[Federal Register Volume 72, Number 39 (Wednesday, February 28, 2007)]
[Notices]
[Pages 9084-9193]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 07-811]



[[Page 9083]]

  
  
  
  
  
  
-----------------------------------------------------------------------


Part II





Department of the Treasury





-----------------------------------------------------------------------



Office of the Comptroller of the Currency



Office of Thrift Supervision



-----------------------------------------------------------------------





Federal Reserve System





-----------------------------------------------------------------------





Federal Deposit Insurance Corporation





-----------------------------------------------------------------------



Proposed Supervisory Guidance for Internal Ratings-Based Systems for 
Credit Risk, Advanced Measurement Approaches for Operational Risk, and 
the Supervisory Review Process (Pillar 2) Related to Basel II 
Implementation; Notice

Federal Register / Vol. 72, No. 39 / Wednesday, February 28, 2007 / 
Notices

[[Page 9084]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

[Docket No. OCC-2007-0004]

FEDERAL RESERVE SYSTEM

[Docket No. OP-1277]

FEDERAL DEPOSIT INSURANCE CORPORATION

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

[No. 2007-06]


Proposed Supervisory Guidance for Internal Ratings-Based Systems 
for Credit Risk, Advanced Measurement Approaches for Operational Risk, 
and the Supervisory Review Process (Pillar 2) Related to Basel II 
Implementation

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision, 
Treasury (OTS) (collectively, the Agencies).

ACTION: Proposed supervisory guidance with request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Agencies are publishing for comment three documents that 
set forth proposed supervisory guidance for implementing proposed 
revisions to the risk-based capital standards in the United States (New 
Advanced Capital Adequacy Framework or proposed framework). These 
proposed revisions, which would implement the ``International 
Convergence of Capital Measurement and Capital Standards: A Revised 
Framework,'' published in June 2004 by the Basel Committee on Banking 
Supervision (Basel II), in the United States, were published in the 
Federal Register on September 25, 2006 as a notice of proposed 
rulemaking (NPR or proposed rule). The proposed framework outlined in 
the NPR would require some and permit other qualifying banks to 
calculate their regulatory risk-based capital requirements using an 
internal ratings-based (IRB) approach for credit risk and the advanced 
measurement approaches (AMA) for operational risk (together, the 
advanced approaches); it also provides guidelines for the supervisory 
review process (Pillar 2). The proposed supervisory guidance documents 
provide additional detail for the advanced approaches and the 
supervisory review process that should help banks satisfy the 
qualification requirements in the NPR.

DATES: Comments on the three proposed supervisory guidance documents 
must be submitted on or before May 29, 2007.

ADDRESSES:
    OCC: You must include OCC and Docket Number OCC-2007-0004 in your 
comment. You may submit comments by any of the following methods:
     Agency Web site: http://www.occ.treas.gov. Click on 
``Contact the OCC,'' scroll down and click on ``Comments on Proposed 
Regulations.''
     E-mail address: [email protected].
     Fax: (202) 874-4448.
     Mail: Office of the Comptroller of the Currency, 250 E 
Street, SW., Mail Stop 1-5, Washington, DC 20219.
     Hand Delivery/Courier: 250 E Street, SW., Attn: Public 
Information Room, Maila Stop 1-5, Washington, DC 20219.
    Instructions: All submissions received must include the agency name 
(OCC) and docket number for this proposed notice. In general, OCC will 
enter all comments received into the docket without change, including 
any business or personal information that you provide.
    You may review comments and other related materials by any of the 
following methods:
     Viewing Comments Personally: You may personally inspect 
and photocopy comments at the OCC's Public Information Room, 250 E 
Street, SW., Washington, DC. You can make an appointment to inspect 
comments by calling (202) 874-5043.
     Viewing Comments Electronically: You may request e-mail or 
CD-ROM copies of comments that the OCC has received by contacting the 
OCC's Public Information Room at: [email protected].
     Docket: You may also request available background 
documents and project summaries using the methods described above.
    Board: You may submit comments, identified by Docket No. OP-1277, 
by any of the following methods:
     Agency Web site: http://www.federalreserve.gov. Follow the 
instructions for submitting comments at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     E-mail: regs.comments@ federalreserve.gov. Include the 
docket number in the subject line of the message.
     Fax: (202) 452-3819 or (202) 452-3102.
     Mail: Jennifer J. Johnson, Secretary, Board of Governors 
of the Federal Reserve System, 20th Street and Constitution Avenue, 
NW., Washington, DC 20551.
    All public comments are available from the Board's Web site at 
http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as 
submitted, unless modified for technical reasons. Accordingly, your 
comments will not be edited to remove any identifying or contact 
information. Public comments also may be viewed electronically or in 
paper form in Room MP-500 of the Board's Martin Building (20th and C 
Streets, NW.) between 9 a.m. and 5 p.m. on weekdays.
    FDIC: You may submit comments by any of the following methods:
     Agency Web Site: http://www.fdic.gov/regulations/laws/federal. Follow instructions for submitting comments on the Agency Web 
Site.
     E-mail: [email protected]. Include ``Basel II Supervisory 
Guidance'' in the subject line of the message.
     Mail: Robert E. Feldman, Executive Secretary, Attention: 
Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429.
     Hand Delivery/Courier: Guard station at the rear of the 
550 17th Street Building (located on F Street) on business days between 
7 a.m. and 5 p.m. (EST).
      Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
    Public Inspection: All comments received will be posted without 
change to http://www.fdic.gov/regulations/laws/federal including any 
personal information provided. Comments may be inspected and 
photocopied in the FDIC Public Information Center, 3501 North Fairfax 
Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5 p.m. 
(EST) on business days. Paper copies of public comments may be ordered 
from the Public Information Center by telephone at (877) 275-3342 or 
(703) 562-2200.
    OTS: You may submit comments, identified by No. 2007-06 by any of 
the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     E-mail: regs.comments@ ots.treas.gov. Please include No. 
2007-06 in the subject line of the message, and include your name and 
telephone number in the message.
     Fax: (202) 906-6518.

[[Page 9085]]

     Mail: Regulation Comments, Chief Counsel's Office, Office 
of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, 
Attention: No. 2007-06.
     Hand Delivery/Courier: Guard's Desk, East Lobby Entrance, 
1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention: 
Regulation Comments, Chief Counsel's Office, Attention: No. 2007-06.
    Instructions: All submissions received must include the agency name 
and document number. All comments received will be posted without 
change to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1, 
including any personal information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1. In addition, you may inspect comments 
at the Public Reading Room, 1700 G Street, NW., by appointment. To make 
an appointment for access, call (202) 906-5922, send an e-mail to 
public.info@ots.treas.gov">public.info@ots.treas.gov, or send a facsimile transmission to (202) 
906-7755. (Prior notice identifying the materials you will be 
requesting will assist us in serving you.) We schedule appointments on 
business days between 10 a.m. and 4 p.m. In most cases, appointments 
will be available the next business day following the date we receive a 
request.

FOR FURTHER INFORMATION CONTACT:
    OCC: IRB guidance: Fred Finke, Senior Basel Policy Liaison (202-
874-4468 or [email protected]); AMA guidance: Mark O'Dell, 
Deputy Comptroller for Operational Risk (202-874-4316 or 
[email protected]); or guidance on supervisory review: Akhtarur 
Siddique, Lead Expert (202-874-4665 or 
[email protected]); Office of the Comptroller of the 
Currency, 250 E Street, SW., Washington, DC 20219.
    Board: IRB guidance: Sabeth Siddique, Assistant Director, Credit 
Risk Section (202-452-3861); AMA guidance: Stacy Coleman, Assistant 
Director, Operational Risk Section (202-452-2934) or Connie Horsley, 
Senior Supervisory Financial Analyst, Operational Risk Section (202-
452-5239); or guidance on supervisory review: David Palmer, Senior 
Supervisory Financial Analyst, Credit Risk Section (202-452-2904); 
Board of Governors of the Federal Reserve System, 20th Street and 
Constitution Avenue, NW., Washington, DC 20551. Users of 
Telecommunication Device for Deaf (TTD) only, call (202) 263-4869.
    FDIC: IRB guidance: Pete Hirsch, Chief, Large Bank Supervision 
(202-898-6751 or [email protected]), Curtis Wong, Senior Examination 
Specialist, Planning and Program Development Section (202-898-7327 or 
[email protected]); AMA guidance: Mark S. Schmidt, Regional Director (678-
916-2189 or [email protected]), Alfred Seivold, Senior Examination 
Specialist, Large Bank Supervision (415-808-8248 or [email protected]); 
or guidance on supervisory review: Bobby Bean, Chief, Capital Markets 
Policy Section (202-898-3575 or [email protected]), Gloria Ikosi, Senior 
Quantitative Risk Analyst, Capital Markets Policy Section (202-898-3997 
or [email protected]); Federal Deposit Insurance Corporation, 550 17th 
Street, NW., Washington, DC 20429.
    OTS: IRB guidance: David Tate, Manager, Examination Quality Review 
(202-906-5717); AMA guidance: Eric Hirschhorn, Senior Financial 
Economist, Credit Policy (202-906-7350); or guidance on supervisory 
review: Sonja White, Senior Project Manager, Capital Policy (202-906-
7857); Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 
20552.

SUPPLEMENTARY INFORMATION: The Agencies issued an NPR on September 25, 
2006,\ 1\ which seeks comment on the New Advanced Capital Adequacy 
Framework that revises the existing general risk-based capital 
standards as applied to large, internationally active U.S. banks.\2\ 
The public comment period on the NPR closes on March 26, 2007.\3\ The 
proposed framework would implement Basel II in the United States.
---------------------------------------------------------------------------

    \1\ See 71 FR 55830 (Sept. 25, 2006).
    \2\ For simplicity, and unless otherwise noted, the term 
``banks'' is used here to refer to banks, savings associations, and 
bank holding companies. The terms ``bank holding company'' and 
``BHC'' refer only to bank holding companies regulated by the Board 
and do not include savings and loan holding companies regulated by 
the OTS. For a detailed description of the institutions covered by 
this notice, refer to part I, section 1, of the NPR.
    \3\ See 71 FR 77518 (Dec. 26, 2006).
---------------------------------------------------------------------------

    As described in the NPR, Basel II sets forth a three-pillar 
framework encompassing regulatory risk-based capital requirements 
(Pillar 1); supervisory review of capital adequacy (Pillar 2); and 
market discipline through enhanced public disclosures (Pillar 3). The 
proposed framework outlined in the NPR for Pillar 1 would require some 
and permit other qualifying banks to calculate their regulatory risk-
based capital requirements using the IRB approach for credit risk and 
the AMA for operational risk.\4\ The NPR also requires a process for 
the supervisory review of capital adequacy under Pillar 2, and outlines 
requirements for enhanced public disclosures under Pillar 3.\5\ The NPR 
describes the qualification process and provides qualification 
requirements for obtaining supervisory approval for use of the advanced 
approaches.\6\ The qualification requirements are written broadly to 
accommodate the many ways a bank may design and implement robust credit 
and operational risk measurement and management systems, and to permit 
industry practice to evolve.
---------------------------------------------------------------------------

    \4\ While Basel II provides several approaches for calculating 
regulatory risk-based capital requirements under Pillara1, only the 
advanced approaches are proposed for implementation in the United 
States.
    \5\ Supervisory expectations pertaining to a bank's public 
disclosures are not part of this notice.
    \6\ See part III, section 22 of the NPR.
---------------------------------------------------------------------------

    The proposed supervisory guidance documents are companion guidance 
to the September 2006 NPR and, as such, are designed to be consistent 
with the proposed rule and do not address any public comments since the 
NPR was issued. They provide additional detail that should help banks 
satisfy the qualification requirements in the NPR. However, the 
publication of these guidance documents for comment does not imply that 
the outcome of the NPR has already been determined. As part of the 
regulatory rulemaking process, the proposed guidance documents are 
subject to change as needed based on, among other things, the public 
comments on the guidance and the Agencies' decisions regarding any 
final rule.
    The Agencies believe that the proposed supervisory guidance 
documents are necessary to supplement the proposed framework with 
standards to promote safety and soundness and encourage comparability 
across banks. A bank's primary Federal supervisor will review the 
bank's framework relative to the qualification requirements in the NPR 
to determine whether the bank may apply the advanced approaches and has 
complied with the proposed rule in determining its regulatory capital 
requirements.
    In August 2003, the Agencies issued an advance notice of proposed 
rulemaking (ANPR), which described the proposed revisions to the 
existing risk-based capital framework in general terms and sought 
public comment.\7\ The content of the ANPR was based, in large part, on 
the April 2003 version of the Basel II framework.\8\ Contemporaneously 
with the ANPR, the Agencies also issued for public

[[Page 9086]]

comment two proposed supervisory guidance documents relating to the 
proposed framework.\9\ The first proposed 2003 guidance document 
described supervisory views on the credit risk measurement and 
management systems that should be implemented by banks that adopt the 
IRB approach for computing risk-based capital requirements for 
corporate credit risk exposures. The second proposed 2003 guidance 
document provided supervisory views on the operational risk measurement 
and management systems that should be implemented by banks that adopt 
the AMA for computing risk-based capital requirements for operational 
risk, including their operational risk management, data elements, and 
quantification processes. In October 2004, the Agencies also issued for 
public comment proposed supervisory guidance on IRB systems for retail 
credit risk exposures.\10\
---------------------------------------------------------------------------

    \7\ See 68 FR 45900 (Aug. 4, 2003).
    \8\ See The New Basel Capital Accord (April 2003) (available at 
http://www.bis.org).
    \9\ See 68 FR 45949 (Aug. 4, 2003).
    \10\ See 69 FR 62748 (Oct. 27, 2004), and 70 FR 423 (Jan. 4, 
2005) (correction).
---------------------------------------------------------------------------

