[Federal Register Volume 73, Number 148 (Thursday, July 31, 2008)]
[Rules and Regulations]
[Pages 44620-44628]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-17555]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 3
[Docket ID OCC-2008-0009]
FEDERAL RESERVE SYSTEM
12 CFR Parts 208 and 225
[Docket No. OP-1322]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 325
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 567
[Docket No. 2008-0008]
Supervisory Guidance: Supervisory Review Process of Capital
Adequacy (Pillar 2) Related to the Implementation of the Basel II
Advanced Capital Framework
AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);
Board of Governors of the Federal Reserve System (Board); Federal
Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision,
Treasury (OTS) (collectively, the agencies).
ACTION: Final supervisory guidance.
-----------------------------------------------------------------------
SUMMARY: The agencies are publishing guidance regarding the supervisory
review process for capital adequacy (Pillar 2) provided in the Basel II
advanced approaches final rule, which was published in the Federal
Register on December 7, 2007 (advanced approaches final rule). The
supervisory review process described in this guidance outlines the
agencies' standards for satisfying the qualification requirements
provided in the advanced approaches final rule; addressing the
limitations of the minimum risk-based capital requirements for credit
risk and operational risk; ensuring that each institution has a
rigorous process for assessing its overall capital adequacy in relation
to its risk profile and a comprehensive strategy for maintaining
appropriate capital levels; and encouraging each institution to improve
its risk identification and measurement techniques. This supervisory
guidance applies to any bank, savings association, or bank holding
company \1\ implementing the advanced approaches final rule.
---------------------------------------------------------------------------
\1\ Collectively referred to in the guidance as ``banks''.
DATES: This guidance is effective September 2, 2008. Comments on the
Paperwork Reduction Act portion of this document may be submitted on or
---------------------------------------------------------------------------
before September 2, 2008.
ADDRESSES: Comments on the Paperwork Reduction Act portion of this
document should be addressed to:
OCC: Communications Division, Office of the Comptroller of the
Currency, Public Information Room, Mailstop 1-5, Attention: 1557-NEW,
250 E Street, SW., Washington, DC 20219. In addition, comments may be
sent by fax to (202) 874-4448, or by electronic mail to
[email protected]. You may personally inspect and photocopy
the comments at the OCC's Public Information Room, 250 E Street, SW.,
Washington, DC 20219. For security reasons, the OCC requires that
visitors make an appointment to inspect comments. You may do so by
calling (202) 874-5043. Upon arrival, visitors will be required to
present valid government-issued photo identification and submit to
security screening in order to inspect and photocopy comments.
Board: You may submit comments, identified by OP-1322, by any of
the following methods:
Agency Web Site: http://www.federalreserve.gov. Follow the
instructions for submitting comments at http://www.federalreserve.gov/.
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Fax: (202) 452-3819 or (202) 452-3102.
Mail: Jennifer J. Johnson, Secretary, Board of Governors
of the Federal Reserve System, 20th Street and
[[Page 44621]]
Constitution Avenue, NW., Washington, DC 20551.
All public comments are available from the Board's Web site at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted,
unless modified for technical reasons. Accordingly, your comments will
not be edited to remove any identifying or contact information. Public
comments may also be viewed electronically or in paper form in Room MP-
500 of the Board's Martin Building (20th and C Streets, NW.) between 9
a.m. and 5 p.m. on weekdays.
FDIC: You may submit comments by any of the following methods:
Agency Web Site: http://www.fdic.gov/regulations/laws/federal. Follow instructions for submitting comments on the Agency Web
Site.
E-mail: [email protected]. Include ``Basel II Supervisory
Guidance'' in the subject line of the message.
Mail: Robert E. Feldman, Executive Secretary, Attention:
Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429.
Hand Delivery/Courier: Guard station at the rear of the
550 17th Street Building (located on F Street) on business days between
7 a.m. and 5 p.m. (EST).
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Public Inspection: All comments received will be posted
without change to http://www.fdic.gov/regulations/laws/federal
including any personal information provided. Comments may be inspected
and photocopied in the FDIC Public Information Center, 3501 North
Fairfax Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5
p.m. (EST) on business days. Paper copies of public comments may be
ordered from the Public Information Center by telephone at (877) 275-
3342 or (703) 562-2200.
OTS: Information Collection Comments, Chief Counsel's Office,
Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552;
send a facsimile transmission to (202) 906-6518; or send an e-mail to
[email protected]. OTS will post comments and the
related index on the OTS Internet site at http://www.ots.treas.gov. In
addition, interested persons may inspect the comments at the Public
Reading Room, 1700 G Street, NW., by appointment. To make an
appointment, call (202) 906-5922, send an e-mail to
public.info@ots.treas.gov">public.info@ots.treas.gov, or send a facsimile transmission to (202)
906-7755. A copy of the comments may also be submitted to the OMB desk
officer for the Agencies: By mail to U.S. Office of Management and
Budget, 725 17th Street, NW., Room 10235, Washington, DC 20503 or by
facsimile to 202-395-6974, Attention: Federal Banking Agency Desk
Officer.
FOR FURTHER INFORMATION CONTACT:
OCC: Akhtarur Siddique, Lead Expert, Risk Analysis, (202) 874-4665;
or Ron Shimabukuro, Senior Counsel, Legislative and Regulatory
Activities Division, (202) 874-5090; Office of the Comptroller of the
Currency, 250 E Street, SW., Washington, DC 20219.
Board: David Palmer, Senior Supervisory Financial Analyst, Credit
Risk Section, (202) 452-2904 or Sabeth Siddique, Assistant Director,
Credit Risk Section, (202) 452-3861; Board of Governors of the Federal
Reserve System, 20th Street and Constitution Avenue, NW., Washington,
DC 20551. For the hearing impaired only, Telecommunication Device for
the Deaf (TDD), (202) 263-4869.
FDIC: Gloria Ikosi, Senior Quantitative Risk Analyst, (202) 898-
3997, or Ryan Sheller, Capital Markets Specialist, (202) 898-6614;
Capital Markets Policy Section, Division of Supervision and Consumer
Protection; or Mark L. Handzlik, Senior Attorney, (202) 898-3990, or
Michael B. Phillips, Counsel, (202) 898-3581, Supervision Branch, Legal
Division, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429.
