CHAPTER 1 GENERAL PROVISIONS

Article 1 Assessment of Advanced Measurement Approaches

  1. (1)

    The assessment under which the competent authorities permit an institution to use Advanced Measurement Approaches (AMA) shall confirm that:

    1. (a)

      the elements in Articles 3 to 6 are fulfilled;

    2. (b)

      Chapters 2 and 3 are fulfilled;

    3. (c)

      Chapter 4 is fulfilled where the institution has adopted the insurance and other risk transfer mechanisms referred to therein.

  2. (2)

    Chapters 1 to 4 shall be taken into account where competent authorities conduct the following:

    1. (a)

      an assessment of the materiality of extensions and changes to the AMA used by an institution;

    2. (b)

      an assessment of the sequential implementation plan to the AMA used by an institution;

    3. (c)

      an assessment of an institution's return to the use of less sophisticated approaches in accordance with Article 313 of Regulation (EU) No 575/2013;

    4. (d)

      the ongoing reviews of an AMA used by an institution.

Article 2 Definitions

For the purposes of this Delegated Act, the following definitions shall apply:

  1. (1)

    "body-tail modelling threshold" means the loss value that separates the body from the tail of the loss distributions;

  2. (2)

    "calculation data set" means the portion of gathered data, either actual or constructed, that fulfils the necessary conditions to serve as input into the operational risk measurement system;

  3. (3)

    "data collection threshold" means the loss value from which an institution identifies and collects operational risk losses for management and measurement purposes;

  4. (4)

    "date of accounting" means the date when a loss or a provision against an operational risk event is first recognized in the Profit and Loss;

  5. (5)

    "minimum modelling threshold" means the loss value from which the frequency and severity distributions, either empirical or parametric, are fitted to the operational risk losses;

  6. (6)

    "gross loss" or "loss" means the loss stemming from an operational risk event before recoveries of any type;

  7. (7)

    "misconduct event" means the operational risk event arising from willful or negligent misconduct, including inappropriate supply of financial services;

  8. (8)

    "operational risk category" means the level, such as the event type and the business line, at which an institution's operational risk measurement system generates separate frequency and severity distributions;

  9. (9)

    "operational risk profile" means the representation in absolute figures at a given point in time of an institution's actual and prospective operational risk;

  10. (10)

    "operational risk tolerance" means an institution's forward looking view, represented in absolute figures, of the aggregate level and types of operational risk that the institution is willing or prepared to incur which will not jeopardise its strategic objectives and business plan;

  11. (11)

    "recovery" means the occurrence related to the original loss that is independent of that loss and that is separate in time, in which funds or inflows of economic benefits are received from first or third parties;

  12. (12)

    "risk measure" means a single statistic on operational risk extracted from the aggregated loss distribution at the desired confidence level, including Value at Risk (VaR), or shortfall measures (e.g. Expected Shortfall, Median Shortfall);

  13. (13)

    "System Development Life Cycle" or "SDLC" means the process for planning, creating, testing, and deploying an IT infrastructure;

  14. (14)

    "timing loss" means the negative economic impact booked in a financial accounting period due to an operational risk event impacting the cash flows or financial statements of previous financial accounting periods.

Article 3 Operational risk events related to legal risk

  1. (1)

    Competent authorities shall confirm that an institution identifies, collects and treats data on operational risk events and losses related to legal risk for the purposes of both management of operational risk and calculation of the AMA own funds requirement by verifying at least all of the following:

    1. (a)

      that the institution clearly identifies and classifies as operational risk losses or other expenses deriving from events that result in legal proceedings, including at least the following:

      1. (i)

        a failure to act where such action is necessary to comply with a legal rule;

      2. (ii)

        action taken to avoid compliance with a legal rule;

      3. (iii)

        misconduct events.

    2. (b)

      that the institution clearly identifies and classifies as operational risk losses or other expenses resulting from voluntary actions intended to avoid or mitigate legal risks arising from operational risk events, including refunds or discounts of future services offered to customers voluntarily where such refunds are not offered as a result of customer complaints;

    3. (c)

      that the institution clearly identifies and classifies as operational risk losses resulting from errors and omissions in contracts and documentation;

    4. (d)

      that the institution does not classify the following as operational risk:

      1. (i)

        refunds to third parties or employees and goodwill payments due to business opportunities, where no breach of any rules or ethical conduct has occurred and where the institution has fulfilled its obligations on a timely basis;

      2. (ii)

        external legal costs where the underlying event is not an operational risk event.