    The first guidance document presented in this notice sets forth 
proposed supervisory guidance on IRB systems for credit risk covering 
the wholesale and retail exposure categories, as well as guidance on 
the equity and securitization exposure categories (IRB Guidance). Under 
the IRB framework, banks would use internal estimates of certain risk 
components as key inputs in the determination of their regulatory risk-
based capital requirement for credit risk. As mentioned above, the 
Agencies previously published proposed supervisory guidance on a bank's 
IRB systems for corporate and retail exposures in 2003 and 2004, 
respectively. Since the release of those documents, the Agencies have 
continued to refine the proposals based on insights gained from public 
comment and the collective efforts of the interagency IRB working 
groups. The IRB Guidance updates and consolidates the previously 
proposed supervisory guidance on corporate and retail exposures. It 
also provides new guidance on systems a bank may need to differentiate 
the risk of other credit exposure types, such as equity and 
securitization exposures, as well as to recognize the benefits of 
financial collateral in mitigating counterparty credit risk in certain 
transactions or to use the double default treatment for certain 
wholesale exposures.
    The IRB Guidance is structured somewhat differently from the 
proposed supervisory guidance issued in 2003 and 2004. Those guidance 
documents contained four chapters covering corporate ratings and retail 
segmentation systems, quantification, data management and maintenance, 
and controls, with discussion of validation and stress testing 
contained within the rating and segmentation and quantification 
chapters. The structure of the IRB Guidance generally follows the key 
components of a bank's advanced systems for credit risk outlined in the 
NPR. Chapter 1 provides guidance on governance of a bank's overall 
advanced systems for credit risk. Chapters 2 through 5 cover the 
components of a bank's IRB systems for wholesale and retail exposures. 
Chapters 6 and 7 provide guidance on data management and maintenance 
and the control and validation framework. Chapter 8 provides guidance 
on stress testing. Chapters 9 through 11 provide guidance on the other 
systems a bank may need to differentiate risk in certain transactions 
subject to counterparty credit risk, equity exposures, and 
securitization exposures.
    The IRB Guidance supplements the NPR and provides additional 
context and detail to help banks meet the qualification requirements in 
the NPR relevant to a bank's systems and processes for credit risk. 
Thus, the guidance should be read alongside the NPR to obtain a full 
perspective of the underlying requirements in the proposed rule. The 
guidance does not contain additional proposed requirements that are not 
in the NPR. Chapters 5, 9, 10, and 11, are being issued for the first 
time and supplement the detailed discussion of those topics in the NPR. 
Similar to the previously proposed corporate and retail guidance, the 
IRB Guidance contains supervisory standards (designated with an ``S'') 
that highlight important elements of a bank's advanced systems for 
credit risk. The supervisory standards contained in the previously 
proposed corporate and retail guidance documents have been consolidated 
and updated and new supervisory standards are proposed.
    The second guidance document in this notice sets forth proposed 
supervisory guidance on the AMA for operational risk (AMA Guidance), 
updating the proposed AMA Guidance published in 2003. Since the 
issuance of that proposed AMA Guidance, the Agencies have revised the 
guidance to clarify issues and simplify, wherever possible, supervisory 
standards. The revisions are based on insights gained from public 
comment and the collective efforts of the interagency AMA working 
group. Under the AMA framework, a bank would rely on internal estimates 
of its operational risk exposure to generate its regulatory risk-based 
capital requirement for operational risk. The AMA Guidance provides 
additional context and detail to help a bank meet the qualification 
requirements outlined in the NPR relevant to operational risk.
    Some of the specific revisions to the AMA Guidance include: (1) 
Clarifying the roles of a bank's board of directors and management in 
developing and overseeing the implementation of the bank's AMA 
framework; (2) expanding standard 5 to address the integration of the 
bank's operational risk management, data and assessment, and 
quantification processes into the bank's existing risk management 
decision-making processes; (3) expanding and clarifying operational 
risk quantification standards both to reflect the evolution of industry 
practices, as well as to address supervisory concerns; (4) clarifying 
supervisory expectations regarding the use of scenario analysis, the 
key elements used to support operational risk management and 
measurement, and eligible operational risk offsets (see standards 20, 
24, and 26, respectively); (5) adding standard 25 that discusses how 
frequently a bank must recalculate its estimate of operational risk 
exposure and its risk-based capital requirement for operational risk; 
(6) adding standard 27 that a bank must employ a unit of measure that 
is appropriate for its range of business activities and the variety of 
operational loss events to which it is exposed; (7) expanding the 
discussion on dependence modeling in standard 28; and (8) adding a 
section that discusses a bank's use, in certain limited circumstances, 
of an alternative quantification system to estimate its operational 
risk exposure.
    The Agencies recognize that a bank required to adopt an AMA 
framework may have developed an implementation plan using the proposed 
supervisory standards in the 2003 proposed AMA Guidance to assess its 
status in meeting the requirements proposed in the ANPR and to 
determine additional work needed to comply with those requirements. The 
table below maps the current proposed supervisory standards to those in 
the 2003 proposed AMA Guidance.

  Comparison of Current Proposed AMA Supervisory Standards to the 2003
                   Proposed AMA Supervisory Standards
------------------------------------------------------------------------
                                                           2003 Proposed
            Current Proposed Standard Number                 Standard
                                                              Number
------------------------------------------------------------------------
1.......................................................               1

[[Page 9087]]

 
2.......................................................               8
3.......................................................              11
4.......................................................               2
5.......................................................               3
6.......................................................               4
7.......................................................               5
8.......................................................               6
9.......................................................               7
10......................................................           9, 10
11......................................................              12
12......................................................          13, 14
13......................................................              15
14......................................................              16
15......................................................              17
16......................................................              18
17......................................................              19
18......................................................              20
19......................................................              21
20......................................................              24
21......................................................              22
22......................................................              23
23......................................................              25
24......................................................              27
25......................................................             New
26......................................................              28
27......................................................             New
28......................................................              29
29......................................................              30
30......................................................              26
31......................................................              31
32......................................................          32, 33
------------------------------------------------------------------------

    The third document sets forth proposed supervisory guidance on the 
supervisory review process (Pillar 2) in the New Advanced Capital 
Adequacy Framework. The process of supervisory review described in this 
proposed guidance document reflects a continuation of the longstanding 
approach employed by the Agencies in their supervision of banks. 
However, new methods for calculating regulatory risk-based capital 
requirements--such as those in the proposed framework--and development 
of improved risk monitoring and management tools within the industry 
often bring changes in the relative emphasis placed on the various 
aspects of supervisory review. This proposed guidance document 
highlights aspects of existing supervisory review that are being 
augmented or more clearly defined to support the proposed framework. 
Under the framework, in determining the extent to which banks should 
hold capital in excess of regulatory minimums, supervisors would 
consider the combined implications of a bank's compliance with 
qualification requirements for regulatory risk-based capital standards, 
the quality and results of its internal capital adequacy assessment 
process (ICAAP), and supervisory assessment of its risk management 
processes, control structure, and other relevant information relating 
to its risk profile and capital position. The ICAAP (while not 
mandating the determination of economic capital) should, to the extent 
possible, identify and measure material risks, which may include (but 
should not necessarily be limited to) credit risk, market risk, 
operational risk, interest rate risk, and liquidity risk, and account 
for concentrations within and among risk types.
    The Agencies solicit comment on all aspects of the supervisory 
guidance documents. In addition, the Agencies believe an important goal 
for any regulatory capital system is to achieve a measure of 
consistency in the capital requirements assigned to exposures with 
similar risk profiles held by different banks. The Agencies seek 
comment on the extent to which this proposed supervisory guidance will 
promote that objective.

Paperwork Reduction Act

A. Request for Comment on Proposed Information Collection

    In accordance with the requirements of the Paperwork Reduction Act 
of 1995, the Agencies may not conduct or sponsor, and the respondent is 
not required to respond to, an information collection unless it 
displays a currently valid Office of Management and Budget (OMB) 
control number. The Agencies are requesting comment on a proposed 
information collection. The Agencies are also giving notice that the 
proposed collection of information has been submitted to OMB for review 
and approval.
    Comments are invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the Agencies' functions, including whether the 
information has practical utility;
    (b) The accuracy of the estimates of the burden of the information 
collection, including the validity of the methodology and assumptions 
used;
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) Ways to minimize the burden of the information collection on 
respondents, including through the use of automated collection 
techniques or other forms of information technology; and
    (e) Estimates of capital or start up costs and costs of operation, 
maintenance, and purchase of services to provide information.
    Comments should be addressed to:
    OCC: Communications Division, Office of the Comptroller of the 
Currency, Public Information Room, Mail stop 1-5, Attention: 1557-NEW, 
250 E Street, SW., Washington, DC 20219. In addition, comments may be 
sent by fax to (202) 874-4448, or by electronic mail to 
[email protected]. You can inspect and photocopy the comments 
at the OCC's Public Information Room, 250 E Street, SW., Washington, DC 
20219. You can make an appointment to inspect the comments by calling 
(202) 874-5043.
    Board: You may submit comments, identified by FR 4199, by any of 
the following methods:
     Agency Web Site: http://www.federalreserve.gov. Follow the 
instructions for submitting comments at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     E-mail: regs.comments@ federalreserve.gov.
     Fax: (202) 452-3819 or (202) 452-3102.
     Mail: Jennifer J. Johnson, Secretary, Board of Governors 
of the Federal Reserve System, 20th Street and Constitution Avenue, 
NW., Washington, DC 20551.
    All public comments are available from the Board's Web site at 
http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as 
submitted, except as necessary for technical reasons. Accordingly, your 
comments will not be edited to remove any identifying or contact 
information. Public comments may also be viewed electronically or in 
paper form in Room MP-500 of the Board's Martin Building (20th and C 
Streets, NW.) between 9 a.m. and 5 p.m. on weekdays.
    FDIC: You may submit comments by any of the following methods:
     Agency Web Site: http://www.fdic.gov/regulations/laws/federal. Follow instructions for submitting comments on the Agency Web 
Site.
     E-mail: [email protected]. Include ``Basel II Supervisory 
Guidance'' in the subject line of the message.
     Mail: Robert E. Feldman, Executive Secretary, Attention: 
Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429.
     Hand Delivery/Courier: Guard station at the rear of the 
550 17th Street Building (located on F Street) on business days between 
7 a.m. and 5 p.m. (EST).

[[Page 9088]]

     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
    Public Inspection: All comments received will be posted without 
change to http://www.fdic.gov/regulations/laws/federal including any 
personal information provided. Comments may be inspected and 
photocopied in the FDIC Public Information Center, 3501 North Fairfax 
Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5 p.m. 
(EST) on business days. Paper copies of public comments may be ordered 
from the Public Information Center by telephone at (877) 275-3342 or 
(703) 562-2200.
    A copy of the comments may also be submitted to the OMB desk 
officer for the Agencies: By mail to U.S. Office of Management and 
Budget, 725 17th Street, NW., 10235, Washington, DC 20503 or 
by facsimile to 202-395-6974, Attention: Federal Banking Agency Desk 
Officer.
    OTS: Information Collection Comments, Chief Counsel's Office, 
Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552; 
send a facsimile transmission to (202) 906-6518; or send an e-mail to 
ots.treas.gov">infocollection.comments@ots.treas.gov. OTS will post comments and the 
related index on the OTS Internet site at http://www.ots.treas.gov. In 
addition, interested persons may inspect the comments at the Public 
Reading Room, 1700 G Street, NW., by appointment. To make an 
appointment, call (202) 906-5922, send an e-mail to 
public.info@ots.treas.gov">public.info@ots.treas.gov, or send a facsimile transmission to (202) 
906-7755.

B. Proposed Information Collection

    Title of Information Collection: Proposed Basel II Interagency 
Supervisory Guidance for IRB, AMA, and the Supervisory Review Process.
    Frequency of Response: Event-generated.
    Affected Public:
    OCC: National banks.
    Board: State member banks, bank holding companies, affiliates and 
certain non-bank subsidiaries of bank holding companies, commercial 
lending companies owned or controlled by foreign banks, and Edge and 
agreement corporations.
    FDIC: Insured nonmember banks and certain subsidiaries of these 
entities.
    OTS: Savings associations and certain of their subsidiaries.
    Abstract: The notice sets forth three proposed supervisory guidance 
documents for implementing proposed revisions to the risk-based capital 
standards in the United States (New Advanced Capital Adequacy 
Framework). The proposed guidance documents concern (1) the internal 
ratings-based systems for credit risk (IRB), (2) the advanced 
measurement approaches for operational risk (AMA), and (3) the 
supervisory review process (Pillar II).
    The Agencies believe that the documentation, prior approvals, and 
disclosures included in the proposed IRB and AMA guidance are directly 
related to the information collection requirements found in the Basel 
II notice of proposed rulemaking (NPR) published in the Federal 
Register on September 25, 2006 (71 FR 55830). More specifically, the 
information collection aspects of the proposed IRB and AMA guidance tie 
to the following sections of the NPR: 21, 22, 44, 53, and 71. The 
Agencies believe that the burden estimates developed for the NPR 
adequately cover the additional specificity contained in the proposed 
IRB and AMA guidance.
    For the proposed Pillar II portion of the guidance, the Agencies 
believe that paragraphs 25, 31, 35, 37, and 42 impose new information 
collection requirements that were beyond the scope of the burden 
estimates developed for the NPR. The agencies burden estimates for 
these additional information collection requirements are summarized 
below. Note that the estimated number of respondents listed below 
include both institutions for which the Basel II risk-based capital 
requirements are mandatory and institutions that may be considering 
opting-in to Basel II (despite the lack of any formal commitment by 
most of these latter institutions).
    Estimated Burden:

OCC

    Number of Respondents: 52.
    Estimated Burden per Respondent: 140 hours.
    Total Estimated Annual Burden: 7,280 hours.

Board

    Number of Respondents: 15.
    Estimated Burden per Respondent: 420 hours.
    Total Estimated Annual Burden: 6,300 hours.

FDIC

    Number of Respondents: 19.
    Estimated Burden per Respondent: 420 hours.
    Total Estimated Annual Burden: 7,980 hours.