OTS: Sonja White, Senior Project Manager, (202) 906-7857, Capital
Policy, or Jonathan Jones, Senior Financial Economist, (202) 906-5729,
Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552.
SUPPLEMENTARY INFORMATION: The agencies issued a notice of proposed
rulemaking (NPR) on September 25, 2006,\2\ seeking comment on a new
risk-based capital adequacy framework that requires some and permits
other qualifying banks to use an internal ratings-based (IRB) approach
to calculate regulatory capital requirements for credit risk and
certain advanced measurement approaches (AMA) to calculate regulatory
capital requirements for operational risk (together, the IRB and the
AMA are referred to as the ``advanced approaches''). On December 7,
2007, the agencies published the advanced approaches final rule.\3\ The
advanced approaches final rule is based largely on a series of
publications by the Basel Committee on Banking Supervision (BCBS) that
culminated in a comprehensive release in June 2006, titled,
``International Convergence of Capital Measurement and Capital
Standards: A Revised Framework'' (New Accord). The New Accord presents
a three-pillar framework for determining risk-based capital
requirements for credit risk, market risk, and operational risk (Pillar
1); supervisory review of capital adequacy (Pillar 2); and market
discipline through enhanced public disclosure (Pillar 3).
---------------------------------------------------------------------------
\2\ 71 FR 55830.
\3\ 72 FR 69288.
---------------------------------------------------------------------------
On February 28, 2007, the agencies published in the Federal
Register three separate documents proposing supervisory guidance
related to the implementation of the advanced approaches.\4\ Two of
those documents provided guidance for certain aspects of Pillar 1, that
is, for the IRB systems for determining the credit risk of retail and
wholesale exposures, and other systems for equity and securitization
exposures, and for the AMA for determining operational risk. The third
document proposed guidance for Pillar 2. This final guidance document
provides supervisory guidance only for Pillar 2, and it does not
provide Pillar 1 guidance on the systems for determining regulatory
capital requirements for credit risk or for determining regulatory
capital requirements for operational risk. This document does not
differ significantly from the proposed Pillar 2 guidance.
---------------------------------------------------------------------------
\4\ 72 FR 9084.
---------------------------------------------------------------------------
The agencies recognize that a number of institutions may need
additional guidance to implement the advanced approaches final rule.
Accordingly, consistent with the proposed guidance for Pillar 2, this
guidance document highlights certain aspects of existing supervisory
review that are being augmented or clarified to support the
implementation of the supervisory assessment of overall capital
adequacy under the advanced approaches final rule. In making this
assessment, the agencies will consider, among other items, whether each
institution (i) has satisfied the qualification requirements for
implementing the advanced approaches; (ii) has a rigorous process for
assessing its overall capital adequacy in relation to its risk profile
and a comprehensive strategy for maintaining appropriate capital levels
(internal capital adequacy assessment process--ICAAP); and (iii)
maintains a satisfactory risk management and control structure,
consistent with its capital position and overall risk profile.
The agencies received ten public comments on the proposed guidance
[[Page 44622]]
from banking organizations, trade associations representing the banking
or financial services industry, and other interested parties. Overall,
the commenters supported the principles-based orientation of the
guidance. However, some commenters recommended revisions to certain
sections of the guidance that they viewed as overly prescriptive. One
commenter expressed concern that the guidance appeared to suggest that
increases in risk should result in greater capital, even if an
institution already maintains a substantial capital buffer. To address
this concern, the agencies have revised the guidance to clarify that an
increase in risk may not necessarily require an increase in capital
where the bank already holds capital at a level exceeding what its
internal processes and supervisors regard as adequate.
Other commenters expressed concern regarding the agencies' position
that liquidity risk should be addressed within the ICAAP. However, the
proposed guidance was consistent with the agencies' view of liquidity
risk as a material risk that can affect capital adequacy. The agencies
clarified this section of the guidance to indicate that, within the
ICAAP, institutions should consider the capital adequacy implications
of liquidity risk. One commenter expressed the concern that each bank's
ICAAP measures would be compared to (and reconciled with) Pillar 1
measures and to other institutions' ICAAP results. The agencies
acknowledge that there may be limited comparability to Pillar 1
measures because a bank's ICAAP under Pillar 2 should be tailored to
its individual risk profile, while Pillar 1 measures are based on
certain common assumptions that may not apply to each individual bank.
Accordingly, there is likely to be some limit to the comparisons that
can be made across institutions.
Some commenters expressed confusion about the stress testing
requirement in Pillar 1 and stress testing discussed in the Pillar 2
guidance. The agencies regard stress testing as a critical component in
the identification and measurement of material risks. Although there
are no prescriptive stress testing requirements in Pillar 2,
institutions should use stress testing or similar exercises in their
ICAAP to consider the consequences of unlikely but severe events and
outcomes as an input to the capital adequacy assessment process.
Finally, one commenter indicated that it might not be practical to
incorporate the ICAAP into bank management's decision-making process.
The agencies believe that for the ICAAP to be meaningful and relevant,
it should be consistent with the bank's other risk management
practices.
Paperwork Reduction Act
A. Request for Comment on Proposed Information Collection
In accordance with the requirements of the Paperwork Reduction Act
of 1995, the Agencies may not conduct or sponsor, and the respondent is
not required to respond to, an information collection unless it
displays a currently valid Office of Management and Budget (OMB)
control number. The Agencies are requesting comment on a proposed
information collection. The Agencies are also giving notice that the
proposed collection of information has been submitted to OMB for review
and approval.
Comments are invited on:
(a) Whether the collection of information is necessary for the
proper performance of the Agencies' functions, including whether the
information has practical utility;
(b) The accuracy of the estimates of the burden of the information
collection, including the validity of the methodology and assumptions
used;
(c) Ways to enhance the quality, utility, and clarity of the
information to be collected;
(d) Ways to minimize the burden of the information collection on
respondents, including through the use of automated collection
techniques or other forms of information technology; and
(e) Estimates of capital or start up costs and costs of operation,
maintenance, and purchase of services to provide information.
