SUB-SECTION 1 Internal data

Article 21 Internal data features

Competent authorities shall assess an institution's compliance with the standards relating to internal data features, as referred to in point (i) of Article 20(d), by verifying at least the following:

  1. (a)

    that the institution gathers all of the following elements within the group in a clear and consistent manner:

    1. (i)

      the gross loss caused by the occurrence of an operational risk event;

    2. (ii)

      the recovery.

  2. (b)

    that the institution is able to separately identify the gross loss amount, the recovery from insurance and other risk transfer mechanisms (ORTM) and the recovery except from insurance and ORTM following an operational risk event, except for losses that are partly or fully recovered within five working days;

  3. (c)

    that the institution implements a system for defining and justifying appropriate data collection thresholds based on the gross loss amount;

  4. (d)

    that the operational risk category is reasonable and does not omit loss data that is material for effective operational risk measurement and risk management;

  5. (e)

    that for each individual loss, the institution is able to identify and record at least the following elements in the internal database:

    1. (i)

      the date of occurrence or start of occurrence of the operational risk event, where available;

    2. (ii)

      the date of discovery of the operational risk event;

    3. (iii)

      the date of accounting.

Article 22 Scope of operational risk loss

  1. (1)

    Competent authorities shall confirm that an institution identifies, collects and treats the loss items generated by an operational risk event, as referred to in point (i) of Article 20(d), by verifying that the institution includes at least the following within the scope of operational risk loss for the purposes of both management of operational risk and calculation of the AMA own funds requirements:

    1. (a)

      direct charges, including impairments and settlement charges, to the Profit and Loss account and write-downs due to the operational risk event;

    2. (b)

      costs incurred as a consequence of the operational risk event, including the following:

      1. (i)

        external expenses with a direct link to the operational risk event, including legal expenses and fees paid to advisors, attorneys or suppliers;

      2. (ii)

        costs of repair or replacement to restore the position prevailing before the operational risk event, in the form of either precise figures, or, where these are not available, estimates.

    3. (c)

      provisions or reserves accounted for in the Profit and Loss account against probable operational risk losses, including those from misconduct events;

    4. (d)

      pending losses, in the form of losses stemming from an operational risk event, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the Profit and Loss which are planned to be included within a time period commensurate to the size and age of the pending item;

    5. (e)

      material uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the operational risk event, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time;

    6. (f)

      timing losses, where they span more than one financial accounting year and give rise to legal risk.

  2. (2)

    For the purposes of paragraph 1, competent authorities may, to the extent appropriate, confirm that the institution identifies, collects and treats for the purposes of management of operational risk any additional items where they originate from a material operational risk event, including the following:

    1. (a)

      a near miss in the form of a nil loss caused by an operational risk event, including an IT disruption in the trading room just outside trading hours;

    2. (b)

      a gain caused by an operational risk event;

    3. (c)

      opportunity costs in the form of an increase in costs or a shortfall in revenues due to operational risk events that prevent undetermined future business from being conducted, including unbudgeted staff costs, forgone revenue, and project costs related to improving processes;

    4. (d)

      internal costs including overtime or bonuses.

  3. (3)

    For the purposes of paragraph 1, competent authorities shall also confirm that the institution excludes the following items from the scope of operational risk loss:

    1. (a)

      costs of general maintenance contracts on property, plant or equipment;

    2. (b)

      internal or external expenditures to enhance the business after the occurrence of an operational risk event, including upgrades, improvements, risk assessment initiatives and enhancements;

    3. (c)

      insurance premiums.

Article 23 Recorded loss amount of the operational risk items

  1. (1)

    Competent authorities shall confirm that an institution records the loss amount generated by an operational risk event, as referred to in point (i) of Article 20(d), by verifying at least the following:

    1. (a)

      that the whole amount of the incurred loss or expenses, including provisions, costs of settlement, amounts paid to make good the damage, penalties, interest in arrears and legal fees, is considered as recorded loss amount for the purposes of both management of operational risk and calculation of the AMA own funds requirements, unless otherwise specified;

    2. (b)

      that, where the operational risk event relates to market risk, the institution includes the costs to unwind market positions in the recorded loss amount of the operational risk items; and that, where the position is intentionally kept open after the operational risk event is recognized, any portion of the loss due to adverse market conditions after the decision to keep the position open is not included in the recorded loss amount of the operational risk items;

    3. (c)

      that, where tax payments relate to failures or inadequate processes of the institution, the institution includes in the recorded loss amount of the operational risk items the expenses incurred as a result of the operational risk event, including penalties, interest charges, late-payment charges, and legal fees, with the exclusion of the tax amount originally due;

    4. (d)

      that, where there are timing losses and the operational risk event directly affects third parties, including customers, providers and employees of the institution, the institution includes in the recorded loss amount of the operational risk item also the correction of the financial statement.

  2. (2)

    For the purposes of paragraph 1, where the operational risk event leads to a loss event, which is partly rapidly recovered, competent authorities shall consider appropriate the inclusion, on behalf of the institution, in the recorded loss amount of only that part of the loss which is not rapidly recovered in accordance with point (b) of Article 21.