OTS

    Number of Respondents: 4.
    Estimated Burden per Respondent: 420 hours.
    Total Estimated Annual Burden: 1,680 hours.
    The proposed supervisory guidance documents follow:

Proposed Supervisory Guidance on Internal Ratings-Based Systems for 
Credit Risk

Table of Contents

Introduction

I. Purpose
II. Scope of Guidance

Chapter 1: Advanced Systems for Credit Risk

Rule Requirements

I. Overview
II. Governance of Advanced Systems

Chapter 2: Wholesale Risk Rating Systems

Rule Requirements

I. Overview
II. Credit Rating Assignment Techniques
    A. Expert Judgment
    B. Models
    C. Constrained Judgment
    D. Rating Overrides
III. Definition of Default
IV. Independence of the Wholesale Risk Rating Process
V. IRB Risk Rating System Architecture
    A. Two-Dimensional Risk-Rating System
    B. Other Considerations

Chapter 3: Retail Segmentation Systems

Rule Requirements

I. Overview
II. Definition of Default
III. Retail Segmentation Architecture
    A. Criteria for Retail Segmentation
    B. Assignment of Exposures to Retail Segments

Chapter 4: Quantification

Rule Requirements

I. Overview
    A. Stages of the Quantification Process
    B. General Standards for Sound Quantification
II. Probability of Default (PD)
    A. Data
    B. Estimation
    C. Mapping
    D. Application
III. Expected Loss Given Default (ELGD) and Loss Given Default (LGD)
    A. Data
    B. Estimation
    C. Mapping
    D. Application
IV. Exposure at Default (EAD)
    A. Data
    B. Estimation
    C. Mapping
    D. Application
V. Maturity (M)
VI. Special Cases and Applications
    A. Loan Sales
    B. Multiple Legal Entities
Appendix A: Illustrations of the Quantification Process for 
Wholesale

[[Page 9089]]

Portfolios
Appendix B: Illustrations of the Quantification Process for Retail 
Portfolios

Chapter 5: Wholesale Credit Risk Protection

Rule Requirements

Chapter 6: Data Management and Maintenance

Rule Requirements

I. Overview
II. General Data Requirements
    A. Life Cycle Tracking for Wholesale Exposures
    B. Rating Assignment Data for Wholesale Exposures
    C. Segmentation Data for Retail Exposures
    D. Outsourced Activities
    E. Asset Sales
III. Data Applications
    A. Validation and Refinement
    B. Applying IRB System Improvements Historically
    C. Calculating Risk-Based Capital Ratios and Reporting to the 
Public
    D. Supporting Risk Management
IV. Managing Data Quality and Integrity
    A. Documentation and Definitions
    B. Electronic Storage and Access
Appendix A: Data Elements for Wholesale and Retail Exposures
    A. Examples of Data Elements for Wholesale Exposures
    B. Examples of Data Elements for Retail Exposures
Appendix B: Applying Risk Rating System Improvements Historically

Chapter 7: Controls and Validation

Rule Requirements

I. Overview
II. Reviews of the IRB System
III. Consistency Between IRB Systems and Risk Management Processes
IV. Internal Audit
V. Validation Activities
    A. General Validation Requirements
    B. Validation Activities
    C. Minimum Frequency of Validation

Chapter 8: Stress Testing of Risk-Based Capital Requirements

Rule Requirements

Chapter 9: Counterparty Credit Risk Exposure

Rule Requirements

I. Overview
II. Transactions with Counterparty Credit Risk
III. Definitions
IV. Netting
V. Determination of Eligibility for EAD Adjustment
VI. Methods for Determining EAD
    A. Methodologies for Repo-style Transactions and Eligible Margin 
Loans
    B. EAD for OTC Derivative Contracts
    C. Internal Models Methodology
VII. Defaulted Counterparties

Chapter 10: Risk-Weighted Assets for Equity Exposures

Rule Requirements

I. Overview
II. Definition of Banking Book Equities
III. Applying the Framework
IV. Using Internal Models for Equity Exposures
V. Quantification of Equity Exposures
    A. Reference Data
    B. External Data
    C. Estimation
VI. Validation of Internal Models for Equity Exposures
VII. Consistency Between Internal Models Used for Equity Exposures 
and Risk Management Processes

Chapter 11: Securitizations

Rule Requirements

I. Overview
II. Scope of Application
III. General Principles of the Securitization Framework
    A. Risk Transference
    B. Implicit Support
    C. Servicer Cash Advances
    D. Clean-up Calls
    E. Maximum Capital Requirements for Securitization Exposures
IV. Hierarchy of Approaches
V. IRB Approaches for Securitization Exposures
    A. Ratings-Based Approach
    B. Internal Assessment Approach
VI. Internal Credit Assessment Process in the IAA
VII. Validation of IAA
    A. Supervisory Formula Approach
VIII. Early Amortization Provisions
IX. Data Management Requirements
    A. Data Elements
Appendix A: Description of the Supervisory Formula Approach (SFA).
Appendix B: Examples of Data Elements for Securitization Exposures
Attachment A: The NPR Qualification Requirements Related to the IRB 
Framework
Attachment B: Supervisory Standards
Attachment C: Acronym List

Introduction

I. Purpose

    1. This proposed guidance (``guidance''), published jointly by the 
U.S. Federal banking agencies \1\ provides supervisory guidance for 
U.S. banks, thrifts, and bank holding companies (``banks'') that adopt 
the Advanced Internal Ratings-Based Approach (``IRB'' or ``IRB 
framework'') for calculating minimum regulatory risk-based capital 
(``risk-based capital'') requirements for credit risk under the Basel 
II capital regulation.
---------------------------------------------------------------------------

    \1\ The Federal banking agencies are: The Board of Governors of 
the Federal Reserve System; the Federal Deposit Insurance 
Corporation; the Office of the Comptroller of the Currency; and the 
Office of Thrift Supervision; and will collectively be referred to 
as ``the Agencies,'' ``supervisors,'' or ``regulators'' in this 
guidance.
---------------------------------------------------------------------------

    2. This guidance supplements the notice of proposed rulemaking 
(``NPR'' or ``proposed rule'') published in the Federal Register on 
September 25, 2006.\2\ The NPR proposes a regulatory framework within 
which all banks subject to the proposed rule must develop their IRB 
systems. The NPR contains qualification requirements that each bank 
subject to the proposed rule must meet to the satisfaction of its 
primary Federal supervisor before using its IRB systems to calculate 
risk-based capital requirements. As stated in the preamble to the NPR, 
the qualification requirements for these systems are written in broad 
terms to accommodate the many ways a bank may design and implement a 
robust internal risk measurement and management system and to permit 
industry practice to evolve. As a supplement to the NPR, this guidance 
provides supervisory standards and additional detail on credit risk 
measurement and management systems that will assist banks in satisfying 
the requirements in the NPR.
---------------------------------------------------------------------------

    \2\ 71 FR 55830 (Sept. 25, 2006).
---------------------------------------------------------------------------

II. Scope of Guidance

    3. The focus of this guidance is on wholesale, retail, equity, and 
securitization exposures. A bank subject to the IRB framework for 
credit risk in the NPR is required to have systems for determining 
risk-based capital requirements for its wholesale and retail exposures. 
The wholesale category includes corporate exposures (for example, 
exposures to companies and banks, as well as commercial real estate 
exposures and other types of specialized lending), sovereign exposures, 
and other non-retail exposures. The retail category includes 
residential mortgage exposures, qualifying revolving exposures (QRE), 
and other retail exposures.
    4. A bank may also need systems to differentiate the risk of other 
exposure types, such as equity and securitization exposures, as well as 
to recognize the benefits of financial collateral in mitigating 
counterparty credit risk in certain transactions or to use double 
default treatment for certain wholesale exposures.
    5. In aggregation, the IRB systems and other systems for 
differentiating credit risk are defined in the NPR and in this guidance 
as a bank's ``advanced systems.'' This guidance covers advanced systems 
for all of a bank's credit-related exposure types. A bank's advanced 
systems also include its systems for determining risk-based capital 
requirements for its operational risk exposures under the proposed 
Advanced Measurement Approaches (``AMA'') framework, which is the 
subject of a separate supervisory

[[Page 9090]]

guidance document. Certain banks subject to the proposed rule may also 
be required to calculate risk-based capital requirements for their 
market risk exposures.
    6. As described in separate guidance relating to supervisory review 
(Pillar 2), in addition to meeting qualification requirements for 
regulatory risk-based capital standards, a bank must have a rigorous 
process for assessing its overall capital adequacy in relation to its 
risk profile and a comprehensive strategy for maintaining an 
appropriate level of capital. This process (while not mandating the 
determination of economic capital) should, to the extent possible, 
identify and measure material risks, which may include (but should not 
necessarily be limited to) credit risk, market risk, operational risk, 
interest rate risk, and liquidity risk, and account for concentrations 
within and among risk types. One of the main objectives of the internal 
capital adequacy assessment process is to identify the extent to which 
banks need to hold capital above regulatory minimums, in order to 
address risks not adequately captured by minimum regulatory capital 
requirements.
    7. A primary objective of the IRB framework is to make the risk-
based capital requirements more sensitive to credit risk. In general, 
the IRB framework incorporates recent developments in risk management 
and banking supervision. Under this framework, banks use their own 
internal risk rating and segmentation systems, as well as their 
quantification processes, to generate estimates of risk parameters that 
are inputs to the calculation of the risk-based capital requirements. 
Data that support accurate and reliable credit risk measurements, as 
well as rigorous management oversight and controls, including 
continuous monitoring and validation, are crucial to the prudent 
application of the IRB framework.
    8. This guidance, which is written for supervisors and bankers, 
describes the important elements and characteristics of a bank's 
advanced systems for credit risk. Toward this end, this guidance 
designates certain of those elements as supervisory standards denoted 
by the prefix ``S.'' These supervisory standards generally implement or 
clarify the requirements in the NPR and, whenever possible, are 
principle-based to provide banks with flexibility in implementing the 
framework. However, when prudential concerns or the need for 
standardization outweigh the benefits of flexibility, the supervisory 
standards are specified in greater detail. Furthermore, nothing in this 
guidance should be interpreted as weakening, modifying, or superseding 
the safety and soundness principles articulated in the Agencies'' 
existing statutes, regulations, or guidance. The standards are 
contained within each chapter with a full compilation of the standards 
provided in Attachment B.
    9. Supervisors will consider this guidance in evaluating banks' 
advanced systems for credit risk. This guidance assumes that readers 
are familiar with the proposed framework for calculating risk-based 
capital requirements for credit risk articulated in the NPR.
    10. The conceptual framework outlined in this guidance is not 
intended to dictate the precise manner by which banks should meet the 
qualification and other requirements in the NPR. Supervisors will 
determine compliance with the qualification requirements by evaluating, 
on an individual bank basis, the extent to which banks meet the 
substance and spirit of those requirements as they relate to each of 
the components of a bank's advanced systems for credit risk. However, 
evaluating each qualification requirement individually is not 
sufficient to determine a bank's overall compliance. The components of 
a bank's advanced systems for credit risk should complement and 
reinforce one another to ensure the accuracy of risk measurements. As 
part of the supervisory review of a bank's advanced systems, 
supervisors will analyze the extent to which a bank's advanced systems 
incorporate the substance and spirit of the standards outlined in this 
guidance.
    11. The structure of this guidance generally follows the key 
components of the advanced systems for credit risk. Chapter 1 provides 
guidance on governance of a bank's overall advanced systems. Chapters 2 
through 7 cover the components of a bank's IRB systems for wholesale 
and retail exposures. Chapter 8 provides guidance on stress testing. 
Chapters 9 through 11 provide guidance on the other systems a bank may 
need to differentiate risk for certain transactions subject to 
counterparty credit risk, equity exposures, and securitization 
exposures and supplements the detailed discussion of these exposure 
types in the NPR. The data standards and control framework provided in 
Chapters 6 and 7, respectively, of this guidance generally apply to 
these other systems as well.
    12. To aid the reader, the applicable NPR qualification 
requirements are listed at the front of each chapter, as well as listed 
together in Attachment A. Also, certain NPR requirements, such as 
definitions, are either repeated in this guidance or paraphrased to 
provide context. However, readers must look to the NPR for the exact 
proposed rule requirements.
    13. What follows is a brief description of each chapter:

Chapter 1: Advanced Systems for Credit Risk

    The chapter provides a discussion of the governance and system and 
process requirements for a bank's advanced systems for credit risk. It 
also outlines the key components of a bank's advanced systems for 
credit risk.

Chapter 2: Wholesale Risk Rating Systems

    A key component of an IRB system for wholesale exposures is the 
risk rating system. This chapter describes the design and operation of 
wholesale risk rating systems. Banks should use the principles outlined 
in this chapter when designing and operating wholesale risk rating 
systems.

Chapter 3: Retail Segmentation Systems

    A key component of an IRB system for retail credit exposures is the 
segmentation system, which groups retail exposures into segments 
according to risk characteristics. This segmentation is the retail 
portfolio analogue of assigning ratings to exposures in wholesale 
portfolios. This chapter describes the design and operation of an IRB 
segmentation system. The retail framework provides banks with 
substantial flexibility to use the retail segmentation that is most 
appropriate for their activities.

Chapter 4: Quantification

    Another key component of an IRB system is a quantification process 
that assigns numerical values to the key risk parameters that are used 
as inputs to the IRB risk-based capital formulas. This chapter provides 
guidance on the quantification process for wholesale and retail 
exposures. These risk parameters are probability of default (``PD''), 
expected loss given default (``ELGD''), loss given default (``LGD''), 
and exposure at default (``EAD''), and for wholesale exposures only, 
the effective remaining maturity (``M''). The quantification of these 
risk parameters should be the result of a disciplined process as 
described in this chapter. The chapter also includes specific examples 
for both wholesale rating systems and retail segmentation systems in 
the two appendices.

Chapter 5: Wholesale Credit Risk Protection

    This chapter supplements the detailed discussion of credit risk 
mitigation in

[[Page 9091]]

the NPR by providing guidance on how banks may recognize contractual 
arrangements for exposure-level credit protection (eligible guarantees 
and eligible credit derivatives) that transfer risk to one or more 
third parties. Each of these forms of credit protection must meet 
certain specific standards of eligibility, as articulated in the NPR, 
for recognition of the associated risk mitigation.

Chapter 6: Data Management and Maintenance

    A bank must have advanced data management and maintenance systems 
that support credible and reliable risk parameter estimates. This 
chapter describes how a bank should collect, maintain, and manage the 
data needed to support the other IRB system components for wholesale 
and retail exposures (e.g., risk rating and segmentation systems, the 
quantification process, and validation and other control processes), as 
well as the bank's broader risk management and reporting needs.

Chapter 7: Controls and Validation

    A bank must have a system of controls that ensures that the 
components of the IRB system are functioning effectively. This chapter 
provides guidance on the important elements of an effective control 
environment, including independent review processes, a comprehensive 
validation process (evaluation of developmental evidence, ongoing 
monitoring, and outcomes analysis), and an internal audit review and 
reporting process.

Chapter 8: Stress Testing of Risk-Based Capital Requirements

    Banks must conduct stress testing analysis of their advanced 
systems for credit risk as part of the risk-based capital management 
process. Stress testing analysis is a means of understanding how 
economic downturns, as described by stress scenarios, cause migration 
across ratings or segments and the concomitant change in required risk-
based capital. This chapter discusses considerations for conducting 
stress testing analyses.

