[Federal Register Volume 68, Number 149 (Monday, August 4, 2003)]
[Notices]
[Pages 45949-45988]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-18976]



  Federal Register / Vol. 68, No. 149 / Monday, August 4, 2003 / 
Notices  

[[Page 45949]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

[Docket No. 03-15]

FEDERAL RESERVE SYSTEM

[Docket No. OP-1153]

FEDERAL DEPOSIT INSURANCE CORPORATION

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

[No. 2003-28]


Internal Ratings-Based Systems for Corporate Credit and 
Operational Risk Advanced Measurement Approaches for Regulatory Capital

AGENCIES: Office of the Comptroller of the Currency (OCC), Treasury; 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision 
(OTS), Treasury.

ACTION: Draft supervisory guidance with request for comment.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, and OTS (the Agencies) are publishing 
for industry comment two documents that set forth draft supervisory 
guidance for implementing proposed revisions to the risk-based capital 
standards in the United States. These proposed revisions, which would 
implement the New Basel Capital Accord in the United States, are 
published as an advance notice of proposed rulemaking (ANPR) elsewhere 
in today's Federal Register. Under the advanced approaches for credit 
and operational risk described in the ANPR, banking organizations would 
use internal estimates of certain risk components as key inputs in the 
determination of their regulatory capital requirements. The Agencies 
believe that supervisory guidance is necessary to balance the 
flexibility inherent in the advanced approaches with high standards 
that promote safety and soundness and encourage comparability across 
institutions.
    The first document sets forth Draft Supervisory Guidance on 
Internal Ratings-Based Systems for Corporate Credit (corporate IRB 
guidance). This document describes supervisory expectations for 
institutions that intend to adopt the advanced internal ratings-based 
approach (A-IRB) for credit risk as set forth in today's ANPR. The 
corporate IRB guidance is intended to provide supervisors and 
institutions with a clear description of the essential components and 
characteristics of an acceptable A-IRB framework. The guidance focuses 
specifically on corporate credit portfolios; further guidance is 
expected at a later date on other credit portfolios (including, for 
example, retail and commercial real estate portfolios).
    The second document sets forth Draft Supervisory Guidance on 
Operational Risk Advanced Measurement Approaches for Operational Risk 
(AMA guidance). This document outlines supervisory expectations for 
institutions that intend to adopt an advanced measurement approach 
(AMA) for operational risk as set forth in today's ANPR.
    The Agencies are seeking comments on the supervisory standards set 
forth in both documents. In addition to seeking comment on specific 
aspects of the supervisory guidance set forth in the documents, the 
Agencies are seeking comment on the extent to which the supervisory 
guidance strikes the appropriate balance between flexibility and 
specificity. Likewise, the Agencies are seeking comment on whether an 
appropriate balance has been struck between the regulatory requirements 
set forth in the ANPR and the supervisory standards set forth in these 
documents.

DATES: Comments must be received no later than November 3, 2003.

ADDRESSES: Comments should be directed to:
    OCC: Please direct your comments to: Office of the Comptroller of 
the Currency, 250 E Street, SW., Public Information Room, Mailstop 1-5, 
Washington, DC 20219, Attention: Docket No. 03-15; fax number (202) 
874-4448; or Internet address: [email protected]. Due to 
delays in paper mail delivery in the Washington area, we encourage the 
submission of comments by fax or e-mail whenever possible. Comments may 
be inspected and photocopied at the OCC's Public Information Room, 250 
E Street, SW., Washington, DC. You may make an appointment to inspect 
comments by calling (202) 874-5043.
    Board: Comments should refer to Docket No. OP-1153 and may be 
mailed to Ms. Jennifer J. Johnson, Secretary, Board of Governors of the 
Federal Reserve System, 20th Street and Constitution Avenue, NW., 
Washington, DC, 20551. However, because paper mail in the Washington 
area and at the Board of Governors is subject to delay, please consider 
submitting your comments by e-mail to [email protected], 
or faxing them to the Office of the Secretary at 202/452-3819 or 202/
452-3102. Members of the public may inspect comments in Room MP-500 of 
the Martin Building between 9 a.m. and 5 p.m. on weekdays pursuant to 
Sec.  261.12, except as provided in Sec.  261.14, of the Board's Rules 
Regarding Availability of Information, 12 CFR 261.12 and 261.14.
    FDIC: Written comments should be addressed to Robert E. Feldman, 
Executive Secretary, Attention: Comments, Federal Deposit Insurance 
Corporation, 550 17th Street, NW., Washington, DC, 20429. Commenters 
are encouraged to submit comments by facsimile transmission to (202) 
898-3838 or by electronic mail to Comments @FDIC.gov. Comments also may 
be hand-delivered to the guard station at the rear of the 550 17th 
Street Building (located on F Street) on business days between 8:30 
a.m. and 5 p.m. Comments may be inspected and photocopied at the FDIC's 
Public Information Center, Room 100, 801 17th Street, NW., Washington, 
DC between 9 a.m. and 4:30 p.m. on business days.
    OTS: Send comments to Regulation Comments, Chief Counsel's Office, 
Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, 
Attention: No. 2003-28. Delivery: Hand deliver comments to the Guard's 
desk, east lobby entrance, 1700 G Street, NW., from 9 a.m. to 4 p.m. on 
business days, Attention: Regulation Comments, Chief Counsel's Office, 
Attention: No. 2003-28. Facsimiles: Send facsimile transmissions to FAX 
Number (202) 906-6518, Attention: No 2003-28. e-mail: Send e-mails to 
[email protected], Attention: No. 2003-28, and include your 
name and telephone number. Due to temporary disruptions in mail service 
in the Washington, DC area, commenters are encouraged to send comments 
by fax or e-mail, if possible.

FOR FURTHER INFORMATION CONTACT:
    OCC: Corporate IRB guidance: Jim Vesely, National Bank Examiner, 
Large Bank Supervision (202/874-5170 or [email protected]); 
AMA guidance: Tanya Smith, Senior International Advisor, International 
Banking & Finance (202/874-4735 or [email protected]).
    Board: Corporate IRB guidance: David Palmer, Supervisory Financial 
Analyst, Division of Banking Supervision and Regulation (202/452-2904 
or [email protected]); AMA guidance: T. Kirk Odegard, Supervisory 
Financial Analyst, Division of Banking Supervision and Regulation (202/
530-6225 or [email protected]). For users of Telecommunications 
Device for

[[Page 45950]]

the Deaf (``TDD'') only, contact 202/263-4869.
    FDIC: Corporate IRB guidance and AMA guidance: Pete D. Hirsch, 
Basel Project Manager, Division of Supervision and Consumer Protection 
(202/898-6751 or [email protected]).
    OTS: Corporate IRB guidance and AMA guidance: Michael D. Solomon, 
Senior Program Manager for Capital Policy (202/906-5654); David W. 
Riley, Project Manager (202/906-6669), Supervision Policy; Teresa A. 
Scott, Counsel (Banking and Finance) (202/906-6478); or Eric 
Hirschhorn, Principal Financial Economist (202/906-7350), Regulations 
and Legislation Division, Office of the Chief Counsel, Office of Thrift 
Supervision, 1700 G Street, NW., Washington, DC 20552.

Document 1: Draft Supervisory Guidance on Internal Ratings-Based 
Systems for Corporate Credit

Table of Contents

I. Introduction
    A. Purpose
    B. Overview of Supervisory Expectations
    1. Ratings Assignment
    2. Quantification
    3. Data Maintenance
    4. Control and Oversight Mechanisms
    C. Scope of Guidance
    D. Timing
II. Ratings for IRB Systems
    A. Overview
    B. Credit Ratings
    1. Rating Assignment Techniques
    a. Expert Judgment
    b. Models
    c. Constrained Judgment
    C. IRB Ratings System Architecture
    1. Two-Dimensional Rating System
    a. Definition of Default
    b. Obligor Ratings
    c. Loss Severity Ratings
    2. Other Considerations of IRB Rating System Architecture
    a. Timeliness of Ratings
    b. Multiple Ratings Systems
    c. Recognition of the Risk Mitigation Benefits of Guarantees
    3. Validation Process
    a. Ratings System Developmental Evidence
    b. Ratings System Ongoing Validation
    c. Back Testing
III. Quantification of IRB Systems
    A. Introduction
    1. Stages of the Quantification Process
    2. General Principles for Sound IRB Quantification
    B. Probability of Default (PD)
    1. Data
    2. Estimation
    3. Mapping
    4. Application
    C. Loss Given Default (LGD)
    1. Data
    2. Estimation
    3. Mapping
    4. Application
    D. Exposure at Default (EAD)
    1. Data
    2. Estimation
    3. Mapping
    4. Application
    E. Maturity (M)
    F. Validation
Appendix to Part III: Illustrations of the Quantification Process
IV. Data Maintenance
    A. Overview
    B. Data Maintenance Framework
    1. Life Cycle Tracking
    2. Rating Assignment Data
    3. Example Data Elements
    C. Data Element Functions
    1. Validation and Refinement
    2. Developing Parameter Estimates
    3. Applying Rating System Improvements Historically
    4. Calculating Capital Ratios and Reporting to the Public
    5. Supporting Risk Management
    D. Managing data quality and integrity
    1. Documentation and Definitions
    2. Electronic Storage
    3. Data Gaps
V. Control and Oversight Mechanisms
    A. Overview
    B. Independence in the Rating Approval Process
    C. Transparency
    D. Accountability
    1. Responsibility for Assigning Ratings
    2. Responsibility for Rating System Performance
    E. Use of Ratings
    F. Rating System Review (RSR)
    G. Internal Audit
    1. External Audit
    H. Corporate Oversight

I. Introduction

A. Purpose

    This document describes supervisory expectations for banking 
organizations (institutions) adopting the advanced internal ratings-
based approach (IRB) for the determination of minimum regulatory risk-
based capital requirements. The focus of this guidance is corporate 
credit portfolios. Retail, commercial real estate, securitizations, and 
other portfolios will be the focus of later guidance. This draft 
guidance should be considered with the advance notice of proposed 
rulemaking (ANPR) on revisions to the risk-based capital standard 
published elsewhere in today's Federal Register.
    The primary objective of IRB is to enhance the sensitivity of 
regulatory capital requirements to credit risk. To accomplish that 
objective, IRB harnesses a bank's own risk rating and quantification 
capabilities. In general, the IRB approach reflects and extends recent 
developments in risk management and banking supervision. However, the 
degree to which any individual bank will need to modify its own credit 
risk management practices to deliver accurate and consistent IRB risk 
parameters will vary from institution to institution.
    This guidance is intended to provide supervisors and institutions 
with a clear description of the essential components and 
characteristics of an acceptable IRB framework. Toward that end, this 
document sets forth IRB system supervisory standards that are 
highlighted in bold and designated by the prefix ``S.'' Whenever 
possible, these supervisory standards are principle-based to enable 
institutions to implement the framework flexibly. However, when 
prudential concerns or the need for standardization override the desire 
for flexibility, the supervisory standards are more detailed. 
Ultimately, institutions must have credit risk management practices 
that are consistent with the substance and spirit of the standards in 
this guidance.
    The IRB conceptual framework outlined in this document is intended 
neither to dictate the precise manner by which institutions should seek 
to meet supervisory expectations, nor to provide technical guidance on 
how to develop such a framework. As institutions develop their IRB 
systems in anticipation of adopting them for regulatory capital 
purposes, supervisors will be evaluating, on an individual bank basis, 
the extent to which institutions meet the standards outlined in this 
document. In evaluating institutions, supervisors will rely on this 
supervisory guidance as well as examination procedures, which will be 
developed separately. This document assumes that readers are familiar 
with the proposed IRB approach to calculating minimum regulatory 
capital articulated in the ANPR.

B. Overview of Supervisory Expectations

    Rigorous credit risk measurement is a necessary element of advanced 
risk management. Qualifying institutions will use their internal rating 
systems to associate a probability of default (PD) with each obligor 
grade, as well as a loss given default (LGD) with each credit facility. 
In addition, institutions will estimate exposure at default (EAD) and 
will calculate the effective remaining maturity (M) of credit 
facilities.
    Qualifying institutions will be expected to have an IRB system 
consisting of four interdependent components:
    [sbull] A system that assigns ratings and validates their accuracy 
(Chapter 1),
    [sbull] A quantification process that translates risk ratings into 
IRB parameters (Chapter 2),
    [sbull] A data maintenance system that supports the IRB system 
(Chapter 3), and,

[[Page 45951]]

    [sbull] Oversight and control mechanisms that ensure the system is 
functioning as intended and producing accurate ratings (Chapter 4).
    Together these rating, quantification, data, and oversight 
mechanisms present a framework for defining and improving the 
evaluation of credit risk.
    It is expected that rating systems will operate dynamically. As 
ratings are assigned, quantified and used, estimates will be compared 
with actual results and data will be maintained and updated to support 
oversight and validation efforts and to better inform future estimates. 
The rating system review and internal audit functions will serve as 
control mechanisms that ensure that the process of ratings assignment 
and quantification function according to policy and design and that 
noncompliance and weaknesses are identified, communicated to senior 
management and the board, and addressed. Rating systems with 
appropriate data and oversight feedback mechanisms foster a learning 
environment that promotes integrity in the rating system and continuing 
refinement.
    IRB systems need the support and oversight of the board and senior 
management to ensure that the various components fit together 
seamlessly and that incentives to make the system rigorous extend 
across line, risk management, and other control groups. Without strong 
board and senior management support and involvement, rating systems are 
unlikely to provide accurate and consistent risk estimates during both 
good and bad times.
    The new regulatory minimum capital requirement is predicated on an 
institution's internal systems being sufficiently advanced to allow a 
full and accurate assessment of its risk exposures. Under the new 
framework, an institution could experience a considerable capital 
shortfall in the most difficult of times if its risk estimates are 
materially understated. Consequently, the IRB framework demands a 
greater level of validation work and controls than supervisors have 
required in the past. When properly implemented, the new framework 
holds the potential for better aligning minimum capital requirements 
with the risk taken, pushing capital requirements higher for 
institutions that specialize in riskier types of lending, and lower for 
those that specialize in safer risk exposures.
    Supervisors will evaluate compliance with the supervisory standards 
for each of the four components of an IRB system. However, evaluating 
compliance with each of the standards individually will not be 
sufficient to determine an institution's overall compliance. Rather, 
supervisors and institutions must also evaluate how well the various 
components of an institution's IRB system complement and reinforce one 
another to achieve the overall objective of accurate measures of risk. 
In performing their evaluation, supervisors will need to exercise 
considerable supervisory judgment, both in evaluating the individual 
components and the overall IRB framework. A summary of the key 
supervisory expectations for each of the IRB components follows.
Ratings Assignment
    The first component of an IRB system involves the assignment and 
validation of ratings (see Chapter 1). Ratings must be accurately and 
consistently applied to all corporate credit exposures and be subject 
to initial and ongoing validation. Institutions will have latitude in 
designing and operating IRB rating systems subject to five broad 
standards:
    Two-dimensional risk-rating system--IRB institutions must be able 
to make meaningful and consistent differentiations among credit 
exposures along two dimensions--obligor default risk and loss severity 
in the event of a default.
    Rank order risks--IRB institutions must rank obligors by their 
likelihood of default, and facilities by the loss severity expected in 
default.
    Calibration--IRB obligor ratings must be calibrated to values of 
the probability of default (PD) parameter and loss severity ratings 
must be calibrated to values of the loss given default (LGD) parameter.
    Accuracy--Actual long-run actual default frequencies for obligor 
rating grades must closely approximate the PDs assigned to those grades 
and realized loss rates on loss severity grades must closely 
approximate the LGDs assigned to those grades.
    Validation process--IRB institutions must have ongoing validation 
processes for rating systems that include the evaluation of 
developmental evidence, process verification, benchmarking, and the 
comparison of predicted parameter values to actual outcomes (back-
testing).
Quantification
    The second component of an IRB system is a quantification process 
(see Chapter 2). Since obligor and facility ratings may be assigned 
separately from the quantification of the associated PD and LGD 
parameters, quantification is addressed as a separate process. The 
quantification process must produce values not only for PD and LGD but 
also for EAD and for the effective remaining maturity (M). The 
quantification of those four parameters is expected to be the result of 
a disciplined process. The key considerations for effective 
quantification are as follows:
    Process--IRB institutions must have a fully specified process 
covering all aspects of quantification (reference data, estimation, 
mapping, and application).
    Documentation--The quantification process, including the role and 
scope of expert judgment, must be fully documented and updated 
periodically.
    Updating--Parameter estimates and related documentation must be 
updated regularly.
    Review--A bank must subject all aspects of the quantification 
process, including design and implementation, to an appropriate degree 
of independent review and validation.
    Constraints on Judgment--Judgmental adjustments may be an 
appropriate part of the quantification process, but must not be biased 
toward lower risk estimates.
    Conservatism--Parameter estimates must incorporate a degree of 
conservatism that is appropriate for the overall robustness of the 
quantification process.
Data Maintenance
    The third component of an IRB system is an advanced data management 
system that produces credible and reliable risk estimates (see Chapter 
3). The broad standard governing an IRB data maintenance system is that 
it supports the requirements for the other IRB system components, as 
well as the institution's broader risk management and reporting needs. 
Institutions will have latitude in managing their data, subject to the 
following key data maintenance standards:
    Life Cycle Tracking--Institutions must collect, maintain, and 
analyze essential data for obligors and facilities throughout the life 
and disposition of the credit exposure.
    Rating Assignment Data--Institutions must capture all significant 
quantitative and qualitative factors used to assign the obligor and 
loss severity rating.
    Support of IRB System--Data collected by institutions must be of 
sufficient depth, scope, and reliability to:
    [sbull] Validate IRB system processes,
    [sbull] Validate parameters,
    [sbull] Refine the IRB system,
    [sbull] Develop internal parameter estimates,
    [sbull] Apply improvements historically,
    [sbull] Calculate capital ratios,
    [sbull] Produce internal and public reports, and

[[Page 45952]]

    [sbull] Support risk management.
Control and Oversight Mechanisms
    The fourth component of an IRB system is comprised of control and 
oversight mechanisms that ensure that the various components of the IRB 
system are functioning as intended (see Chapter 4). Given the various 
uses of internal risk ratings, including their direct link to 
regulatory capital requirements, there is enormous, sometimes 
conflicting, pressure on banks' internal rating systems. Control 
structures are subject to the following broad standards:
    Interdependent System of Controls--IRB institutions must implement 
a system of interdependent controls that include the following 
elements:
    [sbull] Independence,
    [sbull] Transparency,
    [sbull] Accountability,
    [sbull] Use of ratings,
    [sbull] Rating system review,
    [sbull] Internal audit, and
    [sbull] Board and senior management oversight.
    Checks and Balances--Institutions must combine the various control 
mechanisms in a way that provides checks and balances for ensuring IRB 
system integrity.
    The system of oversight and controls required for an effective IRB 
system may operate in various ways within individual institutions. This 
guidance does not prescribe any particular organizational structure for 
IRB oversight and control mechanisms. Banks have broad latitude to 
implement structures that are most effective for their individual 
circumstances, as long as those structures support and enhance the 
institution's ability to satisfy the supervisory standards expressed in 
this document.

C. Scope of Guidance

    This draft guidance reflects work performed by supervisors to 
evaluate and compare current practices at institutions with the 
concepts and requirements for an IRB framework. For instances in which 
a range of practice was observable, examples are provided on how 
certain practices may or may not qualify. However, in many other 
instances, practices were at such an early stage of development that it 
was not feasible to describe specific examples. In those cases, 
requirements tend to be principle-based and without examples. Given 
that institutions are still in the early stages of developing 
qualifying IRB systems, it is expected that this guidance will evolve 
over time to more explicitly take into account new and improving 
practices.

D. Timing

    S. An IRB system must be operating fully at least one year prior to 
the institution's intended start date for the advanced approach.
    As noted in the ANPR, the significant challenge of implementing a 
fully complying IRB system requires that institutions and supervisors 
have sufficient time to observe whether the IRB system is delivering 
risk-based capital figures with a high level of integrity. The ability 
to observe the institution's ratings architecture, validation, data 
maintenance and control functions in a fully operating environment 
prior to implementation will help identify how well the IRB system 
design functions in practice. This will be particularly important given 
that in the first year of implementation institutions will not only be 
subject to the new minimum capital requirements, but will also be 
disclosing risk-based capital ratios for the public to rely upon in the 
assessment of the institution's financial health.

II. Ratings for IRB Systems

A. Overview

    This chapter describes the design and operation of risk-rating 
systems that will be acceptable in an internal ratings-based (IRB) 
framework. Banks will have latitude in designing and operating IRB 
rating systems, subject to five broad standards:
    Two-dimensional risk-rating system--IRB institutions must be able 
to make meaningful and consistent differentiations among credit 
exposures along two dimensions--obligor default risk and loss severity 
in the event of a default.
    Rank order risks--IRB institutions must rank obligors by their 
likelihood of default, and facilities by the loss severity expected in 
default.
    Calibration--IRB obligor ratings must be calibrated to values of 
the probability of default (PD) parameter and loss severity ratings 
must be calibrated to values of the loss given default (LGD) parameter.
    Accuracy--Actual long-run actual default frequencies for obligor 
rating grades must closely approximate the PDs assigned to those grades 
and actual loss rates on loss severity grades must closely approximate 
the LGDs assigned to those grades.
    Validation process--IRB institutions must have ongoing validation 
processes for rating systems that include the evaluation of 
developmental evidence, process verification, benchmarking, and the 
comparison of predicted parameter values to actual outcomes (back-
testing).

B. Credit Ratings

    In general, a credit rating is a summary indicator of the relative 
risk on a credit exposure. Credit ratings can take many forms. The most 
widely known credit ratings are the public agency ratings, which are 
expressed as letters; bank internal ratings tend to be expressed as 
whole numbers--for example, 1 through 10. Some rating model outputs are 
expressed in terms of probability of default or expected default 
frequency, in which case they may be more than relative measures of 
risk. Regardless of the form, meaningful credit ratings share two 
characteristics:
    [sbull] They group credits to discriminate among possible outcomes.
    [sbull] They rank the perceived levels of credit risk.
    Banks have used credit ratings of various types for a variety of 
purposes. Some ratings are intended to rank obligors by risk of default 
and some are intended to rank facilities\1\ by expected loss, which 
incorporates risk of default and loss severity. Bank rating systems 
that are geared solely to expected loss will need to be amended to meet 
the two-dimensional requirements of the IRB approach.
Rating Assignment Techniques
    Banks use different techniques, such as expert judgment and models, 
to assign credit risk ratings. For banks using the IRB approach, how 
ratings are assigned is important because different techniques will 
require different validation processes and control mechanisms to ensure 
the integrity of the rating system. To assist the discussion of rating 
architecture requirements, described below are some of the current 
rating assignment techniques. Any of these techniques--expert judgment, 
models, constrained judgment, or a combination thereof--could be 
acceptable within an IRB system, provided the bank meets the standards 
outlined in this document.
---------------------------------------------------------------------------

    \1\ Facilities--loans, lines, or other separate extensions of 
credit to an obligor.
---------------------------------------------------------------------------

Expert Judgment
    Historically, banks have used expert judgment to assign ratings to 
commercial credits. With this technique, an individual weighs relevant 
information and reaches a conclusion about the appropriate risk rating. 
Presumably, the rater makes informed judgments based on knowledge 
gained through experience and training.

[[Page 45953]]

    The key feature of expert-judgment systems is flexibility. The 
prevalence of judgmental rating systems reflects the view that the 
determinants of default are too complicated to be captured by a single 
quantitative model. The quality of management is often cited as an 
example of a risk determinant that is difficult to assess through a 
quantitative model. In order to foster internal consistency, banks 
employing expert judgment rating systems typically provide narrative 
guidelines that set out ratings criteria. However, the expert must 
decide how narrative guidelines apply to a given set of circumstances.
    The flexibility possible in the assignment of judgmental ratings 
has implications for the types of ratings review that are feasible. As 
part of the ratings validation process, banks will attempt to confirm 
that raters follow bank policy. However, two individuals exercising 
judgment can use the same information to support different ratings. 
Thus, the review of an expert judgment rating system will require an 
expert who can identify the impact of policy and the impact of judgment 
on a rating.
Models
    In recent years, models have been developed for use in rating 
commercial credits. In a model-based approach, inputs are numeric and 
provide quantitative and qualitative information about an obligor. The 
inputs are combined using mathematical equations to produce a number 
that is translated into a categorical rating. An important feature of 
models is that the rating is perfectly replicable by another party, 
given the same inputs.
    The models used in credit rating can be distinguished by the 
techniques used to develop them. Some models may rely on statistical 
techniques while others rely on expert-judgment techniques.
    Statistical models. Statistically developed models are the result 
of statistical optimization, in which well-defined mathematical 
criteria are used to choose the model that has the closest fit to the 
observed data. Numerous techniques can be used to build statistical 
models; regression is one widely recognized example. Regardless of the 
specific statistical technique, a knowledgeable independent reviewer 
will have to exercise judgment in evaluating the reasonableness of a 
model's development, including its underlying logic, the techniques 
used to handle the data, and the statistical model building techniques.
    Expert-derived models.\2\ Several banks have built rating models by 
asking their experts to decide what weights to assign to critical 
variables in the models. Drawing on their experience, the experts first 
identify the observable variables that affect the likelihood of 
default. They then reach agreement on the weights to be assigned to 
each of the variables. Unlike statistical optimization, the experts are 
not necessarily using clear, consistent criteria to select the weights 
attached to the variables. Indeed, expert-judgment model building is 
often a practical choice when there is not enough data to support a 
statistical model building. Despite its dependence on expert judgment, 
this method can be called model-based as long as the result--the 
equation, most likely with linear weights--is used as the basis to rate 
the credits. Once the equation is set, the model shares the feature of 
replicability with statistically derived models. Generally, independent 
credit experts use judgment to evaluate the reasonableness of the 
development of these models.
---------------------------------------------------------------------------

    \2\ Some banks have developed credit rating models that they 
refer to as ``scorecards,'' but they have used expert judgment to 
derive the weights. While they are models, they are not scoring 
models in the now conventional use of the term. In its conventional 
use, the term scoring model is reserved for a rating model derived 
using statistical techniques.
---------------------------------------------------------------------------

Constrained Judgment
    The alternatives just described present the extremes, but in 
practice, many banks use rating systems that combine models with 
judgment. Two approaches are common.
    Judgmental systems with quantitative guidelines or model results as 
inputs. Historically, the most common approach to rating has involved 
individuals exercising judgment about risks, subject to policy 
guidelines containing quantitative criteria such as minimum values for 
particular financial ratios. Banks develop quantitative criteria to 
guide individuals in assigning ratings, but often believe that those 
criteria do not adequately reflect the information needed to assign a 
rating.
    One version of this constrained judgment approach features a model 
output as one among several criteria that an individual may consider in 
assigning ratings. The individual assigning the rating is responsible 
for prioritizing the criteria, reconciling conflicts between criteria, 
and if warranted, overriding some criteria. Even if individuals 
incorporate model results as one of the factors in their ratings, they 
will exercise judgment in deciding what weight to attach to the model 
result. The appeal of this approach is that the model combines many 
pieces of information into a single output, which simplifies analysis, 
while the rater retains flexibility regarding the use of the model 
output.
    Model-based ratings with judgmental overrides. When banks use 
rating models, individuals are generally permitted to override the 
results under certain conditions and within tolerance levels for 
frequency. Credit-rating systems in which individuals can override 
models raise many of the same issues presented separately by pure 
judgment and model-based systems. If overrides are rare, the system can 
be evaluated largely as if it is a model-based system. If, however, 
overrides are prevalent, the system will be evaluated more like a 
judgmental system.
    Since constrained judgment systems combine features of both expert 
judgment and model-based systems, their evaluation will require the 
skills required to evaluate both of these other systems.