B. Proposed Information Collection
Title of Information Collection: Basel II Interagency Supervisory
Guidance for the Supervisory Review Process (Pillar 2).
Frequency of Response: Event-generated.
Affected Public:
OCC: National banks.
Board: State member banks and bank holding companies.
FDIC: Insured state nonmember banks and certain subsidiaries of
these entities.
OTS: Savings associations and certain of their subsidiaries.
Abstract: The notice sets forth a supervisory guidance document for
implementing the supervisory review process (Pillar 2). The guidance
was issued for 60 days of comment on February 28, 2007 (72 FR 9084). No
comments were received on the burden estimates provided in that notice.
The Agencies believe that paragraphs 37, 41, 43, and 46 impose new
information collection requirements. Section 37 states that banks
should state clearly the definition of capital used in any aspect of
ICAAP and document any changes in the internal definition of capital.
Under section 41, banks should maintain thorough documentation of
ICAAP. Section 43 specifies that boards of directors should approve the
bank's ICAAP, review it on a regular basis, and approve any changes.
Boards of directors are also required under Section 46 to periodically
review the assessment of overall capital adequacy and to analyze how
measures of internal capital adequacy compare with other capital
measures (such as regulatory or accounting).
The agencies burden estimates for these information collection
requirements are summarized below. Note that the estimated number of
respondents listed below include both institutions for which the Basel
II risk-based capital requirements are mandatory and institutions that
may be considering opting-in to Basel II (despite the lack of any
formal commitment by most of these latter institutions).
Estimated Burden:
OCC
Number of Respondents: 52.
Estimated Burden per Respondent: 140 hours.
Total Estimated Annual Burden: 7,280 hours.
Board
Number of Respondents: 15.
Estimated Burden per Respondent: 420 hours.
Total Estimated Annual Burden: 6,300 hours.
FDIC
Number of Respondents: 19.
Estimated Burden per Respondent: 420 hours.
Total Estimated Annual Burden: 7,980 hours.
OTS
Number of Respondents: 4.
Estimated Burden per Respondent: 420 hours.
Total Estimated Annual Burden: 1,680 hours.
The full text of the guidance follows:
Supervisory Review Process of Capital Adequacy (Pillar 2) Related to
the Implementation of the Advanced Approaches Final Rule
1. This guidance supplements the final rule published jointly by
the U.S.
[[Page 44623]]
Federal banking agencies\1\ in the Federal Register on December 7, 2007
(advanced approaches rule).\2\ The advanced approaches rule implements
a new risk-based capital framework encompassing three pillars:
---------------------------------------------------------------------------
\1\ The Federal banking agencies are the Board of Governors of
the Federal Reserve System; the Federal Deposit Insurance
Corporation; the Office of the Comptroller of the Currency; and the
Office of Thrift Supervision; and are collectively referred to as
``the agencies,'' ``supervisors,'' or ``regulators'' in this
guidance.
\2\ 72 FR 69288. The advanced approaches rule as codified at 12
CFR part 3, Appendix C (national banks); 12 CFR part 208, Appendix F
(state member banks); 12 CFR part 225, Appendix G (bank holding
companies); 12 CFR part 325 Appendix D (state nonmember banks); 12
CFR part 567, Appendix C (savings associations).
---------------------------------------------------------------------------
Minimum risk-based capital requirements (Pillar 1);
Supervisory review (Pillar 2); and
Market discipline through enhanced public disclosures
(Pillar 3).
The minimum risk-based capital requirements in Pillar 1 of the
advanced approaches rule apply to a bank's calculation of minimum risk-
based capital requirements for credit risk and operational risk.\3\ If
the bank is also subject to the market risk rule,\4\ then the minimum
risk-based capital requirements in that rule would apply.\5\
---------------------------------------------------------------------------
\3\ The term ``bank'' as used in this guidance includes banks,
savings associations and bank holding companies. The terms ``bank
holding company'' and ``BHC'' refer only to bank holding companies
regulated by the Federal Reserve Board and do not include savings
and loan holding companies regulated by the Office of Thrift
Supervision.
\4\ 12 CFR part 3, Appendix B (national banks), 12 CFR part 208,
Appendix E (state member banks), 12 CFR part 225, Appendix E (bank
holding companies), 12 CFR part 325, Appendix C (state nonmember
banks). OTS intends to codify a market risk capital rule for savings
associations at 12 CFR part 567, Appendix D.
\5\ If a bank is subject to both the advanced approaches rule
and the market risk rule, then the bank is subject to this guidance.
If a bank is subject only to the market risk rule, it is not subject
to this guidance.
---------------------------------------------------------------------------
2. This document addresses the process for supervisory review in
the advanced approaches rule. As described in this guidance,
supervisory review covers three main areas:
Comprehensive supervisory review of capital adequacy;
Compliance with regulatory capital requirements; and
Internal capital adequacy assessment process (ICAAP).
3. The process of supervisory review described in this guidance
reflects a continuation of the longstanding approach employed by the
agencies in their supervision of banks. However, because implementation
of the advanced approaches rule affects certain aspects of supervisory
review, this guidance highlights areas of existing supervisory review
that are being augmented or more clearly defined to support
implementation of the advanced approaches rule by U.S. banks.
4. The supervisory review process described in this document is
intended to help ensure overall capital adequacy by:
Confirming a bank's compliance with regulatory capital
requirements;
Addressing the limitations of minimum risk-based capital
requirements as a measure of a bank's full risk profile--including
risks not covered or not adequately addressed or quantified in Pillar
1;
Ensuring that each bank is able to assess its own capital
adequacy (beyond minimum risk-based capital requirements) based on its
risk profile and business model; and
Encouraging banks to develop and use better techniques to
identify and measure risk.
5. This guidance neither supersedes nor alters the functioning of
the existing Prompt Corrective Action requirements.\6\ Similarly, this
guidance does not affect any other requirements for compliance with
existing regulations and supervisory standards related to risk-
management practices or other areas. The supervisory review process
described in this guidance supports the supervisors' existing ability
to:
---------------------------------------------------------------------------
\6\ See 12 CFR part 6 (national banks); 12 CFR part 208 (state
member banks); 12 CFR 325.103 (state nonmember banks); 12 CFR part
565 (savings associations). In addition, savings associations remain
subject to the tangible capital requirement at 12 CFR 567.2(a)(3)
and 567.9.