Chapter 9: Counterparty Credit Risk Exposure

    For certain transactions subject to counterparty credit risk, banks 
may be allowed to recognize the risk mitigating effect of financial 
collateral through an adjustment to EAD. This chapter supplements the 
detailed discussion of counterparty credit risk in the NPR by 
describing some of the elements of counterparty credit risk mitigation, 
providing information to aid banks in choosing among the alternative 
methods to calculate EAD for these transactions, and providing some 
descriptions and illustrative examples of acceptable modeling practices 
for the estimation of EAD under the alternative methods.

Chapter 10: Risk-Weighted Assets for Equity Exposures

    This chapter supplements the detailed discussion of equity 
exposures provided in the NPR. It provides guidance on determining 
risk-based capital requirements for equity exposures held in the 
banking book for banks subject to the Market Risk Rule and for all 
equity exposures for banks not subject to the Market Risk Rule.

Chapter 11: Securitization Exposures

    A securitization exposure is any exposure whose credit risk 
reflects the tranching of risk of one or more underlying exposures. 
This chapter describes the concepts, eligibility, and mechanics 
associated with applying the three approaches for calculating risk-
based capital requirements for securitization exposures.

Chapter 1: Advanced Systems for Credit Risk

Rule Requirements

    Part III, Section 22(a)(2): The systems and processes used by a 
bank for risk-based capital purposes [in the NPR] must be consistent 
with the bank's internal risk management processes and management 
information reporting systems.
    Part III, Section 22(a)(3): Each bank must have an appropriate 
infrastructure with risk measurement and management processes that meet 
the qualification requirements [in the NPR] and are appropriate given 
the bank's size and level of complexity. Regardless of whether the 
systems and models that generate the risk parameters necessary for 
calculating a bank's risk-based capital requirements are located at any 
affiliate of the bank, the bank itself must ensure that the risk 
parameters and reference data used to determine its risk-based capital 
requirements are representative of its own credit risk and operational 
risk exposures.
    Part III, Section 22(j)(1): The bank's senior management must 
ensure that all components of the bank's advanced systems function 
effectively and comply with the qualification requirements [in the 
NPR].
    Part III, Section 22(j)(2): The bank's board of directors (or a 
designated committee of the board) must at least annually evaluate the 
effectiveness of, and approve, the bank's advanced systems.
    Part III, Section 22(k): Documentation. The bank must adequately 
document all material aspects of its advanced systems.

I. Overview

    1. This chapter provides a discussion of the governance and system 
and process requirements for a bank's advanced systems for credit risk. 
Board of directors and senior management oversight is critical to 
ensure that the design and function of the advanced systems are 
appropriate. Regardless of the specifics of a bank's advanced systems 
for credit risk, a bank should have a rigorous credit risk management 
infrastructure that complements these systems.
    2. A bank subject to the framework for credit risk in the NPR is 
required to have an internal ratings-based system (``IRB system'') for 
determining risk-based capital requirements for its wholesale and 
retail exposures.
    S 1-1 An IRB system must have five interdependent components that 
enable an accurate measurement of credit risk and risk-based capital 
requirements.
    3. The components of an IRB system are:
     A risk rating and segmentation system that differentiates 
risk by assigning ratings to individual wholesale obligors and 
exposures and individual retail exposures to segments;
     A quantification process that translates the risk 
characteristics of wholesale obligors and exposures and segments of 
retail exposures into numerical risk parameters that are used as inputs 
to the IRB risk-based capital formulas. These risk parameters are 
probability of default (``PD''), expected loss given default 
(``ELGD''), loss given default (``LGD''), and exposure at default 
(``EAD''), and for certain wholesale exposures only, the effective 
remaining maturity (``M'');
     A data management and maintenance system that supports the 
IRB system;
     Oversight and control mechanisms that ensure the IRB 
system is functioning effectively and producing accurate results; and
     An ongoing process that validates the accuracy of the risk 
rating assignments, segmentations, and the risk parameters.
    4. If applicable, a bank will also need systems to differentiate 
risk for other credit exposure types, such as for equity and 
securitization exposures, as well as to recognize the benefits of 
financial collateral in mitigating counterparty credit risk in certain 
transactions or to

[[Page 9092]]

use double default treatment for certain wholesale exposures.
    5. In aggregation, the IRB system and other systems for 
differentiating credit risk are defined in the NPR and in this guidance 
as a bank's ``advanced systems'' for credit risk. Chapters 2 through 7 
of this guidance provide supplemental guidance on IRB systems for 
wholesale and retail exposures. Chapter 8 provides banks with guidance 
on conducting stress testing analyses of their advanced systems for 
credit risk. Chapters 9 through 11 cover additional systems a bank may 
need to have for other credit exposure types.

II. Governance of Advanced Systems

    S 1-2 Senior management must ensure that all of the components of 
the bank's advanced systems for credit risk function effectively and 
comply with the qualification requirements in the NPR.
    6. Senior management should provide ongoing, active oversight of 
the advanced systems outlined in this supervisory guidance, and 
articulate the expectations for the technical and operational 
performance of the advanced systems, including the control framework. 
To provide effective oversight of the advanced systems, senior 
management should have extensive knowledge of the advanced systems' 
policies, underwriting standards, lending practices, account management 
activities, and collection and recovery practices. Senior management 
should understand how these factors affect all of the components of the 
advanced systems.
    7. The scope and depth of risk management reports should be 
sufficient for senior management to monitor the performance of the 
components of the advanced systems. Detailed reports should include, 
but are not limited to, the following topics:
     Risk profile by rating for wholesale exposures and by 
segment for retail exposures;
     Migration across ratings and segments with emphasis on 
unexpected results;
     Updates to the quantification performance results;
     Validation results;
     Comparative analysis of risk-based and internal capital 
assessments; and
     Control process assessments.
    S 1-3 The board of directors or its designated committee must at 
least annually evaluate the effectiveness of, and approve, the bank's 
advanced systems.
    8. The board of directors or its designated committee should at 
least annually ensure that management has appropriate processes and 
controls in place that support effective advanced systems for credit 
risk. The board should be provided with information that will enable it 
to conclude, with reasonable assurance, that management has appropriate 
processes and controls in place that support effective advanced systems 
for credit risk. To allow for ongoing monitoring, the board should be 
provided with reports summarizing the design and performance of the 
advanced systems. The board's strategic direction and oversight is 
essential to effective advanced systems.
    S 1-4 Each bank (including each depository institution) must ensure 
that the risk parameters and reference data used to determine its risk-
based capital requirements are representative of its own credit risk.
    9. Each bank must have an appropriate infrastructure with risk 
measurement and management processes that meet the qualification 
requirements in the NPR. Each bank's advanced systems for credit risk 
should also incorporate the supervisory standards in this guidance. 
This infrastructure must be appropriate given the bank's size and level 
of complexity. Regardless of whether the systems and models that 
generate the risk parameters necessary for calculating a bank's risk-
based capital requirements are located at any affiliate of the bank, 
the bank must ensure that the risk parameters and reference data used 
to determine its risk-based capital requirements are representative of 
the bank's credit risk profile.
    10. While some organizations may conduct rating, segmentation, 
quantification, and validation activities on a consolidated basis, each 
bank subject to the capital requirements for advanced systems must 
determine its risk-based capital requirements for credit risk on a 
stand-alone basis and hold its own separate risk-based capital in 
proportion to the risk exposure of its portfolios. Specifically, the 
PD, ELGD, LGD, and EAD estimates used to determine risk-based capital 
levels must be applied to exposures at the exposure or segment level, 
and risk-based capital requirements for each relevant bank should be 
based on the proportionate share of each exposure or segment owned by 
such bank.
    11. The board of directors should ensure that senior management at 
each bank confirm, through periodic evaluations, that risk parameters 
assigned to its credit exposures are appropriate on a stand-alone 
basis, and that the control and validation standards in Chapter 7 of 
this guidance are met.
    S 1-5 Banks should establish specific accountability for the 
overall performance of their advanced systems for credit risk.
    12. An individual or group of individuals should be responsible for 
the design and operation of the overall advanced systems. This 
accountability includes oversight for all of the components of the 
advanced systems for credit risk, regardless of which organizational 
units perform those processes. Authority and key responsibilities 
should be thoroughly documented and responsible individuals should be 
held accountable for the performance of the advanced systems.
    S 1-6 A bank's advanced systems should be transparent.
    13. Banks must adequately document all material aspects of their 
advanced systems. Adequate documentation will ensure transparency of a 
bank's advanced systems. A bank demonstrates the transparency of its 
advanced systems by comprehensively documenting all the systems'' 
components. Transparency through documentation is important so that 
third parties, such as a bank's supervisors and auditors, are able to 
understand, evaluate, and assess the effectiveness of the bank's 
advanced systems.
    14. Documentation should encompass, but is not limited to, the 
internal risk rating and segmentation systems, risk parameter 
quantification processes, data collection and maintenance processes, 
and model design, assumptions, and validation results. The guiding 
principle governing documentation is that it should support the 
requirements for the quantification, validation, and control and 
oversight mechanisms as well as the bank's broader credit risk 
management and reporting needs. Documentation is critical to the 
supervisory oversight process.

Chapter 2: Wholesale Risk Rating Systems

Rule Requirements

    Part III, Section 22(b)(1): A bank must have an internal risk 
rating and segmentation system that accurately and reliably 
differentiates among degrees of credit risk for the bank's wholesale 
and retail exposures.
    Part III, Section 22(b)(2): For wholesale exposures, a bank must 
have an internal risk rating system that accurately and reliably 
assigns each obligor to a single rating grade (reflecting the obligor's 
likelihood of default). The bank's wholesale obligor

[[Page 9093]]

rating system must have at least seven discrete rating grades for non-
defaulted obligors and at least one rating grade for defaulted 
obligors. Unless the bank has chosen to directly assign ELGD and LGD 
estimates to each wholesale exposure, the bank must have an internal 
risk rating system that accurately and reliably assigns each wholesale 
exposure to loss severity rating grades (reflecting the bank's estimate 
of the ELGD and LGD of the exposure). A bank employing loss severity 
rating grades must have a sufficiently granular loss severity grading 
system to avoid grouping together exposures with widely ranging ELGDs 
or LGDs.
    Part III, Section 22(b)(4): The bank's internal risk rating policy 
for wholesale exposures must describe the bank's rating philosophy 
(that is, must describe how wholesale obligor rating assignments are 
affected by the bank's choice of the range of economic, business, and 
industry conditions that are considered in the obligor rating process).
    Part III, Section 22(b)(5): The bank's internal risk rating system 
for wholesale exposures must provide for the review and update (as 
appropriate) of each obligor rating and (if applicable) each loss 
severity rating whenever the bank receives new material information, 
but no less frequently than annually.

I. Overview

    1. This chapter describes the design and operation of IRB risk 
rating systems for wholesale exposures. Banks will have latitude in 
designing and operating wholesale risk rating systems, subject to four 
broad principles:
    Two-dimensional risk rating system--Banks must be able to make 
meaningful and consistent differentiations among credit exposures along 
two dimensions--obligor default risk and loss severity in the event of 
a default.
    Rank order risks--Banks must rank obligors by their likelihood of 
default, and wholesale exposures (e.g., loans, facilities) by the loss 
severity expected in the event of default.
    Quantification--The risk rating system must be designed to 
facilitate quantification of obligor ratings in terms of PD and loss 
severity in terms of ELGD and LGD.
    Accuracy--The risk rating system must be designed to ensure that 
ratings are accurate, so that obligors within a rating grade have 
similar default risk and wholesale exposures within a loss severity 
rating grade have similar risk of loss in the event of default.

II. Credit Rating Assignment Techniques

    2. In general, a credit rating is a summary indicator of the 
relative risk of a credit exposure. Credit ratings can take many forms. 
Regardless of the form, meaningful credit ratings share two 
characteristics:
     They group exposures to discriminate among possible 
outcomes.
     They rank the perceived level of credit risk.
    3. Banks have used credit ratings of various types for a variety of 
purposes. Some ratings are intended to rank obligors by risk of default 
and some are intended to rank wholesale exposures by expected loss, 
which incorporates risk of default and loss severity. Only risk rating 
systems that distinguish probability of default from loss given default 
meet the two-dimensional requirements for the IRB framework.
    4. Banks use different techniques, such as expert judgment and 
models, to assign credit risk ratings. How ratings are assigned is 
important because different techniques will require different 
validation processes and control mechanisms to ensure the integrity of 
the rating system. Validation and controls are discussed in Chapter 7 
of this guidance. Some rating assignment techniques are described 
below; any of these techniques--expert judgment, models, constrained 
judgment, or a combination thereof--could be acceptable in an IRB 
system, provided the bank meets the qualification requirements in the 
NPR and the substance and spirit of the standards outlined in this 
guidance.

A. Expert Judgment

    5. Historically, banks have used expert judgment to assign ratings 
to wholesale exposures. With this technique, an individual weighs 
relevant information and reaches a conclusion about the appropriate 
risk rating. The rater makes informed judgments based on knowledge 
gained through experience and training.
    6. The key feature of expert-judgment systems is flexibility. The 
prevalence of judgmental rating systems reflects the view that the 
determinants of default are too complicated to be captured by a single 
quantitative model. The quality of management is often cited as an 
example of a risk determinant that is difficult to assess using a 
quantitative model. In order to foster internal consistency, banks 
employing expert judgment rating systems should provide narrative 
guidelines that set out specific quantitative and qualitative rating 
criteria for each rating grade. However, the expert should decide how 
much weight to give to each of these criteria in assigning a risk 
rating grade to an obligor.
    7. The flexibility possible in the assignment of judgmental ratings 
has implications for how the accuracy of the ratings is reviewed. One 
goal of the ratings review validation process is to confirm that raters 
followed policy. However, two individuals exercising judgment can use 
the same information to support different ratings. Thus, individuals 
reviewing an expert judgment rating system should have sufficient 
credit expertise and a thorough knowledge of how the bank's rating 
methodology and policies should be applied.