C. IRB Ratings System Architecture

Two-Dimensional Rating System
    S. IRB risk rating systems must have two rating dimensions--obligor 
and loss severity ratings.
    S. IRB obligor and loss severity ratings must be calibrated to 
values of the probability of default (PD) and the loss given default 
(LGD), respectively.
    Regardless of the type of rating system(s) used by an institution, 
the IRB approach imposes some specific requirements. The first 
requirement is that an IRB rating system must be two-dimensional. Banks 
will assign obligor ratings, which will be associated with a PD. They 
will also either assign a loss severity rating, which will be 
associated with LGD values, or directly assign LGD values to each 
facility. The process of assigning the obligor and loss severity 
ratings--hereafter referred to as the rating system--is discussed 
below, and the process of calibrating obligor and loss severity ratings 
to PD and LGD parameters is discussed in Chapter 2.
    S. Banks must record obligor defaults in accordance with the IRB 
definition of default.
Definition of Default
    The consistent identification of defaults is fundamental to any IRB 
rating system. For IRB purposes, a default is considered to have 
occurred with regard to a particular obligor when either or both of the 
two following events have taken place:
    [sbull] The obligor is past due more than 90 days on any material 
credit

[[Page 45954]]

obligation to the banking group. Overdrafts will be considered as being 
past due once the customer has breached an advised limit or been 
advised of a limit smaller than current outstandings.
    [sbull] The bank considers that the obligor is unlikely to pay its 
credit obligations to the banking group in full, without recourse by 
the bank to actions such as liquidating collateral (if held).
    Any obligor (or its underlying credit facilities) that meets one or 
more of the following conditions is considered unlikely to pay and 
therefore in default:
    [sbull] The bank puts the credit obligation on non-accrual status.
    [sbull] The bank makes a charge-off or account-specific provision 
resulting from a significant perceived decline in credit quality 
subsequent to the bank taking on the exposure.
    [sbull] The bank sells the credit obligation at a material credit-
related economic loss.
    [sbull] The bank consents to a distressed restructuring of the 
credit obligation where this is likely to result in a diminished 
financial obligation caused by the material forgiveness, or 
postponement, of principal, interest or (where relevant) fees.
    [sbull] The bank has filed for the obligor's bankruptcy or a 
similar order in respect of the obligor's credit obligation to the 
banking group.
    [sbull] The obligor has sought or has been placed in bankruptcy or 
similar protection where this would avoid or delay repayment of the 
credit obligation to the banking group.
    While most conditions of default currently are identified by bank 
reporting systems, institutions will need to augment data capture 
systems to collect those default circumstances that may not have been 
traditionally identified. These include facilities that are current and 
still accruing but where the obligor declared or was placed in 
bankruptcy. They must also capture so called ``silent defaults''--
defaults when the loss on a facility was avoided by liquidating 
collateral.
    Loan sales on which a bank experiences a material loss due to 
credit deterioration are considered a default. Material credit related 
losses are defined as XX. (The agencies seek comment on how to define 
``material'' loss in the case of loans sold at a discount). Banks 
should ensure that they have adequate systems to identify such 
transactions and to maintain adequate records so that reviewers can 
assess the adequacy of the institution's decision-making process in 
this area.
Obligor Ratings
    S. Banks must assign discrete obligor grades.
    While banks may use models to estimate probabilities of default for 
individual obligors, the IRB approach requires banks to group the 
obligors into discrete grades. Each obligor grade, in turn, must be 
associated with a single PD.
    S. The obligor-rating system must result in a ranking of obligors 
by likelihood of default.
    The proper operation of the obligor-rating system will feature a 
ranking of obligors by likelihood of default. For example, if a bank 
uses a rating system based on a 10-point scale, with 1 representing 
obligors of highest financial strength and 10 representing defaulted 
obligors, grades 2 through 9 should represent groups of ever-increasing 
risk. In a rating system in which risk increases with the grade, an 
obligor with a grade 4 is riskier than an obligor with a grade 2, but 
need not be twice as risky.
    S. Separate exposures to the same obligor must be assigned to the 
same obligor rating grade.
    As noted above, the IRB framework requires that the obligor rating 
be distinct from the loss severity rating, which is assigned to the 
facility. Collateral and other facility characteristics should not 
influence the obligor rating. For example, in a 1-to-10 rating system, 
where risk increases with the number grade, a defaulted borrower with a 
fully cash-secured transaction should be rated a 10--defaulted--
regardless of the remote expectation of loss. Likewise, a borrower 
whose financial condition warrants the highest investment grade rating 
should be rated a 1 even if the bank's transactions are subordinate to 
other creditors and unsecured. Since the rating is assigned to the 
obligor and not the facility, separate exposures to the same obligor 
must be assigned to the same obligor rating grade.
    At the bottom of any IRB system rating scale is a default grade. 
Once an obligor is considered to be in default for IRB purposes, that 
obligor must be assigned a default grade until such time as its 
financial condition and performance improve sufficiently to clearly 
meet the bank's internal rating definition for one of its non-default 
grades. Once an obligor is in default on any material credit obligation 
to the subject bank, all of its facilities at that institution are 
considered to be in default.
    S. In assigning an obligor to a rating category, the bank must 
assess the risk of obligor default over a period of at least one year.
    S. Obligor ratings must reflect the impact of financial distress.
    In assigning an obligor to a rating category, the bank must assess 
the risk of obligor default over a period of at least one year. This 
use of a one-year assessment horizon does not mean that a bank should 
limit its consideration to outcomes for that obligor that are most 
likely over that year; the rating must take into account possible 
adverse events that might increase an obligor's likelihood of default.
Rating Philosophy--Decisions Underlying Ratings Architecture
    S. Banks must adopt a ratings philosophy. Policy guidelines should 
describe the ratings philosophy, particularly how quickly ratings are 
expected to migrate in response to economic cycles.
    S. A bank's capital management policy must be consistent with its 
ratings philosophy in order to avoid capital shortfalls in times of 
systematic economic stress.
    In the IRB framework, banks assign obligors to groups that are 
expected to share common default frequencies. That general description, 
however, still leaves open different possible implementations, 
depending on how the bank defines the set of possible adverse events 
that the obligor might face. A bank must decide whether obligors are 
grouped by expected common default frequency over the next year (a so-
called point-in-time rating system) or by an expected common default 
frequency over a wider range of possible stress outcomes (a so-called 
through-the-cycle rating system). Choosing between a point-in-time 
system and a through-the-cycle system yields a rating philosophy.
    In point in time rating systems, obligors are assigned to groups 
that are expected to share a common default frequency in a particular 
year. Point-in-time ratings change from year to year as borrowers' 
circumstances change, including changes due to the economic 
possibilities faced by the borrowers. Since the economic circumstances 
of many borrowers reflect the common impact of the general economic 
environment, the transitions in point-in-time ratings will reflect that 
systematic influence. A Merton-style probability of default prediction 
model is commonly believed to be an example of a point-in-time approach 
to rating (although that may depend on the specific implementation of 
the model).
    Through-the-cycle rating systems do not ask the question, what is 
the probability of default over the next year.

[[Page 45955]]

Instead, they assign obligors to groups that would be expected to share 
a common default frequency if the borrowers in them were to experience 
distress, regardless of whether that distress is in the next year. 
Thus, as the descriptive title suggests, this rating philosophy 
abstracts from the near-term economic possibilities and considers a 
richer assessment of the possibilities. Like point-in-time ratings, 
through the cycle ratings will change from year to year due to changes 
in borrower circumstance. However, since this rating philosophy 
abstracts from the immediate economic circumstance and considers the 
implications of hypothetical stress circumstances, year to year 
transitions in ratings will be less influenced by changes in the actual 
economic environment. The ratings agencies are commonly believed to use 
through-the-cycle rating approaches.
    Current practice in many banks in the U.S. is to rate obligors 
using an approach that combines aspects of both point-in-time and 
through the cycle approaches. The explanation provided by banks that 
combine those approaches is that they want rating transitions to 
reflect the directional impact of changes in the economic environment, 
but that they do not want all of the volatility in ratings associated 
with a point-in-time approach.
    Regardless of which ratings philosophy a bank chooses, an IRB bank 
must articulate clearly its approach and the implications of that 
choice. As part of the choice of rating philosophy, the bank must 
decide whether the same ratings philosophy will be employed for all of 
the bank's portfolios. And management must articulate the implications 
that the bank's ratings philosophy has on the bank's capital planning 
process. If a bank chooses a ratings philosophy that is likely to 
result in ratings transitions that reflect the impact of the economic 
cycle, its capital management policy must be designed to avoid capital 
shortfalls in times of systematic economic stress.
Obligor-Rating Granularity
    S. An institution must have at least seven obligor grades that 
contain only non-defaulted borrowers and at least one grade to which 
only defaulted borrowers are assigned.
    The number of grades used in a rating system should be sufficient 
to reasonably ensure that management can meaningfully differentiate 
risk in the portfolio, without being so large that it limits the 
practical use of the rating system. To determine the appropriate number 
of grades beyond the minimum seven non-default grades, each institution 
must perform its own internal analysis.
    S. An institution must justify the number of obligor grades used in 
its rating system and the distribution of obligors across those grades.
    The mere existence of an exposure concentration in a grade (or 
grades) does not, by itself, reflect weakness in a rating system. For 
example, banks may focus on a particular type of lending, such as 
asset-based lending, in which the borrowers may have similar default 
risk. Banks with such focused lending activities may use close to the 
minimum number of obligor grades, while banks with a broad range of 
lending activities should have more grades. However, banks with a high 
concentration of obligors in a particular grade are expected to perform 
a thorough analysis that supports such a concentration.
    A significant concentration within an obligor grade may be 
suspected if the financial strength of the borrowers within that grade 
varies considerably. If obligors seem unduly concentrated, then 
management should ask themselves the following questions:
    [sbull] Are the criteria for each grade clear? Those rating 
criteria may be too vague to allow raters to make clear distinctions. 
Ambiguity may be an issue throughout the rating scale or it may be 
limited to the most commonly used ratings.
    [sbull] How diverse are the obligors? That is how many market 
segments (for example, large commercial, middle market, private 
banking, small business, geography, etc.) are significantly represented 
in the bank's borrower population? If a bank's commercial loan 
portfolio is not concentrated in one market segment, its risk rating 
distribution is not likely to be concentrated.
    [sbull] How broad are the bank's internal rating categories 
compared to those of other lenders? The bank may be able to learn 
enough from publicly available information to adjust its rating 
criteria.
    Some banks use ``modifiers'' to provide more risk differentiation 
to a given rating system. A risk rating modified with a plus, minus or 
other indicator does not constitute a separate grade unless the bank 
has developed a distinct rating definition and criteria for the 
modified grade. In the absence of such distinctions, grades such as 5, 
5+, and 5- are viewed as a single grade for regulatory capital purposes 
regardless of the existence of the modifiers.
Loss Severity Ratings
    S. Banks must rank facilities by the expected severity of the loss 
upon default.
    The second dimension of an IRB system is the loss severity rating, 
which is calibrated to LGD. A facility's LGD estimate is the loss the 
bank is likely to incur in the event that the obligor defaults, and is 
expressed as a percentage of exposure at the time of default. LGD 
estimates can be assigned either through the use of a loss severity 
rating system or they can be directly assigned to each facility.
    LGD analysis is still in very early stages of development relative 
to default risk modeling. Academic research in this area is relatively 
sparse, data are not abundant, and industry practice is still widely 
varying and evolving. Given the lack of data and the lack of research 
into LGD modeling, some banks are likely, as a first step, to segment 
their portfolios by a handful of available characteristics and 
determine the appropriate LGDs for those segments. Over time, banks' 
LGD methodologies are expected to evolve. Long-standing banking 
experience and existing research on LGD, while preliminary, suggests 
that collateral values, seniority, industry, etc. are predictive of 
loss severity.
    S. Banks must have empirical support for LGD rating systems 
regardless of whether they use an LGD grading system or directly assign 
LGD estimates.
    Whether a bank chooses to assign LGD values directly or, 
alternatively, to rate facilities and then quantify the LGD for the 
rating grades, the key requirement is that it will need to identify 
facility characteristics that influence LGD. Each of the loss severity 
rating categories must be associated with an empirically supported LGD 
estimate. In much the same way an obligor-rating system ranks exposures 
by the probability of default, a facility rating system must rank 
facilities by the likely loss severity.
    Regardless of the method used to assign LGDs (loss severity grades 
or direct LGD estimation), data used to support the methodology must be 
gathered systematically. For many banks, the quality and quantity of 
data available to support the LGD estimation process will have an 
influence on the method they choose.
Stress Condition LGDs
    S. Loss severity ratings must reflect losses expected during 
periods with a relatively high number of defaults.
    Like obligor ratings, which group obligors by expected default 
frequency, loss severity ratings assign facilities to groups that are 
expected to experience a common loss severity. However, the different 
treatment accorded to PD and LGD in the model used to calculate IRB 
capital requirements mandates an

[[Page 45956]]

asymmetric treatment of obligor and loss severity ratings. Obligor 
ratings assign obligors to groups that are expected to experience 
common default frequencies across a number of years, some of which are 
years of general economic stress and some of which are not. In 
contrast, loss severity ratings (or estimates) must pertain to losses 
expected during periods with a high number of defaults--particular 
years that can be called stress conditions. For cases in which loss 
severities do not have a material degree of cyclical variability, use 
of a long-run default weighted average is appropriate, although stress 
condition LGD generally exceeds these averages.
Loss Severity Rating/LGD Granularity
    S. Banks must have a sufficiently fine loss severity grading system 
or prediction model to avoid grouping facilities with widely varying 
LGDs together.
    While there is no stated minimum number of loss severity grades, 
the systems that provide LGD estimates must be flexible enough to 
adequately segment facilities with significantly varying LGDs. Banks 
should have a sufficiently fine LGD grading system or LGD prediction 
model to avoid grouping facilities with widely varying LGDs together. 
For example, a bank using a loss severity rating-scale approach that 
has credit products with a variety of collateral packages or financing 
structures would be expected to have more LGD grades than those 
institutions with fewer options in their credit products.
Other Considerations of IRB Rating System Architecture
Timeliness of Ratings
    S. All risk ratings must be updated whenever new relevant 
information is received, but must be updated at least annually.
    A bank must have a policy that requires a dynamic ratings approach 
ensuring that obligor and loss severity ratings reflect current 
information. That policy must also specify minimum financial reporting 
and collateral valuation requirements. For example, at the time of 
servicing events, banks typically receive updated financial information 
on obligors. For cases in which loss severity grades or estimates are 
dependent on collateral values or other factors that change 
periodically, that policy must take into account the need to update 
these factors.
    Banks' policies may include an alternative rating update timetable 
for exposures below a de minimus amount that is justified by the lack 
of materiality of the potential impact on capital. For example, some 
banks use triggering events to prompt an update of their ratings on de 
minimus exposures rather than adhering to a specific timetable.
Multiple Ratings Systems
    Some banks may develop one risk-rating system that can be used 
across the entire commercial loan portfolio. However, a bank can choose 
to deploy any number of rating systems as long as all exposures are 
assigned PD and LGD values. A different rating system could be used for 
each business line and each rating system could use a different rating 
scale. A bank could also use a different rating system for each 
business line with each system using a common rating scale. Rating 
models could be used for some portfolios and expert judgment systems 
for others. An institution's complexity and sophistication, as well as 
the size and range of products offered, will affect the types and 
numbers of rating systems employed.
    While using a number of rating systems is feasible, such a practice 
might make it more difficult to meet supervisory standards. Each rating 
system must conform to the standards in this guidance and must be 
validated for accuracy and consistency. The requirement that each 
rating systems be calibrated to parameter values imposes the ultimate 
constraint, which is that ratings be applied consistently.
Recognition of the Risk Mitigation Benefits of Guarantees
    S. Banks reflecting the risk-mitigating effect of guarantees must 
do so by either adjusting PDs or LGDs, but not both.
    S. To recognize the risk-mitigating effects of guarantees, 
institutions must ensure that the written guarantee is evidenced by an 
unconditional and legally enforceable commitment to pay that remains in 
force until the debt is satisfied in full.
    Adjustments for guarantees must be made in accordance with specific 
criteria contained in the bank's credit policy. The criteria should be 
plausible and intuitive, and should address the guarantor's ability and 
willingness to meet its obligations. Banks are expected to gather 
evidence that confirms the risk-mitigating effect of guarantees.
    Other forms of written third-party support (for example, comfort 
letters or letters of awareness) that are not legally binding should 
not be used to adjust PD or LGD unless a bank can demonstrate through 
analysis of internal data the risk-mitigating effect of such support. 
Banks may not adjust PDs or LGDs to reflect implied support or verbal 
assurances.
    Regardless of the method used to recognize the risk-mitigating 
effects of guarantees, a bank must adopt an approach that is applied 
consistently over time and across the portfolio. Moreover, the onus is 
on the bank to demonstrate that its approach is supported by logic and 
empirical results. While guarantees may provide grounds for adjusting 
PD or LGD, they cannot result in a lower risk weight than that assigned 
to a similar direct obligation of the guarantor.\3\
---------------------------------------------------------------------------

    \3\ The probability that an obligor and a guarantor (who 
supports the obligor's debt) will both default on a debt is lower 
than the probability that either the obligor or the guarantor will 
default. This favorable risk-mitigation effect is known as the 
reduced likelihood of ``double default.'' In determining their 
rating criteria and procedures, banks are not permitted to consider 
possible favorable effects of imperfect expected correlation between 
default events for the borrower and guarantor for purposes of 
regulatory capital requirements. Thus, the adjusted risk weight 
cannot reflect the risk mitigation of double default. The ANPR 
solicits public comment on the double-default issues.
---------------------------------------------------------------------------

Validation Process
    S. IRB rating system architecture must be designed to ensure rating 
system accuracy.
    As part of their IRB rating system architecture, banks must 
implement a process to ensure the accuracy of their rating systems. 
Rating system accuracy is defined as the combination of the following 
outcomes:
    [sbull] The actual long-run average default frequency for each 
rating grade is not significantly greater than the PD assigned to that 
grade.
    [sbull] The actual stress-condition loss rates experienced on 
defaulted facilities are not significantly greater than the LGD 
estimates assigned to those facilities.
    Some differences across individual grades between observed outcomes 
and the estimated parameter inputs to the IRB equations can be 
expected. But if systematic differences suggest a bias toward lowering 
regulatory capital requirements, the integrity of the rating system (of 
either the PD or LGD dimensions or of both) becomes suspect. Validation 
is the set of activities designed to give the greatest possible 
assurances of ratings system accuracy.
    S. Banks must have ongoing validation processes that include the 
review of developmental evidence, ongoing monitoring, and the 
comparison of predicted parameter values to actual outcomes (back-
testing).
    Validation is an integral part of the rating system architecture. 
Banks must have processes designed to give

[[Page 45957]]

reasonable assurances of their rating systems' accuracy. The ongoing 
process to confirm and ensure rating system accuracy consists of:
    [sbull] The evaluation of developmental evidence,
    [sbull] Ongoing monitoring of system implementation and 
reasonableness (verification and benchmarking), and
    [sbull] Back-testing (comparing actual to predicted outcomes).
    IRB institutions are expected to employ all of the components of 
this process. However, the data to perform comprehensive back-testing 
will not be available in the early stages of implementing an IRB rating 
system. Therefore, banks will have to rely more heavily on 
developmental evidence, quality control tests, and benchmarking to 
assure themselves and other interested parties that their rating 
systems are likely to be accurate. Since the time delay before rating 
systems can be back-tested is likely to be an important issue--because 
of the rarity of defaults in most years and the bunching of defaults in 
a few years--the other parts of the validation process will assume 
greater importance. If rating processes are developed in a learning 
environment in which banks attempt to change and improve ratings, back 
testing may be delayed even further. Validation in its early stages 
will depend on bank management's exercising informed judgment about the 
likelihood of the rating system working--not simply on empirical tests.
Ratings System Developmental Evidence
    The first source of support for the validity of a bank's rating 
system is developmental evidence. Evaluating developmental evidence 
involves making a reasonable assessment of the quality of the rating 
system by analyzing its design and construction. Developmental evidence 
is intended to answer the question, Could the rating system be expected 
to work reasonably if it is implemented as designed? That evidence will 
have to be revisited whenever the bank makes a change to its rating 
system. If a bank adopts a rating system and does not make changes, 
this step will not have to be revisited. However, since rating systems 
are likely to change over time as the bank learns about the 
effectiveness of the system and incorporates the results of those 
analyses, the evaluation of developmental evidence is likely to be an 
ongoing part of the process. The particular steps taken in evaluating 
developmental evidence will depend on the type of rating system.
    Generally, the evaluation of developmental evidence will include a 
body of expert opinion. For example, developmental evidence in support 
of a statistical rating model must include information on the logic 
that supports the model and an analysis of the statistical model-
building techniques. In contrast, developmental evidence in support of 
a constrained-judgment system that features guidance values of 
financial ratios might include a description of the logic and evidence 
relating the values of the ratios to past default and loss outcomes.
    Regardless of the type of rating system, the developmental evidence 
will be more persuasive when it includes empirical evidence on how well 
the ratings might have worked in the past. This evidence should be 
available for a statistical model since such models are chosen to 
maximize the fit to outcomes in the development sample. In addition, 
statistical models should be supported by evidence that they work well 
outside the development sample. Use of ``holdout'' sample evidence is a 
good model-building practice to ensure that the model is not merely a 
statistical quirk of the particular data set used to build the model.
    Empirical developmental evidence of rating effectiveness will be 
more difficult to produce for a judgmental rating system. Such evidence 
would require asking raters how they would have rated past credits for 
which they did not know the outcomes. Those retrospective ratings could 
then be compared to the outcomes to determine whether the ratings were 
correct on average. Conducting such tests, however, will be difficult 
because historical data sets may not include all of the information 
that an individual would have actually used in making a judgment about 
a rating.
    The sufficiency of the developmental evidence will itself be a 
matter of informed expert opinion. Even if the rating system is model-
based, an evaluation of developmental evidence will entail judging the 
merits of the model-building technique. Although no bright line tests 
are feasible because expert judgment is essential to the evaluation of 
rating system development, experts will be able to draw conclusions 
about whether a well-implemented system would be likely to perform 
satisfactorily.
Ratings System Ongoing Validation
    The second source of analytical support for the validity of a bank 
rating system is the ongoing analysis intended to confirm that the 
rating system is being implemented and continues to perform as 
intended. Such analysis involves process verification and benchmarking.
Process Verification
    Verification activities address the question, Are the ratings being 
assigned as intended? Specific verification activities will depend on 
the rating approach. If a model is used for rating, verification 
analysis begins by confirming that the computer code used to deploy the 
model is correct. The computer code can be verified in a number of 
established ways. For example, a qualified expert can duplicate the 
code or check the code line by line. Process verification for a model 
will also include confirmation that the correct data are being used in 
the model.
    For expert-judgment and constrained-judgment systems, verification 
requires other individual reviewers to evaluate whether the rater 
followed rating policy. The primary requirements for verification of 
ratings assigned by individuals are:
    [sbull] A transparent rating process,
    [sbull] A database with information used by the rater, and
    [sbull] Documentation of how the decisions were made.
    The specific steps will depend on how much the process incorporates 
specific guidelines and how much the exercise of judgment is allowed. 
As the dependence on specific guidelines increases, other individuals 
can more easily confirm that guidelines were followed by reference to 
sufficient documentation. As the dependence on judgment rises, the 
ratings review function will have to be staffed increasingly by experts 
with appropriate skills and knowledge about the rating policies of the 
bank.
    Ratings process verification also includes override monitoring. If 
individuals have the ability to override either models or policies in a 
constrained-judgment system, the bank should have both a policy stating 
the tolerance for overrides and a monitoring system for identifying the 
occurrence of overrides. A reporting system capturing data on reasons 
for overrides will facilitate learning about whether overrides improve 
accuracy.
Benchmarking
    S. Banks must benchmark their internal ratings against internal, 
market and other third-party ratings.
    Benchmarking is the set of activities that uses alternative tools 
to draw inferences about the correctness of ratings before outcomes are 
actually

[[Page 45958]]

known. The most important type of benchmarking of a rating system is to 
ask whether another rater or rating method attaches the same rating to 
a particular obligor or facility. Regardless of the rating approach, 
the benchmark can be either a judgmental or a model-based rating. 
Examples of such benchmarking include:
    [sbull] Ratings reviewers who completely re-rate a sample of 
credits rated by individuals in a judgmental system.
    [sbull] An internally developed model is used to rate credits rated 
earlier in a judgmental system.
    [sbull] Individuals rate a sample of credits rated by a model.
    [sbull] Internal ratings are compared against results from external 
agencies or external models.
    Because it will take considerable time before outcomes will be 
available, using alternative ratings as benchmarks will be a very 
important validation device. Such benchmarking must be applied to all 
rating approaches, and the benchmark can be either a model or judgment. 
At a minimum, banks must establish a process in which a representative 
sample of its internal ratings is compared to third-party ratings 
(e.g., independent internal raters, external rating agencies, models, 
or other market data sources) of the same credits.
    Benchmarking also includes activities designed to draw broader 
inferences about whether the rating system--as opposed to individual 
ratings--is working as expected. The bank can look for consistency in 
ranking or consistency in the values of rating characteristics for 
similarly rated credits. Examples of such benchmarking activities 
include:
    [sbull] Analyzing the characteristics of obligors that have 
received common ratings.
    [sbull] Monitoring changes in the distribution of ratings over 
time.
    [sbull] Calculating a transition matrix calculated from changes in 
ratings in a bank's portfolio and comparing it to historical transition 
matrices from internal bank data or publicly available ratings.
    While benchmarking activities allow for inferences about the 
correctness of the ratings system, they are the not same thing as back-
testing. The benchmark itself is a prediction and may be in error. If 
benchmarking evidence suggests a pattern of rating differences, it 
should lead the bank to investigate the source of the differences. 
Thus, the benchmarking process illustrates the possibility of feedback 
from ongoing validation to model development, underscoring the 
characterization of validation as a process.
Back Testing
    S. Banks must develop statistical tests to back-test their IRB 
rating systems.
    S. Banks must establish internal tolerance limits for differences 
between expected and actual outcomes.
    S. Banks must have a policy that requires remedial actions be taken 
when policy tolerances are exceeded.
    The third component of a validation process is back-testing, which 
is the comparison of predictions with actual outcomes. Back-testing of 
IRB systems is the empirical test of the accuracy of the parameter 
values, PD and LGD, associated with obligor and loss severity ratings, 
respectively. For IRB rating systems, back-testing addresses the 
combined effectiveness of the assignment of obligor and loss severity 
ratings and the calibration of the parameters PD and LGD attached to 
those ratings.
    At this time, there is no generally agreed-upon statistical test of 
the accuracy of IRB systems. Banks must develop statistical tests to 
back-test their IRB rating systems. In addition, banks must have a 
policy that specifies internal tolerance limits for comparing back-
testing results. Importantly, that policy must outline the actions that 
would be taken whenever policy limits are exceeded.
    As a combined test of ratings effectiveness, back-testing is a 
conceptual bridge between the ratings system architecture discussed in 
this chapter and the quantification of parameters, discussed in Chapter 
2. The final section of Chapter 2 discusses back-testing as one type of 
quantitative test required to validate the quantification of parameter 
values.

