions, insurance plans and budgeting decisions.

Article 15 Comparison of the AMA with the less sophisticated approaches

  1. (1)

    Competent authorities shall assess that an institution demonstrates the stability and robustness of the AMA output by confirming at least the following:

    1. (a)

      that before granting the permission to use the AMA for regulatory purposes, the institution calculated its own funds requirements for operational risk under both the AMA and the less sophisticated approach previously applicable to it, and that it performed that calculation:

      1. (i)

        on a reasonably regular basis, and at least quarterly;

      2. (ii)

        covering all relevant legal entities that would use the AMA at the date of the initial implementation;

      3. (iii)

        covering all the operational risks that would be covered by the AMA at the date of the initial implementation.

    2. (b)

      that the institution complies with at least the following:

      1. (i)

        the operational risk management process and the operational risk measurement system have been developed and tested;

      2. (ii)

        any problems have been resolved and the system and attendant process have been fine-tuned;

      3. (iii)

        it has ensured that the operational risk measurement system generates results which conform to the institution's expectations, including taking account of information from both the institution's existing and previous systems;

      4. (iv)

        it has demonstrated it can quickly vary model parameters to understand the impact of changed assumptions with minimal systems adjustments or manual interventions;

      5. (v)

        it is able to make appropriate capital adjustments to the own funds requirements before the first "live use" of the AMA;

      6. (vi)

        it has demonstrated over a reasonable period that the new systems and reporting processes are robust and generate management information that the institution can use to identify and manage operational risk.

    For the purposes of point (a), the assessment of the calculation performed shall cover at least two consecutive quarters.

  2. (2)

    Competent authorities may grant permission to use the AMA where the institution demonstrates its continuous comparison of the calculation of its own funds requirements for operational risk under the AMA against the less sophisticated approach previously applicable to it, for one year after the permission is granted.

SECTION 3 Audit and internal validation

Article 16 Audit and internal validation functioning

  1. (1)

    Competent authorities shall assess the degree to which an institution's audit and internal validation functions confirm that the operational risk management and measurement processes implemented for AMA purposes are reliable and effective in managing and measuring operational risk within the organization by verifying at least the following:

    1. (a)

      that the internal validation function provides a reasoned and well-informed opinion on whether the operational risk measurement system works as predicted, and that the outcome of the model is suitable for its various internal and supervisory purposes, at least on annual basis;

    2. (b)

      that the audit function verifies the integrity of the operational risk policies, processes and procedures, assessing whether these comply with regulatory requirements as well with established controls, at least on annual basis and in particular, that the audit function assesses the quality of the sources and data used for operational risk management and measurement purposes;

    3. (c)

      that the functions of audit and internal validation have a review program in place that covers the aspects of the AMA included in this Regulation and is regularly updated with regard to:

      1. (i)

        the development of internal processes for identifying, measuring and assessing, monitoring, controlling and mitigating operational risk;

      2. (ii)

        the implementation of new products, processes and systems which expose the institution to material operational risk.

    4. (d)

      that the internal validation is carried out by qualified resources, which are independent of the validated units;

    5. (e)

      that where audit activities are carried out by internal or external audit functions or qualified external parties, these are independent of the process or system being reviewed and, where these are outsourced, that the management body and senior management of the institution remain accountable for ensuring that outsourced functions are performed in accordance with the institutions' approved audit plan;

    6. (f)

      that the audit and internal validation reviews on the AMA framework are properly documented and their output is distributed to the appropriate recipients within the institutions, including, where appropriate, the risk committees, operational risk management function, business line management and other relevant staff;

    7. (g)

      that the results of the audit and internal validation reviews are summarised and reported on at least an annual basis to the institution's management body or to a committee designated by it for approval;

    8. (h)

      that the review and approval of the effectiveness of the institution's AMA framework is undertaken at least on an annual basis.

Article 17 Audit and internal validation governance

Competent authorities shall assess that an institution's audit and internal validation governance is of a high quality by confirming at least the following:

  1. (a)

    that audit programs for reviewing the AMA framework cover all significant activities that could expose the institution to material operational risk, including outsourced activities;

  2. (b)

    that the internal validation techniques are proportionate to changing market and operating conditions, and that their outcomes are subject to audit review.

SECTION 4 Data quality and IT infrastructure

Article 18 Data quality

  1. (1)

    Competent authorities shall assess the degree to which the quality of the data used by an institution's in the AMA framework is maintained, and that the building and maintenance procedures are regularly analysed by that institution, by verifying that the institution has at least the following sets of data at its disposal:

    1. (a)

      data to build and track its operational risk history, made up of internal and external data, scenario analysis, and BEICF;

    2. (b)

      complementary data, including model parameters, model outputs and reports.

  2. (2)

    For the purposes of paragraph 1, competent authorities shall confirm that the institution has defined appropriate data quality dimensions to provide effective support to its operational risk management process and measurement system, and that it complies on a regular basis with the set dimensions.

  3. (3)

    For the purposes of paragraph 1, competent authorities shall confirm that the institution's data quality dimensions meet at least the following conditions:

    1. (a)

      they are of sufficient breadth, depth, and scope for the task at hand;

    2. (b)

      they meet current and potential user needs;

    3. (c)

      they are updated promptly;

    4. (d)

      they are appropriate for, and consistent with, the extent of their usage;

    5. (e)

      they accurately represent the real-life phenomenon that they aim to represent;

    6. (f)

      they do not violate any business rule in a database that has to be statically and dynamically maintained.