B. Models

    8. In recent years, models have been developed to assign ratings to 
wholesale exposures. In a model-based approach, inputs are numeric and 
provide quantitative and qualitative information about an obligor. The 
inputs are combined using mathematical equations to produce a number 
that is translated into a categorical rating. An important feature of 
models is that the rating is perfectly replicable by another party, 
given the same inputs.
    9. Models to assign wholesale ratings typically are statistically 
derived or based on expert-judgment techniques.
    10. Some models are the result of statistical optimization, in 
which well-defined mathematical criteria are used to choose the model 
that has the closest fit to the observed data. Numerous techniques can 
be used to build statistical models; regression is one widely 
recognized example. Such models are often referred to as scoring models 
or scorecards, because they produce a single number, or ``score,'' as 
an output that may be related, for example, to the estimated 
probability of default of each individual obligor in a portfolio. 
Regardless of the specific statistical technique used, a knowledgeable 
independent reviewer should exercise judgment in evaluating the 
reasonableness of a model's development, including its underlying 
logic, and the methods used to handle the data.
    11. In other cases, banks have built rating models by asking their 
experts to decide what weights to assign to critical variables in the 
models. Drawing on their experience, the experts first identify the 
observable variables that affect the likelihood of default. They then 
reach agreement on the weights to be assigned to each of the variables. 
Unlike statistical optimization, the experts are not necessarily using 
clear,

[[Page 9094]]

consistent criteria to select the weights attached to the variables. 
Indeed, expert-judgment model building is often a practical choice when 
there is not enough data to support a statistical model building. 
Despite its dependence on expert judgment, this method can be called 
model-based as long as the resulting equation, most likely with linear 
weights, is used to rate the credits. Once the equation is set, the 
model can be replicated, a feature shared with statistically derived 
models. However, while some banks refer to these types of expert-
derived models as ``scorecards,'' they are not scoring models in the 
conventional use of the term. The term scoring model or scorecard is 
customarily reserved for a rating model derived using strictly 
statistical techniques, as described in the preceding paragraph. 
Generally, independent credit experts use judgment to evaluate the 
reasonableness of the development of these expert-derived models.

C. Constrained Judgment

    12. The alternatives described above present the extremes; in 
practice, banks use risk rating systems that combine models with 
judgment. Two approaches are common.
    Judgmental systems with quantitative guidelines or model results as 
inputs. Individuals exercise judgment about risks subject to policy 
guidelines containing quantitative criteria such as minimum values for 
particular financial ratios. Banks develop quantitative criteria to 
guide individuals in assigning ratings, but the criteria may need to be 
augmented with additional information.
    One version of this constrained judgment approach features a model 
output as one among several criteria that an individual may consider 
when assigning ratings. The individual assigning the rating is 
responsible for prioritizing the criteria, reconciling conflicts 
between criteria, and, if warranted, overriding some criteria. Even if 
individuals incorporate model results as one of the factors in their 
ratings, they will exercise judgment in deciding what weight to attach 
to the model result. The appeal of this approach is that the model 
combines many pieces of information into a single output, which 
simplifies analysis, while the rater retains flexibility regarding the 
use of the model output.
    Model-based ratings with judgmental overrides. When banks use 
rating models, individuals are permitted to override the results under 
certain conditions and within tolerance levels for frequency. Credit-
rating systems in which individuals can override models raise many of 
the same issues presented separately by pure judgment and model-based 
systems. If overrides are rare, the system can be evaluated largely as 
if it is a model-based system. If, however, overrides are prevalent, 
the system will be evaluated more like a judgmental system.

D. Rating Overrides

    13. Regardless of the rating assignment technique in use, banks 
should define, within their IRB rating system documentation, what 
constitutes a ratings override. A judgmental override occurs when 
judgment is used to reject a rating suggested by an objective rating 
process, such as a model or scorecard. A policy override occurs 
whenever a rating is assigned in a manner that deviates from the bank's 
approved rating policy and procedures. Overrides should be specifically 
identified, monitored, and analyzed to evaluate their impact on the 
bank's IRB rating system.

III. Definition of Default

    S 2-1 Banks must identify obligor defaults in accordance with the 
IRB definition of default.
    14. The consistent identification of defaults is fundamental to any 
IRB risk rating system. For IRB purposes, a bank's wholesale obligor is 
in default if, for any wholesale exposure of the bank to the obligor, 
the bank has:
     Placed the exposure on non-accrual status consistent with 
the Call Report Instructions or the Thrift Financial Report (``TFR'') 
and the TFR Instruction Manual;
     Taken a full or partial charge-off or write-down on the 
exposure due to the distressed financial condition of the obligor; or
     Incurred a credit-related loss of 5 percent or more of the 
exposure's initial carrying value in connection with the sale of the 
exposure or the transfer of the exposure to the held-for-sale, 
available-for-sale, trading account, or other reporting category.
    15. Partial charge-offs or write-downs for reasons not related to 
the distressed financial condition of the obligor do not trigger the 
default definition. For example, taking a write-down or charge-off to 
reflect forgiveness of a minor fee for relationship purposes unrelated 
to financial distress does not trigger the default definition.
    16. An obligor in default remains in default until the bank has 
reasonable assurance of repayment and performance for all contractual 
principal and interest payments on all exposures of the bank to the 
obligor (other than exposures that have been fully written-down or 
charged-off).

IV. Independence of the Wholesale Risk Rating Process

    S 2-2 Banks should demonstrate that their wholesale risk rating 
processes are sufficiently independent to produce objective ratings.
    17. Independence in the rating process helps to ensure the 
integrity of ratings. Banks can promote more independence by 
implementing a variety of controls and reporting structures. For 
example, a bank could structure its organizational reporting lines so 
that the credit approval and the rating assignment decisions are 
separate from each other. Banks that separate the credit approval 
process from the rating assignment/review functions are often better 
able to manage the conflicts that arise between loan volume and credit 
quality goals. Banks should be aware of the full range of potential 
conflicts and should develop effective controls to mitigate any 
conflicts that might arise.
    18. However, banks that choose to maintain less separation in 
organizational reporting lines between credit approval and rating 
assignment should strengthen controls and consider conducting a post-
closing review process. A post-closing review provides an independent 
review of a rating that has been assigned by those who are not fully 
independent of the approval process. Any post-closing review, which 
serves to ensure that the initial rating is appropriate, should be 
conducted shortly after a credit is originated. The less independent 
the rating process is, the more rigorous the post-closing review should 
be.
    19. Whether ratings integrity is achieved by creating structural 
independence in reporting lines or through a combination of other 
control processes, a bank should demonstrate that its rating processes 
ensure integrity in ratings throughout the economic cycle.

V. IRB Risk Rating System Architecture

A. Two-Dimensional Risk-Rating System

    S 2-3 IRB risk rating systems must have two dimensions obligor 
default and loss severity corresponding to PD (obligor default), and 
ELGD and LGD (loss severity).
    20. Regardless of the type of rating system(s) used by a bank, the 
IRB framework imposes some specific requirements. The first requirement 
is that an IRB risk rating system must be two-dimensional. Banks will 
assign obligor ratings, which will be associated with a PD. They will 
also assign either

[[Page 9095]]

a loss severity rating(s), which will be associated with ELGD and LGD 
estimates, or ELGD and LGD estimates directly to each wholesale 
exposure.
    21. The process of assigning the obligor rating and either loss 
severity ratings or ELGD/LGD values--hereafter referred to as the 
rating system--is discussed below, and the process of quantifying the 
PD, ELGD and LGD risk parameters is discussed in Chapter 4.
Obligor Ratings
    S 2-4 Banks must assign discrete obligor rating grades.
    22. While banks may use models to estimate probabilities of default 
for individual obligors, the IRB framework requires banks to group the 
obligors into discrete rating grades. Each obligor rating grade, in 
turn, must be associated with a single PD.
    S 2-5 The obligor rating system must rank obligors by likelihood of 
default.
    23. For example, if a bank uses a rating system based on a 10-point 
scale, with 1 representing obligors of highest financial strength and 
10 representing defaulted obligors, rating grades 2 through 9 should 
represent groups of ever-increasing risk. In a rating system in which 
risk increases with the rating grade, an obligor with a rating grade 4 
is riskier than an obligor with a rating grade 2, but need not be twice 
as risky.
    S 2-6 Banks must assign an obligor to only one rating grade.
    24. As noted above, the IRB framework requires that the obligor 
rating be distinct from the loss severity rating, which is assigned to 
the wholesale exposure. The obligor rating should focus on the 
obligor's ability and willingness to service any obligation and to 
follow through on any commitments it has with the bank to avoid 
default. For example, in a 1-to-10 rating system, where risk increases 
with the number rating grade, an otherwise defaulted obligor with a 
fully cash-secured transaction should be rated 10--defaulted--
regardless of the remote expectation of loss on a specific exposure. 
Conversely, a nondefaulted obligor whose financial condition warrants 
the highest investment grade rating should be rated 1, even if the 
bank's transactions are subordinate to other creditors and unsecured. 
Since the obligor rating is assigned to the obligor and not to its 
individual exposures, the bank must ensure that all the exposures to 
the same obligor bear the obligor's rating grade.
    25. At the bottom of any IRB rating scale is at least one default 
rating grade. Once an obligor is in default on any exposure to the 
subject bank, the obligor rating grade associated with all of its 
exposures to that bank will be the default rating grade--even for those 
exposures of the obligor that have not triggered any element of the 
definition of default.
Ratings Philosophy and Expected Ratings Migration
    S 2-7 A bank's rating policy must describe its ratings philosophy 
and how quickly obligors are expected to migrate from one rating grade 
to another in response to economic cycles.
    S 2-8 In assigning an obligor to a rating grade, a bank should 
assess the risk of obligor default over a period of at least one year 
taking into account the possibility of adverse economic conditions.
    26. The term rating philosophy is used to describe how obligor 
rating assignments are affected by a bank's choice of the range of 
economic, business, and industry conditions that are considered in the 
rating process. It establishes the bank's philosophy on the manner in 
which it rates credits and the scenarios under which ratings would be 
expected to change. In assigning an obligor rating grade, banks must 
consider both the current risk characteristics of the obligor and the 
impact that adverse economic, business, and industry conditions could 
have on the obligor's ability to repay; however, nothing in this 
guidance requires any specific rating philosophy be employed.
    27. Rating grades should group obligors that are expected to share 
similar default frequencies. The rating assignment for an obligor may 
be based upon a combination of obligor-specific (idiosyncratic) risk 
characteristics and the general economic, business, and industry 
(systematic) risk characteristics or conditions that obligors in the 
rating may experience.
    28. The time horizon used for the assignment of obligors to rating 
grades should be one year or longer. The obligor rating should reflect 
the obligor's ability as evidenced by its financial capacity, as well 
as its willingness to service any obligation and to follow through on 
any commitments it has with the bank to avoid default. The time horizon 
chosen for the rating assignment process should be appropriate to the 
business line or geography for which the respective obligor rating 
system will be used.
    29. That general description, however, still leaves open different 
possible implementations, depending upon what range of future 
systematic risk conditions the bank considers when making a rating 
assignment and the weight given to those conditions. In practice, it 
appears that most banks have adopted a rating philosophy where an 
obligor's rating would have some sensitivity to changes in economic 
conditions. Regardless of the approach taken, banks should document 
their choice of economic, business, and industry conditions considered 
in each risk rating system and the expected frequency of rating changes 
over economic cycles. Such differences have important implications for 
validation and other aspects of the operation of rating systems, and 
therefore should be clearly articulated and well understood. A bank 
should also understand the effects of ratings migration on its risk-
based capital requirements and ensure that sufficient capital is 
maintained during all phases of the economic cycle.
    30. A bank's ratings philosophy can be empirically demonstrated 
through an analysis of how its obligors migrate across rating grades as 
economic and industry conditions change. While individual obligor 
ratings may change due to changes in obligor-specific risk 
characteristics, the average migration observed through time is likely 
to reveal how sensitive rating assignments are to systematic risk 
changes. Rating systems in which obligor ratings are more closely 
linked at a given point in time to particular economic conditions are 
more likely to be associated with higher overall average rates of 
rating migration than are other systems. Ratings that respond primarily 
to obligor-specific (idiosyncratic) changes may be less sensitive to 
changes in economic and industry conditions, and be more stable 
throughout the economic cycle.
Obligor-Rating Granularity
    S 2-9 Banks must have at least seven discrete obligor rating grades 
for non-defaulted obligors and at least one rating grade for defaulted 
obligors.
    31. A risk rating system's grades should be sufficiently numerous 
to ensure that management can meaningfully differentiate risk in the 
portfolio, without being so numerous that they limit the system's 
practical use. To determine the appropriate number of rating grades 
beyond the minimum seven non-default rating grades, each bank should 
perform its own internal analysis.
    S 2-10 Banks should justify the number of obligor rating grades 
used in its risk rating system and the distribution of obligors across 
those grades.
    32. Some portfolios may have a majority of obligors assigned to 
only a few of the available rating grades. The mere existence of a 
concentration of exposures in a rating grade (or rating