III. Quantification of IRB Systems

    Ratings quantification is the process of assigning numerical values 
to the four key components for internal ratings-based assessments of 
credit-risk capital: probability of default (PD), the expected loss 
given default (LGD), the expected exposure at default (EAD), and 
maturity (M). Section I establishes an organizing framework for 
considering IRB quantification and develops general principles that 
apply to the entire process. Sections II through IV cover specific 
principles or supervisory standards that apply to PD, LGD, and EAD 
respectively. The maturity component, which is much less dependent on 
statistical estimates and the use of data, receives somewhat different 
treatment in section V. Validation of the quantification process is 
covered in section VI.

A. Introduction

Stages of the Quantification Process
    With the exception of maturity, the risk components are 
unobservable and must be estimated. The estimation must be consistent 
with sound practice and supervisory standards. In addition, a bank must 
have processes to ensure that these estimates remain valid.
    Calculation of risk components for IRB involves two sets of data: 
the bank's actual portfolio data, consisting of current credit 
exposures assigned to internal grades, and a ``reference data set,'' 
consisting of a set of defaulted credits (in the case of LGD and EAD 
estimation) or both defaulted and non-defaulted credits (in the case of 
PD estimation). The bank estimates a relationship between the reference 
data set and probability of default, loss severity, or exposure; then 
this estimated relationship is applied to the actual portfolio data for 
which capital is being assessed.
    Quantification proceeds through four logical stages: obtaining 
reference data; estimating the reference data's relationship to the 
parameters; mapping the correspondence between the reference data and 
the portfolio's data; and applying the relationship between reference 
data and parameters to the portfolio's data. (Readers may find it 
helpful to refer to the appendix to this chapter, which illustrates how 
this four-stage framework can be applied to ratings quantification 
approaches in practice.) An evaluation of any bank's IRB quantification 
process focuses on understanding how the bank implements each stage for 
each of the key parameters, and on assessing the adequacy of the bank's 
approach.
    Data--First, the bank constructs a reference data set, or source of 
data, from which parameters can be estimated.
    Reference data sets include internal data, external data, and 
pooled internal/external data. Important considerations include the 
comparability of the reference data to the current credit portfolio, 
whether the sample period ``appropriately'' includes periods of stress, 
and the definition of default used in the reference data. The reference 
data must be described using a set of observed characteristics; 
consequently, the data set must contain variables that can be used for 
this characterization. Relevant characteristics might include external 
debt ratings, financial measures, geographic regions, or any other 
factors that are believed to be

[[Page 45959]]

related in some way to PD, LGD, or EAD. More than one reference data 
set may be used.
    Estimation--Second, the bank applies statistical techniques to the 
reference data to determine a relationship between characteristics of 
the reference data and the parameters (PD, LGD, or EAD).
    The result of this step is a model that ties descriptive 
characteristics of the obligor or facility in the reference data set to 
PD, LGD, or EAD estimates. In this context, the term `models' is used 
in the most general sense; a model may be simple, such as the 
calculation of averages, or more complicated, such as an approach based 
on advanced regression techniques. This step may include adjustments 
for differences between the IRB definition of default and the default 
definition in the reference data set, or adjustments for data 
limitations. More than one estimation technique may be used to generate 
estimates of the risk components, especially if there are multiple sets 
of reference data or multiple sample periods.
    Mapping--Third, the bank creates a link between its portfolio data 
and the reference data based on common characteristics.
    Variables or characteristics that are available for the current 
portfolio must be mapped to the variables used in the default, loss-
severity, or exposure model. (In some cases, the bank constructs the 
link for a representative exposure in each internal grade, and the 
mapping is then applied to all credits within a grade.) An important 
element of mapping is making adjustments for differences between 
reference data sets and the bank's portfolio. The bank must create a 
mapping for each reference data set and for each combination of 
variables used in any estimation model.
    Application--Fourth, the bank applies the relationship estimated 
for the reference data to the actual portfolio data.
    The ultimate aim of quantification is to attribute a PD, LGD, or 
EAD to each exposure within the portfolio, or to each internal grade if 
the mapping was done at the grade level. This step may include 
adjustments to default frequencies or loss rates to ``smooth'' the 
final parameter estimates. If the estimates are applied to individual 
transactions, the bank must in some way aggregate the estimates at the 
grade level. In addition, if multiple data sets or estimation methods 
are used, the bank must adopt a means of combining the various 
estimates.
    A number of examples are given in this chapter to aid exposition 
and interpretation. None of the examples is sufficiently detailed to 
incorporate all the considerations discussed in this chapter. Moreover, 
technical progress in the area of quantification is rapid. Thus, banks 
should not interpret an example that is consistent with the standard 
being discussed, and that resembles the bank's current practice, as 
creation of a ``safe harbor'' or as an indication that the bank's 
practice will be approved as-is. Banks should consider this guidance in 
its entirety when determining whether systems and practices are 
adequate.
General Principles for Sound IRB Quantification
    Several core principles apply to all elements of the overall 
ratings quantification process; those general principles are discussed 
in this introductory section. Each of these principles is, in effect, a 
supervisory standard for IRB systems. Other supervisory standards, 
specific to particular elements or parameters, are discussed in the 
relevant sections.
    Supervisory evaluation of IRB quantification requires consideration 
of all of these principles and standards, both general and specific. 
Particular practical approaches to ratings quantification may be highly 
consistent with some standards, and less so with others. In any 
particular case, an ultimate assessment relies on the judgment of 
supervisors to weigh the strengths and weaknesses of a bank's chosen 
approach, using these supervisory standards as a guide.
    S. IRB institutions must have a fully specified process covering 
all aspects of quantification (reference data, estimation, mapping, and 
application). The quantification process, including the role and scope 
of expert judgment, must be fully documented and updated periodically.
    A fully specified quantification process must describe how all four 
stages (data, estimation, mapping, and application) are implemented for 
each parameter. Documentation promotes consistency and allows third 
parties to review and replicate the entire process. Examples of third 
parties that might use the documentation include rating-system 
reviewers, auditors, and bank supervisors. Periodic updates to the 
process must be conducted to ensure that new data, analytical 
techniques, and evolving industry practice are incorporated into the 
quantification process.
    S. Parameter estimates and related documentation must be updated 
regularly.
    The parameter estimates must be updated at least annually, and the 
process for doing so must be documented in bank policy. The update 
should also evaluate the judgmental adjustments embedded in the 
estimates; new data or techniques may suggest a need to modify those 
adjustments. Particular attention should be given to new business lines 
or portfolios in which the mix of obligors is believed to have changed 
substantially. A material merger, acquisition, divestiture, or exit 
clearly raises questions about the continued applicability of the 
process and should trigger an intensive review and updating.
    The updating process is particularly relevant for the reference 
data stage because new data become available all the time. New data 
must be incorporated, into the PD, LGD, and EAD estimates, using a 
well-defined process.
    S. A bank must subject all aspects of the quantification process, 
including design and implementation, to an appropriate degree of 
independent review and validation.
    An independent review is an assessment conducted by persons not 
accountable for the work being reviewed. The reviewers may be either 
internal or external parties. The review serves as a check that the 
quantification process is sound and works as intended; it should be 
broad-based, and must include all of the elements of the quantification 
process that lead to the ultimate estimates of PD, LGD, and EAD. The 
review must cover the full scope of validation: evaluation of the 
integrity of data inputs, analysis of the internal logic and 
consistency of the process, comparison with relevant benchmarks, and 
appropriate back-testing based on actual outcomes.
    S. Judgmental adjustments may be an appropriate part of the 
quantification process, but must not be biased toward lower estimates 
of risk.
    Judgment will inevitably play a role in the quantification process 
and may materially affect the estimates. Judgmental adjustments to 
estimates are often necessary because of some limitations on available 
reference data or because of inherent differences between the reference 
data and the bank's portfolio data. The bank must ensure that 
adjustments are not biased toward optimistically low parameter 
estimates for PD, LGD, and EAD. Individual assumptions are less 
important than broad patterns; consistent signs of judgmental decisions 
that lower parameter estimates materially may be evidence of bias.

[[Page 45960]]

    The reasoning and empirical support for any adjustments, as well as 
the mechanics of the calculation, must be documented. The bank should 
conduct sensitivity analysis to demonstrate that the adjustment 
procedure is not biased toward reducing capital requirements. The 
analysis must consider the impact of any judgmental adjustments on 
estimates and risk weights, and must be fully documented.
    S. Parameter estimates must incorporate a degree of conservatism 
that is appropriate for the overall robustness of the quantification 
process.
    In estimating values of PD, LGD, and EAD should be as precise and 
accurate as possible. However, estimates of PD, LGD and EAD are 
statistics, and thus inherently subject to uncertainty and potential 
error. It is often possible to be reasonably confident that a risk 
component or other parameter lies within a particular range, but 
greater precision is difficult to achieve. Aspects of the ratings 
quantification process that are apt to introduce uncertainty and 
potential error include the following:
    The estimation of coefficients of particular variables in a 
regression-based statistical default or severity model.
    [sbull] The calculation of average default or loss rates for 
particular categories of credits in external default databases.
    [sbull] The mapping between portfolio obligors or facilities and 
reference data when the set of common characteristics does not align 
exactly.
    A general principle of the IRB approach is that a bank must adjust 
estimates conservatively in the presence of uncertainty or potential 
error. In many cases this corresponds to assigning a final parameter 
estimate that increases required capital relative to the best estimate 
produced through sound-practice estimation techniques. The extent of 
this conservative adjustment should be related to factors such as the 
relevance of the reference data, the quality of the mapping, the 
precision of the statistical estimates, and the amount of judgment used 
throughout the process. Margins of conservatism need not be added at 
each step; indeed, that could produce an excessively conservative 
result. The overall margin of conservatism should adequately account 
for all uncertainties and weaknesses; this is the general 
interpretation of requirements to incorporate appropriate degrees of 
conservatism. Improvements in the quantification process (use of better 
data, estimation techniques, and so on) may reduce the appropriate 
degree of conservatism over time.
    Estimates of PD, LGD, EAD, or other parameters or coefficients 
should be presented with an accompanying sense of the statistical 
precision of the estimates; this facilitates an assessment of the 
appropriate degree of conservatism.

B. Probability of Default (PD)

Data
    To estimate PD accurately, a bank must have a comprehensive 
reference data set with observations that are comparable to the bank's 
current portfolio of obligors. Clearly, the data set used for 
estimation should be similar to the portfolio to which such estimates 
will be applied. The same comparability standard applies to both 
internal and external data sets.
    To ensure ongoing applicability of the reference data, a bank must 
assess the characteristics of its current obligors relative to the 
characteristics of obligors in the reference data. Such variables might 
include qualitative and quantitative obligor information, internal and 
external rating, rating dates, and line of business or geography. To 
this end, a bank must maintain documentation that fully describes all 
explanatory variables in the data set, including any changes to those 
variables over time. A well-defined and documented process must be in 
place to ensure that the reference data are updated as frequently as is 
practical, as fresh data become available or portfolio changes make 
necessary.
    S. The sample for the reference data must be at least five years, 
and must include periods of economic stress during which default rates 
were relatively high.
    To foster more robust estimation, banks should use longer time 
series when more than five years of data are available. However, the 
benefits of using a longer time series (longer than five years) may 
have to be weighed against a possible loss of data comparability. The 
older the reference data, the less similar they are likely to be to the 
bank's current portfolio; striking the correct balance is a matter of 
judgment. Reference obligors must not differ from the current portfolio 
obligors systematically in ways that seem likely to be related to 
obligor default risk. Otherwise, the derived PD estimates may not be 
applicable to the current portfolio.
    Note that this principle does not simply restate the requirement 
for five years of data: periods of stress during which default rates 
are relatively high must be included in the data sample. Exclusion of 
such periods biases PD estimates downward and unjustifiably lowers 
regulatory capital requirements.

    Example. A bank's reference data set covers the years 1987 
through 2001. Each year includes identical data elements, and each 
year is similarly populated. For its grade PD estimates, the bank 
relies upon data from a sub-sample covering 1992 through 2001. The 
bank provides no justification for dropping the years from 1987 
through 1991. The bank contends that it is not necessary to include 
those data, as the reference sample they use for estimation 
satisfies the five-year requirement. This practice is not consistent 
with the standard because the bank has not supported its decision to 
ignore available data. The fact that the excluded years include a 
recession would raise particular concerns.

    S. The definition of default within the reference data must be 
reasonably consistent with the IRB definition of default.
    Regardless of the source of the reference data, a bank must apply 
the same default definition throughout the quantification processes. 
This fosters consistent estimation across parameters and reduces the 
potential for undesired bias. In addition, consistent application of 
the same definition across banks will permit true horizontal analysis 
by supervisors and engaged market participants.
    This standard applies to both internal and external reference data. 
For internal data, a bank's default definition is expected to be 
consistent with the IRB definition going forward. Banks will be 
expected to make appropriate adjustments to their data systems such 
that all defaults as defined for IRB are captured by the time a bank 
fully implements its IRB system. For any historical or external data 
that do not fully comply with the IRB definition of default, a bank 
must make conservative adjustments to reflect such discrepancies. 
Larger discrepancies require larger adjustments for conservatism.

    Example. To identify defaults in its historical data, a bank 
applies a consistent definition of ``placed on nonaccrual.'' This 
definition is used in the bank's quantification exercises to 
estimate PD, LGD, and EAD. The bank recognizes that use of the 
nonaccrual definition fails to capture certain defaults as 
identified in the IRB rules. Specifically, the bank indicates that 
the following kinds of defaulted facilities would not have been 
placed on nonaccrual: (1) Credit obligations that were sold at a 
material credit-related economic loss, and (2) distressed 
restructurings. To be consistent with the standard, the bank must 
make a well-supported adjustment to its grade PD estimates to 
reflect the difference in the default definitions.
Estimation
    Estimation of PD is the process by which characteristics of the 
reference

[[Page 45961]]

data are related to default frequencies.\4\ The relevant 
characteristics that help to determine the likelihood of default are 
referred to as ``drivers of default''. Drivers might include variables 
such as financial ratios, management expertise, industry, and 
geography.
---------------------------------------------------------------------------

    \4\ The New Basel Capital Accord produced by the Basel Committee 
on Banking Supervision discusses three techniques for PD estimation. 
IRB banks are not constrained to select from among these three 
techniques; they have broad flexibility to implement appropriate 
approaches to quantification. The three Basel techniques are best 
regarded not as a complete taxonomy of the possible approaches to PD 
estimation, but rather as illustrations of a few of the many 
possible approaches.
---------------------------------------------------------------------------

    S. Estimates of default rates must be empirically based and must 
represent a long-run average.
    Estimates must capture average default experience over a reasonable 
mix of high-default and low-default years of the economic cycle. The 
average is labeled ``long-run'' because a long observation period would 
span both peaks and valleys of the economic cycle. The emphasis should 
not be on time-span; the long-run average concept captures the breadth, 
not the length, of experience.
    If the reference data are characterized by internal or external 
rating grades, one estimation approach is to calculate the mean of one-
year realized default rates for each grade, giving equal weight to each 
year's realized default rate. PD estimates generally should be 
calculated in this manner.
    Another approach is to pool obligors in a given grade over a number 
of years and then calculate the mean default rate. In this case, each 
year's default rate is weighted by the number of obligors. This 
approach may underestimate default rates. For example, if lending 
declines in recessions so that obligors are fewer in those years than 
in others, weighting by number of obligors would dilute the effect of 
the recession year on the overall mean. The obligor-weighted 
calculation, or another approach, will be allowed only if the bank can 
demonstrate that this approach provides a better estimate of the long-
run average PD. At a minimum, this would involve comparing the results 
of both methods.
    Statistical default prediction models may also play a role in PD 
estimation. For example, the characteristics of the reference data 
might include financial ratios or a distance-to-default measure, as 
defined by a specific implementation of a Merton-style structural 
model.
    For a model-based approach to meet the requirement that ultimate 
grade PD estimates be long-run averages, the reference data used in the 
default model must meet the long-run requirement. For example, a model 
can be used to relate financial ratios to likelihood of default based 
on the outcome for the firms--default or non-default. Such a model must 
be calibrated to capture the default experience over a reasonable mix 
of good and bad years of the economic cycle. The same requirement would 
hold for a structural model; distance to default must be calibrated to 
default frequency using long-run experience. This applies to both 
internal and vendor models, and a bank must verify that this 
requirement is met.

    Example 1. A bank uses external data from a rating agency to 
estimate PD. The PD estimate for each agency grade is calculated as 
the mean of yearly realized default rates over a time period (1980 
through 2001) that includes several recessions and high-default 
years. The bank provides support that this time period adequately 
represents long-run experience. This illustrates an estimation 
method that is consistent with the standard.
    Example 2a. Like the institution in example 1, a bank maps 
internal ratings to agency grades. The estimates for the agency 
grades are set indirectly, using the default probabilities from a 
default prediction model. The bank does so because although it links 
internal and agency grades, the bank views the default model's 
results as more predictive than the historical agency default 
experience. For each agency grade, the bank calculates a PD estimate 
as the mean of the model-based default probabilities for the agency-
rated obligors. In order to meet the long-run requirement, the bank 
calculates the estimates over the seven years from 1995 through 
2001. The bank demonstrates that this time period includes a 
reasonable mix of high-default and low-default experience. This 
estimation method is consistent with the standard.
    Example 2b. In a variant of example 2a, a bank uses the mean 
default frequency per agency rating grade for a single year, such as 
2001. Empirical evidence shows that the mean default frequency for 
agency grades varies substantially from year to year. A single year 
thus does not reflect the full range of experience, because a long-
run average should be relatively stable year to year. Such 
instability makes this estimation method unacceptable.
    Example 2c. Another bank calculates the agency grade PD 
estimates as the median default probability of companies in that 
grade. The bank does so without demonstrating that the median is a 
better statistical estimator than the mean. This estimation method 
is not consistent with the standard. A median gives less weight to 
obligors with high estimated default probabilities than a simple 
mean does. The difference between mean and median can be material 
because distributions of credits within grades often are 
substantially skewed toward higher default probabilities: the 
riskier obligors within a grade tend to have individual default 
probabilities that are substantially worse than the median, while 
the least risky have default probabilities only somewhat better than 
the median.

    S. Judgmental adjustments may play an appropriate role in PD 
estimation, but must not be biased toward lower estimates.
    The following examples illustrate how supervisors will evaluate 
adjustments:

    Example 1. A bank uses the last five years of internal default 
history to estimate grade PDs. However, they recognize that the 
internal experience does not include any high-default years. In 
order to remedy this and still take advantage of its experience, the 
bank uses external agency data to adjust the estimates upward. Using 
the agency data, the bank calculates the ratio between the long-run 
average and the mean default rate per grade over the last five 
years. The bank assumes that the relationship observed in the agency 
data applies to its portfolio, and adjusts the estimates for the 
internal data accordingly. This practice is consistent with the 
standard.
    Example 2. A bank uses internal default experience to estimate 
grade PDs. However, the bank has historically failed to recognize 
defaults when the loss on the default obligation was avoided by 
seizing collateral. The bank makes no adjustment for such missing 
defaults. The realized default rate using the more inclusive 
definition would be higher than that observed by the bank (and loss 
severity rates would be correspondingly lower). This practice would 
not be consistent with the standard, unless the bank demonstrates 
that the necessary adjustment is immaterial.
Mapping
    Mapping is the process of establishing a correspondence between the 
bank's current obligors and the reference obligor data used in the 
default model. Hence, mapping involves identifying how default-related 
characteristics of the current portfolio correspond to the 
characteristics of reference obligors. Such characteristics might 
include financial and nonfinancial variables, and assigned ratings or 
grades.
    Mapping can be thought of as taking each obligor in the bank's 
portfolio and characterizing it as if it were part of the reference 
data. There are two broad approaches to the mapping process:
    Obligor mapping: Each portfolio obligor is mapped to the reference 
data based on its individual characteristics. For example, if a bank 
applies a default model, a default probability will be generated for 
each obligor. That individual default probability is then used to 
assign each obligor to a particular internal grade, based on the bank's 
established criteria. To obtain a final estimate of the grade PD in the 
subsequent application stage, the bank averages the default 
probabilities of individual obligors within each grade.
    Grade mapping: Characteristics of the obligors within an internal 
grade are

[[Page 45962]]

averaged or otherwise summarized to construct a ``typical'' or 
representative obligor for each grade. Then, the bank maps that 
representative obligor to the reference data. For example, if the bank 
uses a default model, the default probability associated with that 
typical obligor will serve as the grade PD in the application stage. 
Alternatively, the bank may map the typical obligor to a particular 
external rating grade based on quantitative and qualitative 
characteristics, and assign the long-run default rate for that rating 
to the internal grade in the application stage.
    Either grade mapping or obligor mapping can be part of the 
quantification process; either method can produce a single PD estimate 
for each grade in the application stage. However, in the absence of 
other compelling considerations, banks should use obligor mapping for 
two reasons:
    [sbull] First, default probabilities are nonlinear under many 
estimation approaches. As a result, the default probability of the 
typical obligor--the result of a grade mapping approach--is often lower 
than the mean of the individual obligor default probabilities from the 
obligor mapping approach. For example, consider a bank that maps to the 
S&P scale and uses historical S&P bond default rates. For ease of 
illustration, suppose that one internal grade contains only three 
obligors that individually map to BB, BB-, and B+. The historical 
default rates for these three grades are 1.07, 1.76, and 3.24 percent, 
respectively (based on 1981-2001 data). Using obligor mapping, those 
rates would be assigned directly to the three obligors, yielding a mean 
PD of 2.02 percent for the grade. Using grade mapping, the grade PD 
would be only 1.76, because the grade's typical obligor is rated BB-.
    [sbull] Second, a hypothetical obligor with a grade's average 
characteristics may not represent well the risks presented by the 
grade's typical obligor. For example, a bank might observe that 
obligors with high leverage and low earnings variability have about the 
same default risk as obligors with low leverage and high earnings 
variability. These two types of obligors might both end up in the same 
grade, for example, Grade 6. If so, the typical obligor in Grade 6 
would have moderate leverage and moderate earnings variability--a 
combination that might fail to reflect any of the individual obligors 
in Grade 6, and that could easily result in a PD for the grade that is 
too low.
    A bank electing to use grade mapping instead of obligor mapping 
should be especially careful in choosing a ``typical'' obligor for each 
grade. Doing so typically requires that the bank examine the actual 
distribution of obligors within each grade, as well as the 
characteristics of those obligors. Banks should be aware that different 
measures of central tendency (such as mean, median, or mode) will give 
different results, and that these different results may have a material 
effect on a grade's PD; they must be able to justify their choice of a 
measure. Banks must have a clear and consistent policy toward the 
calculation.
    S. The mapping must be based on a robust comparison of available 
data elements that are common to the portfolio and the reference data.
    Sound mapping practice uses all common elements that are available 
in the data as the basis for mapping. If a bank chooses to ignore 
certain common variables or to weight some variables more heavily than 
others, those choices must be supported. Mapping should also take into 
account differences in rating philosophy (for example, point-in-time or 
through-the-cycle) between any ratings embedded in the reference data 
set and the bank's own rating regime.
    A mapping should be plausible, and should be consistent with the 
rating philosophy established by the bank as part of its obligor rating 
policy. For a bank that uses grade mapping, levels and ranges of key 
variables within each internal grade should be close to values of 
similar variables for corresponding obligors within the reference data.
    The standard allows for use of a limited set of common variables 
that are predictive of default risk, in part to permit flexibility in 
early years when data may be far from ideal. Nevertheless, banks will 
eventually be expected to use variables that are widely recognized as 
the most reliable predictors of default risk in mapping exercises. In 
the meantime, banks relying on data elements that are weak predictors 
must compensate by making their estimates more conservative. For 
example, leverage and cash flow are widely recognized to be reliable 
predictors of corporate default risk. Borrower size is also predictive, 
but less so. A mapping based solely on size is by nature less reliable 
than one based on leverage, cash flow, and size.

    Example 1. In estimating PD, a bank relies on observed default 
rates on bonds in various agency grades for PD quantification. To 
map its internal grades to the agency grades, the bank identifies 
variables that together explain much of the rating variation in the 
bond sample. The bank then conducts a statistical analysis of those 
same variables within its portfolio of obligors, using a 
multivariate distance calculation to assign each portfolio obligor 
to the external rating whose characteristics it matches most closely 
(for example, assigning obligors to ratings so that the sum of 
squared differences between the external grade averages and the 
obligor's characteristics is minimized). This practice is broadly 
consistent with the standard.
    Example 2. A bank uses grade mapping to link portfolio obligors 
to the reference data set described by agency ratings. The bank 
looks at publicly rated portfolio obligors within an internal grade 
to determine the most common external rating, does the same for all 
grades, and creates a correspondence between internal and external 
ratings. The strength of the correspondence is a function of the 
number of externally rated obligors within each grade, the 
distribution of those external ratings within each grade and the 
similarity of externally rated obligors in the grade to those not 
externally rated. This practice is broadly consistent with this 
standard, but would require a comparison of rating philosophies and 
may require adjustments and the addition of margins of conservatism.
    S. A mapping process must be established for each reference data 
set and for each estimation model.
    Banks should never assume that a mapping is self-evident. Even a 
rating system that has been explicitly designed to replicate external 
agency ratings may or may not be effective in producing a replica; 
formal mapping is still necessary. Indeed, in such a system the kind of 
analysis involved in mapping may help identify inconsistencies in the 
rating process itself.
    A mapping process is needed even where the reference obligors come 
from internal historical experience. Banks must not assume that 
internal data do not require mapping, because changes in bank strategy 
or external economic forces may alter the composition of internal 
grades or the nature of the obligors in those grades over time. 
Mappings must be reaffirmed regardless of whether rating criteria or 
other aspects of the ratings system have undergone explicit changes 
during the period covered by the reference data set.
    Banks often use multiple reference data sets, and then combine the 
resulting estimates to get a grade PD. A bank that does that must 
conduct a rigorous mapping process for each data set.
    Supervisors expect all meaningful characteristics of obligors to be 
factored directly into the rating process; this should include 
characteristics like the obligor's industry or physical location. But 
in some circumstances, certain effects related to industry, geography, 
or other factors are not reflected in rating assignments or default 
estimates. In such cases, it may be appropriate for banks to capture 
the impact of the

[[Page 45963]]

omissions by using different mappings for different business lines or 
types of obligors. Supervisors expect this practice to be transitional; 
banks will eventually be required to incorporate the omitted effects 
into the rating system and the estimation process as they are uncovered 
and documented, rather than adjusting the mapping.

    Example 1. The bank maps its internal grades carefully to one 
rating agency, and then assumes a correspondence to another agency's 
scale despite known differences in the rating methods of the two 
agencies. The bank then applies a mean of the grade default rates 
from these two public debt-rating agencies to its internal grades. 
This practice is not consistent with the standard, because the bank 
should map to each agency's scale separately.
    Example 2. A bank uses internal historical data as its reference 
data. The bank computes a mean default rate for each grade as the 
grade PD for capital purposes, and asserts that mapping is 
unnecessary because ``its strong credit culture ensures that a 4 is 
always a 4.'' This practice is not consistent with the standard, 
because no mapping has been done; there is no assurance that a 
representative obligor in a grade today is comparable to an obligor 
in that same grade in the past.