    For the purposes of paragraph (a), legal proceedings shall be considered to be all legal settlements, including both mandated court settlements and out of court settlements.

  2. (2)

    For the purposes of this Article, legal rules shall include at least the following:

    1. (a)

      any requirement derived from national or international statutory or legislative provisions;

    2. (b)

      any requirement derived from contractual arrangements, internal rules and codes of conduct established in accordance with national or international norms and practices;

    3. (c)

      ethical rules.

Article 4 Operational risk events related to model risk

Competent authorities shall confirm the following when assessing that an institution identifies, collects and treats data on operational risk events and losses that are related to model risk, as defined in point (11) of Article 3(1) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013, for the purposes of both management of operational risk and calculation of the AMA own funds requirement:

  1. (a)

    that at least the following events, and the related losses, resulting from models used for decision-making are classified as operational risk:

    1. (i)

      improper definition of a selected model and its characteristics;

    2. (ii)

      inadequate verification of a selected model's suitability for the financial instrument to be evaluated or the product to be priced, or its suitability for the applicable market conditions;

    3. (iii)

      errors in the implementation of a selected model;

    4. (iv)

      incorrect mark-to-market valuations and risk measurement as a result of a mistake when booking a trade into the trading system;

    5. (v)

      use of a selected model or its outputs for a purpose for which it was not intended or designed, including manipulation of the modelling parameters;

    6. (vi)

      untimely and ineffective monitoring of model performance to confirm whether the model remains fit for purpose.

  2. (b)

    that events related to the under-estimation of own funds requirements by internal models authorized by competent authorities are not included in the identification, collection and treatment of data on operational risk events and losses related to model risk.

Article 5 Operational risk events related to financial transactions including those related to market risk

Competent authorities shall confirm that at least the following events, and the related losses, are classified as operational risk when assessing that an institution identifies, collects and treats data on operational risk events and losses that are related to financial transactions and market risk for the purposes of both management of operational risk and calculation of the AMA own funds requirement:

  1. (a)

    events due to operational and data entry errors, including the following:

    1. (i)

      failures and errors during the introduction or execution of orders;

    2. (ii)

      loss of data or misunderstanding of the data flow from the front to the middle and back offices of the institution;

    3. (iii)

      errors in classification;

    4. (iv)

      incorrect specification of deals in the term-sheet, including errors related to the transaction amount, maturities and financial features.

  2. (b)

    events due to failures in internal controls, including the following:

    1. (i)

      failures in properly executing an order to unwind a market position in case of adverse price movements;

    2. (ii)

      unauthorised positions taken in excess of allocated limits, irrespective of the type of risk they relate to.

  3. (c)

    events due to inadequate data quality and unavailability of IT environment, including technical unavailability of access to the market resulting in an inability to close contracts.

Article 6 Quality and auditability of documentation

  1. (1)

    Competent authorities shall verify the quality of the documentation relating to the AMA used by an institution by confirming at least the following:

    1. (a)

      that the documentation is approved at the appropriate management level of the institution;

    2. (b)

      that the institution has policies in place outlining standards to ensure the high quality of internal documentation including specific accountability for ensuring that the documentation maintained is complete, consistent, accurate, updated, approved and secure;

    3. (c)

      that the layout of the documentation set out in the policies referred to in point (b) identifies at least the following items:

      1. (i)

        type of document;

      2. (ii)

        author;

      3. (iii)

        reviewer;

      4. (iv)

        authorising agent and owner;

      5. (v)

        dates of development and approval;

      6. (vi)

        version number;

      7. (vii)

        history of changes to the document.

    4. (d)

      that the institution thoroughly documents its policies, procedures and methodologies.

  2. (2)

    Competent authorities shall verify the auditability of the documentation relating to the AMA used by an institution by confirming at least the following:

    1. (a)

      that the documentation is sufficiently detailed and accurate to allow examination of the AMA by third parties, including:

      1. (i)

        the understanding of the reasoning and procedures underlying its development;

      2. (ii)

        the understanding of the operational risk measurement system in order to determine how the AMA own funds requirements operates, its limitations and key assumptions and being able to replicate the model development.