[[Page 9096]]

grades) does not, by itself, reflect weakness in a rating system. For 
example, banks focused on a particular type of lending, such as asset-
based lending, may lend to obligors having similar default risk. Banks 
with focused lending activities may use the minimum number of obligor 
rating grades, while banks with a broad range of lending activities 
should have more rating grades. However, banks with a high 
concentration of obligors in a particular rating grade should perform a 
thorough analysis that supports such a concentration.
    33. A concentration of obligors in a rating grade is inappropriate 
when the financial strength of those obligors varies considerably. If 
such is the case, the following questions should be answered:
     Are the criteria for each rating grade clear? Are rating 
criteria too vague to allow raters to make clear distinctions? 
Ambiguity may be an issue throughout the rating scale or it may be 
limited to the most commonly used ratings.
     How diverse are the obligors? Is the bank targeting a 
narrow segment of obligors with homogeneous risk characteristics?
     Are the bank's internal rating categories considerably 
broader than those of other lenders?
Recognition of Implied Support
    S 2-11 Banks may recognize implied support as a rating criterion 
subject to specific supervisory considerations; however, banks should 
not rely upon the possibility of U.S. government financial assistance, 
except for the financial assistance that the U.S. government has 
legally committed to provide.
    34. Implied support is support from a third party that is less than 
a legally enforceable guarantee. Banks that use implied support as a 
ratings criterion typically rely on a wide range of policies and 
procedures for its use. As the impact of implied support arrangements 
has typically been difficult to quantify, the circumstances under which 
banks use such arrangements as a ratings criterion should be limited.
    35. Supervisors will assess the appropriateness of a bank's usage 
of implied support as a ratings criterion. A bank should recognize 
implied support only if the following are true:
     The support is from a parent corporation or sovereign; 
however, banks should not rely upon the possibility of U.S. government 
financial assistance, except for the financial assistance that the U.S. 
government has legally committed to provide;
     The implied support provider is rated investment grade by 
an NRSRO;
     The implied support is a factor only in assigning an 
obligor rating, not a loss severity rating;
     The final rating assigned to the obligor reflects greater 
credit risk than the rating assigned to the implied support provider 
(the parent corporation or sovereign);
     The bank has considered the magnitude of the rating 
benefit accorded from the recognition of implied support and the bank 
has performed and documented comprehensive due diligence to assess the 
parent corporation or sovereign's willingness and capacity to support 
the obligor. To assess the willingness to support the obligor, a bank 
may consider prior situations where the support provider has supported 
the obligor or other obligors under similar circumstances, extended 
credit to the obligor at beneficial rates, or made large scale 
investments of cash or resources in the obligor. To assess capacity, a 
bank should conduct a thorough analysis of the financial position of 
the support provider and its ability to provide support including 
during periods of financial stress;
     There is broad market recognition of the implied support. 
This can be evidenced through a number of market indicators including 
situations where the external ratings of the parent corporation and 
subsidiary are closely linked or the ratings of the parent or sovereign 
reflect an expectation of support. It could also include evidence 
derived from traded credit spreads of the parent and subsidiary;
     For a bank whose rating system design incorporates 
external ratings as a tool in assigning an internal rating, the 
internal rating does not additionally incorporate implied support when 
there is evidence that the external rating has already benefited from 
the assumption of support;
     The bank has established a stand-alone rating for the 
obligor and continues to monitor the stand-alone rating throughout the 
term of the exposure;
     The bank's internal tracking processes monitor the dollar 
volume of credit exposures where implied support is a material 
consideration in the rating assignment; and
     The provision of significant implied support to a 
subsidiary or subsidiaries is incorporated into the parent 
corporation's obligor rating.
Loss Severity Ratings
    S 2-12 Banks must have a loss severity rating system that is able 
to assign loss severity estimates (ELGD and LGD) to each wholesale 
exposure.
    36. The term loss severity rating system refers to the method by 
which a bank assigns loss severity estimates to wholesale exposures. 
This assignment can be accomplished through a loss severity rating 
process or via direct assignment to each wholesale exposure. A 
wholesale exposure's ELGD and LGD estimates are expressed as a 
percentage of the estimated EAD of the exposure. Both the ELGD and the 
LGD are required inputs into the IRB risk-based capital formulas.
    S 2-13 Banks should have empirical support for their loss severity 
rating system and the rating system should be capable of supporting the 
quantification of ELGD estimates (and LGD estimates if approved for 
internal estimates).
    37. ELGD and LGD analysis is in the early stages of development 
compared to default risk modeling. Over time, banks' methodologies are 
expected to evolve. Longstanding banking experience and existing 
research on ELGD and LGD, while preliminary, suggests that type of 
collateral (in terms of liquidity and marketability), collateral 
values, seniority, industry position and whether an exposure is secured 
or unsecured are the most commonly used predictors of loss severity.
    38. Whether a bank assigns ELGD and LGD values directly or, 
alternatively, rates wholesale exposures and then quantifies ELGD and 
LGD for the rating grades, the bank should conscientiously identify 
characteristics that influence ELGD and LGD. Each of the loss severity 
rating categories should be associated with empirically supported ELGD 
and LGD estimates. (Even though the grouped exposures have common 
characteristics and a common expected ELGD and LGD, realized loss 
severity for individual exposures may vary).
Loss Severity Rating/LGD Granularity
    S 2-14 Banks must have a sufficiently granular loss severity rating 
system to group exposures with similar estimated loss severities or a 
process that assigns estimated ELGDs and LGDs to individual exposures.
    39. While there is no stated minimum number of loss severity 
ratings, the systems that provide ELGD and LGD estimates must be 
granular enough to separate wholesale exposures with significantly 
varying estimated LGDs. For example, a bank using a loss severity 
rating-scale approach that has credit products with a variety of 
collateral packages or financing structures should have more ELGD and

[[Page 9097]]

LGD rating grades than those banks with fewer options in their credit 
products.
    40. Like obligor rating grades, the mere existence of an exposure 
concentration in an ELGD or LGD rating grade (or rating grades) does 
not, by itself, signify a rating system's weakness. However, banks with 
a high concentration within ELGD and LGD rating grades should perform a 
thorough analysis that supports such a concentration.

B. Other Considerations

Rating Criteria
    S 2-15 Rating criteria should be written, clear, consistently 
applied, and include the specific qualitative and quantitative factors 
used in assigning ratings.
    41. Each obligor and loss severity rating (including ratings with 
modifiers such as + or -) should be defined. The definitions should 
describe all significant quantitative and qualitative ratings criteria 
used to promote consistent application of risk ratings. The ratings 
should be sufficiently transparent to allow replication by a third 
party. This is particularly important in expert-judgment rating systems 
where establishing the transparency of rating assignments is more 
challenging. Without clearly defined rating criteria, expert-judgment 
rating systems are not sufficiently transparent. A risk rating system 
with vague criteria or one defined only by PDs, ELGDs, or LGDs is 
neither replicable nor transparent. Transparent criteria promote 
accurate and consistent ratings within and across business lines and 
geographies, and permit the rating process to be refined over time.
Use of External Rating Tools
    42. Banks may use results from external rating tools, such as 
vendor default models or agency ratings, as inputs into their internal 
rating processes for obligors and wholesale exposures. The validation 
standards in this guidance apply to a bank's use of external rating 
tools as well as internal ones. Therefore, banks should apply the same 
level of rigor to their external tools as to their internal tools. In 
addition, any external rating tool employed should be consistent with 
the architecture of the bank's IRB rating systems. To verify this 
consistency, a bank should analyze and understand:
     The predictive ability of the external rating tool;
     The factors and criteria used by the external rating tools 
to assign ratings; and
     The expected effect of using the external rating tool on 
the migration of internal ratings.
    43. Sole reliance on external rating tools is not appropriate. 
Every rating tool has limitations, and banks should have a process to 
ensure that accurate ratings are assigned despite such limitations. How 
much additional analysis is required will depend on the exposure's 
rating, relative size and complexity. Banks should maintain data on the 
critical factors underpinning an external rating tool's obligor or loss 
severity ratings (as the banks would for any rating assignment 
process).
Timeliness of Ratings
    S 2-16 Risk ratings must be updated whenever new material 
information is received, but in no instance less than annually.
    44. A bank should have a policy that ensures that obligor and loss 
severity ratings reflect current information. That policy should also 
specify minimum financial reporting and collateral valuation 
requirements. When loss severity ratings or estimates depend on 
collateral values or other factors that change periodically, that 
policy should take into account the need to update these factors.
    45. Banks' policies may include an alternative timetable for 
updating ratings of exposures below a de minimis amount that the bank 
determines has no material impact on risk-based capital levels. For 
example, some banks use triggering events to prompt them to update 
their ratings on de minimis exposures rather than adhering to a 
specific timetable.
Multiple Ratings Systems
    46. A bank's complexity and sophistication, as well as the size and 
range of products offered, will affect the types and number of rating 
systems employed. However, each risk rating system should conform to 
the standards in this guidance, must be validated for accuracy and 
consistency, and should be used consistently. Validation exercises 
should produce evidence that the ratings have been applied 
consistently.

Chapter 3: Retail Segmentation Systems

Rule Requirements

    Part III, Section 22(b)(1): A bank must have an internal risk 
rating and segmentation system that accurately and reliably 
differentiates among degrees of credit risk for the bank's wholesale 
and retail exposures.
    Part III, Section 22(b)(3): For retail exposures, a bank must have 
a system that groups exposures into segments with homogeneous risk 
characteristics and assigns accurate and reliable PD, ELGD, and LGD 
estimates for each segment on a consistent basis. The bank's system 
must group retail exposures into the appropriate retail exposure 
subcategory and must group the retail exposures in each retail exposure 
subcategory into separate segments. The bank's system must identify all 
defaulted retail exposures and group them in segments by subcategories 
separate from non-defaulted retail exposures.
    Part III, Section 22(b)(5): The bank's retail exposure segmentation 
system must provide for the review and update (as appropriate) of 
assignments of retail exposures to segments whenever the bank receives 
new material information, but no less frequently than quarterly.

I. Overview

    1. This chapter describes the design and operation of an IRB retail 
segmentation system. An IRB retail segmentation system groups retail 
exposures into segments with homogeneous risk characteristics within 
each of the three retail exposure subcategories (residential mortgage 
exposures, qualifying revolving exposures (QRE), other retail 
exposures). Examples of segmentation techniques include the use of 
obligor (such as income and past credit performance) and exposure (such 
as product type and loan-to-value) characteristics; or grouping loans 
by similar estimated default rates and estimated loss severities. The 
segmentation system used for IRB will often differ from segmentation 
used for other purposes, such as for marketing and scorecards. The 
retail risk parameter estimates that determine risk-based capital 
requirements are assigned at the segment level.
    2. The retail IRB framework provides banks substantial flexibility 
to use the retail segmentation that is most appropriate for their 
activities, subject to the following broad principles:
     Differentiation of risk--Segmentation should provide 
meaningful differentiation of risk. Accordingly, in developing the 
segmentation system, banks should select risk drivers that separate 
risk distinctly and consistently over time.
     Reliable risk characteristics--Segmentation uses borrower 
risk characteristics and loan-related risk characteristics that 
reliably differentiate a segment's risk from that of other segments and 
that perform consistently over time.

[[Page 9098]]

     Consistency--The risk drivers used to segment exposures 
must be consistent with the predominant risk characteristics the bank 
uses to measure and manage credit risk.
     Accuracy--The segmentation process should generate 
segments that separate exposures by realized performance. It should be 
designed so that actual long-run outcomes closely approximate the 
retail risk parameters estimated by the bank.
    3. Defaulted retail exposures must be segmented separately from 
non-defaulted exposures. In addition, retail segments should not cross 
national jurisdictions unless the bank can demonstrate that the 
exposures in the different jurisdictions have homogeneous risk 
characteristics.

II. Definition of Default

    S 3-1 Banks must use the IRB definition of default when identifying 
defaulted retail exposures.
    4. For retail exposures, banks must use the following definition of 
default for its IRB system: A retail exposure of a bank is in default 
if:
     The exposure is 180 days past due, in the case of a 
residential mortgage exposure or revolving exposure;
     The exposure is 120 days past due, in the case of all 
other retail exposures; or
     The bank has taken a full or partial charge-off or write-
down of principal on the exposure for credit related reasons.
    5. The exposure remains in default until the bank has reasonable 
assurance of repayment and performance for all contractual principal 
and interest payments on the exposure.
    6. For retail exposures, the definition of default is applied to a 
particular exposure rather than to the obligor. That is, default by an 
obligor on one obligation would not require a bank to consider all 
other obligations of the same obligor in default.

III. Retail Segmentation Architecture

A. Criteria for Retail Segmentation

    S 3-2 Banks must first place exposures into one of the three retail 
exposure subcategories (residential mortgage, QRE, and other retail). 
Banks must then separate exposures into segments with homogeneous risk 
characteristics.
    S 3-3 A retail segmentation system must produce segments that 
accurately and reliably differentiate risk and produce accurate and 
reliable estimates of the risk parameters.
    7. While banks have considerable flexibility in determining retail 
segments, they should consider factors affecting the risk 
characteristics of both borrowers and loans when determining 
segmentation criteria. Statistical modeling, expert judgment, or some 
combination of the two may determine the most relevant risk drivers.
    8. Examples of acceptable approaches to segmentation include:
     Segmenting exposures by common risk drivers that are 
relevant and material in determining the loss characteristics of a 
particular retail product. For example, a bank may segment mortgage 
loans by LTV band, age from origination, geography, and/or origination 
channel.
     Segmenting exposures by common risk drivers that are 
relevant and material in determining the loss characteristics of a 
particular borrower population. For example, a bank may segment by 
credit bureau score bands, behavior score bands, and/or delinquency 
status. In the case of mortgage products, more borrower information may 
be available and a bank could include the debt-to-income ratio, current 
income, and/or years at present location.
     Segmenting by grouping exposures with similar estimated 
loss characteristics, such as expected average loss rates, expected 
default rates, or expected loss severity rates. Some banks have 
developed models that rank order default risk or generate an estimated 
default rate, loss severity, and/or exposure at default for individual 
exposures. A bank could use such estimates as criteria in their 
segmentation system.
    9. Each retail segment will have an estimated PD, ELGD, LGD, and 
EAD. In some cases, it may be reasonable to use the same risk parameter 
estimates for multiple segments. This may occur more frequently for 
bank estimates of ELGD and LGD as banks may have less robust historical 
data for estimating these IRB risk parameters. In such cases, the bank 
should demonstrate that there are no material differences in ELGD or 
LGD among those segments. Over time, supervisors expect banks to 
develop more precise data and methodologies for determining ELGD and 
LGD.
    10. Data for certain retail loans are sometimes missing or 
incomplete, such as data for purchased loans or loans originated with 
policy exceptions. The overall segmentation system should adequately 
capture the risk associated with these loans based on the data 
available. In some cases, missing or incomplete data itself may be a 
significant risk factor used for segmentation purposes.
    11. A bank should substantiate the degree of granularity in its 
segmentation system and the distribution of exposures across segments. 
(Here, ``granularity'' is how finely the portfolio is segmented.)
    12. Banks have flexibility in determining the granularity of their 
segmentation system. Each bank should perform internal analysis to 
determine how granular segments must be to group homogeneous exposures. 
For example, a bank using credit score ranges to segment its portfolio 
should provide the rationale for the ranges chosen.
    13. A concentration of exposures in a segment (or segments) does 
not, by itself, reflect a deficiency in the segmentation system. For 
example, a bank may lend within a narrow risk range and, therefore, 
have a smaller number of segments than a bank that lends across a wider 
spectrum of risk. However, a bank with a high concentration of 
exposures in a particular segment will be expected to show that the 
bank's segmentation criteria are carefully delineated and well-
documented. The bank should be able to demonstrate that there is little 
risk differentiation among the exposures within the segment, and that 
the segmentation method produces reliable estimates for each of the 
risk parameters. A bank should not artificially group exposures into 
segments specifically to avoid the 10 percent LGD floor for mortgage 
products. A bank should use consistent risk drivers to determine its 
retail exposure segmentations and not artificially segment low LGD 
loans with higher LGD loans to avoid the floor.
    S 3-4 Banks should clearly define and document the criteria for 
assigning an exposure to a particular retail segment.
    14. Banks should choose risk drivers that accurately reflect an 
exposure's risk. Risk drivers selected must be consistent with risk 
measures used for credit risk management.
    15. The method of segmentation will help determine the risk 
parameters, as well as which techniques should be used for validation 
and which control mechanisms will best ensure the integrity of the 
segmentation system. Described below are some techniques for 
determining whether the segmentation was done appropriately:
     Statistical Models--Banks may incorporate results of 
statistical underwriting models or scoring models directly into their 
segmentation process. For example, a bank may use a custom or bureau 
credit score as a segmenting criterion. In that case, the bank should 
support the choice of the score, and should demonstrate that it has 
adequate controls for the credit scoring system.