    S. The mapping must be updated and independently validated 
regularly.
    The appropriate mapping between a bank's portfolio and the 
reference data may change over time. For example, relationships between 
internal grades and external agency grades may change during the 
economic cycle because of differences in rating philosophy. Similarly, 
distance-to-default measures for obligors in a given grade may not be 
constant over time. These likely changes make it imperative that the 
bank update all mappings regularly.
    Sound validation practices may include tests for internal 
consistency such as ``reverse mapping.'' Using this technique, a bank 
evaluates obligors from the reference data set as if they were subject 
to the bank's rating system (that is, part of the bank's current 
portfolio). The bank's mapping is then applied to these reverse-mapped 
obligors to see whether the mapped characterization of the reference 
obligor is consistent with that of the initial evaluation.\5\ Another 
valuable technique is to apply different mapping methods and compare 
the results. For example, mappings based on financial ratio comparisons 
can be rechecked using mappings based on available external ratings.
---------------------------------------------------------------------------

    \5\ For example, suppose a bank asserts that its Grade 3 
corresponds to an S&P rating of A. Applying reverse mapping, the 
bank would take a sample of A-rated obligors from the reference 
data, run them through the bank's rating process (perhaps a 
simplified version), and check to see that those obligors usually 
receive a grade of 3 on the bank's internal scale.

    Example. A bank mapped its internal grades to the rating scale 
of one public debt-rating agency in 1992. Since then, the bank has 
completed a major acquisition of another large bank and 
significantly changed its business mix in other ways. The bank 
continues to use the same mapping, without reassessing its validity. 
This practice is not consistent with the standard.
Application
    In the application stage, the bank applies the PD estimation method 
to the current portfolio of obligors using the mapping process. It 
obtains final PD estimates for each rating grade, which will be used to 
calculate minimum regulatory capital. To arrive at those estimates, a 
bank may adjust the raw results derived from the estimation stage. For 
example, it might aggregate individual obligor default probabilities to 
the rating grade level, or smooth results because a rating grade's PD 
estimate was higher than a lower quality grade. The bank must explain 
and support all adjustments when documenting its quantification 
process.

    Example. A bank uses external data to estimate long-run average 
PDs for each grade. The resulting PD estimate for Grade 2 is 
slightly higher than the estimate for Grade 3, even though Grade 2 
is supposedly of higher credit quality. The bank uses statistics to 
demonstrate that this anomaly occurred because defaults are rare in 
the highest quality rating grades. The bank judgmentally adjusts the 
PD estimates for grades 2 and 3 to preserve the expected 
relationship between obligor grade and PD, but requires that total 
risk-weighted assets across both grades using the adjusted PD 
estimates be no less than total risk-weighted assets based on the 
unadjusted estimates, using a typical distribution of obligors 
across the two grades. Such an adjustment during the application 
stage is consistent with this guidance.

    S. IRB institutions that aggregate the default probabilities of 
individual portfolio obligors when calculating PD estimates for 
internal grades must have a clear policy governing the aggregation 
process.
    As noted above, mapping may be grade-based or obligor-based. Grade-
based mappings naturally provide a single PD per grade, because the 
estimated default model is applied to the representative obligor for 
each grade. In contrast, obligor-based mappings must aggregate in some 
manner the individual PD estimates to the grade level. The expectation 
is that the grade PD estimate will be calculated as the mean. The bank 
will be allowed to calculate this estimate differently only if it can 
demonstrate that the alternative method provides a better estimate of 
the long-run average PD. To obtain this evidence, the bank must at 
least compare the results of both methods.
    S. IRB institutions that combine estimates from multiple sets of 
reference data must have a clear policy governing the combination 
process, and must examine the sensitivity of the results to alternative 
combinations.
    Because a bank should make use of as much information as possible 
when mapping, it will usually use multiple data sets. The manner in 
which the data or the estimates from those multiple data sets are 
combined is extremely important. A bank must document its justification 
for the particular combination methods selected. Those methods must be 
subject to appropriate approval and oversight.
    The data may come from the same basic data source but from 
different time periods or from different data sources altogether. For 
example, banks often combine internal data with external data, use 
external data from different sample periods, or combine results from 
corporate-bond default databases with results from equity-based models 
of obligor default. Different combinations will produce different PD 
estimates. The bank should investigate alternative combinations and 
document the impact on the estimates. When ultimate results are highly 
sensitive to how estimates from different data sources are combined, 
the bank must choose among the alternatives conservatively.

C. Loss Given Default (LGD)

    The LGD estimation process is similar to the PD estimation process. 
The bank identifies a reference data set of defaulted credits and 
relevant descriptive characteristics. Once the bank obtains these data 
sets (with the facility characteristics), it must select a technique to 
estimate the economic loss per dollar of exposure at default, for a 
defaulted exposure with a given array of characteristics. The bank's 
portfolio must then be mapped, so that the model can be applied to 
generate an estimate of LGD for each portfolio transaction or severity 
grade.
Data
    Unlike reference data sets used for PD estimation, data sets for 
severity estimation contain only exposures to defaulting obligors. At 
least two broad categories of data are necessary to produce LGD 
estimates.
    First, data must be available to calculate the actual economic loss 
experienced for each defaulted facility. Such data may include the 
market value of the facility at default, which can be

[[Page 45964]]

used to proxy a recovery rate. Alternatively, economic loss may be 
calculated using the exposure at the time of default, loss of 
principal, interest, and fees, the present value of subsequent 
recoveries and related expenses (or the costs as calculated using an 
approved allocation method), and the appropriate discount rate.
    Second, factors must be available to group the defaulted facilities 
in meaningful ways. Characteristics that are likely to be important in 
predicting loss rates include whether or not the facility is secured 
and the type and coverage of collateral if the facility is secured, 
seniority of the claim, general economic conditions, and obligor's 
industry. Although these factors have been found to be significant in 
existing academic and industry studies, a bank's quantification of LGD 
certainly need not be limited to these variables. For example, a bank 
might expand its loss severity research by examining many other 
potential drivers of severity (characteristics of an obligor that might 
help the bank predict the severity of a loss), including obligor size, 
line of business, geographic location, facility type, obligor ratings 
(internal or external), historical internal severity grade, or tenor of 
the relationship.
    A bank must ensure that the reference data remains applicable to 
its current portfolio of facilities. It must implement established 
processes to ensure that reference data sets are updated when new data 
become available. All data sources, variables, and the overall 
processes concerning data collection and maintenance must be fully 
documented, and that documentation should be readily available for 
review.
    S. The sample period for the reference data must be at least seven 
years, and must include periods of economic stress during which 
defaults were relatively high.
    Seven years is the minimum sample period for the LGD reference 
data. A longer sample period is desirable, because more default 
observations will be available for analysis and may serve to refine 
severity estimates. In any case, a bank must select a sample period 
that includes episodes of economic stress, which are defined as periods 
with a relatively high number of defaults. Inclusion of stress periods 
increases the size and potentially the breadth of the reference data 
set. According to some empirical studies, the average loss rate is 
higher during periods of stress.

    Example. A bank intends to rely primarily on internal data when 
quantifying all parameter estimates, including LGD. Its internal 
data cover the period 1994 through 2000. The bank will continue to 
extend its data set as time progresses. Its current policy mandates 
that credits be resolved within two years of default, and the data 
set contains the most recent data available. Although the current 
data set satisfies the seven-year requirement, the bank is aware 
that it does not include stress periods. In comparing its loss 
estimates with rates published in external studies for similarly 
stratified data, the bank observes that its estimates are 
systematically lower. To be consistent with the standard, the bank 
must take steps to include stress periods in its estimates.

    S. The definition of default within the reference data must be 
reasonably consistent with the IRB definition of default.
    This standard parallels a similar standard in the section on PD. 
The following examples illustrate how it applies in the case of LGD.

    Example 1. For LGD estimation, a bank includes in its default 
data base only defaulted facilities that actually experience a loss, 
and excludes credits for which no loss was recorded because 
liquidated collateral covered the loss (effectively applying a 
``loss given loss'' concept). This practice is not consistent with 
the standard because the bank's default definition for LGD is 
narrower than the IRB definition.
    Example 2. A bank relies on external data sources to estimate 
LGD because it lacks sufficient internal data. One source uses 
``bankruptcy filing'' to indicate default while another uses 
``missed principal or interest payment,'' and the two sources result 
in significantly different loss estimates for the severity grades 
defined by the bank. The bank's practice is not consistent with the 
standard, and the bank should determine whether the definitions used 
in the reference data sets differ substantially from the IRB 
definition. If so, and the differences are difficult to quantify, 
the bank should seek other sources of reference data. For more minor 
differences, the bank may be able to make appropriate adjustments 
during the estimation stage.
Estimation
    Estimation of LGD is the process by which characteristics of the 
reference data are related to loss severity. The relevant 
characteristics that help explain how severe losses tend to be upon 
default might include variables such as seniority, collateral, facility 
type, or business line.
    S. The estimates of loss severity must be empirically based and 
must reflect the concept of ``economic loss.''
    Loss severity is defined as economic loss, which is different from 
accounting measures of loss. Economic loss captures the value of 
recoveries and direct and indirect costs discounted to the time of 
default, and it should be measured for each defaulted facility. The 
scope of the cash flows included in recoveries and costs is meant to be 
broad. Workout costs that can be clearly attributed to certain 
facilities or types of facilities must be reflected in the bank's LGD 
assignments for those exposures. When such allocation is not practical, 
the bank may assign those costs using factors based on broad averages.
    A bank must establish a discount rate that reflects the time value 
of money and the opportunity cost of funds to apply to recoveries and 
costs. The discount rate must be no less than the contract interest 
rate on new originations of a type similar to the transaction in 
question, for the lowest-quality grade in which a bank originates such 
transactions.\6\ Where possible, the rate should reflect the fixed rate 
on newly originated exposures with term corresponding to the average 
resolution period of defaulting assets.
---------------------------------------------------------------------------

    \6\ The appropriate discount rate for IRB purposes may differ 
from the contract rate required under FAS 114 for accounting 
purposes.
---------------------------------------------------------------------------

    Ideally, severity should be measured once all recoveries and costs 
have been realized. However, a bank may not resolve a defaulted 
obligation for many years following default. For practical purposes, 
banks may choose to close the period of observation before this final 
resolution occurs--that is, at a point in time when most costs have 
been incurred and when recoveries are substantially complete. Banks 
that do so should estimate the additional costs and recoveries that 
would likely occur beyond this period and include them in the LGD 
estimates. A bank must document its choice of the period of 
observation, and how it estimated additional costs and recoveries 
beyond this period.
    LGD for each type of exposure must be the loss per default 
(expressed as a percentage of exposure at default) expected during 
periods when default rates are relatively high. This expected loss rate 
is referred to as ``stress-condition LGD.'' For cases in which loss 
severities do not have a material degree of cyclical variability, use 
of the long-run default-weighted average is appropriate, although 
stress-condition LGD generally exceeds this average.
    The drivers of severity can be linked to loss estimates in a number 
of ways. One approach is to segment the reference defaults into groups 
that do not overlap. For example, defaults could be grouped by business 
line, predominant collateral type, and loan-to-value coverage. The LGD 
estimate for each category is the mean loss calculated over the 
category's defaulted facilities. Loss must be calculated as the 
default-weighted average (where individual defaults receive equal 
weight) rather than the average of

[[Page 45965]]

annual loss rates, and must be based on results from periods during 
which default rates were relatively numerous if loss rates are 
materially cyclical.
    Banks can also draw estimates of LGD from a statistical model. For 
example, they can build a regression model of severity using data on 
loss severity and some quantitative measures of the loss drivers. Any 
model must meet the requirements for model validation discussed in 
Chapter 1. Other methods for computing LGD could also be appropriate.

    Example 1. A bank has internal data on defaulted facilities, 
including information on business line, facility type, seniority, 
and predominant collateral type (if the facility is secured). The 
data allow for a reasonable calculation of economic loss. The data 
span eight years and include three years that can be termed high-
default years. After analyzing the economic cycle using internal and 
external data, the bank concludes that the data show no evidence of 
material cyclical variability in loss severities, and that the 
default data span enough experience to allow estimation of a long-
run average. On the basis of preliminary analysis, the bank 
determines that the drivers of loss severity for large corporate 
facilities are similar to those for middle-market loans, and that 
the two groups can be estimated as a pool. Again on the basis of 
preliminary analysis, the bank segments this pool by seniority and 
by six collateral groupings, including unsecured. These groupings 
contain enough defaults to allow reasonably precise estimates. The 
loss severity estimates are then calculated by averaging loss rates 
within each segment. This practice is consistent with the standard.
    Example 2. A bank uses internal data in which information on 
security and seniority is lacking. The bank groups corporate and 
middle-market defaulted facilities into a single pool and calculates 
the LGD estimate as the mean loss rate. No adjustments for the lack 
of data are made in the estimation or application steps. This 
practice is unacceptable because there is ample external evidence 
that security and seniority matter in these segments. A bank with 
such limited internal default data must incorporate external or 
pooled data into the estimation.
    Example 3. A bank determines that a business unit--for example, 
a unit dedicated to a particular type of asset-based lending--forms 
a homogeneous pool for the purposes of estimating loss severity. 
That is, although the facilities in this pool may differ in some 
respects, the bank determines that they share a similar loss 
experience in default. The bank must provide reasonable support for 
this pooling through analysis of lending practices and available 
internal and external data. In this example, the mean of a single 
segment is consistent with the standard.

    S. Judgmental adjustments may play an appropriate role in LGD 
estimation, but must not be biased toward lower estimates.
    It is difficult to make general statements about good and bad 
practices in this area, because adjustments can take many different 
forms. The following examples illustrate how supervisors would be 
likely to evaluate particular adjustments observed in practice.
    Example 1. A bank divides observed defaults into segments 
according to collateral type. One of the segments has too few 
observations to produce a reliable estimate. Relying on external 
data and judgment, the bank determines that the segment's estimated 
severity of loss falls somewhere between the estimates for two other 
categories. This segment's severity is set judgmentally to be the 
mean of the estimates for the other segments. This practice is 
consistent with the standard.
    Example 2. A bank does not know when recoveries (and related 
costs) occurred in a portfolio segment; therefore, it cannot 
properly discount the segment's cash flows. However, the bank has 
sufficient internal data to calculate economic loss for defaulted 
facilities in another portfolio segment. The bank can support the 
assumption that the timing of cash flows for the two segments is 
comparable. Using the available data and informed judgment, the bank 
estimates that the measured loss without discounting should be 
grossed up to account for the time value of money and the 
opportunity cost of funds. This practice is consistent with the 
standard.
    Example 3. A bank segments internal defaults in a business unit 
by some factors, including collateral. Although the available 
internal and external evidence indicates a higher LGD, the bank 
judgmentally assigns a loss estimate of 2 percent for facilities 
secured by cash collateral. The basis for this adjustment is that 
the lower estimate is justified by the expectation that the bank 
would do a better job of following policies for monitoring cash 
collateral in the future. Such an adjustment is generally not 
appropriate because it is based on projections of future performance 
rather than realized experience. This practice is not consistent 
with the standard.
Mapping
    LGD mapping follows the same general principles that PD mapping 
does. A mapping must be plausible and must be based on a comparison of 
severity-related data elements common to both the reference data and 
the current portfolio. The mapping approach is expected to be unbiased, 
such that the exercise of judgment does not consistently lower LGD 
estimates. The default definitions in the reference data and the 
current portfolio of obligors should be comparable. The mapping process 
must be updated regularly, well-documented, and independently reviewed.
    S. A bank must conduct a robust comparison of available common 
elements in the reference data and the portfolio.
    Mapping involves matching facility-specific data elements available 
in the current portfolio to the factors in the reference data set used 
to estimate expected loss severity rates. Examples of factors that 
influence loss rates include collateral type and coverage, seniority, 
industry, and location.
    At least three kinds of mapping challenges may arise. First, even 
if similarly named variables are available in the reference data and 
portfolio data, they may not be directly comparable. For example, the 
definition of particular collateral types, or the meaning of 
``secured,'' may vary from one application to another. Hence, a bank 
must ensure that linked variables are truly similar. Although 
adjustments to enhance comparability can be appropriate, they must be 
rigorously developed and documented. Second, levels of aggregation may 
vary. For example, the reference data may only broadly identify 
collateral types, such as financial and nonfinancial. The bank's 
information systems for its portfolio might supply more detail, with a 
wide variety of collateral type identifiers. To apply the estimates 
derived from the reference data, the internal data must be regrouped to 
match the coarser level of aggregation in the reference data. Third, 
reference data often do not include workout costs and will often use 
different discounting. Judgmental adjustments for such problems must be 
well-documented and, as much as possible, empirically based.
    S. A mapping process must be established for each reference data 
set and for each estimation model.
    Mapping is never self-evident. Even when reference data are drawn 
from internal default experience, a bank must still link the 
characteristics of the reference data with those of the current 
portfolio.
    Different data sets and different approaches to severity estimation 
may be entirely appropriate, especially for different business segments 
or product lines. Each mapping process must be specified and 
documented.
Application
    At the application stage, banks apply the LGD estimation framework 
to their current portfolio of credit exposures. Doing so might require 
them to aggregate individual LGD estimates into broader averages (for 
example, into discrete severity grades) or to combine estimates in 
various ways.
    The inherent variability of recovery, due in part to unanticipated 
circumstances, demonstrates that no facility type is wholly risk-free, 
regardless of structure, collateral type, or collateral coverage. The 
existence of

[[Page 45966]]

recovery risk dictates that application of a zero percent LGD is not 
acceptable.
    S. IRB institutions that aggregate LGD estimates for severity 
grades from individual exposures within those grades must have a clear 
policy governing the aggregation process.
    Banks with discrete severity grades compute a single estimate of 
LGD for a representative exposure within each of those grades. If a 
bank with a discrete scale of severity grades maps those grades to the 
reference data using grade mapping, there will be a single estimate of 
LGD for each grade, and the bank does not need to aggregate further. 
However, if the bank maps at the individual transaction level, the bank 
may then choose to aggregate those individual LGD estimates to the 
grade level and use the grade LGD in capital calculations. Because 
different methods of aggregation are possible, a bank must have a clear 
policy regarding how aggregation should be accomplished; in general, 
simple averaging is preferred. (This standard is irrelevant for banks 
that choose to assign LGD estimates directly to individual exposures 
rather than grades, because aggregation is not required in that case.)
    S. An IRB institution must have a policy describing how it combines 
multiple sets of reference data.
    Multiple data sets may produce superior estimates of loss severity, 
if the results are appropriately combined. Combining such sets 
differently usually produces different estimates of LGD. As a matter of 
internal policy, a bank should investigate alternative combinations, 
and document the impact on the estimates. If the results are highly 
sensitive to the manner in which different data sources are combined, 
the bank must choose conservatively among the alternatives.

D. Exposure at Default (EAD)

    Compared with PD and LGD quantification, EAD quantification is less 
advanced. As such, it is addressed in somewhat less detail in this 
guidance than are PD and LGD quantification. Banks should continue to 
innovate in the area EAD estimation, refining and improving practices 
in EAD measurement and prediction. Additional supervisory guidance will 
be provided as more data become available and estimation techniques 
evolve.
    A bank must provide an estimate of expected EAD for each facility 
in its portfolio. EAD is defined as the bank's expected gross dollar 
exposure of the facility upon the obligor's default. For fixed 
exposures like term loans, EAD is equal to the current amount 
outstanding. For variable exposures such as loan commitments or lines 
of credit, exposure is equal to current outstandings plus an estimate 
of additional drawings up to the time of default. This additional 
drawdown, identified as loan equivalent exposure (LEQ) in many 
institutions, is typically expressed as a percentage of the current 
total committed but undrawn amount. EAD can thus be represented as:

EAD = current outstanding + LEQ x (total committed-current outstanding)

As it is the LEQ that must be estimated, LEQ is the focus of this 
guidance.
    Even though EAD estimation is less sophisticated than PD and LGD 
estimation, a bank still develops EAD estimates by working through the 
four stages that produce the other types of quantification: The bank 
must use a reference data set; it must apply an estimation technique to 
produce an expected total dollar exposure at default for a facility 
with a given array of characteristics; it must map its current 
portfolio to the reference data; and, by applying the estimation model, 
it must generate an EAD estimate for each portfolio facility or 
facility-type, as the case may be.
Data
    Like reference data sets used for LGD estimation, LEQ data sets 
contain only exposures to defaulting obligors. In many cases, the same 
reference data may be used for both LGD and LEQ. In addition to 
relevant descriptive characteristics (referred to as ``drivers'') that 
can be used in estimation, the reference data must include historical 
information on the exposure (both drawn and undrawn amounts) as of some 
date prior to default, as well as the drawn exposure at the date of 
default.
    As discussed below under ``Estimation,'' LEQ estimates may be 
developed using either a cohort method or a fixed-horizon method. The 
bank's reference data set must be structured so that it is consistent 
with the estimation method the bank applies. Thus, the data must 
include information on the total commitment, the undrawn amount, and 
the exposure drivers for each defaulted facility, either at fixed 
calendar dates for the cohort method or at a fixed interval prior to 
the default date for the fixed-horizon method.
    The reference data must contain variables that enable the bank to 
group the exposures to defaulted obligors in meaningful ways. Obligor 
and facility risk ratings are commonly believed to be significant 
characteristics for predicting additional drawdown. Since less 
empirical research has been done on EAD estimation, little is known 
about other potential drivers of EAD. Among the many possibilities, 
banks may consider time from origination, time to expiration or 
renewal, economic conditions, risk rating changes, or certain types of 
covenants. Some potential drivers may be linked to a bank's credit risk 
management skills, while others may be exogenous. Industry practice is 
likely to improve as banks extend their research to identify other 
meaningful drivers of EAD.
    A bank must ensure continued applicability of the reference data to 
its current portfolio of facilities. The reference data must include 
the types of variable exposures found in a bank's current portfolio. 
The definitions of default and exposure in the reference data should be 
consistent with the IRB definition of default, and consistent with the 
definitions used for PD and LGD quantification. Established processes 
must be in place to ensure that reference data sets are updated when 
new data are available. All data sources, variables, and the overall 
processes governing data collection and maintenance must be fully 
documented, and that documentation should be readily available for 
review.
    Seven years of data are required for EAD (or LEQ) estimation. The 
sample should include periods during which default rates were 
relatively high, and ideally cover a complete economic cycle.
Estimation
    To derive LEQ estimates, characteristics of the reference data are 
related to additional drawings preceding a default event. The 
estimation process must be capable of producing a plausible estimate of 
LEQ to support the EAD calculation for each facility. Two broad types 
of estimation methods are used in practice, the cohort method and the 
fixed-horizon method.
    Under the cohort method, a bank groups defaults into discrete 
calendar periods (such as a year or a quarter). The bank then estimates 
the relationship between the drivers as of the start of that calendar 
period, and EAD or LEQ for each exposure to a defaulter. For each 
exposure category (that is, for each combination of exposure drivers 
identified by the bank), the LEQ estimate is calculated as the mean 
additional drawing for facilities in that category. To combine results 
for multiple periods into a single long-run average, the period-by-
period means should be weighted by the proportion of defaults occurring 
in each period.
    Under the fixed-horizon method, for each exposure to a defaulted 
obligor the

[[Page 45967]]

bank compares additional drawdowns to the total commitment but undrawn 
amount that existed at the start of a fixed interval prior to the date 
of the default (the horizon). For example, the bank might base its 
estimates on a reference data set that supplies the actual exposure at 
default along with the drawn and undrawn amounts (as well as relevant 
drivers) at a date a fixed number of months prior to the date of each 
default, regardless of the actual calendar date on which the default 
occurred. Estimates of LEQ are computed from the average drawdowns that 
occur over the fixed-horizon interval, for whatever combinations of the 
driving variables the bank has determined are relevant for explaining 
and predicting exposure at default.
    Evidence may indicate that LEQ estimates are positively correlated 
with economic downturns; that is, it may be that LEQs increase during 
high-default periods. If so, the higher drawdowns that occur during 
high-default periods are denoted ``stress-condition LEQs,'' analogous 
to the ``stress-condition LGDs'' discussed earlier in this chapter. For 
any exposure type whose LEQ estimates exhibit material cyclicality, a 
bank must use the stress-condition LEQ for purposes of calculating EAD.
    In general, all available data should be used; particular 
observations or time periods should not be excluded from the data 
sample. Any adjustments a bank makes to the estimation results should 
be justified and fully documented. The analysis should be refreshed 
periodically as new data become available, and a bank should have a 
process in place to ensure that advances in analytical techniques and 
industry practice are considered as they emerge and are incorporated as 
appropriate. LEQ estimates should be updated at least annually. 
Detailed documentation, ongoing validation, and adequate oversight are 
fundamental controls that support a sound estimation process.
Mapping
    If the same variables that drive exposure in the reference data are 
also available for facilities in the portfolio, mapping may be 
relatively easy. However, the bank must still review the definitions to 
ensure that variables that seem to be the same actually are. If the 
relevant variables are not available in a bank's current portfolio 
information system, the bank will encounter the same mapping 
complexities that it does when mapping for PD and LGD in similar 
circumstances. A bank should have well-documented policies that govern 
the mapping. Any exceptions to mapping policy should be reviewed, 
justified and fully documented. Mapping may be done for each exposure 
or for broad categories of exposure; the latter would be analogous to 
the ``grade mapping'' discussed earlier in this chapter.
Application
    In the application stage, the estimated relationship between 
drivers and LEQ is applied to the bank's actual portfolio. To ensure 
that estimated EAD is at least as large as the currently drawn amount 
for all exposures, LEQs must not be negative. Multiple reference data 
sets may be used for LEQ estimation and combined at the application 
stage; those combinations should be rigorously developed, approved, and 
documented. Any smoothing or use of expert judgment to adjust the 
results should be well-justified and clearly documented. This includes 
any adjustment for definitions of default that do not meet the 
supervisory standards. The less robust the process, the more 
conservative the result should be.
    Some facility types may be treated as exceptions, and assigned an 
LEQ that does not vary with characteristics such as line of business or 
risk rating. Such exceptional treatment should be clearly justified, 
and the justification should be fully documented.
    EAD may be particularly sensitive to changes in the way banks 
manage individual credits. For example, a change in policy regarding 
covenants may have a significant impact on LEQ. When such changes take 
place, the bank should consider them when making its estimates--and it 
should do so from a conservative point of view. Policy changes likely 
to significantly increase LEQ should prompt immediate increases in LEQ 
estimates. If a bank's policy changes seem likely to reduce LEQ, 
estimates should be reduced only after the bank accumulates a 
significant amount of actual experience under the new policy to support 
the reductions.