---------------------------------------------------------------------------
Require an individual bank to take measures to prevent its
capital from falling below the level needed to adequately support its
risks; or
Otherwise intervene to ensure that the bank's capital
levels are adequate.
Comprehensive Supervisory Review of Capital Adequacy
6. Capital helps protect individual banks from insolvency, thereby
promoting safety and soundness in the overall U.S. banking system.
Minimum risk-based capital requirements establish a threshold below
which a sound bank's risk-based capital must not fall. Risk-based
capital ratios permit some comparative analysis of capital adequacy
across banks because they are based on certain common assumptions.
However, supervisors must perform a more comprehensive review of
capital adequacy that considers the risks that are specific to each
individual bank, including those not incorporated in risk-based capital
requirements. In short, supervisors must ensure that a bank's overall
capital does not fall below the level required to support its entire
risk profile.
7. Supervisors generally expect banks to hold capital above their
minimum risk-based capital levels, commensurate with their individual
risk profiles, to account for all material risks. Going forward under
the advanced approaches rule, supervisors will continue to review the
overall capital adequacy of any bank through a comprehensive evaluation
that considers all relevant available information. In determining the
extent to which banks should hold capital in excess of risk-based
capital minimums, supervisors will consider: The combined implications
of a bank's compliance with qualification requirements for regulatory
capital standards; the quality and results of a bank's own process for
determining whether capital is adequate (the ICAAP); and the bank's
risk-management processes, control structure, and other relevant
information relating to the bank's risk profile and capital level.\7\
This review is consistent with current supervisory practice, under
which the agencies assess a bank's overall capital adequacy through a
comprehensive evaluation of all relevant information.
---------------------------------------------------------------------------
\7\ See Part III, section 22(a)(1)-(3) of the advanced
approaches rule.
---------------------------------------------------------------------------
8. The supervisory review process assesses whether a bank has a
satisfactory process to determine that its overall capital is adequate,
and that the bank maintains adequate capital on an ongoing basis, as
underlying conditions change. For example, changes in a bank's risk
profile or in relevant capital measures are areas of particular focus
that are effectively addressed through the supervisory review process.
Generally, a bank should hold more capital for material increases in
risk that are not otherwise mitigated, unless the bank already holds
capital at a level exceeding what its internal processes and
supervisors would regard as adequate. Conversely, a bank may be able to
reduce overall capital (to a level still above regulatory minimums) if
the supervisory review supports the conclusion that the bank's inherent
risk has materially declined or that it has been appropriately
mitigated.
9. As a result of its comprehensive supervisory review, a bank's
primary Federal supervisor may take action if it is not satisfied that
capital is adequate. The primary Federal supervisor may require the
bank to take actions to address identified supervisory concerns, which
may include requiring the bank to hold additional capital to bring
[[Page 44624]]
capital to levels that the supervisor deems commensurate with the
bank's risk profile. In addition, the primary Federal supervisor may,
under its enforcement authority, require a bank to modify or enhance
risk-management and internal-control processes, reduce its exposure to
risk, or take any action deemed necessary to address identified
supervisory concerns.
Compliance With Regulatory Capital Requirements
10. In order to use the advanced approaches rule to calculate
minimum risk-based capital requirements, a bank must meet certain
process and systems requirements. As part of the supervisory review
process, the agencies will ensure that each bank meets these
requirements. The advanced approaches rule provides an explanation of
these qualification requirements for any systems and processes used.
11. A bank using the advanced approaches rule must comply with the
rule's qualification requirements for both initial and ongoing
qualification. A bank that falls out of compliance with the
qualification requirements would be required to establish a plan to
return to compliance that satisfies its primary Federal supervisor.
12. Supervisors will ensure that each bank using the advanced
approaches rule complies with the qualification requirements both at
the consolidated level and at any subsidiary bank that uses the
advanced approaches rule. Thus, each bank that applies the advanced
approaches rule must have appropriate risk-measurement and risk-
management processes and systems that meet the rule's qualification
requirements.
The ICAAP
13. The qualification requirements in the advanced approaches rule
state that ``a bank must have a rigorous process for assessing its
overall capital adequacy in relation to its risk profile and a
comprehensive strategy for maintaining an appropriate level of
capital.'' \8\ Because minimum risk-based capital requirements are
based on certain assumptions and address only a subset of risks faced
by an individual bank, each bank must conduct an internal assessment of
whether its capital is adequate, given its risk profile. A bank must
conduct this assessment, using the ICAAP, in addition to its
calculation of minimum risk-based capital requirements.\9\ Accordingly,
a bank's capital should exceed the level required by its minimum risk-
based capital requirements, and also should be adequate according to
its own ICAAP.
---------------------------------------------------------------------------
\8\ Part III, section 22(a) (1) of the advanced approaches rule.
\9\ Should the primary Federal supervisor exempt a bank from
application of the advanced approaches rule based upon a written
determination that the application of the rule is not appropriate in
light of the bank's asset size, level of complexity, risk profile,
or scope of operations, such exemption would likewise apply to the
advanced approaches requirement that the bank have an ICAAP, but
would not automatically exempt the bank from other regulatory
requirements or supervisory expectations to maintain a satisfactory
internal process to assess capital adequacy.
---------------------------------------------------------------------------
14. The fundamental objectives of a sound ICAAP are:
Identifying and measuring material risks;
Setting and assessing internal capital adequacy goals that
relate directly to risk; and
Ensuring the integrity of internal capital adequacy
assessments.
15. Assessing overall capital adequacy through the ICAAP requires
thorough identification of all material risks, measurement of those
that can be reliably quantified, and systematic assessment for the
limitations of minimum risk-based capital requirements. The ICAAP
should address the capital implications arising from both on- and off-
balance sheet positions, as well as from provisions of explicit or
implicit support. Material risks include those that in isolation do not
appear to be material at first, but when combined with other risks
could lead to material losses. In this manner, the ICAAP should
contribute broadly to the development of better risk management within
the organization at both the individual entity and consolidated levels.