[[Page 9099]]

     Inputs to Models--Banks may incorporate the variables from 
a statistical model into their segmentation processes. For example, a 
bank that uses a statistical model to predict losses for its mortgage 
portfolio could select some or all of the major inputs to that model, 
such as debt-to-income and LTV, as segmentation criteria. As part of 
its validation and controls for the segmentation system, the bank 
should provide an appropriate rationale and empirical evidence for its 
choice of the particular set of risk drivers from the loss prediction 
model.
     Expert Judgment--Banks may combine expert judgment with 
statistical analysis in determining segmentation criteria. However, 
expert judgment must be well-documented and supported by empirical 
evidence demonstrating that the chosen risk factors are reliable 
predictors of risk.
    16. A bank should be able to demonstrate a strong relationship 
between IRB risk drivers and comparable measures used for credit risk 
management. Specifically, a bank should demonstrate that the 
segmentation system differentiates credit risk across the portfolio and 
captures changes in the level and direction of credit risk using 
measures that are similar to those used in credit risk management. For 
example, even if a bank uses custom scores for underwriting or account 
management, generic bureau scores may be used for IRB segmentation 
purposes if the bank can demonstrate a relationship between these 
measures.
    17. Banks should have clear policies to define the criteria for 
modifying the segmentation system. Changes in the segmentation system 
should be documented and supported to ensure consistency and 
historically comparable measurements.

B. Assignment of Exposures to Retail Segments

    S 3-5 Banks should develop and document their policies to ensure 
that risk-driver information is sufficiently accurate and timely to 
track changes in underlying credit quality and that the updated 
information is used to assign exposures to appropriate segments.
    18. Under the IRB framework, a bank initially assigns retail 
exposures to segments based on the risk-driver information available at 
the time of origination or acquisition. The bank should then continue 
to monitor the risk characteristics of the exposures and assign 
exposures to appropriate segments based on refreshed information 
gathered by the bank as part of its monitoring process.
    19. In accordance with industry practices in retail credit risk 
management, a bank should have a well-documented policy on monitoring 
and updating information about exposure risk characteristics. The 
policy should specify the risk characteristics to be updated and the 
frequency of updates for each product type or sub-portfolio within its 
retail portfolio. Updating of relevant information on these risk 
drivers should be consistent with sound risk management.
    S 3-6 The bank's retail exposure segmentation system must provide 
for the review and update (as appropriate) of assignments of retail 
exposures to segments whenever the bank receives new material 
information, but no less frequently than quarterly.
    20. Decisions regarding the frequency of obtaining refreshed 
information should reflect the specific risk characteristics of 
individual segments and/or the potential impact on risk-based capital 
levels. The frequency of updates will generally vary for different risk 
drivers and for different products. The underlying principle is that, 
in every estimation period, retail exposures are assigned to segments 
that accurately reflect their risk profile and produce accurate risk 
parameters.
    21. Banks should assess their approach to updating information and 
migrating exposures when validating the segmentation process.

Chapter 4: Quantification

Rule Requirements

    Part III, Section 22(c)(1): The bank must have a comprehensive risk 
parameter quantification process that produces accurate, timely, and 
reliable estimates of the risk parameters for the bank's wholesale and 
retail exposures.
    Part III, Section 22(c)(2): Data used to estimate the risk 
parameters must be relevant to the bank's actual wholesale and retail 
exposures, and of sufficient quality to support the determination of 
risk-based capital requirements for the exposures.
    Part III, Section 22(c)(3): The bank's risk parameter 
quantification process must produce conservative risk parameter 
estimates where the bank has limited relevant data, and any adjustments 
that are part of the quantification process must not result in a 
pattern of bias toward lower risk parameter estimates.
    Part III, Section 22(c)(4): PD estimates for wholesale and retail 
exposures must be based on at least 5 years of default data. ELGD and 
LGD estimates for wholesale exposures must be based on at least 7 years 
of loss severity data, and ELGD and LGD estimates for retail exposures 
must be based on at least 5[aacute]years of loss severity data. EAD 
estimates for wholesale exposures must be based on at least 7 years of 
exposure amount data, and EAD estimates for retail exposures must be 
based on at least 5 years of exposure amount data.
    Part III, Section 22(c)(5): Default, loss severity, and exposure 
amount data must include periods of economic downturn conditions, or 
the bank must adjust its estimates of risk parameters to compensate for 
the lack of data from periods of economic downturn conditions.
    Part III, Section 22(c)(6): The bank's PD, ELGD, LGD, and EAD 
estimates must be based on the definition of default [in the NPR].
    Part III, Section 22(c)(7): The bank must review and update (as 
appropriate) its risk parameters and its risk parameter quantification 
process at least annually.
    Part III, Section 22(c)(8): The bank must at least annually conduct 
a comprehensive review and analysis of reference data to determine 
relevance of reference data to bank exposures, quality of reference 
data to support PD, ELGD, LGD, and EAD estimates, and consistency of 
reference data to the definition of default contained [in the NPR].

I. Overview

    1. Quantification is the process of assigning numerical values to 
the key risk parameters that are used as inputs to the IRB risk-based 
capital formulas. This chapter provides guidance on the quantification 
process for wholesale and retail exposures. For both wholesale and 
retail portfolios these risk parameters are the probability of default 
(``PD''), expected loss given default (``ELGD''), loss given default 
(``LGD''), and exposure at default (``EAD''). Wholesale exposures also 
require determination of the exposure's maturity (``M''). Risk 
parameters are assigned to each exposure for wholesale portfolios and 
to each segment for retail portfolios. Specific quantification issues 
related to counterparty credit risk transactions, equity exposures, and 
securitization exposures are described in Chapters 9, 10, and 11, 
respectively.
    2. In any discussions of the IRB system, the risk rating or 
segmentation system design and the quantification process should be 
considered together. This chapter focuses on quantification given an 
existing risk rating or segmentation system design, as covered in 
Chapters 2 and 3, respectively.
    3. Section I establishes an organizing framework for considering

[[Page 9100]]

quantification and develops general standards that apply to the entire 
process. Sections II, III, and IV cover specific supervisory standards 
that apply to PD, ELGD and LGD, and EAD respectively. The maturity risk 
parameter receives somewhat different treatment in section V, since it 
is much less dependent on statistical estimates from historical data. 
Special cases and applications for quantification are covered in 
section VI.

A. Stages of the Quantification Process

    4. For each risk parameter, quantification may be broken down into 
four stages: obtaining historical reference data; estimating the 
relationship between risk characteristics and the risk parameters in 
the reference data; mapping the correspondence between risk 
characteristics in the reference data and those in the existing 
portfolio; and applying the relationship between risk characteristics 
and risk parameters to the existing portfolio. An evaluation of a 
bank's quantification process focuses on the overall adequacy of the 
bank's approach, including an understanding of how the bank breaks down 
the quantification process where applicable into the four stages.
    5. Banks are not required to separate the quantification process 
into four stages. The four stages are a conceptual framework, and may 
serve as a useful analytical and implementation guide. Readers may find 
it helpful to refer to the appendices to this chapter, which illustrate 
how this four-stage framework can be applied to quantification 
approaches in practice. The four stages of quantification are described 
below.

Data--First, the bank constructs a reference data set, or source of 
data, from which risk parameters can be estimated.

    A ``reference data set'' consists of a set of exposures and their 
associated identifying information and risk characteristics. Reference 
data sets may include internal data, external data, or pooled data from 
different internal and external sources. Internal data refers to any 
data on exposures held in a bank's existing or historical portfolios, 
including data elements or information provided by third parties (e.g., 
data from a credit bureau about one's own customers would be considered 
internal data). External data refers to information on exposures held 
outside the bank's portfolio, including aggregate industry trends or 
economic data.
    The reference data is described using a set of observed 
characteristics; consequently, the data set contains variables that can 
be used for this characterization. For example, risk characteristics 
for wholesale exposures include obligor and exposure characteristics 
related to the risk parameters, such as agency debt ratings, risk 
ratings, financial measures, geographic regions, and the economic 
environment and industry/sector trends during the time period of the 
reference data. Risk characteristics for retail exposures include 
borrower and loan characteristics, such as loan terms, loan-to-value, 
credit score, income, debt-to-income, or payment history. A bank may 
use more than one reference data set to improve the robustness or 
accuracy of the risk parameter estimates.

Estimation--Second, the bank applies statistical techniques to the 
reference data to determine the relationship between risk 
characteristics and the estimated risk parameter.

    The result of this step is a model that ties descriptive risk 
characteristics, or drivers, to the risk parameter estimates. In this 
context, the term ``model'' is used in the most general sense; a model 
may be a simple calculation of historical averages or a more 
sophisticated approach based on advanced statistical techniques (e.g., 
regression). This step may include adjustments for differences between 
the IRB definition of default and the default definition in the 
reference data set, as well as adjustments for data limitations.
    More than one estimation technique may be used to generate 
estimates of the risk parameters, especially if there are multiple sets 
of reference data or multiple sample periods. If multiple estimates are 
generated, the bank should have a clear and consistent policy for 
reconciling and combining them into a single estimate at the 
application stage.

Mapping--Third, the bank creates a link between its portfolio data and 
the reference data based on corresponding characteristics.

    Variables or characteristics used in the estimation model are 
mapped, or linked, to the variables that are available for the existing 
portfolio. In order to map effectively, a bank should have reference 
data characteristics that allow the construction of rating and 
segmentation criteria that are consistent with those used on the bank's 
portfolio.
    An important element of mapping is making adjustments for 
differences between reference data sets and the bank's exposures. The 
bank should map each reference data set and each combination of risk 
characteristics used in any estimation model.

Application--Fourth, the bank applies the relationship estimated for 
the reference data to the actual portfolio data.

    The ultimate aim of quantification is to attribute a PD, ELGD, LGD, 
and EAD to each exposure within the wholesale portfolio and to each 
segment of exposures in the retail portfolio. If multiple data sets or 
estimation methods are used, the bank should adopt a means of combining 
the various estimates at this stage.
    For wholesale portfolios, this step may include adjustments to 
default rates or loss rates to ``smooth'' the final risk parameter 
estimates. If the estimates are applied to individual transactions, the 
bank must in some way aggregate the estimates at the rating level.
    For retail portfolios, the bank may simply apply the risk parameter 
estimates derived for each segment to the corresponding segment in the 
existing portfolio. However the application stage could be more complex 
if multiple data sets or estimation methods were used or if the mapping 
stage required adjustments.
    6. The four-stage quantification process described above outlines a 
framework that a bank may use for assigning numerical values to the IRB 
key risk parameters. Whether the quantification process explicitly 
delineates each aspect of the four stages of quantification for PD, 
ELGD, LGD, and EAD, or the quantification process is more integrated, 
each aspect of the quantification process for the key risk parameters 
should be justified, documented, and subject to monitoring and follow-
up.
    7. A number of examples are given in this chapter to aid exposition 
and interpretation of specific quantification issues. None of the 
examples is sufficiently detailed to incorporate all of the 
considerations discussed in this chapter. Moreover, technical progress 
in the area of quantification is rapid. Thus, banks should not 
interpret a specific example that is consistent with the standard being 
discussed, and that resembles the bank's current practice, as being a 
``safe harbor.'' Banks should consider this guidance in its entirety 
when determining whether systems and practices are adequate.

B. General Standards for Sound Quantification

    8. Several core principles apply to the overall quantification 
process of risk rating and segmentation systems. Those principles and 
the general standards that reflect them are discussed in this 
introductory section. Other supervisory

[[Page 9101]]