E. Maturity (M)

    A bank must assign a value of effective remaining maturity (M) to 
each credit exposure in its portfolio. In general, M is the weighted-
average number of years to receipt of the cash flows the bank expects 
under the contractual terms of the exposure, where the weights are 
equal to the fraction of the total undiscounted cash flow to be 
received at each date. Mathematically, M is given by:
[GRAPHIC] [TIFF OMITTED] TN04AU03.008

where wt is the fraction of the total cash flow received at 
time t, that is:
[GRAPHIC] [TIFF OMITTED] TN04AU03.009

Ct is the undiscounted cash flow received at time t, with t 
measured in years from the date of the calculation of M.
    Effective maturity, sometimes referred to as ``average life,'' need 
not be a whole number, and often is not. For example, if 33 percent of 
the cash flow is expected at the end of one year (t=1) and the other 67 
percent two years from today (t=2), then M is calculated as:

M = (1x0.33) + (2x0.67) = 1.67

for an effective maturity of 1.67 years. This value of M would be used 
in the IRB capital calculation.
    The relevant cash flows are the future payments the bank expects to 
receive from the obligor, regardless of form; they may include payments 
of interest or fees, principal repayments, or other types of payments 
depending on the structure of the transaction. For exposures whose cash 
flow schedule is virtually predetermined unless the obligors defaults 
(fixed-rate loans, for example), the calculation of the weighted-
average remaining maturity is straightforward, using the scheduled 
timing and amounts of the individual undiscounted cash flows. These 
cash flows should be the contractually expected payments; the bank 
should not take into account the possibility of delayed or reduced cash 
flows due to potential future default.
    Cash flows associated with other types of credit exposures may be 
somewhat less certain. In such cases, the bank must establish a method 
of projecting expected cash flows. In general, the method used for any 
exposure should be the same as the one used by the bank for purposes of 
valuation or risk management. The method must be well-documented and 
subject to independent review and approval. A bank must demonstrate 
that the method used is standard industry practice, that it is widely 
used within the bank for purposes other than regulatory capital 
calculations, or both.
    To be conservative, a bank may set M equal to the maximum number of 
years the obligor could take to fully discharge the contractual 
obligation (provided that the maximum is not longer than five years, as 
noted below). In many cases, this maximum will correspond to the stated 
or nominal maturity of the instrument. Banks must make this 
conservative choice (maximum nominal maturity) if the timing and 
amounts of

[[Page 45968]]

the cash flows on the exposure cannot be projected with a reasonable 
degree of confidence.
    Certain over-the-counter derivatives contracts and repurchase 
transactions may be subject to master netting agreements. In such 
cases, the bank may compute a single value of M for the transactions as 
a group by weighting each individual transaction's effective maturity 
by that transaction's share of the total notional value subject to the 
netting agreement, and summing the result across all of the 
transactions.
    For IRB capital calculations, the value of M for any exposure is 
subject to certain upper and lower limits, regardless of the actual 
effective maturity of the exposure. In all cases, the value of M should 
be no greater than 5 years. If an exposure clearly has an effective 
maturity that exceeds this upper limit, the bank may simply use a value 
of M=5 rather than calculating the actual effective maturity.
    For most exposures, the value of M must be no less than one year. 
For certain short-term exposures (repo-style transactions, money market 
transactions, trade finance-related transactions, and exposures arising 
from payment and settlement processes) that are not part of a bank's 
ongoing financing of a borrower and that have an original maturity of 
less than three months, M may be set as low as one day. For over-the-
counter derivative and repurchase-style transactions subject to a 
master netting agreement, weighted average maturity must be set at no 
less than five days.

F. Validation

    Values of PD, LGD, and EAD are estimates with implications for 
credit risk and the future performance of a bank's credit portfolio 
under IRB; in essence, they are forecasts. ``Validation'' of these 
estimates describes the full range of activities used to assess their 
quality as forecasts of default rates, loss severity rates, and 
exposures at default. Chapter 1 discusses validation of IRB systems in 
general; this section focuses specifically on ratings quantification, 
which includes the assignment of PD to obligor grades and the 
assignment of LGD, EAD, and M to exposures.
    S. A validation process must cover all aspects of IRB 
quantification.
    Banks must have a process for validating IRB quantification; their 
policies must state who is accountable for validation, and describe the 
actions that will proceed from the different possible results. 
Validation should focus on the three estimated IRB parameters (PD, LGD, 
and EAD). Although the established validation process should result in 
an overall assessment of IRB quantification for each parameter, it also 
must cover each of the four stages of the quantification process as 
described in preceding sections of this chapter (data, estimation, 
mapping, and application). The validation process must be fully 
documented, and must be approved by appropriate levels of the bank's 
senior management. The process must be updated periodically to 
incorporate new developments in validation practices and to ensure that 
validation methods remain appropriate; documentation must be updated 
whenever validation methods change.
    Banks should use a variety of validation approaches or tools; no 
single validation tool can completely and conclusively assess IRB 
quantification. Three broad types of tools that are useful in this 
regard are evaluation of the conceptual soundness of the approach to 
quantification (evaluation of logic), comparison to other sources of 
data or estimates (benchmarking), and comparisons of actual outcomes to 
predictions (back-testing). Each of these types of tools has a role to 
play in validation, although the role varies across the four stages of 
quantification.
    Evaluation of logic is essential in validating all stages of the 
quantification process. The quantification process requires banks to 
adopt methods, choose variables, and make adjustments; each of these 
actions requires an exercise of judgment. Validation should ensure that 
these judgments are plausible and informed.
    A bank should also validate estimates by comparing them with 
relevant external sources, a process broadly described as benchmarking. 
``External'' in this context refers to anything other than the specific 
reference data, estimation approach, or mapping under consideration. 
Reference data can be compared with other data sources; choices of 
variables can be compared with similar choices made by others; 
estimation results can be compared with the results of alternative 
estimation methods using the same reference data. Other data sources 
may show that default and severity rates across the economy or the 
banking system are high or low relative to other periods, or may reveal 
unusual effects in parts of the quality spectrum.
    Effective validation must compare actual results with predictions. 
Such comparisons, often referred to as ``back-testing,'' are valuable 
comprehensive tests of the rating system and its quantification. 
However, they are only one element of the broader validation regime, 
and should not be a bank's only method of validation. Because they test 
the results of the rating system as a whole, they are unlikely to 
identify specific reasons for any divergence between expectations and 
realizations. Rather they will indicate only that further investigation 
is necessary.
    By applying back-testing to the reference data set as it is updated 
with new data, a bank can improve the estimation process. To further 
improve the process, a bank must regularly compare realized default 
rates, loss severities, and exposure-at-default experience from its 
portfolio with the PD, LGD, and EAD estimates on which capital 
calculations are based. Realizations should be compared with expected 
ranges based on the estimates. These expected ranges should take into 
account the bank's rating philosophy (the relative weight given to 
current and stress conditions in assigning ratings). Depending on that 
philosophy, year-by-year realized default rates and loss severities may 
be expected to differ significantly from the long-run average. If a 
bank adjusts final estimates to be conservative, it should likely do 
its back-testing on the unadjusted estimates.
    A bank's quantitative testing methods and other validation 
techniques should be robust to economic cycles. A sound validation 
process should take business cycles into account, and any adjustments 
for stages of the cycle should be clearly specified in advance and 
fully documented as part of the validation policy. The fact that a year 
has been ``unusual'' should not be taken as a reason to abandon the 
bank's standard validation practices.
    S. A bank must comprehensively validate parameter estimates at 
least annually, must document the results, and must report these 
results to senior management.
    A full and comprehensive annual validation is a minimum for 
effective risk management under IRB. More frequent validation may be 
appropriate for certain parts of the IRB system and in certain 
circumstances; for example, during high-default periods, banks should 
compute realized default and loss severity rates more frequently, 
perhaps quarterly. They must document the results of validation, and 
must report them to appropriate levels of senior risk management.
    S. The validation policy must outline appropriate remedial 
responses to the results of parameter validation.
    The goal of validation should be to continually improve the rating 
process and its quantification. To this end, the bank should establish 
thresholds or accuracy tolerances for validation results. Results that 
breach thresholds

[[Page 45969]]

should bring an appropriate response; that response should depend on 
the results and should not necessarily be to adjust the parameter 
estimates. When realized default, severity, or exposures rates diverge 
from expected ranges, those divergences may point to issues in the 
estimation or mapping elements of quantification. They may also 
indicate potential problems in other parts of the ratings assignment 
process. The bank's validation policy must describe (at least in broad 
terms) the types of responses that should be considered when relevant 
action thresholds are crossed.

Appendix to Part III: Illustrations of the Quantification Process

    This appendix provides examples to show how the logical 
framework described in this guidance, with its four stages (data, 
estimation, mapping, and application), applies when analyzing 
typical current bank practices. The framework is broadly 
applicable--for PD or LGD or EAD; using internal, external, or 
pooled reference data; for simple or complex estimation methods--
although the issues and concerns that arise at each stage depend on 
a bank's approach. These examples are intended only to illustrate 
the logic of the four-stage IRB quantification framework, and should 
not be taken to endorse the particular techniques presented in the 
examples. In fact, certain aspects of the examples are not 
consistent with the standards outlined in this guidance.

Example 1: PD Estimation From Bond Data

    [sbull] A bank establishes a correspondence between its internal 
grades and external rating agency grades; the bank has determined 
that its Grade 4 is equivalent to \3/4\ BB and \1/4\ B on the 
Standard and Poor's scale.
    [sbull] The bank regularly obtains published estimates of mean 
default frequencies for publicly rated BB and B obligors in North 
America from 1970 through 2002.
    [sbull] The BB and B historical default frequencies are weighted 
75/25, and the result is a preliminary PD for the bank's internal 
Grade 4 credits.
    [sbull] However, the bank then increases the PD by 10 percent to 
account for the fact that the S&P definition of default is more 
lenient than the IRB definition.
    [sbull] The bank makes a further adjustment to ensure that the 
resulting grade PD is greater than the PD attributed to Grade 3 and 
less than the PD attributed to Grade 5.
    [sbull] The result is the final PD estimate for Grade 4.

Process Analysis for Example 1

    Data--The reference data set consists of issuers of publicly 
rated debt in North America over the period 1970 through 2002. The 
data description is very basic: each issuer in the reference data is 
described only by its rating (such as AAA, AA, A, BBB, and so on).
    Estimation--The bank could have estimated default rates itself 
using a database purchased from Standard and Poor's, but since these 
estimates would just be the mean default rates per year for each 
grade, the bank could just as well (and in this example does) use 
the published historical default rates from S&P in essence, the 
estimation step has been outsourced to S&P. The 10 percent 
adjustment of PD is part of the estimation process in this case 
because the adjustment was made prior to the application of the 
agency default rates to the internal portfolio data.
    Mapping--The bank's mapping is an example of a grade mapping; 
internal Grade 4 is linked to the 75/25 mix of BB and B. Based on 
the limited information presented in the example, this step should 
be explored further. Specifically, how did the bank determine the 
75/25 mix?
    Application--Although the application step is relatively 
straightforward in this case, the bank does make the adjustment of 
the Grade 4 PD estimate to give it the desired relationship to the 
adjacent grades. This adjustment is part of the application stage 
because it is made after the adjusted agency default rates are 
applied to the internal grades.

Example 2: PD Estimation Using a Merton-Type Equity-Based Model

    [sbull] A bank obtains a 20-year database of North American 
firms with publicly traded equity, some of which defaulted during 
the 20-year period.
    [sbull] The bank uses the Merton approach to modeling equity in 
these firms as a contingent claim, constructing an estimate of each 
firm's distance-to-default at the start of each year in the 
database. The bank then ranks the firm-years within the database by 
distance-to-default, divides the ordered observations into 20 equal 
groups or buckets, and computes a mean historical one-year default 
frequency for each bucket. That default frequency is taken as an 
estimate of the applicable PD for any obligor within the range of 
distance-to-default values represented by each of the 20 buckets.
    [sbull] The bank next looks at all obligors with publicly traded 
shares within each of its internal grades, applies the same Merton-
type model to compute distance-to-default at quarter-end, sorts 
these observations into the 20 buckets from the previous step, and 
assigns the corresponding PD estimate.
    [sbull] For each internal grade, the bank computes the mean of 
the individual obligor default probabilities and uses that average 
as the grade PD.

Process Analysis for Example 2

    Data--The reference data set consists of the North American 
firms with publicly traded equity in the acquired database. The 
reference data are described in this case by a single variable, 
specifically an identifier of the specific distance-to-default range 
from the Merton model (one of the 20 possible in this case) into 
which a firm falls in any year.
    Estimation--The estimation step is simple: the average default 
rate is calculated for each distance-to-default bucket. Since the 
data cover 20 years and a wide range of economic conditions, the 
resulting estimates satisfy the long-run average requirement.
    Mapping--The bank maps selected portfolio obligors to the 
reference data set using the distance-to-default generated by the 
Merton model. However, not all obligors can be mapped, since not all 
have traded equity. This introduces an element of uncertainty into 
the mapping that requires additional analysis by the bank: were the 
mapped obligors representative of other obligors in the same grade? 
The bank would need to demonstrate comparability between the 
publicly traded portfolio obligors and those not publicly traded. It 
may be appropriate for the bank to make conservative adjustments to 
its ultimate PD estimates to compensate for the uncertainty in the 
mapping. The bank also would need further analysis to demonstrate 
that the implied distance-to-default for each internal grade 
represented long-run expectations for obligors assigned to that 
grade; this could involve computing the Merton model for portfolio 
obligors over several years of relevant history that span a wide 
range of credit conditions.
    Application--The final step is aggregation of individual 
obligors to the grade level through calculation of the mean for each 
grade, and application of this grade PD to all obligors in the 
grade. The bank might also choose to modify PD assignments further 
at this stage, combining PD estimates derived from other sources, 
applying adjustments for cyclicality, introducing an appropriate 
degree of conservatism, or making other adjustments.

Example 3: LGD Estimation From Internal Default Data

    [sbull] For each loan in its portfolio, a bank records 
collateral coverage as a percentage, as well as which of four types 
of collateral applies.
    [sbull] A bank has retained data on all defaulted loans since 
1995. For each defaulted loan in the database, the bank has a record 
of the collateral type within the same four broad categories. 
However, collateral coverage is only recorded at three levels (low, 
moderate, or high, depending on the ratio of collateral to exposure 
at default).
    [sbull] The bank also records the timing and discounted value of 
recoveries net of workout costs for each defaulted loan in the 
database. Cash flows are tracked from the date of default to a 
``resolution date,'' defined as the point at which the remaining 
balance is less than 5 percent of the exposure at the time of 
default. A recovery percentage is computed, equal to the value of 
recoveries discounted to the date of default, divided by the 
exposure at default.
    [sbull] For each cell (each of the 12 combinations of collateral 
type and coverage), the bank computes a simple mean LGD percentage 
as the mean of one minus the recovery percentage. One of the 
categories has a mean LGD of less than zero (recoveries have 
exceeded exposure on average), so the bank sets the LGD at zero to 
be conservative.
    [sbull] The bank assigns an estimate of expected LGD to each 
loan in the current portfolio by using collateral information to 
slot it into one of the 12 cells. The bank then applies the mean 
historical LGD for that cell and adjusts the result upward by 10 
percent to compensate for the fact that the loss data come from a 
period believed to be unusually good economic performance.

[[Page 45970]]

Process Analysis for Example 3

    Data--The reference data is the collection of historical 
defaults with the loss amounts from the bank's historical portfolio. 
The reference data are described by the two categorical variables 
(levels of collateral coverage and types of collateral). It would be 
important to determine whether the defaults over the past few years 
are comparable to defaults from the current portfolio. One would 
also want to ask why the bank ignores potentially valuable 
information by converting the continuous data on collateral coverage 
into a trimodal categorical variable.
    Estimation--Conceptually, the bank is using a ``loss severity 
model'' in which 12 binary variables, one for each loan coverage/
type combination, explain the percentage loss. The coefficients on 
the variables are just the mean loss figures from the reference 
data.
    Mapping--Mapping in this case is fairly straightforward, since 
all of the relevant characteristics of the reference data are also 
in the loan system for the current portfolio. However, the bank 
should determine whether the variables are being recorded in the 
same way (for example, the same definitions of collateral types), 
otherwise some adjustment might be needed.
    Application--The bank is able to apply the loss model by simply 
plugging in the relevant values for the current portfolio (or what 
amounts to the same thing, looking up the cell mean). The bank's 
assignment of zero LGD for one of the cells merits special 
attention; while the bank represented this assignment as 
conservative, the adjustment does not satisfy the supervisory 
requirement that LGD must exceed zero. A larger upward adjustment is 
necessary. Finally, the upward adjustment of the LGD numbers to 
account for the benign environment in which the reference data were 
generated presents one additional wrinkle. The bank must provide a 
well-documented, empirically based analysis of why a 10 percent 
upward adjustment is sufficient.

IV. Data Maintenance

A. Overview

    Institutions using the IRB approach for regulatory capital purposes 
will need advanced data management practices to produce credible and 
reliable risk estimates. The guiding principle governing an IRB data 
maintenance system is that it must support the requirements for the 
quantification, validation, control and oversight mechanisms described 
in this guidance, as well as the institution's broader risk management 
and reporting needs. The precise data elements to be collected will be 
dictated by the features and methodology of the IRB system employed by 
the institution. The necessary data elements will therefore vary by 
institution and even among business lines within an institution.
    Institutions will have latitude in managing their data, subject to 
the following key data maintenance standards:
    Life Cycle Tracking--institutions must collect, maintain, and 
analyze essential data for obligors and facilities throughout the life 
and disposition of the credit exposure.
    Rating Assignment Data--institutions must capture all significant 
quantitative and qualitative factors used to assign the obligor and 
loss severity ratings.
    Support of IRB System--data collected by institutions must be of 
sufficient depth, scope, and reliability to:
    [sbull] Validate IRB system processes,
    [sbull] Validate parameters,
    [sbull] Refine the IRB system,
    [sbull] Develop internal parameter estimates,
    [sbull] Apply improvements historically,
    [sbull] Calculate capital ratios,
    [sbull] Produce internal and public reports, and
    [sbull] Support risk management.
    This chapter covers the requirements for maintaining internal data. 
Reference data sets used for estimating IRB parameters are discussed in 
Chapter 2.

B. Data Maintenance Framework

Life Cycle Tracking
    S. Institutions must collect, maintain, and analyze essential data 
for obligors and facilities throughout the life and disposition of the 
credit exposure.
    Using a life cycle or ``cradle to grave'' concept for each obligor 
and facility supports front-end validation, back-testing, system 
refinements and risk parameter estimates. A depiction of life-cycle 
tracking follows:
[GRAPHIC] [TIFF OMITTED] TN04AU03.001

    Data elements must be recorded at origination and whenever the 
rating is reviewed, regardless of whether the rating is actually 
changed. Data elements associated with current and past ratings must be 
retained and include the following:
    [sbull] Key borrower and facility characteristics,
    [sbull] Ratings for obligor and loss severity grades,
    [sbull] Key factors used to assign the ratings,
    [sbull] Person or model responsible for assigning the rating,
    [sbull] Date rating assigned, and
    [sbull] Overrides to the rating and authorizing individual.
    At disposition, data elements must include:
    [sbull] Nature of disposition: renewal, repayment, loan sale, 
default, restructuring,
    [sbull] For defaults: exposure, actual recoveries, source of 
recoveries, costs of workouts and timing,
    [sbull] Guarantor support,
    [sbull] Sale price for loans sold, and
    [sbull] Other key elements that the bank deems necessary.

[[Page 45971]]

Rating Assignment Data
    S. Institutions must capture all significant quantitative and 
qualitative factors used to assign the obligor and loss severity 
rating.
    Assigning a rating to an obligor requires the systematic collection 
of various borrower characteristics as these factors are critical to 
validating the rating system. Obligors are rated using various methods, 
as discussed in Chapter 1. Each of these methods presents different 
challenges for input collection. For example, in judgmental rating 
systems, the factors used in the ratings decision have not 
traditionally been explicitly recorded. For purposes of an IRB 
approach, institutions that use expert and constrained judgment must 
record these factors and deliver them to the data warehouse.
    For loss severity estimates, institutions must record the basic 
structural characteristics of facilities and the factors used in 
developing the facility rating or LGD estimate. These often include the 
seniority of the credit, the amount and type of collateral, the most 
recent collateral valuation date and its fair value.
    Institutions must also track any overrides of the obligor or loss 
severity rating. Tracking overrides separately allows risk managers to 
identify whether the outcome of such overrides suggests either problems 
with rating criteria, or an improper level of discretion in adjusting 
the ratings.
Example Data Elements
    For illustrative purposes, the following section provides examples 
of the kinds of data elements institutions will collect under an IRB 
data maintenance framework.
General descriptive obligor and facility data
    The data below could be contained within a loan record or derived 
from various sources within the data warehouse. Guarantor data 
requirements are the same as for the obligor.
Obligor/Guarantor Data
    [sbull] General data: name, address, industry
    [sbull] ID number (unique for all related parent/sub relationships)
    [sbull] Rating, date, and rater
    [sbull] PD percentage corresponding to rating
General Facility Characteristics
    [sbull] Facility amounts: committed, outstanding
    [sbull] Facility type: Term, revolver, bullet, amortizing, etc.
    [sbull] Purpose: acquisition, expansion, liquidity, inventory, 
working capital
    [sbull] Covenants
    [sbull] Facility ID number
    [sbull] Origination and maturity dates
    [sbull] Last renewal date
    [sbull] Obligor ID link
    [sbull] Rating, date and rater
    [sbull] LGD dollar amount or percentage
    [sbull] EAD dollar amount or percentage
Rating Assignment Data
    The data below provide an example of the categories and types of 
data that institutions must retain in order to continually validate and 
improve rating systems. These data items should tie directly to the 
documented criteria that the institution employs in assigning ratings, 
both qualitative and quantitative. For example, rating criteria often 
include ranges of leverage or cash flow for a particular obligor 
rating. In addition, qualitative factors, such as management 
effectiveness can be recorded in numeric form. For example, a 1 may 
equate to exceptionally strong management, and a 5 to very weak. The 
rating data elements collected should be complete enough so that others 
can review the relevant factors driving the rating decisions.
Quantitative Factors in Obligor Ratings
    [sbull] Asset and sale size
    [sbull] Key ratios used within rating criteria:
--profitability,
--cash flow,
--leverage,
--liquidity, and
--other relevant factors.
Qualitative Factors in Obligor Ratings
    [sbull] Quality of earnings and cash flow
    [sbull] Management effectiveness, reliability
    [sbull] Strategic direction, industry outlook, position
    [sbull] Country factors and political risk
    [sbull] Other relevant factors
External Factors in Obligor Ratings
    [sbull] Public debt rating and trend
    [sbull] External credit model score and trend
Rating Notations
    [sbull] Flag for overrides or exceptions
    [sbull] Authorized individual for changing rating
Key Facility Factors in LGD Ratings
    [sbull] Seniority
    [sbull] Collateral type: (cash, marketable securities, AR, stock, 
RE, etc.)
    [sbull] Collateral value and valuation date
    [sbull] Advance rates, LTV
    [sbull] Industry
    [sbull] Geography
Rating Notations
    [sbull] Flag for overrides or exceptions
    [sbull] Authorized individual for changing rating
Final Disposition Data
    Only recently have institutions begun to collect more complete data 
about a loan's disposition. Many institutions maintain subsidiary 
systems for their problem credits with details recorded, at times 
manually, on systems that were not linked with the institution's 
central loan or risk management systems. The unlinked data are a 
significant hindrance in developing reliable PD, LGD, and EAD 
estimates.
    In advanced systems, the ``grave'' portion of obligor and exposure 
tracking is an essential component for producing and validating risk 
estimates and is an important feedback mechanism for adjusting and 
improving risk estimates over time. Essential data elements are 
outlined below.
Obligor/Guarantor
    [sbull] Default date
    [sbull] Circumstances of default (for example, nonaccrual, 
bankruptcy chapters 7-11, nonpayment)
Facility
    [sbull] Outstandings at default
    [sbull] Amounts undrawn and outstanding plus time series prior to 
and through default
Disposition
    [sbull] Amounts recovered and dates (including source: cash, 
collateral, guarantor, etc.)
    [sbull] Collection cost and dates
    [sbull] Discount factors to determine economic cost of collection
    [sbull] Final disposition (for example, restructuring or sale)
    [sbull] Sales price, if applicable
    [sbull] Accounting items (charge-offs to date, purchased discounts)

C. Data Element Functions

    S. Data elements must be of sufficient depth, scope, and 
reliability to:
    [sbull] Validate IRB system processes,
    [sbull] Validate parameters,
    [sbull] Refine the IRB system,
    [sbull] Develop internal parameter estimates,
    [sbull] Apply improvements historically,
    [sbull] Calculate capital ratios,
    [sbull] Produce internal and public reports, and
    [sbull] Support risk management.
Validation and Refinement
    The data elements collected by institutions must be capable of 
meeting

[[Page 45972]]

the validation requirements described in Chapters 1 and 2. These 
requirements include validating the institution's IRB system processes, 
including the ``front end'' aspects such as assigning ratings so that 
any issues can be identified early. The data must support efforts to 
identify whether raters and models are following rating criteria and 
policies and whether ratings are consistent across portfolios. In 
addition, data must support the validation of parameters, particularly 
the comparison of realized outcomes with estimates. Thorough data on 
default and disposition characteristics are of paramount importance for 
parameter back-testing.
    A rich source of data for validation efforts provides insights on 
the performance of the IRB system, and contributes to a learning 
environment in which refinements can be made to the system. These 
potential refinements include enhancements to rating assignment 
controls, processes, criteria or model coefficients, rating system 
architecture and parameter estimates.
Developing Parameter Estimates
    As detailed in Chapter 2, institutions will be developing their PD, 
LGD, and EAD parameter estimates using reference data sets comprised of 
internal, pooled, and external data. Institutions are expected to work 
toward eventually using as much of their own experience as possible in 
their reference data sets.
Applying Rating System Improvements Historically
    For loss severity estimates, institutions must record the basic 
structural characteristics of facilities and the factors used in 
developing the facility rating or LGD estimate. These often include the 
seniority of the credit, the amount and type of collateral, the most 
recent collateral valuation date and its fair value.
    To maintain a consistent series of information for credit risk 
monitoring and validation purposes, institutions need to be able to 
apply historically improvements they make to their rating systems. In 
the example below, a bank experiences unexpected and rapid migrations 
and defaults in its grade 4 category during 2006. Analysis of the 
actual financial condition of borrowers that defaulted compared with 
those that did not suggests the debt-to-EBITDA range for its expert 
judgment criteria of 3.0 to 5.5 is too broad. Research indicates that 
grade 4 should be redefined to include only borrowers with debt-to-
EBITDA ratios of 3.0-4.5 and grade 5 as 4.5-6.5. In 2007, the change is 
initiated, but prior years' numbers are not recast (see Exhibit A). 
Consequently, a break in the series prevents the bank from evaluating 
credit quality changes over several years and from identifying whether 
applying the new rating criteria historically provides reasonable 
results.
[GRAPHIC] [TIFF OMITTED] TN04AU03.007

    Recognizing the need to provide senior managers and board members 
with a consistent risk trend, the new criteria are applied historically 
to obligors in grades 4 and 5 as reflected in Exhibit B. The original 
ratings assigned to the grades are maintained along with notations 
describing what the grade would be under the new rating criteria. If 
the precise weight an expert has given one of the redefined criteria is 
unknown, institutions are expected to make estimates on a best efforts 
basis. After the retroactive reallocation process, the bank observes 
that the mix of obligors in grade 5 declined somewhat over the past 
several years while the mix in grade 4 increased slightly. This 
contrasts with the trend identified before the retroactive 
reallocation. The result is that the multiyear transition statistics 
for grades 4 and 5 provide risk managers a clearer picture of risk.