16. Each bank implementing the advanced approaches rule should have
an ICAAP that is appropriate for its unique risk characteristics and
should not rely solely upon the assessment of capital adequacy at the
parent company level. This does not preclude the use of a consolidated
ICAAP as an important input to a subsidiary bank's own ICAAP, provided
that each entity's board and senior management ensure that the ICAAP is
appropriately modified to address the unique structural and operating
characteristics and risks of the subsidiary bank.
17. In general, the ICAAP will likely go beyond the assumptions
built into minimum risk-based capital requirements. However, in certain
instances a bank's ICAAP--when supported by proper justification and
evidence--may build upon and utilize the methods, practices, and
results it uses to determine minimum risk-based capital requirements.
For example, in developing the ICAAP, a bank may choose to use data,
ratings, or estimates from internal ratings-based approaches for credit
risk; or a bank may choose to use the advanced measurement approaches
as the basis for its internal assessment of operational risk.
Furthermore, although the ICAAP should be a distinct and comprehensive
process that produces its own capital measures, in some cases a bank
may be able to demonstrate that minimum risk-based capital measures
appropriately reflect certain aspects of a bank's risk profile and thus
are appropriate for use in its ICAAP.
18. The design and operation of any systems used to meet the ICAAP
requirements will likely differ, depending on the complexity of each
bank's operations and risk profile. Many banks employ ``economic
capital'' measures for some elements of risk management, such as limit
setting, or for evaluating performance or determining aggregate capital
needs.\10\ In some cases, economic capital measures may relate directly
to a bank's assessment of capital adequacy under the ICAAP; however, in
other cases, a bank may be using economic capital measures that are not
intended for capital adequacy assessments. In the latter case, a bank
does not necessarily need to change its existing process or systems,
but it may need to build upon or adjust its economic capital measures
for use in the ICAAP and the bank would have to demonstrate clearly how
it does so. Notably, economic capital is not the only means to meet the
ICAAP requirement. Regardless of the specific implementation method(s)
chosen, the bank's ICAAP should address the three ICAAP objectives
listed in paragraph 14.
---------------------------------------------------------------------------
\10\ The term ``economic capital'' generally refers to the
capital attributed to cover the economic effects of a bank's risk
taking activities. Within the banking industry, economic capital
takes on a variety of definitions and is applied in a number of ways
at the product, business-line, and consolidated institution level.
---------------------------------------------------------------------------
Identifying and Measuring Material Risks
19. The first objective of the ICAAP is to identify all material
risks. Risks that can be reliably measured and quantified should be
treated as rigorously as data and methods allow. The appropriate means
and methods to measure and quantify those material risks are likely to
vary across banks. The key point is for a bank to be able to identify
all material risks and measure those that can be reliably quantified in
order to determine how those risks affect the bank's overall capital
adequacy.
20. Some of the risks to which a bank may be exposed include credit
risk,
[[Page 44625]]
market risk, operational risk, interest rate risk in the banking book,
and liquidity risk (as outlined below).\11\ Other risks, such as
reputational risk, business or strategic risk, and country risk may
also be material for a bank and, in such cases, should be given equal
consideration to the more formally defined risk types.\12\
Additionally, if a bank employs risk mitigation techniques it should
understand the risk to be mitigated and the potential effects of that
mitigation (including enforceability and effectiveness).
---------------------------------------------------------------------------
\11\ Examination policies and procedures from each agency
provide extensive guidance on the major risk categories. A bank's
risk management processes, including its ICAAP, should be consistent
with each corresponding agency's existing body of guidance, as well
as with relevant interagency guidance.
\12\ For example, a bank may be engaged in businesses for which
periodic fluctuations in activity levels, combined with relatively
high fixed costs, have the potential to create unanticipated losses
that must be supported by adequate capital. Additionally, a bank
might be involved in strategic activities (such as expanding
business lines or engaging in acquisitions) that introduce
significant elements of risk and for which additional capital would
be appropriate.
---------------------------------------------------------------------------
Credit risk: A bank should have the ability to assess
credit risk at the portfolio level in addition to the exposure or
counterparty level. In making this assessment, the bank should be
particularly attentive to identifying any credit risk concentrations
and ensuring that their effects are adequately assessed. The bank
should consider the various types of dependence among exposures, and
the credit risk effects of extreme outcomes, stress events, and shocks
to assumptions about portfolio and exposure behavior. The bank also
should carefully assess concentrations in counterparty credit
exposures, including those that result from trading in less liquid
markets, and determine the effect that these exposures might have on
capital adequacy.
Market risk: A bank should be able to identify risks in
trading and capital markets activities resulting from a movement in
market prices and rates. This determination should consider factors
such as illiquidity of instruments, leverage, concentrated positions,
one-way markets, non-linear or deep out-of-the money option positions
as well as embedded optionality, and the potential for significant
shifts in correlations or other types of dependence structures.
Assessments that incorporate extreme events, idiosyncratic variations,
credit migrations or changes in credit spreads, defaults, and shocks
should also be tailored to capture key portfolio vulnerabilities.
Operational risk: A bank should be able to assess the
potential risks resulting from inadequate or failed internal processes,
people, and systems, as well as from events external to the bank.\13\
This assessment should include the effects of extreme events and shocks
relating to operational risk. Extreme events could include a
substantial or sudden increase in failed processes across business
units or a significant incidence of failed internal controls.
---------------------------------------------------------------------------
\13\ In many cases, a bank may capture legal risk within
operational risk. Regardless of whether it is classified as its own
risk type or included within another risk type, a bank should
understand the impact of legal risk on capital adequacy.