  4. (4)

    For the purposes of paragraph 1, competent authorities shall confirm that the institution has appropriate documentation for the design and maintenance of the databases used in the institution's AMA framework, and that the documentation contains at least the following:

    1. (a)

      a global map of databases involved in the operational risk measurement system with their descriptions;

    2. (b)

      a data policy and a statement of responsibility;

    3. (c)

      descriptions of work-flows and procedures related to data collection and data storage;

    4. (d)

      a statement of weaknesses with all the weaknesses identified in the databases of the validation and review processes and a statement on how the institution plans to correct or reduce the weaknesses identified.

  5. (5)

    Competent authorities shall confirm that the policies on the SDLC for AMA are approved by the institution's management body and senior management.

  6. (6)

    Where the institution uses external data sources, the institution shall ensure that the provisions in this Article are satisfied.

Article 19 Supervisory assessment of IT infrastructure

  1. (1)

    Competent authorities shall assess the degree to which an institution ensures the soundness, robustness and performance of the IT infrastructure used for AMA purposes by confirming at least the following:

    1. (a)

      that the IT systems and infrastructure of the institution for AMA purposes are sound and resilient and that these features can be maintained on a continuous basis;

    2. (b)

      that the SDLC for AMA purposes is sound and proper with reference to:

      1. (i)

        project management, risk management, and governance;

      2. (ii)

        engineering, quality assurance and test planning;

      3. (iii)

        systems' modelling and development;

      4. (iv)

        quality assurance in all activities, including code reviews and where appropriate, code verification;

      5. (v)

        testing, including user acceptance.

    3. (c)

      that the institution's IT infrastructure implemented for AMA purposes is subject to configuration management, change management and release management processes;

    4. (d)

      that SDLC and contingency plans for AMA purposes are approved by the institution's management body or senior management and that the management body and senior management are periodically informed about the IT infrastructure performance for AMA purposes.

  2. (2)

    Where the institution outsources parts of the IT infrastructure maintenance for AMA purposes, the institution shall ensure that the provisions in this Article are satisfied.

CHAPTER 3 QUANTITATIVE STANDARDS

SECTION 1 Use of internal data, external data, scenario analysis and BEICF ( the four elements )

Article 20 General principles

Competent authorities shall assess an institution's compliance with the standards relating to the use of internal data, external data, scenario analysis and BEICF ("the four elements"), as referred to in Article 322 of Regulation (EU) No 575/2013, by verifying at least the following:

  1. (a)

    that the institution has internal documentation specifying in detail how the four elements are gathered, combined and/or weighted, including a description of the modelling process that illustrates the use and combination of the four elements and of the rationale for the modelling choices;

  2. (b)

    that the institution has a clear understanding of how each of the four elements influence the AMA own funds requirements;

  3. (c)

    that the combination of the four elements used by the institution is based on a sound statistical methodology, sufficient for estimating high percentiles;

  4. (d)

    that the institution applies at least the following when collecting, generating and treating the four elements:

    1. (i)

      the criteria set out in Articles 21 to 24 relating to internal data;

    2. (ii)

      the criteria set out in Article 25, relating to external data;

    3. (iii)

      the criteria set out in Article 26, relating to scenario analysis;

    4. (iv)

      the criteria set out in Article 27, relating to BEICF.

SUB-SECTION 1 Internal data

Article 21 Internal data features

Competent authorities shall assess an institution's compliance with the standards relating to internal data features, as referred to in point (i) of Article 20(d), by verifying at least the following:

  1. (a)

    that the institution gathers all of the following elements within the group in a clear and consistent manner:

    1. (i)

      the gross loss caused by the occurrence of an operational risk event;

    2. (ii)

      the recovery.

  2. (b)

    that the institution is able to separately identify the gross loss amount, the recovery from insurance and other risk transfer mechanisms (ORTM) and the recovery except from insurance and ORTM following an operational risk event, except for losses that are partly or fully recovered within five working days;

  3. (c)

    that the institution implements a system for defining and justifying appropriate data collection thresholds based on the gross loss amount;

  4. (d)

    that the operational risk category is reasonable and does not omit loss data that is material for effective operational risk measurement and risk management;

  5. (e)

    that for each individual loss, the institution is able to identify and record at least the following elements in the internal database:

    1. (i)

      the date of occurrence or start of occurrence of the operational risk event, where available;

    2. (ii)

      the date of discovery of the operational risk event;

    3. (iii)

      the date of accounting.

Article 22 Scope of operational risk loss

  1. (1)

    Competent authorities shall confirm that an institution identifies, collects and treats the loss items generated by an operational risk event, as referred to in point (i) of Article 20(d), by verifying that the institution includes at least the following within the scope of operational risk loss for the purposes of both management of operational risk and calculation of the AMA own funds requirements:

    1. (a)

      direct charges, including impairments and settlement charges, to the Profit and Loss account and write-downs due to the operational risk event;

    2. (b)

      costs incurred as a consequence of the operational risk event, including the following:

      1. (i)

        external expenses with a direct link to the operational risk event, including legal expenses and fees paid to advisors, attorneys or suppliers;

      2. (ii)

        costs of repair or replacement to restore the position prevailing before the operational risk event, in the form of either precise figures, or, where these are not available, estimates.

    3. (c)

      provisions or reserves accounted for in the Profit and Loss account against probable operational risk losses, including those from misconduct events;

    4. (d)

      pending losses, in the form of losses stemming from an operational risk event, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the Profit and Loss which are planned to be included within a time period commensurate to the size and age of the pending item;

    5. (e)

      material uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the operational risk event, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time;

    6. (f)

      timing losses, where they span more than one financial accounting year and give rise to legal risk.