[[Page 45973]]

[GRAPHIC] [TIFF OMITTED] TN04AU03.002

    This example is based on applying ratings historically using data 
already collected by the bank. However, for some rating system 
refinements, institutions may identify in the future drivers of default 
or loss that might not have been collected for borrowers or facilities 
in the past. That is why institutions are encouraged to collect data 
that they believe may serve as a stronger predictor of default in the 
future. For example, certain elements of a borrower's cash flow might 
currently be suspected to overstate actual operational health for a 
particular industry. In the future, should an institution decide to 
deduct this item from cash flow with a resulting downgrade of many 
obligor ratings, the institution that collected these data could apply 
this rating change for prior years. This would provide the benefit of 
providing a consistent picture of risk over time and also present 
opportunities to validate the new criteria using historical data. 
Recognizing that institutions will not be able to anticipate fully the 
data they might find useful in the future, institutions are expected to 
reallocate grades on a best efforts basis when practical.
Calculating Capital Ratios and Reporting to the Public
    Data retained by the bank will be essential for regulatory risk-
based capital calculations and public reporting under the Pillar 3 
disclosures. These uses underscore the need for a well-defined data 
maintenance framework and strong controls over data integrity. Control 
processes and data elements themselves should also be subject to 
periodic verification and testing by internal and external auditors. 
Supervisors will rely on these processes and also perform testing as 
circumstances warrant.
Supporting Risk Management
    The information that can be gleaned from more extensive data 
collection will support a broad range of risk management activities. 
Risk management functions will rely on accurate and timely data to 
track credit quality, make informed portfolio risk mitigation 
decisions, and perform portfolio stress tests. Trends developed from 
obligor and facility risk rating data will be used to support internal 
capital allocation models, pricing models, ALLL calculations, and 
performance management measures, among others. Summaries of these are 
included in reports to institutions' boards of directors, regulators, 
and in public disclosures.

D. Managing Data Quality and Integrity

    Because data are collected at so many different stages involving a 
variety of groups and individuals, there are numerous challenges to 
ensuring the quality of the data. For example:
    [sbull] Data will be retained over long timeframes,
    [sbull] Qualitative risk-rating variables will have subjective 
elements and will be open to interpretation, and
    [sbull] Exposures will be acquired through mergers and purchases, 
but without an adequate and easily retrievable institutional rating 
history.
Documentation and Definitions
    S. Institutions must document the process for delivering, retaining 
and updating inputs to the data warehouse and ensuring data integrity.
    Given the many challenges presented by data for an IRB system, the 
management of data must be formalized. Fully documenting how the 
institution's flow of data is managed provides a means for evaluating 
whether the data maintenance framework is functioning as intended. 
Moreover, institutions must be able to communicate to individuals 
developing or delivering various data the precise definition of the 
items intended to be collected. Consequently, a ``data dictionary'' is 
necessary to ensure consistent inputs from individuals and data vendors 
and to allow third parties (such as the rating system review function, 
auditors, or bank supervisors) to evaluate data quality and integrity.
    S. Institutions must develop comprehensive definitions for the data 
elements used within each credit group or business line (a ``data 
dictionary'').
Electronic Storage
    S. Institutions must store data in electronic format to allow 
timely retrieval for analysis, validation of risk rating systems, and 
required disclosures.
    To meet the significant data management challenges presented by the 
validation and control features of an IRB system, institutions will 
need to store their data electronically. Institutions will have a 
variety of storage techniques and potentially a variety of systems to 
create their data

[[Page 45974]]

warehouses. IRB data requirements can be achieved by melding together 
existing accounting, servicing, processing, workout and risk management 
systems, provided the linkages among these systems are well documented 
and include sufficient edit and integrity checks to ensure the data can 
be used reliably.
    Institutions without electronic databases would need to resort to 
manual reviews of paper files for ongoing back-testing and ad hoc 
``forensic'' data mining and would be unable to perform that work in 
the timely and comprehensive manner required of IRB systems. Forensic 
mining of paper files to build an initial data warehouse from the 
institution's credit history is encouraged. In some instances, paper 
research may be necessary to identify data elements or factors not 
originally considered significant in estimating the risk of a 
particular class of obligor or facility.
Data Gaps
    Rating histories are often lost or are irretrievable for loans 
acquired through mergers, acquisitions, or portfolio purchases. 
Institutions are encouraged wherever practical to collect any missing 
historical rating assignment driver data and to re-grade the acquired 
obligors and facilities for prior periods. In cases where retrieving 
historical data is not practical, institutions may attempt to create a 
rating history through a careful mapping of the legacy system and the 
new rating structure. Mapped ratings should be reviewed thoroughly for 
accuracy. The level of effort placed on filling data gaps should be 
commensurate with the size of the new exposures to be newly 
incorporated into the institution's IRB system.

V. Control and Oversight Mechanisms

A. Overview

    Banks' internal rating systems are the foundation for credit-risk 
management practices and play an important role in pricing, reserving, 
portfolio management, performance measurement, economic capital 
modeling, and long-term capital planning. Banks adopting the IRB 
approach will also use their credit-risk ratings to determine 
regulatory capital levels. The pivotal and varied uses of such risk 
ratings put enormous, sometimes conflicting, pressure on banks' 
internal rating systems. The consequences of inaccurate ratings and 
their associated estimates are significant, particularly as they affect 
minimum regulatory capital requirements.
    As risk ratings and their related parameters become better 
integrated in institutions' decision making, conflicting incentives 
arise that, if not well managed, can lead to overly optimistic or 
biased ratings. For example, sales and marketing staff (relationship 
managers or RMs) are typically compensated according to the volume of 
business they generate. That may predispose the RMs to assign more 
favorable ratings in order to achieve rate-of-return and sales 
objectives. More favorable ratings may create the appearance of higher 
risk-adjusted returns and business line profitability. Banks need to be 
aware of the full range of incentive conflicts that arise, and must 
develop effective controls to keep these incentive conflicts in check.
    Banks will have latitude in designing and implementing their 
control structures subject to the following principle:
    IRB institutions must implement a system of controls that includes 
the following elements: independence, transparency, accountability, use 
of ratings, rating system review, internal audit, and board and senior 
management oversight. While banks will have flexibility in how these 
elements are combined, they must incorporate sufficient checks and 
balances to ensure that the credit risk management system is 
functioning properly.
    Banks additionally will want to embody the following more generic 
principles in their control system: separation of duties, balancing 
incentives, and layers of review. Table 4.1 lists the key components of 
an IRB control and oversight system. How these control mechanisms can 
best be combined to reinforce one another is a key challenge for banks 
implementing IRB systems:

Table 4.1 Control and Oversight Mechanisms
[GRAPHIC] [TIFF OMITTED] TN04AU03.003


[[Page 45975]]


    As the following examples indicate, how a bank conducts its 
business will influence how it designs its control structure. A bank 
using an expert-judgment system will likely establish a different set 
of controls than a bank using mainly models. Recognizing that its 
expert-judgment system is less than fully transparent, a bank could 
offset this vulnerability by opting for complete independence in the 
rating approval process and an enhanced rating system review.
    Other considerations would influence the choice of controls when 
banks use models to assign ratings. While the ratings produced by 
models are transparent, a model's performance depends on how well the 
model was developed, the model's logic, and the quality of the data 
used to implement the model. Banks that use models to assign ratings 
must implement a system of controls that addresses model development, 
testing and implementation, data integrity and overrides. These 
activities would be covered by a comprehensive and independent rating 
system review and by ongoing spot checks on the accuracy of model 
inputs. Other control mechanisms such as accountability and audit would 
also be required.

B. Independence in the Rating Approval Process

    An independent rating process is one in which the parties 
responsible for approving ratings and transactions are separate from 
sales and marketing and in which the persons approving ratings are 
principally compensated on risk-rating accuracy. As relative 
independence increases, the likelihood of accurate ratings assignments 
grows markedly.
    S. Ratings must be subject to independent approval or review.
    One way institutions can better achieve objective and accurate risk 
ratings is by ensuring that its rating approval process is independent. 
Institutions that firmly separate sales/marketing from credit are 
better able to manage the conflict between the goal of high sales 
volume and the need for good credit quality. An institution whose 
rating process is less independent must compensate by strengthening 
other control and oversight mechanisms. A significant factor in the 
evaluation of the rating system will be the assessment of whether such 
compensating controls are sufficient to offset a less-than-independent 
ratings process. While the overriding objective is to achieve 
independence in the rating approval process, in some instances, the 
relative materiality of a portfolio and cost/benefit trade-offs may 
support a less rigorous control process.
    The degree of independence achieved in the rating process depends 
on how an institution is organized and how it conducts its lending 
activities.
Rating Approval Processes
    Responsibility for recommending and approving ratings varies by 
institution and, quite often, by portfolio.\7\ At some institutions, 
ratings are assigned and approved by relationship managers (RMs); at 
others, deal teams assign ratings that are later approved by credit 
officers. Still other institutions have independent credit officers 
assign and approve ratings. The culture of an institution and its 
business mix generally determine whether the business line or credit 
function is ultimately responsible for ratings.
---------------------------------------------------------------------------

    \7\ Rating processes vary by institution but generally involve 
an ``assignor'' and an ``approver.'' For instance, at many 
organizations the rating assignor is the person who ``owns'' the 
relationship (such as a ``relationship manager'') and the rating 
approver is an individual with credit authority (a ``credit risk 
manager''). In some cases, the rating assignor and approver are the 
same. Banks that separate the rating assignment and approval 
processes do so in order to minimize potential conflicts of interest 
and the potential for rating errors.
---------------------------------------------------------------------------

    The subsections that follow describe various rating assignment and 
approval structures used by banking organizations and the challenges 
that emerge in ensuring objective and consistent ratings. Any of the 
following structures can work as long as ratings are subject to an 
independent approval or review process, and are not unduly influenced 
by the line of business:
    Relationship Managers. As noted earlier, relationship managers are 
primarily responsible for marketing the bank's products and services, 
and their compensation is tied to the volume of business they generate. 
When RMs also have responsibility for assigning and approving ratings, 
there is an inherent conflict of interest. Credit quality and the 
ability to produce timely and accurate risk ratings are generally not 
major factors in an RM's compensation, even when he or she has 
responsibility for assigning and approving ratings. In addition, RMs 
also may become too close to the borrower to maintain their objectivity 
and remain unbiased. When banks delegate rating responsibility to RMs, 
they must offset the lack of independence with rigorous controls to 
prevent bias from affecting the rating process. Such controls must 
operate in practice, not just on paper, and would include, at a 
minimum, a comprehensive, independent post-closing review of ratings by 
a rating system review function.
    Deal Team. Some major banks employ a ``deal-team'' structure for 
credit origination and rating assignment. Using this approach, all 
members of the team--credit officers, investment bankers, underwriters, 
and others--contribute to analyzing creditworthiness, underwriting the 
deal, and assigning ratings.
    On the one hand, deal teams increase the access of credit officers 
to information on obligors and transactions early in the underwriting 
process, enabling them to make more informed credit decisions and to 
influence facility structure to address obligors' weaknesses. On the 
other hand, participation in the deal team could compromise the credit 
officer's objectivity. While credit officers typically report to an 
independent credit-risk-management function, they also have allegiance 
to the deal team that reports to executives within the sales and 
marketing line of business. In addition, credit officers may defer to 
the members of the team whose compensation is based on the revenue and 
sales volume they generate for the bank. Banks that maintain deal teams 
must ensure that the credit officer's independence is safeguarded 
through independent reporting lines and well-defined performance 
measures (e.g., adherence to policy, rating accuracy and timeliness).
    Credit Officers. Some banks give sole responsibility for assigning 
and approving ratings to credit officers who report to an independent 
credit function. In addition to assigning and approving and assigning 
initial ratings, credit officers regularly monitor the condition of 
obligors and refresh ratings as necessary. The potential downside of 
this structure is that these credit officers may have limited access to 
borrower information. Those credit officers that have a separate 
reporting line and whose compensation is principally based on their 
risk-rating accuracy are typically more independent than RMs or deal 
teams.
    Models. At some institutions, models assign ratings directly; at 
other institutions, models and judgment are combined to rate credits. 
Models introduce a high degree of independence to the rating process, 
but they too require human oversight and controls. Banks that use 
models must incorporate an independent judgmental review of the rating 
assignments to ensure that all relevant information is considered and 
to identify potential rating errors. Judgmental reviews are also needed 
when model outputs are

[[Page 45976]]

overridden. In addition, controls are needed to ensure accuracy of data 
inputs. When a bank uses a model to assign risk ratings, an individual 
obligor's rating is ``transparent.'' However, the model itself is not 
``transparent'' without a great deal of effort to document how the 
model functions.

C. Transparency

    Transparency is the ability of a third party, such as rating system 
reviewers, auditors or bank supervisors, to observe how the rating 
system operates and to understand the pertinent characteristics of 
individual ratings.
    S. IRB institutions must have a transparent rating system.
    Transparency in a rating system is achieved through documentation 
that covers the following:
    [sbull] The rating system's design, purpose, performance horizon, 
and performance standards;
    [sbull] The rating assignment process, including procedures for 
adjustments and overrides;
    [sbull] Rating definitions and criteria, scorecard criteria, and 
model specifications;
    [sbull] Parameter estimates and the process for their estimation;
    [sbull] Definition of the data elements to be warehoused to support 
controls, oversight, validation, and parameter estimation; and
    [sbull] Specific responsibilities of, and performance standards 
for, individuals and units involved in the rating system and its 
oversight.
    Transparency allows third parties (such as rating system review, 
auditors, or supervisors) to evaluate whether the rating system is 
performing as intended. Without transparency, it is difficult to hold 
people accountable for ratings errors and to validate the performance 
of the system.
    S. Rating criteria must be clear and specific and must include 
qualitative and quantitative factors.
    To produce transparent individual ratings, a bank's policies must 
contain clear, detailed ratings definitions. Banks should specify 
criteria for each factor that raters must consider, which may require 
unique rating definitions for certain industries. Banks should consider 
criteria for factors such as liquidity, sales and profitability, debt 
service and fixed charge coverage, minimum equity support, position 
within the industry, strength of management. A rating system with vague 
criteria or one merely defined by PDs or LGDs is not transparent. For 
example, the following rating definitions are not transparent because 
they require the rater to do too much interpreting:
    Borrower exhibits satisfactory quality and demonstrates acceptable 
principal and interest repayment capacity in the near term.
    Lower tier company in a cyclical industry. Unbalanced position with 
tight liquidity and high leverage. Declining or erratic profitability 
and marginal debt service capacity. Management is untested.

D. Accountability

    ``Accountability'' is holding people responsible for their actions 
and establishing adverse consequences for inaccurate ratings.
    S. Policies must identify the parties responsible for rating 
accuracy and rating system performance.
    For accountability to be effective, it should be both observable 
and ingrained in the culture. Persons who assign and approve rate 
credits, derive parameter estimates, or oversee rating systems must be 
held accountable for complying with rating system policies and ensuring 
that aspects of the rating system within their control are as unbiased 
and accurate as possible. These persons must have the tools and 
resources necessary to carry out their responsibilities, and their 
performance should be evaluated against clear and specific objectives 
documented in policy.
Responsibility for Assigning Ratings
    S. Individuals must be held accountable for complying with rating 
system policies and for assigning accurate ratings, and their 
performance and compensation must be linked to well-defined measurable 
performance standards.
    Responsibilities of raters should be clear, and performance should 
be measured against specific objectives. Performance evaluation and 
incentive compensation should be tied to performance goals. Examples of 
performance measures include:
    [sbull] Number and frequency of rating errors,
    [sbull] Significance of errors (for example, multiple downgrades), 
and
    [sbull] Proper and consistent application of criteria, including 
override criteria.
Responsibility for Rating System Performance
    Just as individuals will be held accountable for the accuracy of 
ratings, an individual must be held responsible for the overall 
performance of the rating system. This individual must ensure that the 
rating system and all of its component parts--rating assignments, 
parameter estimation, data collection, control and oversight 
mechanisms--are functioning as intended. While these components often 
are housed within separate units of the organization, an individual 
must be responsible for ensuring that the parts work together 
effectively and efficiently.

E. Use of Ratings

    S. Ratings used for regulatory capital must be the same ratings 
used to guide day-to-day credit risk management activities.
    The different uses and applications of the risk-rating system's 
outputs should promote greater accuracy and consistency of credit-risk 
evaluations across an organization. Ratings and the associated default, 
loss, and EAD estimates need to be incorporated within the credit-risk 
management, internal capital allocation, and corporate governance 
functions of IRB banks.
    S. Banks that use parameter estimates for risk management that are 
different from those used for regulatory capital must provide a well-
documented rationale for the differences.
    PD and LGD parameters used for regulatory capital purposes may not 
be appropriate for other uses purposes. For example, PD estimates used 
to estimate reserve needs could reflect current economic conditions 
that are different from the longer term view appropriate to 
calculations of regulatory capital. When banks employ different 
estimates, those parameters must be defensible and supported by the 
following:
    [sbull] Qualitative and quantitative analysis of the logic and 
rationale for the difference(s); and
    [sbull] Senior management approval of the difference(s).

F. Rating System Review (RSR)

    S. Banks must have a comprehensive, coordinated, independent review 
process to ensure that ratings are accurate and that the rating system 
is performing as intended.
    Rating system review (RSR) ensures that the rating system as a 
whole is functioning as intended. A broad range of responsibilities 
come under RSR's purview, as outlined in Table 4.2:

          Table 4.2.--Responsibilities of Rating System Review
------------------------------------------------------------------------
 
-------------------------------------------------------------------------
Scope of Review:
  Design of the rating system.
  Compliance with policies and procedures, including application of
   criteria.
  Check of all risk-rating grades for accuracy.
  Consistency across industries/portfolios/geographies.

[[Page 45977]]

 
  Model development.
  Model use, including inputs and outputs.
  Overrides and policy exceptions.
  Quantification process.
  Back-testing (perform or review).
  Actual and predicted ratings transitions.
  Benchmarking against third-party data sources (perform or review).
  Adequacy of data maintenance.
Analysis and Reporting:
  Identify errors and flaws.
  Recommend corrective action.
------------------------------------------------------------------------

    For each of these responsibilities, RSR is largely checking and 
confirming the work of others and ensuring that the rating system's 
components work well together. RSR's testing and review should identify 
current and potential weaknesses and should lead to recommendations and 
corrective action such as
    [sbull] Adjusting policies and procedures,
    [sbull] Requiring additional training of staff,
    [sbull] Investing in infrastructure improvements,
    [sbull] Adjusting rating criteria, and
    [sbull] Adjusting parameter estimates.
    S. Rating system review must report significant findings to senior 
management and the board quarterly.
    RSR's role is to identify issues and areas of concern and report 
findings to the area that is accountable. When issues are systematic, 
RSR should bring them to the attention of senior management and the 
board.
    The activities of this function could be distributed across 
multiple areas or housed within one unit. Organizations will choose a 
structure that fits within their management and oversight framework. 
These units must always have high standing within the organization and 
should be staffed by individuals possessing the requisite stature, 
skills, and experience.
    Like internal audit, RSR must be independent from all in-house 
designers and developers (that is, system and model designers) and 
raters (that is, ratings and parameter assigners) in the risk-rating 
process. RSR's independence eliminates potential conflicts of interest 
and gives the group credibility when it reports findings and 
conclusions to the board and senior management.

G. Internal Audit

    S. An independent internal audit function must determine whether 
rating system controls function as intended.
    S. Internal audit must evaluate annually whether the bank is in 
compliance with the risk-based capital regulation and supervisory 
guidance.
    Internal audit determines whether the bank's system of controls 
over internal ratings and the related parameters is robust. In its 
evaluation of controls, internal audit must consider any trade-offs 
made between the various mechanisms and confirm their continued 
appropriateness and relevance. As part of its review of control 
mechanisms, audit will evaluate the depth, scope, and quality of RSR's 
work and will conduct limited testing to ensure that their conclusions 
are well founded. The amount of testing will depend on whether audit is 
the primary or secondary reviewer of that work.
    Internal audit will report to the board and management on whether 
the bank is in compliance with the IRB standards. This report will 
allow the board and management to disclose that its rating processes 
and the controls surrounding these processes are in compliance with the 
IRB standards. This will be critical for public disclosure and ongoing 
work of supervisors.
External Audit
    As part of the process of certifying financial statements, external 
auditors will confirm that the institution's capital position is fairly 
presented. To verify that actual capital exceeds regulatory minimums 
and to confirm compliance with the IRB rules, the external auditors 
must ascertain that the IRB system is rating credit risk appropriately 
and linking these ratings to appropriate estimates. Auditors must 
evaluate the bank's internal control functions and its compliance with 
the risk-based capital regulation and supervisory guidance.

H. Corporate Oversight

    S. The full board or a committee of the board must approve key 
elements of the IRB system.
    Consistent with sound practice, bank management must ensure that a 
corporate culture exists in which institutional needs are readily 
identified and appropriate resources are brought to bear to rectify 
shortcomings. In the IRB context, senior management and the board of 
directors must ensure the objectivity and accuracy of the bank's 
credit-risk management systems and approach.
    Either the full board or a committee of the board should approve 
key elements of the risk-rating system. Information provided to the 
board should be sufficiently detailed to allow directors to confirm the 
continuing appropriateness of the institution's rating approach and to 
verify the adequacy of the controls supporting the rating system.
    S. Senior management must ensure that all components of the IRB 
system, including controls, are functioning as intended and comply with 
the risk-based capital regulation and supervisory guidance.
    Senior management's oversight should be even more active than that 
of the board of directors. Senior management should articulate what it 
expects of the technical and operational units of the risk-rating 
system, as well as what it expects of the units that manage the 
system's controls. To oversee the risk-rating system, senior management 
must have an extensive understanding of credit policies, underwriting 
standards, lending practices, and collection and recovery practices, 
and must be able to understand how these factors affect default and 
loss estimates. Senior management should not only oversee the controls 
process (its traditional role) but also should periodically meet with 
raters and validators to discuss the rating system's performance, areas 
needing improvement, and the status of efforts to improve previously 
identified deficiencies.
    The depth and frequency of information provided to the board and 
senior management must be commensurate with their oversight 
responsibilities and the condition of the institution. These reports 
should include the following information:
    [sbull] Risk profile by grade,
    [sbull] Risk rating migration across grades with emphasis on 
unexpected results,
    [sbull] Changes in parameter estimates by grade,
    [sbull] Comparison of realized PD, LGD, and EAD rates against 
expectations,
    [sbull] Reports measuring changes in regulatory and economic 
capital,
    [sbull] Results of capital stress testing, and
    [sbull] Reports generated by rating system review, audit, and other 
control units.
    Although all of an institution's controls must function smoothly, 
independently, and in concert with the others, the direction and 
oversight provided by the board and senior management are perhaps most 
important to ensure that the IRB system is functioning properly.

Document 2: Draft Supervisory Guidance on Operational Risk Advanced 
Measurement Approaches for Regulatory Capital

Table of Contents

I. Purpose
II. Background
III. Definitions
IV. Banking Activities and Operational Risk
V. Corporate Governance
    A. Board and Management Oversight

[[Page 45978]]

    B. Independent Firm-wide Risk Management Function
    C. Line of Business Management
VI. Operational Risk Management Elements
    A. Operational Risk Policies and Procedures
    B. Identification and Measurement of Operational Risk
    C. Monitoring and Reporting
    D. Internal Control Environment
VII. Elements of an AMA Framework
    A. Internal Operational Risk Loss Event Data
    B. External Data
    C. Business Environment and Internal Control Factor Assessments
    D. Scenario Analysis
VIII. Risk Quantification
    A. Analytical Framework
    B. Accounting for Dependence
IX. Risk Mitigation
X. Data Maintenance
XI. Testing and Verification
    Appendix A: Supervisory Standards for the AMA

I. Purpose

    The purpose of this guidance is to set forth the expectations of 
the U.S. banking agencies for banking institutions that use Advanced 
Measurement Approaches (AMA) for calculating the operational risk 
capital charge under the new capital regulation. Institutions using the 
AMA will have considerable flexibility to develop operational risk 
measurement systems appropriate to the nature of their activities, 
business environment, and internal controls. An institution's 
operational risk regulatory capital requirement will be calculated as 
the amount needed to cover its operational risk at a level of 
confidence determined by the supervisors, as discussed below. Use of an 
AMA is subject to supervisory approval.
    This draft guidance should be considered with the advance notice of 
proposed rulemaking (ANPR) on revisions to the risk-based capital 
standard published elsewhere in today's Federal Register. As with the 
ANPR, the Agencies are seeking industry comment on this draft guidance. 
In addition to seeking comment on all specific aspects of this 
supervisory guidance, the Agencies are seeking comment on the extent to 
which the supervisory guidance strikes the appropriate balance between 
flexibility and specificity. Likewise, the Agencies are seeking comment 
on whether an appropriate balance has been struck between the 
regulatory requirements set forth in the ANPR and the supervisory 
standards set forth in this guidance.

II. Background

    Effective management of operational risk is integral to the 
business of banking and to institutions' roles as financial 
intermediaries. Although operational risk is not a new risk, 
deregulation and globalization of financial services, together with the 
growing sophistication of financial technology, new business activities 
and delivery channels, are making institutions' operational risk 
profiles (i.e., the level of operational risk across an institution's 
activities and risk categories) more complex.
    This guidance identifies the supervisory standards (S) that 
institutions must meet and maintain to use an AMA for the regulatory 
capital charge for operational risk. The purpose of the standards is to 
provide the foundation for a sound operational risk framework, while 
allowing institutions to identify the most appropriate mechanisms to 
meet AMA requirements. Each institution will need to consider its 
complexity, range of products and services, organizational structure, 
and risk management culture as it develops its AMA. Operational risk 
governance processes need to be established on a firm-wide basis to 
identify, measure, monitor, and control operational risk in a manner 
comparable with the treatment of credit, interest rate, and market 
risks.
    Institutions will be expected to develop a framework that measures 
and quantifies operational risk for regulatory capital purposes. To do 
this, institutions will need a systematic process for collecting 
operational risk loss data, assessing the risks within the institution, 
and adopting an analytical framework that translates the data and risk 
assessments into an operational risk exposure (see definition below). 
The analytical framework must incorporate a degree of conservatism that 
is appropriate for the overall robustness of the quantification 
process. Because institutions will be permitted to calculate their 
minimum regulatory capital on the basis of internal processes, the 
requirements for data capture, risk assessment, and the analytical 
framework described below are detailed and specific.
    Effective operational risk measurement systems are built on both 
quantitative and qualitative risk assessment techniques. While the 
output of the regulatory framework for operational risk is a measure of 
exposure resulting in a capital number, the integrity of that estimate 
depends not only on the soundness of the measurement model, but also on 
the robustness of the institution's underlying risk management 
processes. In addition, supervisors view the introduction of the AMA as 
an important tool to further promote improvements in operational risk 
management and controls at large banking institutions.
    This document provides both AMA supervisory standards and a 
discussion of how those standards should be incorporated into an 
operational risk framework. The relevant supervisory standards are 
listed at the beginning of each section and a full compilation of the 
standards is provided in Appendix A. Not every section has specific 
supervisory standards. When spanning more than one section, supervisory 
standards are listed only once.
    Institutions will be required to meet, and remain in compliance 
with, all the supervisory standards to use an AMA framework. However, 
evaluating an institution's qualification with each of the individual 
supervisory standards will not be sufficient to determine an 
institution's overall readiness for AMA. Instead, supervisors and 
institutions must also evaluate how well the various components of an 
institution's AMA framework complement and reinforce one another to 
achieve the overall objectives of an accurate measure and effective 
management of operational risk. In performing their evaluation, 
supervisors will exercise considerable supervisory judgment, both in 
evaluating the individual components and the overall operational risk 
framework.
    An institution's AMA methodology will be assessed as part of the 
ongoing supervision process. This will allow supervisors to incorporate 
existing supervisory efforts as much as possible into the AMA 
assessments. Some elements of operational risk (e.g., internal controls 
and information technology) have long been subject to examination by 
supervisors. Where this is the case, supervisors will make every effort 
to leverage off these examination activities to assess the 
effectiveness of the AMA process. Substantive weaknesses identified in 
an examination will be factored into the AMA qualification process.