---------------------------------------------------------------------------
Interest rate risk in the banking book: A bank should
incorporate interest rate risk in the banking book into its assessment
of capital adequacy. In making this assessment, the bank should
identify the risks associated with changes in interest rates that
impact both on- and off-balance sheet exposures in the banking book
from a short- and long-term perspective. This might include the impact
of changes due to parallel yield curve shocks, yield curve twists,
yield curve inversions, changes in the adjustment of rates earned and
paid on different financial instruments with otherwise similar
repricing characteristics (basis risk), and other relevant scenarios
including some that incorporate stress events, extreme outcomes, and
shocks to assumptions. The bank should be able to support any
assumptions it has made with respect to the behavioral characteristics
of servicing rights, non-maturity deposits, positions subject to
prepayment risk, and other assets and liabilities, especially for those
exposures characterized by embedded optionality.
Liquidity risk: A bank should incorporate liquidity risk
into the assessment of its capital adequacy. A bank should evaluate
whether capital is adequate given its own funding liquidity profile and
given the liquidity of the markets in which it operates. This
assessment should incorporate various types of liquidity environments
and include an evaluation of the potential for a material disruption in
the sources of liquidity typically relied on by the bank as a result of
bank-specific as well as systemic events. A bank should consider the
capital adequacy implications of lacking a well-diversified funding
base, relying predominantly on wholesale credit markets for its
funding, or relying heavily on volatile funding sources. A bank
involved in securitization activities should consider the capital
adequacy implications of relying on market liquidity to distribute
warehoused assets, including the potential for disruptions that would
cause a bank to bring certain items onto its balance sheet. In its
assessment of the impact of liquidity risk on capital adequacy, the
bank should also challenge assumptions built into its definition of
liquid products.
The risk factors discussed above are not an exhaustive list of
those affecting any given bank. A well-developed ICAAP should include
an assessment of all relevant factors that present a material source of
risk to capital, and should account for concentrations within each risk
type.
21. A bank should assess whether its capital is sufficient to
absorb any losses that may arise from activities that expose the bank
to multiple risks within and across business lines or create
concentrations across risk types.\14\ A bank should recognize that
losses could arise in several risk dimensions at the same time,
stemming from the same event or a common set of factors. For example, a
localized natural disaster could generate losses from credit, market,
and operational risks. Additionally, the ICAAP should focus on any
complex activities that give rise to multiple risks, and to their
interaction. These activities can involve instruments that may be
complex, illiquid, or difficult to value. For example, securitization
activities expose a bank to a variety of risks that can affect capital
adequacy at the same time, including credit, market, liquidity, and
reputational risks; structured products can have multiple embedded
risks that interact in complex ways and can present losses in multiple
risk areas across different business lines at the same time. In
general, the ICAAP should include an assessment of the potential
effects of convergence of risks within and across business lines and
their combined impact on capital adequacy.
---------------------------------------------------------------------------
\14\ Concentrations may include exposures or groups of exposures
that have the potential to produce losses large enough to threaten
an institution's health or materially change its risk profile.
---------------------------------------------------------------------------
22. The ICAAP should take into consideration the linkage between
capital adequacy and damage or potential damage to a bank's reputation.
A bank might incur losses affecting capital adequacy because of damage
to its reputation, or the bank might incur losses trying to prevent or
mitigate damage to its reputation. In assessing the linkage between
reputational risk and capital adequacy, a bank should assess risks
associated with both on-balance sheet and off-balance sheet exposures
and activities, as well as risks associated with affiliates,
subsidiaries,
[[Page 44626]]
counterparties, clients, or other third parties. The assessment should
include activities for which the bank acts as a sponsor or advisor, and
cases in which the bank provides explicit or implicit support. A bank
should also assess the risk of having to assume the losses of a third
party to prevent or mitigate damage to the bank's reputation.
23. The bank's ICAAP should assess risks associated with new
products, markets and activities. In making this assessment, the bank
should account for any uncertainty in the valuation of new products,
whether by the bank or a third party, which could be more challenging
if the new products are particularly complex or do not have liquid
markets. The ICAAP should take into consideration changing dynamics in
markets for new products and uncertainty as to how new markets might
respond to stress conditions. The ICAAP should also assess the
challenges presented by new business lines or strategic acquisitions in
terms of their impact on capital adequacy.
24. All measurements of risk should incorporate both quantitative
and qualitative elements. Generally, a quantitative approach should
form the foundation of a bank's measurement framework. Quantitative
approaches that focus on most likely outcomes for budgeting,
forecasting, or performance measurement purposes may not be fully
applicable for assessing capital adequacy, which also should take less
likely outcomes into account.
25. In some cases, quantitative tools can include the use of large
historical databases. These databases are most applicable when they are
fully reflective of all relevant risk characteristics, incorporate
appropriate variability, and have adequate granularity and history; for
example, they should include data based not just on benign but also
more stressful economic periods or operating environments. When
internal data are not available or do not reflect a bank's risk
profile, a bank may rely on external data for risk measurements, but
should ensure that external data have applicability to the bank's own
activities and risk profile.
26. The confidence a bank places in the results of its ICAAP should
depend on the quality and robustness of the associated risk
assessments. When measuring risks, a bank should understand that
estimation and measurement errors are common, and in many cases are
themselves difficult to quantify. In general, the bank's ICAAP should
reflect an appropriate level of conservatism to account for uncertainty
in risk identification, risk mitigation or control, and risk
quantification. In most cases, appropriate conservatism will result in
greater capital needs.
27. In many cases, risk assessments may rely to a significant
degree on models that use both qualitative and quantitative inputs. The
use of models can enhance the ICAAP, but it can also introduce
challenges. Specifically, models may fail to work as intended or
expected, or they may be used inappropriately for purposes not
considered in their initial design. These concerns apply to models
purchased from third-party vendors, as well as to models that are
internally developed. A bank using models as part of the ICAAP should
recognize these possibilities and ensure that appropriate controls,
such as rigorous initial and ongoing validation and independent review,
are in place to mitigate and manage any risks related to model use. A
bank should apply appropriate conservatism to compensate for any risks
associated with models. Additional conservatism may be necessary to
account for any uncertainties in the use of models to value on- or off-
balance sheet exposures or for imperfections and volatility in market-
based valuations. Additional conservatism may be necessary to
compensate for increased risk, for example, when models or applications
are more complex, or when they have a more significant influence on the
ICAAP's results.