  2. (2)

    For the purposes of paragraph 1, competent authorities may, to the extent appropriate, confirm that the institution identifies, collects and treats for the purposes of management of operational risk any additional items where they originate from a material operational risk event, including the following:

    1. (a)

      a near miss in the form of a nil loss caused by an operational risk event, including an IT disruption in the trading room just outside trading hours;

    2. (b)

      a gain caused by an operational risk event;

    3. (c)

      opportunity costs in the form of an increase in costs or a shortfall in revenues due to operational risk events that prevent undetermined future business from being conducted, including unbudgeted staff costs, forgone revenue, and project costs related to improving processes;

    4. (d)

      internal costs including overtime or bonuses.

  3. (3)

    For the purposes of paragraph 1, competent authorities shall also confirm that the institution excludes the following items from the scope of operational risk loss:

    1. (a)

      costs of general maintenance contracts on property, plant or equipment;

    2. (b)

      internal or external expenditures to enhance the business after the occurrence of an operational risk event, including upgrades, improvements, risk assessment initiatives and enhancements;

    3. (c)

      insurance premiums.

Article 23 Recorded loss amount of the operational risk items

  1. (1)

    Competent authorities shall confirm that an institution records the loss amount generated by an operational risk event, as referred to in point (i) of Article 20(d), by verifying at least the following:

    1. (a)

      that the whole amount of the incurred loss or expenses, including provisions, costs of settlement, amounts paid to make good the damage, penalties, interest in arrears and legal fees, is considered as recorded loss amount for the purposes of both management of operational risk and calculation of the AMA own funds requirements, unless otherwise specified;

    2. (b)

      that, where the operational risk event relates to market risk, the institution includes the costs to unwind market positions in the recorded loss amount of the operational risk items; and that, where the position is intentionally kept open after the operational risk event is recognized, any portion of the loss due to adverse market conditions after the decision to keep the position open is not included in the recorded loss amount of the operational risk items;

    3. (c)

      that, where tax payments relate to failures or inadequate processes of the institution, the institution includes in the recorded loss amount of the operational risk items the expenses incurred as a result of the operational risk event, including penalties, interest charges, late-payment charges, and legal fees, with the exclusion of the tax amount originally due;

    4. (d)

      that, where there are timing losses and the operational risk event directly affects third parties, including customers, providers and employees of the institution, the institution includes in the recorded loss amount of the operational risk item also the correction of the financial statement.

  2. (2)

    For the purposes of paragraph 1, where the operational risk event leads to a loss event, which is partly rapidly recovered, competent authorities shall consider appropriate the inclusion, on behalf of the institution, in the recorded loss amount of only that part of the loss which is not rapidly recovered in accordance with point (b) of Article 21.

Article 24 Operational risk losses that are related to credit risk

  1. (1)

    Competent authorities shall confirm that an institution identifies, collects and treats operational risk losses that are related to credit risk, as referred to in point (i) of Article 20(d), by verifying that the institution includes within the scope of operational risk loss, for the purposes of management of operational risk, at least the following:

    1. (a)

      frauds committed by a client of the institution on its own account, occurring in a credit product or credit process at the initial stage of the lifecycle of a credit relationship, including inducement to lending decisions based on counterfeit documents or miss-stated financial statements, such as non-existence or over-estimation of collaterals and counterfeit salary confirmation;

    2. (b)

      frauds committed by means of another, ignorant person's identity, including loan applications through electronic identity fraud using clients' data or fictitious identities or fraudulent use of clients' credit cards.

  2. (2)

    For the purposes of paragraph 1, competent authorities shall confirm that the institution takes at least the following actions:

    1. (a)

      adjusts the data collection threshold relating to the loss events described in paragraph 1 up to comparable levels as those of the other operational risk categories of the AMA framework, where appropriate;

    2. (b)

      includes within the gross loss of the events described in paragraph 1 the total outstanding amount at the time or after the discovery of the fraud, and any related expenses, including interest in arrears and legal fees.

Article 25 External data

Competent authorities shall assess an institution's compliance with the standards relating to external data features, as referred to in point (ii) of Article 20(d), by verifying at least the following:

  1. (a)

    that, where the institution participates in consortia initiatives for the collection of operational risk events and losses, the institution is able to provide data of the same quality, in terms of scope, integrity and comprehensiveness, as internal data meeting the standards referred to in Articles 21, 22, 23, and 24 and that it does so consistently with the type of data requested by the consortia reporting standards;

  2. (b)

    that the institution has a data filtering process in place which allows the selection of relevant external data, based on specific established criteria and that the external data being used is relevant and consistent with the risk profile of the institution;

  3. (c)

    that, in order to avoid bias in parameter estimates, the filtering process results in a consistent selection of data regardless of the loss amount, and that, where the institution permits exceptions to this selection process, it has a policy providing criteria for exceptions and documentation supporting the rationale for those exceptions;

  4. (d)

    that, where the institution adopts a data scaling process involving the adjustment of loss amounts reported in external data, or of the related distributions, to fit the institution's business activities, nature and risk profile, the scaling process is systematic and statistically supported and that it provides outputs that are consistent with the institution's risk profile;

  5. (e)

    that the institution's scaling process is consistent over time and its validity and effectiveness are regularly reviewed.