III. Definitions

    There are important definitions that institutions must incorporate 
into an AMA framework. They are:
    [sbull] Operational risk: The risk of loss resulting from 
inadequate or failed internal processes, people and systems, or from 
external events. The definition includes legal risk, which is the risk 
of loss resulting from failure to comply with laws as well as prudent 
ethical standards and contractual obligations. It also includes the 
exposure to litigation from all aspects of an institution's

[[Page 45979]]

activities. The definition does not include strategic or reputational 
risks.\8\
---------------------------------------------------------------------------

    \8\ An institution's definition of risk may encompass other risk 
elements as long as the supervisory definition is met.
---------------------------------------------------------------------------

    [sbull] Operational risk loss: The financial impact associated with 
an operational event that is recorded in the institution's financial 
statements consistent with Generally Accepted Accounting Principles 
(GAAP). Financial impact includes all out-of-pocket expenses associated 
with an operational event but does not include opportunity costs, 
foregone revenue, or costs related to investment programs implemented 
to prevent subsequent operational risk losses. Operational risk losses 
are characterized by seven event factors associated with:
    i. Internal fraud: An act of a type intended to defraud, 
misappropriate property or circumvent regulations, the law or company 
policy, excluding diversity/discrimination events, which involve at 
least one internal party.
    ii. External fraud: An act of a type intended to defraud, 
misappropriate property or circumvent the law, by a third party.
    iii. Employment practices and workplace safety: An act inconsistent 
with employment, health or safety laws or agreements, from payment of 
personal injury claims, or from diversity/discrimination events.
    iv. Clients, products, and business practices: An unintentional or 
negligent failure to meet a professional obligation to specific clients 
(including fiduciary and suitability requirements), or from the nature 
or design of a product.
    v. Damage to physical assets: The loss or damage to physical assets 
from natural disaster or other events.
    vi. Business disruption and system failures: Disruption of business 
or system failures.
    vii. Execution, delivery, and process management: Failed 
transaction processing or process management, from relations with trade 
counterparties and vendors.
    [sbull] Operational risk exposure: An estimate of the potential 
operational losses that the banking institution faces at a soundness 
standard consistent with a 99.9 per cent confidence level over a one-
year period. The institution will multiply the exposure by 12.5 to 
obtain risk-weighted assets for operational risk; this is added to the 
risk-weighted assets for credit and market risk to arrive at the 
denominator of the regulatory capital ratio.
    [sbull] Business environment and internal control factor 
assessments: The range of tools that provide a meaningful assessment of 
the level and trends in operational risk across the institution. While 
the institution may use multiple tools in an AMA framework, they must 
all have the same objective of identifying key risks. There are a 
number of existing tools, such as audit scores and performance 
indicators that may be acceptable under this definition.

IV. Banking Activities and Operational Risk

    The above definition of operational risk gives a sense of the 
breadth of exposure to operational risk that exists in banking today as 
well as the many interdependencies among risk factors that may result 
in an operational risk loss. Indeed, operational risk can occur in any 
activity, function, or unit of the institution.
    The definition of operational risk incorporates the risks stemming 
from people, processes, systems and external events. People risk refers 
to the risk of management failure, organizational structure or other 
human resource failures. These risks may be exacerbated by poor 
training, inadequate controls, poor staffing resources, or other 
factors. The risk from processes stem from breakdowns in established 
processes, failure to follow processes, or inadequate process mapping 
within business lines. System risk covers instances of both disruption 
and outright system failures in both internal and outsourced 
operations. Finally, external events can include natural disasters, 
terrorism, and vandalism.
    There are a number of areas where operational risks are emerging. 
These include:
    [sbull] Greater use of automated technology has the potential to 
transform risks from manual processing errors to system failure risks, 
as greater reliance is placed on globally integrated systems;
    [sbull] Proliferation of new and highly complex products;
    [sbull] Growth of e-banking transactions and related business 
applications expose an institution to potential new risks (e.g., 
internal and external fraud and system security issues);
    [sbull] Large-scale acquisitions, mergers, and consolidations test 
the viability of new or newly integrated systems;
    [sbull] Emergence of institutions acting as large-volume service 
providers create the need for continual maintenance of high-grade 
internal controls and back-up systems;
    [sbull] Development and use of risk mitigation techniques (e.g., 
collateral, insurance, credit derivatives, netting arrangements and 
asset securitizations) optimize an institution's exposure to market 
risk and credit risk, but potentially create other forms of risk (e.g., 
legal risk); and
    [sbull] Greater use of outsourcing arrangements and participation 
in clearing and settlement systems mitigate some risks while increasing 
others.
    The range of banking activities and areas affected by operational 
risk must be fully identified and considered in the development of the 
institution's risk management and measurement plans. Since operational 
risk is not confined to particular business lines \9\, product types, 
or organizational units, it should be managed in a consistent and 
comprehensive manner across the institution. Consequently, risk 
management mechanisms must encompass the full range of risks, as well 
as strategies that help to identify, measure, monitor and control those 
risks.
---------------------------------------------------------------------------

    \9\ Throughout this guidance, terms such as ``business units'' 
and ``business lines'' are used interchangeably and refer not only 
to an institution's revenue-generating businesses, but also to 
corporate staff functions such as human resources or information 
technology.
---------------------------------------------------------------------------

V. Corporate Governance

Supervisory Standards
    S 1. The institution's operational risk framework must include an 
independent firm-wide operational risk management function, line of 
business management oversight, and independent testing and verification 
functions.
    The management structure underlying an AMA operational risk 
framework may vary between institutions. However, within all AMA 
institutions, there are three key components that must be evident--the 
firm-wide operational risk management function, lines of business 
management, and the testing and verification function. These three 
elements are functionally independent \10\ organizational components, 
but should work in cooperation to ensure a robust operational risk 
framework.
---------------------------------------------------------------------------

    \10\ For the purposes of AMA, ``functional independence'' is 
defined as the ability to carry out work freely and objectively and 
render impartial and unbiased judgments. There should be appropriate 
independence between the firm-wide operational risk management 
functions, line of business management and staff and the testing/
verification functions. Supervisory assessments of independence 
issues will rely upon existing regulatory guidance (e.g. audit, 
internal control systems, board of directors/management, etc.)
---------------------------------------------------------------------------

A. Board and Management Oversight

Supervisory Standards
    S 2. The board of directors must oversee the development of the 
firm-wide operational risk framework, as

[[Page 45980]]

well as major changes to the framework. Management roles and 
accountability must be clearly established.
    S 3. The board of directors and management must ensure that 
appropriate resources are allocated to support the operational risk 
framework.
    The board is responsible for overseeing the establishment of the 
operational risk framework, but may delegate the responsibility for 
implementing the framework to management with the authority necessary 
to allow for its effective implementation. Other key responsibilities 
of the board include:
    [sbull] Ensuring appropriate management responsibility, 
accountability and reporting;
    [sbull] Understanding the major aspects of the institution's 
operational risk as a distinct risk category that should be managed;
    [sbull] Reviewing periodic high-level reports on the institution's 
overall operational risk profile, which identify material risks and 
strategic implications for the institution;
    [sbull] Overseeing significant changes to the operational risk 
framework; and
    [sbull] Ensuring compliance with regulatory disclosure 
requirements.
    Effective board and management oversight forms the cornerstone of 
an effective operational risk management process. The board and 
management have several broad responsibilities with respect to 
operational risk:
    [sbull] To establish a framework for assessing operational risk 
exposure and identify the institution's tolerance for operational risk;
    [sbull] To identify the senior managers who have the authority for 
managing operational risk;
    [sbull] To monitor the institution's performance and overall 
operational risk profile, ensuring that it is maintained at prudent 
levels and is supported by adequate capital;
    [sbull] To implement sound fundamental risk governance principles 
that facilitate the identification, measurement, monitoring, and 
control of operational risk;
    [sbull] To devote adequate human and technical resources to 
operational risk management; and
    [sbull] To institute remuneration policies that are consistent with 
the institution's appetite for risk and are sufficient to attract 
qualified operational risk management and staff.
    Management should translate the operational risk management 
framework into specific policies, processes and procedures that can be 
implemented and verified within the institution's different business 
units. Communication of these elements will be essential to the 
understanding and consistent treatment of operational risk across the 
institution. While each level of management is responsible for 
effectively implementing the policies and procedures within its 
purview, senior management should clearly assign authority, 
responsibilities, and reporting relationships to encourage and maintain 
this accountability and ensure that the necessary resources are 
available to manage operational risk. Moreover, management should 
assess the appropriateness of the operational risk management oversight 
process in light of the risks inherent in a business unit's activities. 
The testing and verification function is responsible for completing 
timely and comprehensive assessments of the effectiveness of 
implementation of the institution's operational risk framework at the 
line of business and firm-wide levels.
    Management collectively is also responsible for ensuring that the 
institution has qualified staff and sufficient resources to carry out 
the operational risk functions outlined in the operational risk 
framework. Additionally, management must communicate operational risk 
issues to appropriate staff that may not be directly involved in its 
management. Key management responsibilities include ensuring that:
    [sbull] Operational risk management activities are conducted by 
qualified staff with the necessary experience, technical capabilities 
and access to adequate resources;
    [sbull] Sufficient resources have been allocated to operational 
risk management, in the business lines as well as the independent firm-
wide operational risk management function and verification areas, so as 
to sufficiently monitor and enforce compliance with the institution's 
operational risk policy and procedures; and
    [sbull] Operational risk issues are effectively communicated with 
staff responsible for managing credit, market and other risks, as well 
as those responsible for purchasing insurance and managing third-party 
outsourcing arrangements.

B. Independent Firm-Wide Risk Management Function

Supervisory Standards
    S 4. The institution must have an independent operational risk 
management function that is responsible for overseeing the operational 
risk framework at the firm level to ensure the development and 
consistent application of operational risk policies, processes, and 
procedures throughout the institution.
    S 5. The firm-wide operational risk management function must ensure 
appropriate reporting of operational risk exposures and loss data to 
the board of directors and senior management.
    The institution must have an independent firm-wide operational risk 
management function. The roles and responsibilities of the function 
will vary between institutions, but must be clearly documented. The 
independent firm-wide operational risk function should have 
organizational stature commensurate with the institution's operational 
risk profile, while remaining independent of the lines of business and 
the testing and verification function. At a minimum, the institution's 
independent firm-wide operational risk management function should 
ensure the development of policies, processes, and procedures that 
explicitly manage operational risk as a distinct risk to the 
institution's safety and soundness. These policies, processes and 
procedures should include principles for how operational risk is to be 
identified, measured, monitored, and controlled across the 
organization. Additionally, they should provide for the collection of 
the data needed to calculate the institution's operational risk 
exposure.
    Additional responsibilities of the independent firm-wide 
operational risk management function include:
    [sbull] Assisting in the implementation of the overall firm-wide 
operational risk framework;
    [sbull] Reviewing the institution's progress towards stated 
operational risk objectives, goals and risk tolerances;
    [sbull] Periodically reviewing the institution's operational risk 
framework to consider the loss experience, effects of external market 
changes, other environmental factors, and the potential for new or 
changing operational risks associated with new products, activities or 
systems. This review process should include an assessment of industry 
best practices for the institution's activities, systems and processes;
    [sbull] Reviewing and analyzing operational risk data and reports; 
and
    [sbull] Ensuring appropriate reporting to senior management and the 
board.

C. Line of Business Management

Supervisory Standards
    S 6. Line of business management is responsible for the day-to-day 
management of operational risk within each business unit.
    S 7. Line of business management must ensure that internal controls 
and

[[Page 45981]]

practices within their line of business are consistent with firm-wide 
policies and procedures to support the management and measurement of 
the institution's operational risk.
    Line of business management is responsible for both managing 
operational risk within the business lines and ensuring that policies 
and procedures are consistent with and support the firm-wide 
operational risk framework. Management should ensure that business-
specific policies, processes, procedures and staff are in place to 
manage operational risk for all material products, activities, and 
processes. Implementation of the operational risk framework within each 
line of business should reflect the scope of that business and its 
inherent operational complexity and operational risk profile. Line of 
business management must be independent of both the firm-wide 
operational risk management and the testing and verification functions.

VI. Operational Risk Management Elements

    The operational risk management framework provides the overall 
operational risk strategic direction and ensures that an effective 
operational risk management and measurement process is adopted 
throughout the institution. The framework should provide for the 
consistent application of operational risk policies and procedures 
throughout the institution and address the roles of both the 
independent firm-wide operational risk management function and the 
lines of business. The framework should also provide for the consistent 
and comprehensive capture of data elements needed to measure and verify 
the institution's operational risk exposure, as well as appropriate 
operational risk analytical frameworks, reporting systems, and 
mitigation strategies. The framework must also include independent 
testing and verification to assess the effectiveness of implementation 
of the institution's operational risk framework, including compliance 
with policies, processes, and procedures.
    In practice, an institution's operational risk framework must 
reflect the scope and complexity of business lines, as well as the 
corporate organizational structure. Each institution's operational risk 
profile is unique and requires a tailored risk management approach 
appropriate for the scale and materiality of the risks present, and the 
size of the institution. There is no single framework that would suit 
every institution; different approaches will be needed for different 
institutions. In fact, many operational risk management techniques 
continue to evolve rapidly to keep pace with new technologies, business 
models and applications.
    The key elements in the operational risk management process 
include:
    [sbull] Appropriate policies and procedures;
    [sbull] Efforts to identify and measure operational risk;
    [sbull] Effective monitoring and reporting;
    [sbull] A sound system of internal controls; and
    [sbull] Appropriate testing and verification of the operational 
risk framework.

A. Operational Risk Policies and Procedures

Supervisory Standards
    S 8. The institution must have policies and procedures that clearly 
describe the major elements of the operational risk management 
framework, including identifying, measuring, monitoring, and 
controlling operational risk.
    Operational risk management policies, processes, and procedures 
should be documented and communicated to appropriate staff. The 
policies and procedures should outline all aspects of the institution's 
operational risk management framework, including:
    [sbull] The roles and responsibilities of the independent firm-wide 
operational risk management function and line of business management;
    [sbull] A definition for operational risk, including the loss event 
types that will be monitored;
    [sbull] The capture and use of internal and external operational 
risk loss data, including large potential events (including the use of 
scenario analysis);
    [sbull] The development and incorporation of business environment 
and internal control factor assessments into the operational risk 
framework;
    [sbull] A description of the internally derived analytical 
framework that quantifies the operational risk exposure of the 
institution;
    [sbull] An outline of the reporting framework and the type of data/
information to be included in line of business and firm-wide reporting;
    [sbull] A discussion of qualitative factors and risk mitigants and 
how they are incorporated into the operational risk framework;
    [sbull] A discussion of the testing and verification processes and 
procedures;
    [sbull] A discussion of other factors that affect the measurement 
of operational risk; and
    [sbull] Provisions for the review and approval of significant 
policy and procedural exceptions.

B. Identification and Measurement of Operational Risk

    The result of a comprehensive program to identify and measure 
operational risk is an assessment of the institution's operational risk 
exposure. Management must establish a process that identifies the 
nature and types of operational risk and their causes and resulting 
effects on the institution. Proper operational risk identification 
supports the reporting and maintenance of capital for operational risk 
exposure and events, facilitates the establishment of mechanisms to 
mitigate or control the risks, and ensures that management is fully 
aware of the sources of emerging operational risk loss events.

C. Monitoring and Reporting

Supervisory Standards
    S 9. Operational risk management reports must address both firm-
wide and line of business results. These reports must summarize 
operational risk exposure, loss experience, relevant business 
environment and internal control assessments, and must be produced no 
less often than quarterly.
    S 10. Operational risk reports must also be provided periodically 
to senior management and the board of directors, summarizing relevant 
firm-wide operational risk information.
    Ongoing monitoring of operational risk exposures is a key aspect of 
an effective operational risk framework. To facilitate monitoring of 
operational risk, results from the measurement system should be 
summarized in reports that can be used by the firm-wide operational 
risk and line of business management functions to understand, manage, 
and control operational risk and losses. These reports should serve as 
a basis for assessing operational risk and related mitigation 
strategies and creating incentives to improve operational risk 
management throughout the institution.
    Operational risk management reports should summarize:
    [sbull] Operational risk loss experience on an institution, line of 
business, and event-type basis;
    [sbull] Operational risk exposure;
    [sbull] Changes in relevant risk and control assessments;
    [sbull] Management assessment of early warning factors signaling an 
increased risk of future losses;
    [sbull] Trend analysis, allowing line of business and independent 
firm-wide operational risk management to assess

[[Page 45982]]

and manage operational risk exposures, systemic line of business risk 
issues, and other corporate risk issues;
    [sbull] Exception reporting; and
    [sbull] To the extent developed, operational risk causal factors.
    High-level operational risk reports must also be produced 
periodically for the board and senior management. These reports must 
provide information regarding the operational risk profile of the 
institution, including the sources of material risk both from a firm-
wide and line of business perspective, versus established management 
expectations.

D. Internal Control Environment

Supervisory Standards
    S 11. An institution's internal control structure must meet or 
exceed minimum regulatory standards established by the Agencies.
    Sound internal controls are essential to an institution's 
management of operational risk and are one of the foundations of safe 
and sound banking. When properly designed and consistently enforced, a 
sound system of internal controls will help management safeguard the 
institution's resources, produce reliable financial reports, and comply 
with laws and regulations. Sound internal controls will also reduce the 
possibility of significant human errors and irregularities in internal 
processes and systems, and will assist in their timely detection when 
they do occur.
    The Agencies are not introducing any new internal control 
standards, but rather emphasizing the importance of meeting existing 
standards. There is a recognition that internal control systems will 
differ among institutions due to the nature and complexity of an 
institution's products and services, organizational structure, and risk 
management culture. The AMA standards allows for these differences, 
while also establishing a baseline standard for the quality of the 
internal control structure. Institutions will be expected to at least 
meet the minimum interagency standards\11\ relating to internal 
controls as a criterion for AMA qualification.
---------------------------------------------------------------------------

    \11\ There are a number of interagency standards that cover 
topics relevant to the internal control structure. These include, 
for example, the Interagency Policy Statement on the Internal Audit 
Function and Its Outsourcing (March 2003), the Federal Financial 
Institution's Examination Council's (FFIEC's) Business Continuity 
Planning Booklet (May 2003), the FFIEC's Information Security 
Booklet (January 2003). In addition, each Agency has extensive 
guidance on corporate governance, internal controls, and monitoring 
and reporting in its respective examination policies and procedures.
---------------------------------------------------------------------------

    The extent to which an institution meets or exceeds the minimum 
standards will primarily be assessed through current and ongoing 
supervisory processes. As noted earlier, the Agencies will leverage off 
existing examination processes, to avoid duplication in assessing an 
institution's implementation of an AMA framework. Assessing the 
internal control environment is clearly an area where the supervisory 
authorities already focus considerable attention.

VII. Elements of an AMA Framework

Supervisory Standards
    S 12. The institution must demonstrate that it has appropriate 
internal loss event data, relevant external loss event data, 
assessments of business environment and internal controls factors, and 
results from scenario analysis to support its operational risk 
management and measurement framework.
    S 13. The institution must include the regulatory definition of 
operational risk as the baseline for capturing the elements of the AMA 
framework and determining its operational risk exposure.
    S 14. The institution must have clear standards for the collection 
and modification of the elements of the operational risk AMA framework.
    Operational risk inputs play a significant role in both the 
management and measurement of operational risk. Necessary elements of 
an institution's AMA framework include internal loss event data, 
relevant external loss event data, results of scenario analysis, and 
assessments of the institution's business environment and internal 
controls. Operational risk inputs aid the institution in identifying 
the level and trend of operational risk, determining the effectiveness 
of risk management and control efforts, highlighting opportunities to 
better mitigate operational risk, and assessing operational risk on a 
forward-looking basis.
    To use its AMA framework, an institution must demonstrate that it 
has established a consistent and comprehensive process for the capture 
of all elements of the AMA framework. The institution must also 
demonstrate that it has clear standards for the collection and 
modification of all AMA inputs. While the analytical framework will 
generally combine these inputs to develop the operational risk 
exposure, supervisors must have the capacity to review the individual 
inputs as well; specifically, supervisors will need to review the loss 
information that is being provided to the analytical framework that 
stems from internal loss event data, versus the loss event information 
provided by external loss event data capture, scenario analysis, or the 
assessments of the business environment and internal control factors.
    The capture systems must cover all material business lines, 
business activities and corporate functions that could generate 
operational risk. The institution must have a defined process that 
establishes responsibilities over the systems developed to capture the 
AMA elements. In particular, the issue of overriding the data capture 
systems must be addressed. Any overrides should be tracked separately 
and documented. Tracking overrides separately allows management and 
supervisors to identify the nature and rationale, including whether 
they stem from simple input errors or, more importantly, from exclusion 
because a loss event was not pertinent for the quantitative 
measurement. Management should have clear standards for addressing 
overrides and should clearly delineate who has authority to override 
the data systems and under what circumstances.
    As noted earlier, for AMA qualification purposes, an institution's 
operational risk framework must, at a minimum, use the definition of 
operational risk that is provided in paragraph 10 when capturing the 
elements of the AMA framework. Institutions may use an expanded 
definition if considered more appropriate for risk management and 
measurement efforts. However, for the quantification of operational 
risk exposure for regulatory capital purposes, an institution must 
demonstrate that the AMA elements are captured so as to meet the 
baseline definition.

A. Internal Operational Risk Loss Event Data

Supervisory Standards
    S 15. The institution must have at least five years of internal 
operational risk loss data \12\ captured across all material business 
lines, events, product types, and geographic locations.
---------------------------------------------------------------------------

    \12\ With supervisory approval, a shorter initial historical 
observation period is acceptable for banks newly authorized to use 
an AMA methodology.
---------------------------------------------------------------------------

    S 16. The institution must be able to map internal operational risk 
losses to the seven loss-event type categories.
    S 17. The institution must have a policy that identifies when an 
operational risk loss becomes a loss event and must be added to the 
loss

[[Page 45983]]

event database. The policy must provide for consistent treatment across 
the institution.
    S 18. The institution must establish appropriate operational risk 
data thresholds.
    S 19. Losses that have any characteristics of credit risk, 
including fraud-related credit losses, must be treated as credit risk 
for regulatory capital purposes. The institution must have a clear 
policy that allows for the consistent treatment of loss event 
classifications (e.g., credit, market, or operational risk) across the 
organization.
    The key to internal data integrity is the consistency and 
completeness with which loss event data capture processes are 
implemented across the institution. Management must ensure that 
operational risk loss event information captured is consistent across 
the business lines and incorporates any corporate functions that may 
also experience operational risk events. Policies and procedures should 
be addressed to the appropriate staff to ensure that there is 
satisfactory understanding of operational risk and the data capture 
requirements under the operational risk framework. Further, the 
independent operational risk management function must ensure that the 
loss data is captured across all material business lines, products 
types, event types, and from all significant geographic locations. The 
institution must be able to capture and aggregate internal losses that 
cross multiple business lines or event types. If data is not captured 
across all business lines or from all geographic locations, the 
institution must document and explain the exceptions.
    AMA institutions must be able to map operational risk losses into 
the seven loss event categories defined in paragraph 10. Institutions 
will not be required to produce reports or perform analysis for 
internal purposes on the basis of the loss event categories, but will 
be expected to use the information about the event-type categories as a 
check on the comprehensiveness of the institution's data set.
    The institution must have five years of internal loss data, 
although a shorter range of historical data may be allowed, subject to 
supervisory approval. The extent to which an institution collects 
operational risk loss event data will, in part, be dependent upon the 
data thresholds that the institution establishes. There are a number of 
standards that an institution may use to establish the thresholds. They 
may be based on product types, business lines, geographic location, or 
other appropriate factors. The Agencies will allow flexibility in this 
area, provided the institution can demonstrate that the thresholds are 
reasonable, do not exclude important loss events, and capture a 
significant proportion of the institution's operational risk losses.
    The institution must capture comprehensive data on all loss events 
above its established threshold level. Aside from information on the 
gross loss amount, the institution should collect information about the 
date of the event, any recoveries, and descriptive information about 
the drivers or causes of the loss event. The level of detail of any 
descriptive information should be commensurate with the size of the 
gross loss amount. Examples of the type of information collected 
include:
    [sbull] Loss amount;
    [sbull] Description of loss event;
    [sbull] Where the loss is reported and expensed;
    [sbull] Loss event type category;
    [sbull] Date of the loss;
    [sbull] Discovery date of the loss;
    [sbull] Event end date;
    [sbull] Management actions;
    [sbull] Insurance recoveries;
    [sbull] Other recoveries; and
    [sbull] Adjustments to the loss estimate.
    There are a number of additional data elements that may be 
captured. It may be appropriate, for example, to capture data on ``near 
miss'' events, where no financial loss was incurred. These near misses 
will not factor into the regulatory capital calculation, but may be 
useful for the operational risk management process.
    Institutions will also be permitted and encouraged to capture loss 
events in their operational risk databases that are treated as credit 
risk for regulatory capital purposes, but have an underlying element of 
operational risk failure. These types of events, while not incorporated 
into the regulatory capital calculation, may have implications for 
operational risk management. It will be essential for institutions that 
capture loss events that are treated differently for regulatory capital 
and management purposes to demonstrate that (1) loss events are being 
captured consistently across the institution; (2) the data systems are 
sufficiently advanced to allow for this differential treatment of loss 
events; and (3) credit, market, and operational risk losses are being 
appropriated in the correct manner for regulatory capital purposes.
    The Agencies have established a clear boundary between credit and 
operational risks for regulatory capital purposes. If a loss event has 
any element of credit risk, it must be treated as credit risk for 
regulatory capital purposes. This would include all credit-related 
fraud losses. In addition, operational risk losses with credit risk 
characteristics that have historically been included in institutions' 
credit risk databases will continue to be treated as credit risk for 
the purposes of calculating minimum regulatory capital.
    The accounting guidance for credit losses provides that creditors 
recognize credit losses when it is probable that they will be unable to 
collect all amounts due according to the contractual terms of a loan 
agreement. Credit losses may result from the creditor's own 
underwriting, processing, servicing or administrative activities along 
with the borrower's failure to pay according to the terms of the loan 
agreement. While the creditor's personnel, systems, policies or 
procedures may affect the timing or magnitude of a credit loss, they do 
not change its character from credit to operational risk loss for 
regulatory capital purposes. Losses that arise from a contractual 
relationship between a creditor and a borrower are credit losses 
whereas losses that arise outside of a relationship between a creditor 
and a borrower are operational losses.