28. To gain a fuller understanding of the risks beyond more typical
quantitative measures--such as those based on certain parameter
behavior or distributional assumptions--a bank should also rely on
other types of quantitative exercises. For example, stress testing,
including scenario analysis and sensitivity analysis, is an additional
quantitative exercise that a bank should regularly apply to complement
more typical quantitative measures. A bank may need to rely more
heavily on such exercises when internal or demonstrably relevant
external data are scarce. These exercises can help gauge the
consequences of outcomes that are unlikely, but would have a
considerable impact on safety and soundness.
29. In addition to quantitative approaches for assessing risk, a
bank should also employ qualitative approaches that incorporate
management experience and judgment. Qualitative measures should be
employed not only for those cases in which scarce data or unproven
quantitative methods limit a full assessment of risk, but also more
generally to complement even sophisticated quantitative estimates based
on extensive and high-quality data.
30. A bank should be cognizant that both quantitative and
qualitative approaches have their own inherent biases and assumptions
that affect risk assessment. Accordingly, a bank should recognize the
biases and assumptions embedded in, and the limitations of, the
approaches used.
31. An effective ICAAP is comprehensive, assessing material risks
across the entire bank. Each bank should have systems capable of
aggregating across risk types. A bank should understand the challenges
presented by risk aggregation and the inherent uncertainty in
quantitative estimates used to aggregate risks (including the
difficulty in estimating concentrations across risk types as noted in
paragraph 21). For example, a bank is encouraged to consider the
various interdependencies among risk types, the different techniques
used to identify such interdependencies, and the channels through which
those interdependencies might arise--across risk types, within the same
business line, and across different business lines. Consistent with
paragraph 26, any associated uncertainty in aggregating capital
estimates across risk types and business lines should translate into
greater capital needs.
32. Management should be systematic and rigorous in considering
possible effects of diversification. Assumptions about diversification
should be identified at each level where diversification is recognized,
supported by analysis and evidence, and remain robust over time and
under different market environments, including stressed market
conditions. For example, a bank calculating the dependence structure
within or among risk types should consider data quality and
consistency, such as the volatility of correlations over time and
during periods of market stress. In general, a bank should consider a
wide range of possible adverse outcomes that have the potential to
affect multiple risks at the same time and to limit expected
diversification benefits. Consistent with paragraph 26, uncertainty in
diversification estimates should translate into greater capital needs.
Setting and Assessing Capital Adequacy Goals That Relate to Risk
33. The second objective of the ICAAP is to set and assess capital
adequacy goals in relation to all material risks. Under this objective,
a bank should have a well-defined process to translate estimates of
risk into an assessment of capital adequacy. In practice, capital
[[Page 44627]]
adequacy goals may be reflected in various ways. A bank may choose to
hold capital in excess of the level internal processes would regard as
adequate for any number of business or strategic reasons. Excess
capital may fluctuate over time. Each bank should recognize that
minimum risk-based capital requirements represent a floor below which
the bank's overall capital level must not fall, even if bank management
believes that there is justification to maintain less capital.
34. A bank may establish its risk-tolerance level to reflect a
desired level of risk coverage and/or a certain degree of
creditworthiness, such as an explicit solvency standard. Accordingly,
assessments of risk and capital adequacy should reflect the chosen risk
tolerance of the bank. Because risk profiles and choices of risk
tolerance may differ across banks, capital targets may also differ.
However, if for internal capital adequacy purposes a bank were to
choose to apply a level of risk coverage or a solvency standard that is
less than that implied by minimum risk-based capital requirements, the
bank would have to be able to: Identify and support the rationale for a
lower solvency standard; demonstrate clearly that its ICAAP adequately
addresses low-probability, high-severity events; and ensure that there
is sufficient capital to absorb losses associated with such extreme
events. Regardless of the solvency standard used, supervisors expect
banks to hold capital at a level above that established by minimum
risk-based capital requirements.
35. A bank should consider external conditions and other factors
that influence its overall capital adequacy, including the potential
impact of contingent exposures and changing economic and financial
environments. The ICAAP should address the potential impact of broader
market or systemic events, which could cause risk to increase beyond
the bank's chosen risk-tolerance level, and have appropriate
contingency plans for such outcomes. Such exercises may include stress
testing, such as scenario and sensitivity analysis; however, in all
cases they should incorporate both quantitative and qualitative
methods.\15\
---------------------------------------------------------------------------
\15\ The use of stress testing in identifying and measuring risk
exposures and assessing capital adequacy in the ICAAP is not the
same as the Pillar 1 stress testing requirement related to minimum
risk-based capital requirements and qualification requirements (as
described in the advanced approaches rule). The stress testing
encouraged in the ICAAP guidance is intended to focus on overall
capital needs and their possible fluctuations, not just fluctuations
in minimum risk-based capital requirements. However, work conducted
to meet the stress testing requirement under Pillar 1 may have
application to or may provide a starting point for any stress
testing banks decide to conduct as part of the ICAAP.
---------------------------------------------------------------------------
36. Through the ICAAP, a bank should ensure that adequate capital
is held against all material risks, and that capital remains adequate
not just at a point in time, but over time, to account for changes in a
bank's strategic direction, evolving economic conditions, and
volatility in the financial environment. A bank should be cognizant of
the impact of market-driven valuations on the volatility of capital.
Moreover, recognizing the sensitivity of capital to economic and
financial cycles should be a critical component of a bank's planning
for current and future capital needs. For example, a bank should
consider the potential effects of a sudden, sustained economic
downturn. The level of capital deemed adequate by a bank given its
ICAAP might also be influenced by the bank's intention to hold
additional capital to mitigate the impact of volatility in capital
requirements, its need to support acquisition plans, or its decision to
accommodate market perceptions of capital adequacy and their impact on
funding costs.
37. In analyzing capital adequacy, a bank should evaluate the
capacity of its capital to absorb losses. Because various definitions
of capital are used within the banking industry, each bank should state
clearly the definition of capital used in any aspect of its ICAAP.