Article 26 Scenario analysis

  1. (1)

    Competent authorities shall assess an institution's compliance with the standards relating to scenario analysis, as referred to in point (iii) of Article 20(d), by verifying at least the following:

    1. (a)

      that the institution has a robust governance framework in place relating to the scenario process that generates credible and reliable estimates, irrespective of whether the scenario is used for evaluating high severity events or the overall operational risk exposures;

    2. (b)

      that the scenario process is clearly defined, well documented, repeatable and designed to reduce as much as possible subjectivity and biases, including:

      1. (i)

        the underestimation of risk due to the number of observed events being small;

      2. (ii)

        the misrepresentation of information due to scenario assessors' interests in conflict with the goals and consequences of the assessment;

      3. (iii)

        the overestimation of events with temporal proximity to the scenario assessors;

      4. (iv)

        the distortion of assessment due to the categories within which the responses are represented;

      5. (v)

        the bias in the information presented in background materials to survey questions or within the questions themselves.

    3. (c)

      that qualified and experienced facilitators provide consistency in the process;

    4. (d)

      that the assumptions used in the scenario process are based, to the maximum extent, on the relevant internal data and external data with an objective and unbiased selection process;

    5. (e)

      that the chosen number of scenarios, the level at, or units in, which scenarios are studied, are realistic and properly explained, and that the scenario estimates take into account relevant changes in the internal and external environments that can affect the institution's operational risk exposure;

    6. (f)

      that the scenario estimates are generated taking into account potential or probable operational risk events that have not yet, fully or partly, materialised in an operational risk loss;

    7. (g)

      that the scenario process and estimates are subject to a robust independent challenge process and oversight.

Article 27 Business Environment and Internal Control Factors

Competent authorities shall assess an institution's compliance with the standards relating to the BEICF as referred to in point (iv) of Article 20(d) by verifying at least the following

  1. (a)

    that the institution's BEICF are forward looking and reflect potential sources of operational risk, including rapid growth, the introduction of new products, employee turnover and system downtime;

  2. (b)

    that the institution has clear policy guidelines that limit the magnitude of reductions in the AMA own funds requirements resulting from BEICF adjustments;

  3. (c)

    that the BEICF adjustments referred to in point (b) are justified and that the appropriateness of their level is confirmed by comparison, over time, with the direction and magnitude of actual internal loss data, conditions in the business environment and changes in the validated effectiveness of controls.

SECTION 2 Core modelling assumptions of the operational risk measurement system

Article 28 General assessment

Competent authorities shall assess an institution's standards relating to the core modelling assumptions of the operational risk measurement system, as referred to in points (a) and (c) of Article 322(2) of Regulation (EU) No 575/2013, by verifying at least the following:

  1. (a)

    that the institution develops, implements and maintains an operational risk measurement system that is methodologically well founded, effective in capturing the institution's actual and potential operational risk, and reliable and robust in generating AMA own funds requirements;

  2. (b)

    that the institution has appropriate policies on the building of the calculation data set, in accordance with Article 29;

  3. (c)

    that the institution applies the appropriate level of granularity in its model, in accordance with Article 30;

  4. (d)

    that the institution has in place an appropriate process for the identification of loss distributions, in accordance with Article 31;

  5. (e)

    that the institution determines the aggregate loss distributions and risk measures in an appropriate manner, in accordance with Article 32.

Article 29 Building the calculation data set

For the purposes of assessing that an institution has appropriate policies on the building of the calculation data set, as referred to in point (b) of Article 28, competent authorities shall confirm at least the following:

  1. (a)

    that specific criteria and examples for the classification and treatment of operational risk events and losses within the calculation data set are defined by the institution, and that such criteria and examples provide a consistent treatment of loss data across the institution;

  2. (b)

    that the institution does not use loss net of insurance and ORTM recoveries in the calculation data set;

  3. (c)

    that the institution has adopted, for operational risk categories with low frequency of events, an observation period greater than the minimum referred to in point (a) of Article 322(3) of Regulation (EU) No 575/2013;

  4. (d)

    that the institution, in the course of building the calculation data set for the purposes of estimating frequency and severity distributions, uses the date of discovery or the date of accounting only, and uses a date no later than the date of accounting for including losses or provisions related to legal risk into the calculation dataset;

  5. (e)

    that the institution's choice of the minimum modelling threshold does not adversely impact the accuracy of the operational risk measures and that the use of minimum modelling thresholds that are much higher than the data collection thresholds is limited and, where applied, is properly justified by sensitivity analysis of various thresholds performed by the institution;

  6. (f)

    that the institution includes all operational losses above the chosen minimum modelling threshold in the calculation data set and that it uses them, irrespective of their level, for generating the AMA own funds requirements;

  7. (g)

    that the institution applies appropriate adjustment rates on the data where inflation or deflation effects are material;

  8. (h)

    that losses caused by root event in the form of a common operational risk event or by multiple events linked to an initial operational risk event generating events or losses are grouped and entered into the calculation data set as a single loss by the institution;

  9. (i)

    that any possible exceptions to the treatment laid down in point (h) are properly documented and justified to prevent undue reduction of the AMA own funds requirements;

  10. (j)

    that the institution does not discard from the AMA calculation data set material adjustments to operational risk losses of single or linked events, where the reference date of these adjustments falls within the observation period and the reference date of the initial, single event or root event referred to in point (h) falls outside such a period;

  11. (k)

    that the institution is able to distinguish, for each reference year included in the observation period, the loss amounts pertinent to events discovered or accounted for in that year from the loss amounts pertinent to adjustments or grouping of events discovered or accounted for in previous years.