B. External Data

Supervisory Standards
    S 20. The institution must have policies and procedures that 
provide for the use of external loss data in the operational risk 
framework.
    S 21. Management must systematically review external data to ensure 
an understanding of industry experience.
    External data may serve a number of different purposes in the 
operational risk framework. Where internal loss data is limited, 
external data may be a useful input in determining the institution's 
level of operational risk exposure. Even where external loss data is 
not an explicit input to an institution's data set, such data provides 
a means for the institution to understand industry experience, and in 
turn, provides a means for assessing the adequacy of its internal data. 
External data may also prove useful to inform scenario analysis, fit 
severity distributions, or benchmark the overall operational risk 
exposure results.
    To incorporate external loss information into an institution's 
framework, the institution should collect the following information:
    [sbull] External loss amount;
    [sbull] External loss description;
    [sbull] Loss event type category;
    [sbull] External loss event date;
    [sbull] Adjustments to the loss amount (i.e., recoveries, insurance 
settlements,

[[Page 45984]]

etc) to the extent that they are known; and
    [sbull] Sufficient information about the reporting institution to 
facilitate comparison to its own organization.
    Institutions may obtain external loss data in any reasonable 
manner. There are many ways to do so; some institutions are using data 
acquired through membership with industry consortia while other 
institutions are using data obtained from vendor databases or public 
sources such as court records or media reports. In all cases, 
management will need to carefully evaluate the data source to ensure 
that they are comfortable that the information being reported is 
relevant and reasonably accurate.

C. Business Environment and Internal Control Factor Assessments

Supervisory Standards
    S 22. The institution must have a system to identify and assess 
business environment and internal control factors.
    S 23. Management must periodically compare the results of their 
business environment and internal control factor assessments against 
actual operational risk loss experience.
    While internal and external loss data provide a historical 
perspective on operational risk, it is also important that institutions 
incorporate a forward-looking element to the operational risk measure. 
In principle, an institution with strong internal controls in a stable 
business environment will have less exposure to operational risk than 
an institution with internal control weaknesses that is growing rapidly 
or introducing new products. In this regard, institutions will be 
required to identify the level and trends in operational risk in the 
institution. These assessments must be current, comprehensive across 
the institution, and identify the critical operational risks facing the 
institution.
    The business environment and internal control factor assessments 
should reflect both the positive and negative trends in risk management 
within the institution as well as changes in an institution's business 
activities that increase or decrease risk. Because the results of the 
risk assessment are part of the capital methodology, management must 
ensure that the risk assessments are done appropriately and reflect the 
risks of the institution. Periodic comparisons should be made between 
actual loss exposure and the assessment results.
    The framework established to maintain the risk assessments must be 
sufficiently flexible to encompass an institution's increased 
complexity of activities, new activities, changes in internal control 
systems, or an increased volume of information.

D. Scenario Analysis

Supervisory Standards
    S 24. Management must have policies and procedures that identify 
how scenario analysis will be incorporated into the operational risk 
framework.
    Scenario analysis is a systematic process of obtaining expert 
opinions from business managers and risk management experts to derive 
reasoned assessments of the likelihood and impact of plausible 
operational losses consistent with the regulatory soundness standard. 
Within an institution's operational risk framework, scenario analysis 
may be used as an input or may, as discussed below, form the basis of 
an operational risk analytical framework.
    As an input to the institution's framework, scenario analysis is 
especially relevant for business lines or loss event types where 
internal data, external data, and assessments of the business 
environment and internal control factors do not provide a sufficiently 
robust estimate of the institution's exposure to operational risk. In 
some cases, an institution's internal loss history may be sufficient to 
provide a reasonable estimate of exposure to future operational losses. 
In other cases, the use of well-reasoned, scaled external data may 
itself be a form of scenario analysis.
    The institution must have policies and procedures that define 
scenario analysis and identify its role in the operational risk 
framework. The policy should cover key elements of scenario analysis, 
such as the manner in which the scenarios are generated, the frequency 
with which they are updated, and the scope and coverage of operational 
loss events they are intended to reflect.

VIII. Risk Quantification

A. Analytical Framework

Supervisory Standards
    S 25. The institution must have a comprehensive operational risk 
analytical framework that provides an estimate of the institution's 
operational risk exposure, which is the aggregate operational loss that 
it faces over a one-year period at a soundness standard consistent with 
a 99.9 per cent confidence level.
    S 26. Management must document the rationale for all assumptions 
underpinning its chosen analytical framework, including the choice of 
inputs, distributional assumptions, and the weighting across 
qualitative and quantitative elements. Management must also document 
and justify any subsequent changes to these assumptions.
    S 27. The institution's operational risk analytical framework must 
use a combination of internal operational loss event data, relevant 
external operational loss event data, business environment and internal 
control factor assessments, and scenario analysis. The institution must 
combine these elements in a manner that most effectively enables it to 
quantify its operational risk exposure. The institution can choose the 
analytical framework that is most appropriate to its business model.
    S 28. The institution's capital requirement for operational risk 
will be the sum of expected and unexpected losses unless the 
institution can demonstrate, consistent with supervisory standards, the 
expected loss offset.
    The industry has made significant progress in recent years in 
developing analytical frameworks to quantify operational risk. The 
analytical frameworks, which are a part of the overall operational risk 
framework, are based on various combinations of an institution's own 
operational loss experience, the industry's operational loss 
experience, the size and scope of the institution's activities, the 
quality of the institution's control environment, and management's 
expert judgment. Because these models capture specific characteristics 
of each institution, such models yield unique risk-sensitive estimates 
of the institutions' operational risk exposures.
    While the Agencies are not specifying the exact methodology that an 
institution should use to determine its operational risk exposure, 
minimum supervisory standards for acceptable approaches have been 
developed. These standards have been set so as to assure that the 
regulation can accommodate continued evolution of operational risk 
quantification techniques, yet remain amenable to consistent 
application and enforcement across institutions. The Agencies will 
require that the institution have a comprehensive analytical framework 
that provides an estimate of the aggregate operational loss that it 
faces over a one-year period at a soundness standard consistent with a 
99.9 percent confidence level, referred to as the institution's 
operational risk exposure. The institution will multiply the exposure 
estimate by 12.5 to obtain risk weighted assets for operational risk,

[[Page 45985]]

and add this figure to risk-weighted assets for credit and market risk 
to obtain total risk-weighted assets. The final minimum regulatory 
capital number will be 8 percent of total risk-weighted assets.
    The Agencies expect that there will be significant variation in 
analytical frameworks across institutions, with each institution 
tailoring its framework to leverage existing technology platforms and 
risk management procedures. These approaches may only be used, provided 
they meet the supervisory standards and include, as inputs, internal 
operational loss event data, relevant external operational loss event 
data, assessments of business environment and internal control factors, 
and scenario analysis. The Agencies do expect that there will be some 
uncertainty and potential error in the analytical frameworks because of 
the evolving nature of operational risk measurement and data capture. 
Therefore, a degree of conservatism will need to be built into the 
analytical frameworks to reflect the evolutionary status of operational 
risk and its impact on data capture and analytical modeling.
    A diversity of analytical approaches is emerging in the industry, 
combining and weighting these inputs in different ways. Most current 
approaches seek to estimate loss frequency and loss severity to arrive 
at an aggregate loss distribution. Institutions then use the aggregate 
loss distribution to determine the appropriate amount of capital to 
hold for a given soundness standard. Scenario analysis is also being 
used by many institutions, albeit to significantly varying degrees. 
Some institutions are using scenario analysis as the basis for their 
analytical framework, while others are incorporating scenarios as a 
means for considering the possible impact of significant operational 
losses on their overall operational risk exposure.
    The primary differences among approaches being used today relate to 
the weight that institutions place on each input. For example, 
institutions with comprehensive internal data may place less emphasis 
on external data or scenario analysis. Another example is that some 
institutions estimate a unique loss distribution for each business 
line/loss type combination (bottom-up approach) while others estimate a 
loss distribution on a firm-wide basis and then use an allocation 
methodology to assign capital to business lines (top-down approach).
    The Agencies expect internal loss event data to play an important 
role in the institution's analytical framework, hence the requirement 
for five years of internal operational risk loss data. However, as 
footnote 5 makes clear, five years of data is not always required for 
the analytical framework. For example, if a bank exited a business 
line, the institution would not be expected to make use of that 
business unit's loss experience unless it had relevance for other 
activities of the institution. Another example would be where a bank 
has made a recent acquisition where the acquired firm does not have 
internal loss event data. In these cases, the Agencies expect the 
institution to make use of the loss data available at the acquired 
institution and any internal loss data from operations similar to that 
of the acquired firm, but the institution will likely have to place 
more weight relevant external loss event data, results from scenario 
analysis, and factors reflecting assessments of the business 
environment and internal controls.
    Whatever analytical approach an institution chooses, it must 
document and provide the rationale for all assumptions embedded in its 
chosen analytical framework, including the choice of inputs, 
distributional assumptions, and the weighting of qualitative and 
quantitative elements. Management must also document and justify any 
subsequent changes to these assumptions. This documentation should:
    [sbull] Clearly identify how the different inputs are combined and 
weighted to arrive at the overall operational risk exposure so that the 
analytical framework is transparent. The documentation should 
demonstrate that the analytical framework is comprehensive and 
internally consistent. Comprehensiveness means that all required inputs 
are incorporated and appropriately weighted. At the same time, there 
should not be overlaps or double counting.
    [sbull] Clearly identify the quantitative assumptions embedded in 
the methodology and provide explanation for the choice of these 
assumptions. Examples of quantitative assumptions include 
distributional assumptions about frequency and severity, the 
methodology for combining frequency and severity to arrive at the 
overall loss distribution, and dependence assumptions between 
operational losses across and within business lines.
    [sbull] Clearly identify the qualitative assumptions embedded in 
the methodology and provide explanations for the choice of these 
assumptions. Examples of qualitative assumptions include the use of 
business environment and control factors as well as scenario analysis 
in the approach.
    [sbull] Where feasible, provide results based purely on 
quantitative methods separately from results that incorporate 
qualitative factors. This will provide a transparent means of 
determining the relative importance of quantitative versus qualitative 
inputs.
    [sbull] Where feasible, provide results based on alternative 
quantitative and qualitative assumptions to gauge the overall model's 
sensitivity to these assumptions.
    [sbull] Provide a comparison of the operational risk exposure 
estimate generated by the analytical framework with actual loss 
experience over time, to assess the reasonable of the framework's 
outputs.
    [sbull] Clearly identify all changes to assumptions, and provide 
explanations for such changes.
    [sbull] Clearly identify the results of an independent verification 
of the analytical framework.
    The regulatory capital charge for operational risk will include 
both expected losses (EL) and unexpected losses (UL). The Agencies have 
considered two approaches that might allow for some recognition of EL; 
these approaches are reserving and budgeting. However, both approaches 
raise questions about their ability to act as an EL offset for 
regulatory capital purposes. The current U.S. GAAP treatment for 
reserves (or liabilities) is based on an incurred-loss (liability) 
model. Given that EL is looking beyond current losses to losses that 
will be incurred in the future, establishing a reserve for operational 
risk EL is not likely to meet U.S. accounting standards. While reserves 
are specific allocations for incurred losses, budgeting is a process of 
generally allocating future income for loss contingencies, including 
losses resulting from operational risk. Institutions will be required 
to demonstrate that budgeted funds are sufficiently capital-like and 
remain available to cover EL over the next year. In addition, an 
institution will not be permitted to recognize EL offsets on budgeted 
loss contingencies that fall below the established data thresholds; 
this is relevant as many institutions currently budget for low 
severity, high frequency events that are more likely to fall below most 
institutions' thresholds.
    An institution's analytical framework complements but does not 
substitute for prudent controls. Rather, with improved risk 
measurement, institutions are finding that they can make better-
informed strategic decisions regarding enhancements to controls and 
processes, the desired scale and scope of the operations, and how 
insurance and

[[Page 45986]]

other risk mitigation tools can be used to offset operational risk 
exposure.

B. Accounting for Dependence

Supervisory Standards
    S 29. Management must document how its chosen analytical framework 
accounts for dependence (e.g., correlations) among operational losses 
across and within business lines. The institution must demonstrate that 
its explicit and embedded dependence assumptions are appropriate, and 
where dependence assumptions are uncertain, the institution must use 
conservative estimates.
    Management must document how its chosen analytical framework 
accounts for dependence (e.g., correlation) between operational losses 
across and within business lines. The issue of dependence is closely 
related to the choice between a bottom-up or a top-down modeling 
approach. Under a bottom-up approach, explicit assumptions regarding 
cross-event dependence are required to estimate operational risk 
exposure at the firm-wide level. Management must demonstrate that these 
assumptions are appropriate and reflect the institution's current 
environment. If the dependence assumptions are uncertain, the 
institution must choose conservative estimates. In so doing, the 
institution should consider the possibility that cross-event dependence 
may not be constant, and may increase during stress environments.
    Under a top-down approach, an explicit assumption regarding 
dependence is not required. However, a parametric distribution for loss 
severity may be more difficult to specify under the top-down approach, 
as it is a statistical mixture of (potentially) heterogeneous business 
line and event type distributions. Institutions must carefully consider 
the conditions necessary for the validity of top-down approaches, and 
whether these conditions are met in their particular circumstances. 
Similar to bottom-up approaches, institutions using top-down approaches 
must ensure that implicit dependence assumptions are appropriate and 
reflect the institution's current environment. If historic dependence 
assumptions embedded in top-down approaches are uncertain, the 
institution must be conservative and implement a qualitative adjustment 
to the analysis.

IX. Risk Mitigation

Supervisory Standards
    S 30. Institutions may reduce their operational risk exposure 
results by no more than 20% to reflect the impact of risk mitigants. 
Institutions must demonstrate that mitigation products are sufficiently 
capital-like to warrant inclusion in the adjustment to the operational 
risk exposure.
    There are many mechanisms to manage operational risk, including 
risk transfer through risk mitigation products. Because risk mitigation 
can be an important element in limiting or reducing operational risk 
exposure in an institution, an adjustment is being permitted that will 
directly impact the amount of regulatory capital that is held for 
operational risk. The adjustment is limited to 20% of the overall 
operational risk exposure result determined by the institution using 
its loss data, qualitative factors, and quantitative framework.
    Currently, the primary risk mitigant used for operational risk is 
insurance. There has been discussion that some securities products may 
be developed to provide risk mitigation benefits; however, to date, no 
specific products have emerged that have characteristics sufficient to 
be considered capital-replacement for operational risk. As a result, 
securities products and other capital market instruments may not be 
factored in to the regulatory capital risk mitigation adjustment at 
this time.
    For an institution that wishes to adjust its regulatory capital 
requirement as a result of the risk mitigating impact of insurance, 
management must demonstrate that the insurance policy is sufficiently 
capital-like to provide the cushion that is necessary. A product that 
would fall in this category must have the following characteristics:
    [sbull] The policy is provided through a third party \13\ that has 
a minimum claims paying ability rating of A; \14\
---------------------------------------------------------------------------

    \13\ Where operational risk is transferred to a captive or an 
affiliated insurer such that risk is retained within the group 
structure, recognition of such risk transfer will only be allowed 
for regulatory capital purposes where the risk has been transferred 
to a third party (e.g., an unaffiliated reinsurer) that meets the 
standards set forth in this section.
    \14\ Rating agencies may use slightly different rating 
scales.For the purpose of this supervisory guidance, the insurer 
must have a rating that is at least the equivalent of A under 
Standard and Poor's Insurer Financial Strength Ratings or an A2 
under Moody's Insurance Financial Strength Ratings.
---------------------------------------------------------------------------

    [sbull] The policy has an initial term of one year; \15\
---------------------------------------------------------------------------

    \15\ Institutions must decrease the amount of the adjustment if 
the remaining term is less than one year. The institution must have 
a clear policy in place that links the remaining term to the 
adjustment factor.
---------------------------------------------------------------------------

    [sbull] The policy has no exclusions or limitations based upon 
regulatory action or for the receiver or liquidator of a failed bank;
    [sbull] The policy has clear cancellation and non-renewal notice 
periods; and
    [sbull] The policy coverage has been explicitly mapped to actual 
operational risk exposure of the institution.
    Insurance policies that meet these standards may be incorporated 
into an institution's adjustment for risk mitigation. An institution 
should be conservative in its recognition of such policies, for 
example, the institution must also demonstrate that insurance policies 
used as the basis for the adjustment have a history of timely payouts. 
If claims have not been paid on a timely basis, the institution must 
exclude that policy from the operational risk capital adjustment. In 
addition, the institution must be able to show that the policy would 
actually be used in the event of a loss situation; that is, the 
deductible may not be set so high that no loss would ever conceivably 
exceed the deductible threshold.
    The Agencies will not specify how institutions should calculate the 
risk mitigation adjustment. Nevertheless, institutions are expected to 
use conservative assumptions when calculating adjustments. An 
institution should discount (i.e., apply its own estimates of haircuts) 
the impact of insurance coverage to take into account factors, which 
may limit the likelihood or size of claims payouts. Among these factors 
are the remaining terms of a policy, especially when it is less than a 
year, the willingness and ability of the insurer to pay on a claim in a 
timely manner, the legal risk that a claim may be disputed, and the 
possibility that a policy can be cancelled before the contractual 
expiration.

X. Data Maintenance

Supervisory Standards
    S 31. Institutions using the AMA approach for regulatory capital 
purposes must use advanced data management practices to produce 
credible and reliable operational risk estimates.
    Data maintenance is a critical factor in an institution's 
operational risk framework. Institutions with advanced data management 
practices should be able to track operational risk loss events from 
initial discovery through final resolution. These institutions should 
also be able to make appropriate adjustments to the data and use the 
data to identify trends, track problem areas, and identify areas of 
future risk. Such data should include not only operational risk loss 
event information, but also information on risk assessments, which are 
factored into the operational risk exposure calculation. In general, 
institutions using the AMA

[[Page 45987]]

should have the same data maintenance standards for operational risk as 
those set forth for A-IRB institutions under the credit risk guidance.
    Operational risk data elements captured by the institution must be 
of sufficient depth, scope, and reliability to:
    [sbull] Track and identify operational risk loss events across all 
business lines, including when a loss event impacts multiple business 
lines.
    [sbull] Calculate capital ratios based on operational risk exposure 
results. The institution must also be able to factor in adjustments 
related to risk mitigation, correlations, and risk assessments.
    [sbull] Produce internal and public reports on operational risk 
measurement and management results, including trends revealed by loss 
data and/or risk assessments. The institution must also have sufficient 
data to produce exception reports for management.
    [sbull] Support risk management activities.
    The data warehouse \16\ 16 must contain the key data elements 
needed for operational risk measurement, management, and verification. 
The precise data elements may vary by institution and also among 
business lines within an institution. An important element of ensuring 
consistent reporting of the data elements is to develop comprehensive 
definitions for each data element used by the institution for reporting 
operational risk loss events or for the risk assessment inputs. The 
data must be stored in an electronic format to allow for timely 
retrieval for analysis, verification and testing of the operational 
risk framework, and required disclosures.
---------------------------------------------------------------------------

    \16\ In this document, the terms ``database'' and ``data 
warehouse'' are used interchangeably to refer to a collection of 
data arranged for easy retrieval using computer technology.
---------------------------------------------------------------------------

    Management will need to identify those responsible for maintaining 
the data warehouse. In particular, policies and processes will need to 
be developed for delivering, storing, retaining, and updating the data 
warehouse. Policies and procedures must also cover the edit checks for 
data input functions, as well as the requirements for the testing and 
verification function to verify data integrity. Like other areas of the 
operational risk framework, it is critical that management ensure 
accountability for ongoing data maintenance, as this will impact 
operational risk management and measurement efforts.

XI. Testing and Verification

Supervisory Standards
    S 32. The institution must test and verify the accuracy and 
appropriateness of the operational risk framework and results.
    S 33. Testing and verification must be done independently of the 
firm-wide operational risk management function and the institution's 
lines of business.
    The operational risk framework must provide for regular and 
independent testing and verification of operational risk management 
policies, processes and measurement systems, as well as operational 
risk data capture systems. For most institutions, operational risk 
verification and testing will primarily be done by the audit function. 
Internal and external audits can provide an independent assessment of 
the quality and effectiveness of the control systems' design and 
performance. However, institutions may use other independent internal 
units (e.g. quality assurance) or third parties. The testing and 
verification function, whether internally or externally performed, 
should be staffed by qualified individuals who are independent from the 
firm-wide operational risk management function and the institution's 
lines of business.
    The verification of the operational risk measurement system should 
include the testing of:
    [sbull] Key operational risk processes and systems;
    [sbull] Data feeds and processes associated with the operational 
risk measurement system;
    [sbull] Adjustments to empirical operational risk capital 
estimates, including operational risk exposure;
    [sbull] Periodic certification of operational risk models used and 
their underlying assumptions; and
    [sbull] Assumptions underlying operational risk exposure, data 
decision models, and operational risk capital charge.
    The operational risk reporting processes should be periodically 
reviewed for scope and effectiveness. The institution should have 
independent verification processes to ensure the timeliness, accuracy, 
and comprehensiveness of operational risk reporting systems, both at 
the firm-wide and the line of business levels.
    Independent verification and testing should be done to ensure the 
integrity and applicability of the operational risk framework, 
operational risk exposure/loss data, and the underlying assumptions 
driving the regulatory capital measurement process. Appropriate 
reports, summarizing operational risk verification and testing findings 
for both the independent firm-wide risk management function and lines 
of business should be provided to appropriate management and the board 
of directors or a designated board committee.

Appendix A: Supervisory Standards for the AMA

    S 1. The institution's operational risk framework must include 
an independent firm-wide operational risk management function, line 
of business management oversight, and independent testing and 
verification functions.
    S 2. The board of directors must oversee the development of the 
firm-wide operational risk framework, as well as major changes to 
the framework. Management roles and accountability must be clearly 
established.
    S 3. The board of directors and management must ensure that 
appropriate resources are allocated to support the operational risk 
framework.
    S 4. The institution must have an independent operational risk 
management function that is responsible for overseeing the 
operational risk framework at the firm level to ensure the 
development and consistent application of operational risk policies, 
processes, and procedures throughout the institution.
    S 5. The firm-wide operational risk management function must 
ensure appropriate reporting of operational risk exposures and loss 
data to the board of directors and senior management.
    S 6. Line of business management is responsible for the day-to-
day management of operational risk within each business unit.
    S 7. Line of business management must ensure that internal 
controls and practices within their line of business are consistent 
with firm-wide policies and procedures to support the management and 
measurement of the institution's operational risk.
    S 8. The institution must have policies and procedures that 
clearly describe the major elements of the operational risk 
management framework, including identifying, measuring, monitoring, 
and controlling operational risk.
    S 9. Operational risk management reports must address both firm-
wide and line of business results. These reports must summarize 
operational risk exposure, loss experience, relevant business 
environment and internal control assessments, and must be produced 
no less often than quarterly.
    S 10. Operational risk reports must also be provided 
periodically to senior management and the board of directors, 
summarizing relevant firm-wide operational risk information.
    S 11. An institution's internal control structure must meet or 
exceed minimum regulatory standards established by the Agencies.
    S 12. The institution must demonstrate that it has appropriate 
internal loss event data, relevant external loss event data, 
assessments of business environment and internal controls factors, 
and results from scenario analysis to support its operational risk 
management and measurement framework.
    S 13. The institution must include the regulatory definition of 
operational risk as the baseline for capturing the elements of the

[[Page 45988]]

AMA framework and determining its operational risk exposure.
    S 14. The institution must have clear standards for the 
collection and modification of the elements of the operational risk 
AMA framework.
    S 15. The institution must have at least five years of internal 
operational risk loss data \17\ captured across all material 
business lines, events, product types, and geographic locations.
---------------------------------------------------------------------------

    \17\ With supervisory approval, a shorter initial historical 
observation period is acceptable for banks newly authorized to use 
an AMA methodology.
---------------------------------------------------------------------------

    S 16. The institution must be able to map internal operational 
risk losses to the seven loss-event type categories.
    S 17. The institution must have a policy that identifies when an 
operational risk loss becomes a loss event and must be added to the 
loss event database. The policy must provide for consistent 
treatment across the institution.
    S 18. The institution must establish appropriate operational 
risk data thresholds.
    S 19. Losses that have any characteristics of credit risk, 
including fraud-related credit losses, must be treated as credit 
risk for regulatory capital purposes. The institution must have a 
clear policy that allows for the consistent treatment of loss event 
classifications (e.g., credit, market, or operational risk) across 
the organization.
    S 20. The institution must have policies and procedures that 
provide for the use of external loss data in the operational risk 
framework.
    S 21. Management must systematically review external data to 
ensure an understanding of industry experience.
    S 22. The institution must have a system to identify and assess 
business environment and internal control factors.
    S 23. Management must periodically compare the results of their 
business environment and internal control factor assessments against 
actual operational risk loss experience.
    S 24. Management must have policies and procedures that identify 
how scenario analysis will be incorporated into the operational risk 
framework.
    S 25. The institution must have a comprehensive operational risk 
analytical framework that provides an estimate of the institution's 
operational risk exposure, which is the aggregate operational loss 
that it faces over a one-year period at a soundness standard 
consistent with a 99.9 per cent confidence level.
    S 26. Management must document the rationale for all assumptions 
underpinning its chosen analytical framework, including the choice 
of inputs, distributional assumptions, and the weighting across 
qualitative and quantitative elements. Management must also document 
and justify any subsequent changes to these assumptions.
    S 27. The institution's operational risk analytical framework 
must use a combination of internal operational loss event data, 
relevant external operational loss event data, business environment 
and internal control factor assessments, and scenario analysis. The 
institution must combine these elements in a manner that most 
effectively enables it to quantify its operational risk exposure. 
The institution can choose the analytical framework that is most 
appropriate to its business model.
    S 28. The institution's capital requirement for operational risk 
will be the sum of expected and unexpected losses unless the 
institution can demonstrate, consistent with supervisory standards, 
the expected loss offset.
    S 29. Management must document how its chosen analytical 
framework accounts for dependence (e.g., correlations) among 
operational losses across and within business lines. The institution 
must demonstrate that its explicit and embedded dependence 
assumptions are appropriate, and where dependence assumptions are 
uncertain, the institution must use conservative estimates.
    S 30. Institutions may reduce their operational risk exposure 
results by no more than 20% to reflect the impact of risk mitigants. 
Institutions must demonstrate that mitigation products are 
sufficiently capital-like to warrant inclusion in the adjustment to 
the operational risk exposure.
    S 31. Institutions using the AMA approach for regulatory capital 
purposes must use advanced data management practices to produce 
credible and reliable operational risk estimates.
    S 32. The institution must test and verify the accuracy and 
appropriateness of the operational risk framework and results.
    S 33. Testing and verification must be done independently of the 
firm-wide operational risk management function and the institution's 
lines of business.

    Dated: July 17, 2003.
John D. Hawke, Jr.,
Comptroller of the Currency.
    By order of the Board of Governors of the Federal Reserve 
System, July 21, 2003.
Jennifer J. Johnson,
Secretary of the Board.
    Dated at Washington, DC, this 11th day of July, 2003.
    By order of the Board of Directors.

    Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
    Dated: July 18, 2003.

    By the Office of Thrift Supervision.
James E. Gilleran,
Director.

[FR Doc. 03-18976 Filed 8-1-03; 8:45 am]
BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P; 6720-01-P