Article 24 Operational risk losses that are related to credit risk

  1. (1)

    Competent authorities shall confirm that an institution identifies, collects and treats operational risk losses that are related to credit risk, as referred to in point (i) of Article 20(d), by verifying that the institution includes within the scope of operational risk loss, for the purposes of management of operational risk, at least the following:

    1. (a)

      frauds committed by a client of the institution on its own account, occurring in a credit product or credit process at the initial stage of the lifecycle of a credit relationship, including inducement to lending decisions based on counterfeit documents or mis-stated financial statements, such as non-existence or over-estimation of collaterals and counterfeit salary confirmation;

    2. (b)

      frauds committed by means of another, ignorant person's identity, including loan applications through electronic identity fraud using clients' data or fictitious identities or fraudulent use of clients' credit cards.

  2. (2)

    For the purposes of paragraph 1, competent authorities shall confirm that the institution takes at least the following actions:

    1. (a)

      adjusts the data collection threshold relating to the loss events described in paragraph 1 up to comparable levels as those of the other operational risk categories of the AMA framework, where appropriate;

    2. (b)

      includes within the gross loss of the events described in paragraph 1 the total outstanding amount at the time or after the discovery of the fraud, and any related expenses, including interest in arrears and legal fees.

Article 25 External data

Competent authorities shall assess an institution's compliance with the standards relating to external data features, as referred to in point (ii) of Article 20(d), by verifying at least the following:

  1. (a)

    that, where the institution participates in consortia initiatives for the collection of operational risk events and losses, the institution is able to provide data of the same quality, in terms of scope, integrity and comprehensiveness, as internal data meeting the standards referred to in Articles 21, 22, 23, and 24 and that it does so consistently with the type of data requested by the consortia reporting standards;

  2. (b)

    that the institution has a data filtering process in place which allows the selection of relevant external data, based on specific established criteria and that the external data being used is relevant and consistent with the risk profile of the institution;

  3. (c)

    that, in order to avoid bias in parameter estimates, the filtering process results in a consistent selection of data regardless of the loss amount, and that, where the institution permits exceptions to this selection process, it has a policy providing criteria for exceptions and documentation supporting the rationale for those exceptions;

  4. (d)

    that, where the institution adopts a data scaling process involving the adjustment of loss amounts reported in external data, or of the related distributions, to fit the institution's business activities, nature and risk profile, the scaling process is systematic and statistically supported and that it provides outputs that are consistent with the institution's risk profile;

  5. (e)

    that the institution's scaling process is consistent over time and its validity and effectiveness are regularly reviewed.

Article 26 Scenario analysis

  1. (1)

    Competent authorities shall assess an institution's compliance with the standards relating to scenario analysis, as referred to in point (iii) of Article 20(d), by verifying at least the following:

    1. (a)

      that the institution has a robust governance framework in place relating to the scenario process that generates credible and reliable estimates, irrespective of whether the scenario is used for evaluating high severity events or the overall operational risk exposures;

    2. (b)

      that the scenario process is clearly defined, well documented, repeatable and designed to reduce as much as possible subjectivity and biases, including:

      1. (i)

        the underestimation of risk due to the number of observed events being small;

      2. (ii)

        the misrepresentation of information due to scenario assessors' interests in conflict with the goals and consequences of the assessment;

      3. (iii)

        the overestimation of events with temporal proximity to the scenario assessors;

      4. (iv)

        the distortion of assessment due to the categories within which the responses are represented;

      5. (v)

        the bias in the information presented in background materials to survey questions or within the questions themselves.

    3. (c)

      that qualified and experienced facilitators provide consistency in the process;

    4. (d)

      that the assumptions used in the scenario process are based, to the maximum extent, on the relevant internal data and external data with an objective and unbiased selection process;

    5. (e)

      that the chosen number of scenarios, the level at, or units in, which scenarios are studied, are realistic and properly explained, and that the scenario estimates take into account relevant changes in the internal and external environments that can affect the institution's operational risk exposure;

    6. (f)

      that the scenario estimates are generated taking into account potential or probable operational risk events that have not yet, fully or partly, materialised in an operational risk loss;

    7. (g)

      that the scenario process and estimates are subject to a robust independent challenge process and oversight.

Article 27 Business Environment and Internal Control Factors

Competent authorities shall assess an institution's compliance with the standards relating to the BEICF, as referred to in point (iv) of Article 20(d), by verifying at least the following:

  1. (a)

    that the institution's BEICF are forward looking and reflect potential sources of operational risk, including rapid growth, the introduction of new products, employee turnover and system downtime;

  2. (b)

    that the institution has clear policy guidelines that limit the magnitude of reductions in the AMA own funds requirements resulting from BEICF adjustments;

  3. (c)

    that the BEICF adjustments referred to in point (b) are justified and that the appropriateness of their level is confirmed by comparison, over time, with the direction and magnitude of actual internal loss data, conditions in the business environment and changes in the validated effectiveness of controls.