Article 30 Granularity

For the purposes of assessing that an institution applies the appropriate level of granularity in its model, as referred to in point (c) of Article 28, competent authorities shall confirm at least the following:

  1. (a)

    that the institution takes into account the nature, complexity and idiosyncrasies of its business activities and the operational risks which it is exposed to, where grouping together risks sharing common factors and defining the operational risk categories of an AMA;

  2. (b)

    that the institution justifies its choice of level of granularity of its operational risk categories on the basis of qualitative and quantitative means, and that it classifies operational risk categories based on homogeneous, independent and stationary data;

  3. (c)

    that the institution's choice of level of granularity of its operational risk categories is realistic and does not adversely impact the conservatism of the model outcome or of its parts;

  4. (d)

    that the institution reviews the choice of level of granularity of its operational risk categories on a regular basis with the view to ensuring that it remains appropriate.

Article 31 Identification of the loss distributions

For the purposes of assessing that an institution has an appropriate process for the identification of frequency and severity of the distributions of loss, as referred to in point (d) of Article 28, competent authorities shall confirm at least the following:

  1. (a)

    that the institution follows a well specified, documented and traceable process for the selection, update and review of loss distributions and the estimate of their parameters;

  2. (b)

    that the process for the selection of the loss distributions results in consistent and clear choices by the institution, properly captures the risk profile in the tail and includes at least the following elements:

    1. (i)

      a process of using statistical tools, including graphs, measures of centre, variation, skewness and leptokurtosis to investigate the calculation data set for each operational risk category with the view to better understand the statistical profile of the data and selecting the most suitable distribution;

    2. (ii)

      appropriate techniques for the estimation of the distribution parameters;

    3. (iii)

      appropriate diagnostic tools for evaluating the distributions to the data, giving preference to those most sensitive to the tail;

  3. (c)

    that, in the course of selecting a loss distribution, the institution carefully considers the positive skewness and leptokurtosis of the data;

  4. (d)

    that, where the data are much dispersed in the tail, empirical curves are not used to estimate the tail region, but that instead sub-exponential distributions whose tail decays slower than the exponential distributions are used, unless exceptional reasons exist to apply other functions, which are in any case properly addressed and fully justified to prevent undue reduction of AMA own funds requirements;

  5. (e)

    that, where separate loss distributions are used for the body and for the tail, the institution carefully considers the choice of the body-tail modelling threshold;

  6. (f)

    that documented statistical support, supplemented as appropriate by qualitative elements, is provided for the selected body-tail modelling threshold;

  7. (g)

    that, in the course of estimating the parameters of the distribution, the institution either reflects the incompleteness of the calculation data set due to the presence of minimum modelling thresholds in the model or that it justifies the use of an incomplete calculation data set on the basis that it does not adversely impact the accuracy of the parameter estimates and AMA own funds requirements;

  8. (h)

    that the institution has in place methodologies to reduce the variability of estimates of parameters and provides measures of the error around these estimates including confidence intervals and p-values;

  9. (i)

    that, where the institution adopts robust estimators in the form of generalisations of classical estimators, with good statistical properties including high efficiency and low bias for a whole neighbourhood of the unknown underlying distribution of the data, it can demonstrate that their use does not underestimate the risk in the tail of the loss distribution;

  10. (j)

    that the institution assesses the goodness-of-fit between the data and the selected distribution by using diagnostic tools of both a graphical and a quantitative nature, which are more sensitive to the tail than to the body of the data, especially where the data are very dispersed in the tail;

  11. (k)

    that, where appropriate, including where the diagnostic tools do not lead to a clear choice for the best-fitting distribution or to mitigate the effect of the sample size and the number of estimated parameters in the goodness-of-fit tests, the institution uses evaluation methods that compare the relative performance of the loss distributions, including the Likelihood Ratio, the Akaike Information Criterion, and the Schwarz Bayesian Criterion;

  12. (l)

    that the institution has a regular cycle for controlling assumptions underlying the selected loss distributions, and that where assumptions are invalidated, including where they generate values outside established ranges, the institution has tested alternative methods and that it has properly classified any changes made to the assumptions, in accordance with Commission Delegated Regulation (EU) No 529/2014.

Article 32 Determination of aggregated loss distributions and risk measures

For the purposes of assessing that an institution determines the aggregated loss distributions and risk measures in an appropriate manner, as referred to in point (e) of Article 28, competent authorities shall confirm at least the following:

  1. (a)

    that the techniques elaborated by the institution for that purpose ensure appropriate levels of precision and stability of the risk measures;

  2. (b)

    that the risk measures are supplemented with information on their level of accuracy;

  3. (c)

    that, irrespective of the techniques used to aggregate frequency and severity loss distributions, including Monte Carlo simulations, Fourier Transform-related methods, Panjer algorithm and Single Loss Approximations, the institution adopts criteria that mitigate sample and numerical related errors and provides a measure of the magnitude of these errors;

  4. (d)

    that, where Monte Carlo simulations are used, the number of steps to be performed is consistent with the shape of the distributions and with the confidence level to be achieved;

  5. (e)

    that, where the distribution of losses is heavy-tailed and measured at a high confidence level, the number of steps is sufficiently large to reduce sampling variability to an acceptable level;

  6. (f)

    that, where Fourier Transform or other numerical methods are used, algorithm stability and error propagation issues are carefully considered;

  7. (g)

    that the institution's risk measure generated by the operational risk measurement system fulfils the monotonic principle of risk, which can be seen in the generation of higher own fund requirements where the underlying risk profile increases and in the generation of lower own funds requirements where the underlying risk profile decreases;

  8. (h)

    that the institution's risk measure generated by the operational risk measurement system is realistic from a managerial and economical perspective, and more that the institution applies appropriate techniques to avoid capping the maximum single loss, unless it provides a clear objective rationale for the existence of an upper bound, and to avoid implying the non-existence of the first statistical moment of the distribution;

  9. (i)

    that the institution explicitly evaluates the robustness of the outcome of the operational risk measurement system by performing appropriate sensitivity analysis on the input data or its parameters.