Since components of capital are not necessarily alike and have varying
capacities to absorb losses, a bank should be able to demonstrate the
relationship between its internal capital definition and its assessment
of capital adequacy. If a bank's definition of capital differs from the
regulatory definition, the bank should reconcile such differences and
provide an analysis to support the inclusion of any capital instruments
that are not recognized under the regulatory definition. Although
common equity is generally the predominant component of a bank's
capital structure, a bank may be able to support the inclusion of other
capital instruments in its internal definition of capital if it can
demonstrate a similar capacity to absorb losses. The bank should
document any changes in its internal definition of capital, and the
reason for those changes.
38. An effective capital plan recognizes a bank's short- and long-
term capital needs and objectives. Accordingly, a bank should evaluate
whether long-run capital targets are consistent with short-run goals,
based on current and planned changes in risk profiles. In developing
its capital plan, the bank also should recognize that accommodating
additional capital needs can require significant lead time, can be
costly, or can be quite difficult, especially during downturns or other
times of stress. A bank should have contingency plans to address
unexpected capital needs.
Ensuring Integrity of Internal Capital Adequacy Assessments
39. A satisfactory ICAAP comprises a complete process with proper
oversight and controls, and not just an ability to carry out certain
capital calculations. The various elements of a bank's ICAAP should
complement and reinforce one another to achieve the overall objective
of assessing capital adequacy, taking into account the bank's risk
profile.
40. A bank should maintain adequate internal controls to ensure the
integrity, objectivity, and consistent application of the ICAAP.
Decisions regarding the design and operation of the ICAAP should
reflect sound risk management, and should not be unduly influenced by
competing business objectives. A bank should identify any deficiencies
in its ICAAP and plan and take remedial actions to address the
deficiencies in a timely manner. The principles underlying a bank's
ICAAP should be incorporated into policies that are reviewed and
approved at appropriate levels within the organization.
41. A bank should maintain thorough documentation of its ICAAP to
ensure transparency. At a minimum, this should include a description of
the bank's overall capital-management process, including the committees
and individuals responsible for the ICAAP; the frequency and
distribution of ICAAP-related reporting; and the procedures for the
periodic evaluation of the appropriateness and adequacy of the ICAAP.
In addition, where applicable, ICAAP documentation should demonstrate
the bank's sound use of quantitative methods (including model selection
and limitations) and data-selection techniques, as well as appropriate
maintenance, controls, and validation. A bank should document and
explain the role of third-party and vendor products, services and
information--including methodologies, model inputs, systems, data, and
ratings--and the extent to which they are used within the ICAAP. A bank
should have a process to regularly evaluate the performance of third-
party and vendor products, services and information. As part of the
ICAAP documentation, a bank should document the assumptions, methods,
[[Page 44628]]
data, information, and judgment used in its quantitative and
qualitative approaches.
42. The ICAAP should be enhanced and refined over time, with
learning and experience (both quantitative and qualitative)
contributing to its improvement. The ICAAP should evolve with changes
in the risk profile and activities of the bank, as well as with
advances in risk measurement and management practices. For example, a
bank should incorporate in its ICAAP the introduction of new products
and business lines and activities to ensure that the bank's capital
plan is responsive to changes in the operational and/or business
environment.
43. The board of directors and senior management have certain
responsibilities in developing, implementing, and overseeing the ICAAP.
The board should approve the ICAAP and its components. The board or its
appropriately delegated agent should review the ICAAP and its
components on a regular basis, and approve any revisions. That review
should encompass the effectiveness of the ICAAP, the appropriateness of
risk tolerance levels and capital planning, and the strength of control
infrastructures. Senior management should continually ensure that the
ICAAP is functioning effectively and as intended, under a formal review
policy that is explicit and well documented. Additionally, a bank's
internal audit function should play a key role in reviewing the
controls and governance surrounding the ICAAP on an ongoing basis.
44. Each bank should ensure that the components of its ICAAP,
including any models and their inputs, are subject to the bank's
validation policies and procedures. Validation should be independent of
the development, implementation, and operation of the ICAAP components,
or the validation process should be subject to an independent review of
its adequacy and effectiveness. Validation is generally defined as an
ongoing process that includes, but is not limited to, the collection
and review of developmental evidence, process verification,
benchmarking, outcomes analysis, and monitoring activities used to
confirm that processes are operating as designed. Validation policies
and procedures should reflect the bank's business, structure, and
sophistication, as well as the relative importance of each component of
the ICAAP. Accordingly, a bank is encouraged to consult the agencies'
existing guidance on validation.
45. A bank's ICAAP should be aligned with and be a part of the
bank's wider internal governance structure and overall risk-management
processes. The ICAAP should not be viewed as simply a compliance
exercise. Rather, it is a dynamic and evolving process that is used by
a bank to provide internal assurance that capital is adequate given the
bank's risk profile. Management is responsible for ensuring that the
ICAAP is fully consistent with the overall risk management framework of
the bank. Information derived through the ICAAP process should
influence decision making at both the consolidated and individual
business-line levels, and be used to inform other management processes
related to risk assessment, business planning and forecasting, pricing
strategies, and performance measurement.
46. As part of the ICAAP, the board or its delegated agent, as well
as appropriate senior management, should periodically review the
resulting assessment of overall capital adequacy. This review, which
should occur at least annually, should include an analysis of how
measures of internal capital adequacy compare with other capital
measures (such as regulatory, accounting-based or market-determined).
Upon completion of this review, the board or its delegated agent should
determine that, consistent with safety and soundness, the bank's
capital takes into account all material risks and is appropriate for
its risk profile. However, in the event a capital deficiency is
uncovered (that is, if capital is not consistent with the bank's risk
profile or risk tolerance) management should consult and adhere to
formal procedures to correct the capital deficiency.
Dated: July 14, 2008.
John C. Dugan,
Comptroller of the Currency.
By order of the Board of Governors of the Federal Reserve
System, July 15, 2008.
Jennifer J. Johnson,
Secretary of the Board.
Dated at Washington, DC, the 15th day of July, 2008.
By order of the Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
Dated: July 14, 2008.
By the Office of Thrift Supervision.
John M. Reich,
Director.
[FR Doc. E8-17555 Filed 7-30-08; 8:45 am]
BILLING CODE 4810-33-P, 6210-01-P, 6714-01-P, 6720-01-P