SECTION 3 Expected loss and Correlation

Article 33 Expected losses

Competent authorities shall assess an institution's standards relating to expected losses, as referred to in point (a) of Article 322(2) of Regulation (EU) No 575/2013, by confirming that where the institution calculates the AMA own funds requirements only in relation to unexpected losses, it complies with at least the following requirements:

  1. (a)

    that the institution's methodology for the estimate of expected losses is consistent with the operational risk measurement system for the estimate of the AMA own funds requirements that comprises both expected losses and unexpected losses, and that the expected loss estimation process is done by operational risk category and is consistent over time;

  2. (b)

    that the institution defines the expected loss using statistics that are less influenced by extreme losses, including median and trimmed mean, especially in the case of medium- or heavy-tailed data;

  3. (c)

    that the maximum offset for expected loss applied by the institution is bound by the total expected loss and that the maximum offset for expected loss in each operational risk category is bound by the relevant expected loss calculated according to the institution's operational risk measurement system applied to that category;

  4. (d)

    that the offsets the institution allows for expected loss in each operational risk category are capital substitutes or that they are otherwise available to cover expected loss with a high degree of certainty over the one-year period;

  5. (e)

    that where the offset is something other than provisions, the institution limits the availability of the offset to those operations with highly predictable, stable and routine losses;

  6. (f)

    that the institution does not use specific reserves for exceptional operational risk loss events that have already occurred as expected loss offsets;

  7. (g)

    that the institution clearly documents how its expected loss is measured and captured, including how any expected loss offsets meet the conditions outlined in points from (a) to (f).

Article 34 Correlation

Competent authorities shall assess an institution's standards relating to correlation, as referred to in point (d) of Article 322(2) of Regulation (EU) No 575/2013, by confirming that where the institution calculates the AMA own funds requirements by recognising less than full correlation across individual operational risk estimates, it complies with at least the following requirements:

  1. (a)

    that the institution carefully considers any form of linear or non-linear dependence, relating to all the data, either to the body or to the tail, across two or more operational risk categories or within an operational risk category;

  2. (b)

    that the institution supports its correlation assumptions, to the greatest extent possible, on an appropriate combination of empirical data analysis and expert judgement;

  3. (c)

    that losses within each operational risk category are independent of each other;

  4. (d)

    that where the condition of point (c) is not met, dependent losses are aggregated together;

  5. (e)

    that, only where neither of the conditions of points (c) or (d) can be met, dependence within the operational risk categories is appropriately modelled;

  6. (f)

    that the institution carefully considers dependence between tail events;

  7. (g)

    that the institution does not base the dependence structure on Gaussian or Normal-like distributions;

  8. (h)

    that all assumptions regarding dependence used by the institution are conservative given the uncertainties relating to dependence modelling for operational risk, and that the degree of conservatism used by the institution increases as the rigour of the dependence assumptions and the reliability of the resulting own funds requirements decrease;

  9. (i)

    that the institution properly justifies the dependence assumptions it uses and that it regularly performs sensitivity analyses with the view to assessing the effect of the dependence assumptions on its AMA own funds requirements.

SECTION 4 Capital allocation mechanism

Article 35 Consistency of the operational risk measurement system

Competent authorities shall assess an institution's standards relating to the internal consistency of the operational risk measurement system, as referred to in point (e) of Article 322(2) of Regulation (EU) No 575/2013, by confirming at least the following:

  1. (a)

    that the institution's capital allocation mechanism is consistent with the institution's risk profile and with the overall design of the operational risk measurement system;

  2. (b)

    that allocation of the AMA own funds requirements takes into account potential internal differences in risk and quality of operational risk management and internal control between the parts of the group to which the AMA own funds requirements are allocated;

  3. (c)

    that there is no observable current or foreseen practical or legal impediment to the prompt transfer of own funds or repayment of liabilities;

  4. (d)

    that the allocation of the AMA own funds requirements from the consolidated group level downwards to the parts of the group involved in the operational risk measurement system relies on sound and to, the maximum extent, risk sensitive methodologies.

CHAPTER 4 INSURANCE AND OTHER RISK TRANSFER MECHANISMS

Article 36 General principles

Competent authorities shall assess an institution's compliance with the requirements relating to the impact of insurance and ORTM within an AMA, as referred to in the last sentence of point (e) of Article 322(2) and in Article 323 of Regulation (EU) No 575/2013, by confirming at least the following:

  1. (a)

    that the insurance provider meets the authorisation requirements referred to in Article 323(2) of Regulation (EU) No 575/2013, in accordance with Article 37;

  2. (b)

    that the insurance is provided via a third party, as referred to in point (e) of Article 323(3) of Regulation (EU) No 575/2013, in accordance with Article 38;

  3. (c)

    that the institution avoids the multiple counting of risk mitigation techniques, as referred to in point (e) of Article 322(2) of Regulation (EU) No 575/2013, in accordance with Article 39;

  4. (d)

    that the risk mitigation calculation appropriately reflects the insurance coverage, as referred to in point (d) of Article 323(3) of Regulation (EU) No 575/2013, and that the framework for recognising insurance is well reasoned and documented, as referred to in point (f) of Article 323(3) of that Regulation, including the following:

    1. (i)

      the insurance coverage relates to the institution's operational risk profile, in accordance with Article 40;

    2. (ii)

      the institution uses a sophisticated risk mitigation calculation, in accordance with Article 41;

    3. (iii)

      the risk mitigation calculation is aligned to the institution's operational risk profile in a timely fashion, in accordance with Article 42.

  5. (e)

    that the institution's methodology for recognising insurance captures all the relevant elements through discounts or haircuts in the amount of insurance recognition, as referred to in points (a) and (b) of Article 323(3) and in Article 323(4) of Regulation (EU) No 575/2013, in accordance with Article 43;

  6. (f)

    that the institution demonstrates that a noticeable risk mitigating effect is achieved with the introduction of the ORTM, as referred to in the second sentence of Article 323(1) of Regulation (EU) No 575/2013, in accordance with Article 44.

Article 37 Authorisation equivalence of the insurance provider

For the purposes of assessing the authorisation requirements of the insurance provider as referred to in Article 36(a), competent authorities shall consider that an undertaking authorised in a third country fulfils the requirements of authorisation, where that undertaking satisfies prudential requirements that are equivalent to those applied in the Union, including the requirements referred to in Article 323 of Regulation (EU) No 575/2013.

Article 38 Provision of the insurance via a third party

  1. (1)

    For the purposes of assessing that the insurance coverage for the purposes of AMA own funds requirements is provided by a third-party entity, as referred to in Article 36(b), competent authorities shall confirm, on the basis of the comprehensive view of an institution's consolidated situation as referred to in Article 4(1), point (47) of Regulation (EU) No 575/2013, that neither the institution nor any other of the entities included in the scope of consolidation has a participation or a qualifying holding, as referred to in Article 4(1), points (35) and (36) respectively, of Regulation (EU) No 575/2013, in the party providing the insurance.

  2. (2)

    Where the requirements of paragraph 1 are partially met, only that portion of the insurance provided where ultimate liability rests with an eligible third-party entity by virtue of the fact that the risk is effectively transferred outside of the consolidated entities shall be considered as insurance provided via a third party.

Article 39 Multiple counting of risk mitigation techniques

For the purposes of assessing that the insurance coverage for the purposes of AMA own funds requirements avoids the multiple counting of risk mitigation techniques, as referred to in Article 36(c), competent authorities shall confirm that an institution has taken reasonable steps to ensure that neither the institution nor any of the entities included in the scope of the consolidation is knowingly re-insuring contracts that cover operational risk events forming the object of the initial insurance arrangement entered into by the institution.

Article 40 Insurance risk mapping process

  1. (1)

    For the purposes of assessing that the insurance coverage relates to an institution's risk profile, as referred to in point (i) of Article 36(d), competent authorities shall confirm that an institution has carried out a well-documented and well-reasoned insurance risk mapping process whereby the institution develops an insurance coverage consistent with the likelihood and impact of all operational risk losses that it may potentially face.

  2. (2)

    For the purposes of paragraph 1, competent authorities shall confirm that the institution complies with at least the following:

    1. (a)

      estimates the probability of insurance recovery and the possible timeframe for the receipt of payments by insurers, including the likelihood of a claim being litigated, the length of that process and current settlement rates and terms, based on the experience of its insurance risk management team, supported where necessary by appropriate external expertise including claims counsel, brokers and carriers;

    2. (b)

      uses the estimates resulting from point (a) to assess the performance of insurance in the event of an operational risk loss and designs this process with the view to assessing the insurance response for all relevant loss and scenario data being entered into the operational risk measurement system;

    3. (c)

      maps the insurance policies based on their assessment resulting from point (b) to the institution's own operational risks at the maximum level of detail, using all the information sources available, including internal data, external data and scenario estimates;

    4. (d)

      employs the appropriate expertise and conducts this mapping with transparency and consistency;

    5. (e)

      assigns the appropriate weight to the past and expected performance of insurance through an assessment of the components of the insurance policy;

    6. (f)

      obtains formal approval from the appropriate risk body or committee;

    7. (g)

      periodically re-examines the insurance mapping process.

Article 41 Use of a sophisticated risk mitigation calculation

For the purposes of assessing that an institution uses a sophisticated risk mitigation calculation, as referred to in point (ii) of Article 36(d), competent authorities shall confirm that the modelling approach for incorporating the insurance coverage within the AMA meets at least the following:

  1. (a)

    it is consistent with the operational risk measurement system adopted to quantify the gross-of-insurance losses;

  2. (b)

    it is transparent in its relationship with the actual likelihood and impact of losses used in the institution's overall determination of its AMA own funds requirements, and is also consistent with that relationship.

Article 42 Alignment of the risk mitigation calculation with the operational risk profile

For the purposes of assessing that the risk mitigation calculation is aligned with an institution's operational risk profile in a timely fashion, as referred to in point (iii) of Article 36(d), competent authorities shall confirm at least the following:

  1. (a)

    that the institution has reviewed the use of insurance and has recalculated the AMA own funds requirements, as appropriate, where the nature of the insurance has changed significantly or where there is a major change in the institution's operational risk profile;

  2. (b)

    where material losses are incurred, affecting the insurance coverage, that the institution recalculates the AMA own funds requirements with an additional margin of conservatism;

  3. (c)

    where there is an unexpected termination or reduction of the insurance coverage, that the institution is prepared to immediately replace the insurance policy on equivalent or improved terms, conditions and coverage, or to increase its AMA own funds requirements to a gross-of-insurance level;

  4. (d)

    that the institution calculates capital gross- and net-of-insurance, at a level of granularity such that any erosion in the amount of insurance available, including by payment of a material loss, or a change in insurance coverage, can be immediately recognised for its effect on the AMA own funds requirements.

Article 43 Capture of all the relevant elements

  1. (1)

    For the purposes of assessing that an institution's methodology for recognising insurance captures all the relevant elements through discounts or haircuts in the amount of insurance recognition, as referred to in Article 36(e), competent authorities shall confirm at least the following:

    1. (a)

      that the institution investigates the various factors that create the risk that the insurance provider will not make the payments as expected and decrease the effectiveness of the risk transfer, including the ability of the insurer to pay in a timely manner and the ability of the institution to identify, analyse and report the claim in a timely manner;

    2. (b)

      that the institution investigates how the various factors referred to in point (a) have affected the mitigating impact of insurance on the operational risk profile in the past and how they may affect it in the future;

    3. (c)

      that the institution reflects the uncertainties referred to in point (a) in its AMA own funds requirements, through appropriately conservative haircuts;

    4. (d)

      that the institution carefully takes into account the characteristics of the insurance policies, including whether those policies cover only losses that are claimed or notified to the insurer during the policy term, therefore any loss that is discovered after the policy expires is not covered, or whether they cover losses that are incurred during the policy term, even where they are not discovered and the claim is not lodged until after the expiration of the policy, or whether the losses are first-party direct losses or third-party liability losses;

    5. (e)

      that the institution considers and fully documents data on insurance pay-outs by loss type in its loss databases and sets haircuts accordingly;

    6. (f)

      that the institution has in place procedures for loss identification, analysis and claims processing, with the view to verifying the actual coverage protection provided by the insurer or the ability to receive the claim payment funds within a reasonable timeframe;

    7. (g)

      that the institution explicitly quantifies and models separately the haircuts in relation to each of the identified relevant uncertainties instead of applying one single haircut into the calculation covering all uncertainties or an ex post calculation haircut;

    8. (h)

      that the institution takes into account the recognition of the insurer's claims-paying ability risk to the maximum extent, by applying appropriate haircuts in the insurance modelling methodology;

    9. (i)

      that the institution ensures that the claims-paying ability risk for counterparty default is assessed on the basis of the credit quality of the insurance company responsible under the given insurance contract, irrespective of whether the insurance company's parent institution has a better rating or whether the risk is transferred to a third party;

    10. (j)

      that the institution makes conservative assumptions relating to the renewal of insurance policies on the basis of equivalent terms, conditions, and coverage as the original or existing contracts;

    11. (k)

      that the institution has processes in place to ensure that the potential exhaustion of insurance policy limits and the price and availability of reinstatements of cover as well as the cases where the coverage of the insurance contract does not match the operational risk profile of the institution are appropriately reflected in its AMA insurance methodology.

  2. (2)

    For the purposes of paragraph 1, competent authorities may consider that the requirement for the institution to apply haircuts for the time remaining until the expiry of the insurance contract or for the cancellation term is not necessary where the cover will be renewed and continuous and where at least one of the following conditions is met:

    1. (a)

      where the institution can demonstrate the existence of continuous cover on equivalent or improved terms, conditions and coverage for at least 365 days;

    2. (b)

      where the institution has in place a policy that cannot be cancelled by the insurer, other than for non-payment of premium, or which has a cancellation period of more than one year.

Article 44 Other risk transfer mechanisms

For the purposes of assessing that an institution has demonstrated that a noticeable risk mitigating effect is achieved with the introduction of ORTM, as referred to in Article 36(f), competent authorities shall apply at least the following:

  1. (a)

    confirm that the institution has experience in using ORTM instruments and their characteristics, including probability of coverage and timeliness of payment, before these instruments can be recognized in the institution's operational risk measurement system;

  2. (b)

    refuse ORTM as eligible risk mitigation instruments of the AMA own funds requirements where the ORTM are held or used for trading purposes rather than for risk management purposes;

  3. (c)

    verify the eligibility of the protection seller including whether it is a regulated or unregulated entity, and the nature and characteristics of the protection provided, whether it is funded protection, securitization, guarantee mechanism or derivatives;

  4. (d)

    confirm that outsourced activities are not considered part of ORTM;

  5. (e)

    confirm that the institution calculates the AMA own funds requirements gross- and net-of-ORTM for each capital calculation, at a level of granularity such that any erosion in the amount of protection available, can be immediately recognised for its effect on capital requirements;

  6. (f)

    confirm that where material losses are incurred, affecting the coverage provided by the ORTM or where changes in the ORTM contracts create major uncertainty as to their coverage, the institution recalculates its AMA own funds requirements with an additional margin of conservatism.

CHAPTER 5 FINAL PROVISION

Article 45 Transitional provision

With regard to the assessment of the AMA, referred to in Article 1, of an institution which, on the date of entry into force of this Regulation, is already using an AMA for the purpose of calculating its own funds requirements for operational risk, or of an institution which has already applied for a permission to use an AMA for that purpose, both of the following shall apply:

  1. (a)

    this Regulation shall apply from one year after its entry into force;

  2. (b)

    Article 34(g) shall apply from two years after its entry into force.

Article 46 Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Signature

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 14 March 2018.

For the Commission

The President

Jean-Claude JUNCKER