standards specific to particular stages or risk parameters are 
discussed in later sections.
    9. The risk parameters should be estimated in a manner consistent 
with sound credit risk management practices and the IRB standards. In 
addition, a bank should have processes to ensure that these estimates 
are independently and thoroughly validated and the results reported to 
senior management.
    10. Supervisory evaluation of the quantification process requires 
consideration of all the standards in this chapter, both general and 
specific. Particular practical approaches to quantification may be 
highly consistent with some standards, and less so with others. In 
assessing a bank's approach, supervisors will weigh the approach's 
strengths and weaknesses using all the supervisory standards in this 
chapter as a guide.
    S 4-1 Banks should have a fully specified process covering all 
aspects of quantification (reference data, estimation, mapping, and 
application). The quantification process should be fully documented.
    11. A fully specified quantification process should describe how 
all four stages (data, estimation, mapping, and application) are 
addressed for each parameter. The linkages between the bank's 
quantification and validation processes should also be explicit.
    12. An important aspect of the quantification process is the 
appropriate capture and analysis of developmental evidence in support 
of techniques applied by the bank. A few examples of such developmental 
evidence are:
     For reference data--a discussion of how the best available 
data are chosen from various sources so that the data include periods 
of economic downturn conditions and the portfolio in the reference data 
is comparable to the existing portfolio;
     For estimation--discussions of why the bank uses various 
averaging methods on historical data, how it specifies downturn 
estimates, or how it develops predictive models;
     For mapping--discussions of how risk characteristics in 
the reference data compare with those in the existing portfolio; and
     For application--a discussion of the combination of 
multiple estimates, aggregations of estimates across exposures, or any 
judgmental adjustments.
    13. Major decisions in the design and implementation of the 
quantification process should be justified and fully documented. 
Documentation promotes consistency and allows third parties to review 
and replicate the entire process.
    S 4-2 Risk parameter estimates must be based on the IRB definition 
of default. At least annually, a bank must conduct a comprehensive 
review and analysis of reference data to determine the relevance of 
reference data to the bank's exposures, quality of reference data to 
support risk parameter estimates, and consistency of reference data to 
the IRB definition of default.
    14. Many different sources of data might be appropriately used in 
an estimation model or the quantification process. Regardless of the 
data used to derive the risk parameter estimates, such estimates must 
reflect the IRB definition of default.
    15. As part of its annual review of its reference data, a bank must 
assess the consistency of the reference data with the IRB definition of 
default. In the early stages of IRB implementation, a bank's internal 
historical reference data might not include an element that fully 
conforms to the IRB definition of default. In addition, a bank may 
change its policies regarding charge-offs or non-accrual. For any 
internal or external historical data that are not fully consistent with 
the IRB definition of default, a bank must still ensure that the 
derived risk parameter estimates are based on the IRB definition of 
default. This will likely entail making conservative adjustments to 
reflect data discrepancies; larger discrepancies require greater 
conservatism.
    16. To support quantification and validation of the risk parameter 
estimates, one of the elements in a bank's internal data should conform 
to the IRB definition of default. The collection of internal data is 
discussed in Chapter 6 (Data Management and Maintenance) of this 
guidance and validation is discussed in Chapter 7 (Controls and 
Validation).
    S 4-3 Banks must separately quantify wholesale risk parameter 
estimates before adjusting the estimates for the impact of eligible 
guarantees and eligible credit derivatives.
    17. As discussed in Chapter 5, the benefits of wholesale credit 
risk mitigation from eligible guarantees and eligible credit 
derivatives are recognized through adjustments to ratings and risk 
parameter estimates. However, banks must perform the basic 
quantification of the risk parameters separately from the process of 
determining an adjustment to an exposure's risk rating assignment 
resulting from the credit protection or any adjustments to the risk 
parameters for recognition of the credit protection. In quantifying the 
impact of the credit protection, banks may make necessary adjustments 
to the reference data or mapping process, or may estimate the impact of 
the credit protection on the bank's existing portfolio. Chapter 5 deals 
with recognized types of contractual arrangements and instruments that 
transfer all or part of an exposure's credit risk from the bank to one 
or more third parties.
    S 4-4 Banks may take into account the risk-reducing effects of 
guarantees in support of retail exposures when quantifying the PD, 
ELGD, and LGD of the segment.
    18. A bank may take into account the risk reducing effects of 
guarantees in support of retail exposures in a segment when quantifying 
the PD, ELGD, and LGD of the segment, but only for guarantees of 
individual retail exposures, or guarantees covering all or a pro rata 
portion of all contractual payments due on a group of retail exposures. 
(See Example 5 in Appendix B of this chapter.) Insurance in support of 
retail exposures, for example private mortgage insurance (``PMI''), 
generally would be considered a guarantee.
    19. The risk parameters for exposures covered by retail guarantees 
should be based on historical experience of exposures with similar 
coverage and the expected benefits of the guarantees on future 
performance. Segments benefiting from retail guarantees are still 
subject to applicable regulatory floors, such as the 10 percent LGD 
floor for residential mortgages.
    20. Retail guarantees may affect PD or ELGD and LGD. In most cases, 
and in particular for PMI, banks reflect the effects of retail 
guarantees primarily through the quantification of ELGD and LGD. For 
retail exposures, banks may directly reflect the expected benefit of 
retail guarantees in the risk parameters, in contrast to the two-step 
process that is required for guarantees of wholesale exposures.
    21. Banks should monitor and assess potential counterparty risk for 
guarantees of retail exposures through tracking and analyzing the 
financial strength of each guarantor. When reflecting guarantees of 
retail exposures in PD or ELGD and LGD estimates banks should take into 
account the credit quality of the guarantor. Other things equal, PD or 
ELGD and LGD estimates should be increased if the credit quality of the 
guarantor deteriorates. In addition, banks should consider the 
potential for additional counterparty risk during economic downturn 
conditions.
    22. Banks may also choose to incorporate retail guarantee coverage 
into their segmentation systems. For example, mortgage loans without 
PMI could be placed into different segments than those with PMI.

[[Page 9102]]

    23. Since there are a variety of programs for retail guarantees 
that provide differing types and levels of coverage, banks 
incorporating retail guarantees into the IRB risk parameters should 
ensure that their systems are sufficient to estimate the expected 
benefits based on the actual amount of coverage within the existing 
portfolio, regardless of whether or not they segment by coverage. This 
may require exposure-by-exposure tracking over the life of the exposure 
to accurately reflect the expected benefits for different forms of 
retail guarantees. Banks also should develop appropriate reference data 
sets that can be used to estimate the effect on PDs or ELGDs and LGDs 
for exposures that are covered by retail guarantees.
    S 4-5 Banks may only reflect the risk-reducing benefits of tranched 
guarantees of multiple retail exposures by meeting the definition and 
operational criteria for synthetic securitizations.
    24. Guarantees of multiple retail exposures that do not cover all 
or a pro rata portion of all contractual payments due on the underlying 
exposures are considered to be tranched. (See Example 5 in Appendix B 
of this chapter.)
    25. A bank may obtain a reduction in risk-based capital 
requirements in the case of such tranched guarantees of multiple retail 
exposures, but only through applying the rules for securitization 
exposures provided in the NPR. To obtain any benefits, tranched 
guarantees of multiple retail exposures must satisfy all aspects of the 
definition of synthetic securitization and comply with all requirements 
for securitization treatment in the NPR. (Also see Chapter 11 
(Securitizations) for additional guidance.)
    26. In some cases, the determination of the risk-based capital 
benefit for a qualifying tranched guarantee will be relatively 
straightforward. For example, the securitization framework provides 
three general approaches for determining risk-weighted assets: The 
ratings-based approach, the internal assessment approach, and the 
supervisory formula approach (``SFA''). A bank can use the RBA if its 
exposure is externally rated or has an inferred rating. The SFA may be 
employed when external or inferred ratings are not available for 
tranching structures. (See Chapter 11 for a more detailed discussion of 
the applicability of the various approaches in different 
circumstances.)
    S 4-6 At a minimum, the quantification process and the resulting 
risk parameters must be reviewed annually and updated as appropriate.
    27. All material aspects of the quantification process should be 
reviewed annually, with adjustments and enhancements made as needed. A 
bank should have a well-defined policy for reviewing and updating the 
quantification design. New analytical techniques and evolving industry 
practice should be taken into account in considering changes to 
quantification techniques. The review should evaluate the judgmental 
adjustments embedded in the estimates; new data or evolving industry 
practice may suggest a need to modify those adjustments. Particular 
attention should be given to any changes that may have resulted in a 
significant change in the composition of exposures, such as new 
business lines, material mergers or acquisitions, and material 
divestitures, loan sales or securitizations. Such changes, which raise 
questions about the appropriateness of risk ratings, the segmentation 
system, and the quantification process, should trigger a review and 
revisions as needed.
    28. The review process is particularly relevant for the reference 
data stage because new data become available frequently. A bank must 
ensure continued applicability of the reference data to its existing 
exposures, and the reference data should reflect the types of exposures 
found in the bank's existing portfolio. Reference data must be of 
sufficient quality to support PD, ELGD, LGD, and EAD estimates. A well-
defined and documented process should be in place to ensure that the 
reference data are updated as frequently as needed, as fresh data 
become available or as portfolio changes make necessary. All data 
sources, characteristics, and the overall processes governing data 
collection should be fully documented, and that documentation should be 
readily available for review.
    29. At a minimum, risk parameter estimates must be reviewed at 
least annually, and the process for doing so should be documented in 
the bank's policy. If the review reveals that risk parameter estimates 
should be updated, the updates should be performed promptly and 
documented clearly. New data should be incorporated into the risk 
parameter estimates using a well-defined process to correctly merge 
data sets over time, and the frequency of risk parameter updates and 
the process for doing so should be justified and documented in bank 
policy.
    30. The risk parameter estimates may be particularly sensitive to 
changes in the way banks manage exposures. When such changes take 
place, the bank should consider them in all steps of the quantification 
process. Changes likely to significantly increase a risk parameter 
value should prompt increases in the risk parameter estimates. When 
changes seem likely to reduce the risk parameter value, estimates 
should be reduced only after the bank accumulates a significant amount 
of actual experience under the new policy to support the reductions.
    31. The mappings of the existing portfolio to the reference data 
used in estimation should also be reviewed with sufficient frequency to 
ensure that the mappings continue to be appropriate. Mappings should be 
reaffirmed at least annually for both internal and external reference 
data, regardless of whether the risk rating or segmentation systems 
have undergone explicit changes during the period covered by the 
reference data set, because the relationship between a bank's existing 
exposures and the reference data may change over time. For example, in 
wholesale portfolios the relationships between internal rating grades 
and external agency ratings may change during the economic cycle 
because of differences in expected rating migration. When significant 
characteristics have been changed, added, or dropped, the 
characteristics of the existing exposures should be newly mapped to the 
characteristics of the reference data.
    S 4-7 Quantification should be based upon the best available data 
for the accurate estimation of the risk parameters.
    32. Banks should always use the best available data when 
quantifying the risk parameters. In order to derive accurate risk 
parameter estimates, banks should incorporate relevant data, whether 
such data are internal or external. One objective of the IRB framework 
is to encourage further development of credit risk quantification 
techniques. Improving the quality, capture, and retention of internal 
data is an essential prerequisite for such advances.
    33. Internal data refers to any data on exposures existing or 
historically held in a bank's own portfolio, including historical 
exposure and risk characteristics as well as exposure performance--even 
if some data components are purchased from outside sources. For 
example, property appraisals purchased from a third-party appraiser for 
updating the LTVs of a bank's mortgage exposures are considered 
internal data. However, if a bank purchases data on risk 
characteristics or performance for exposures outside of its own 
portfolio, these data would be considered external.
    34. A bank should incorporate relevant external data for 
quantifying risk parameters if internal data are

[[Page 9103]]

insufficient to produce accurate and appropriate estimates. For 
example, the use of external data may be necessary when internal data 
do not provide adequate coverage of economic downturns or when there 
are significant data gaps, either for periods of time or for the types 
of exposures in the bank's existing portfolio. Banks should demonstrate 
that all data used to quantify risk parameters are relevant.
    35. A bank should have a process for vetting potential reference 
data, whether the data are internal or external. The vetting should 
assess whether the data are sufficiently accurate, sufficiently 
complete, sufficiently representative, and sufficiently informative of 
the bank's existing exposures.
    36. Furthermore, a bank should have adequate data to estimate risk 
parameters for all exposures on the books, even if some are likely to 
be sold or securitized before their long-term credit performance can be 
observed.
    S 4-8 The sample period for the reference data must meet the 
minimum length for each risk parameter by portfolio.
    S 4-9 The reference data must include periods of economic downturn 
conditions, or the parameter estimates must be adjusted to compensate 
for the lack of data from such periods.
    37. For PD estimation, a minimum of five years of data are required 
for all portfolios. For ELGD, LGD and EAD estimation, a minimum of 
seven years of data are required for wholesale portfolios, and five 
years of data are required for retail portfolios.
    38. This requirement for a minimum of five or seven years of data 
should not be taken to imply that reference data sets of this length 
are optimal. The range of conditions covered by the sample period may 
be as important as its length. Specifically, lack of inclusion of 
periods of economic downturn conditions could bias PD, ELGD, LGD, or 
EAD estimates downward and lead to unjustifiably lower risk-based 
capital requirements.
    39. If a bank's reference data do not include periods of economic 
downturn conditions, the bank must adjust its risk parameter estimates 
to compensate for the lack of these data. Given the particular 
importance of periods of economic downturn, a bank may choose to 
augment an existing reference data set with additional data from such a 
period without including all of the intervening years, if the overall 
data set satisfies required minimums, otherwise covers the appropriate 
range of economic conditions and is appropriate for the bank's existing 
portfolio. Alternatively, a bank may draw more heavily on sub-samples 
of its internal portfolio (for example, particular MSAs or geographic 
regions) that experienced economic downturn periods, or use appropriate 
external data. However, the bank should justify the exclusion of 
available internal data for portions of its portfolio and any inclusion 
of alternative internal or external data sources, as well as its 
weighting assumptions.
    40. The minimum data requirement may be met using internal data, 
external data, or pooled data combining internal data with similar data 
from other sources. However, as noted above, the minimum sample period 
for reference data should not be construed as generally providing 
optimum results. A longer sample period usually fosters more robust 
estimation; for example, a longer sample will include more default 
observations for ELGD, LGD or EAD estimation. Banks should consider the 
use of additional data when more than the minimum length of historical 
data is available. However, the potential increase in precision 
afforded by a larger sample should be weighed against the potential for 
diminished comparability of older data to the existing portfolio; 
striking the correct balance is a matter of judgment. Reference data 
must not differ systematically from the existing portfolio in ways that 
seem likely to be related to default risk, loss severity, or exposure 
at default.
    S 4-10 Banks should clearly document how they adjust for the 
absence of significant data elements in either the reference data set 
or the existing portfolio.
    41. Some exposures in the reference data set and the existing 
portfolio will have missing data elements, some of which are important 
factors for measuring risk. Banks may use a variety of statistical 
methods to impute values for the missing factors--provided these 
factors are sufficiently correlated to known information about the 
exposure. Expertise is required to judge whether such correlations can 
be established. Regardless of the approach and level of sophistication, 
the bank should have a clear and well-documented process describing how 
it treats missing data elements in the estimation and mapping stages.
    42. For example, in the development of a default model, missing 
data elements can be imputed and the estimates of the missing data 
elements input to the model. However, if particular data elements are 
missing on significant portions of the population, this may justify the 
estimation of separate models where data elements are missing.
    S 4-11 Judgmental adjustments to risk parameter estimates, either 
upward or downward, may be an appropriate part of the quantification 
process, but must not result in an overall bias toward lower risk 
parameter estimates.
    43. Judgment will inevitably play a role in the quantification 
process and may materially affect the estimates. Judgmental adjustments 
to estimates are often necessary because of some limitations on 
available reference data or because of inherent differences between the 
reference data and the bank's existing exposures. The bank must ensure 
that adjustments are not biased toward optimistically low risk 
parameter estimates. This standard does not prohibit individual 
adjustments that result in lower estimates of risk, because both upward 
and downward adjustments are expected. Individual adjustments are less 
important than broad patterns; consistent signs of judgmental decisions 
that lower parameter estimates materially may be evidence of bias. The 
bank should also ensure that large judgmental adjustments are well 
justified and infrequent, as frequent large adjustments could indicate 
a problem with the rating methodology.
    44. The reasoning and empirical support for any adjustments, as 
well as the mechanics of the process, should be documented. The bank 
should conduct sensitivity analysis to demonstrate that the adjustment 
procedure is not biased toward reducing risk-based capital 
requirements. The analysis should consider the impact of any judgmental 
adjustments on estimates and risk-based capital requirements, and 
should be fully documented.
    S 4-12 Risk parameter estimates should incorporate a degree of 
conservatism that is appropriate for the overall rigor of the 
quantification process.
    45. Estimated values of the risk parameters should be as precise 
and accurate as possible. However, estimates are inherently subject to 
uncertainty and potential error. Aspects of the quantification process 
that are apt to induce uncertainty and error include model error, 
differences in default definitions, errors in judgment, and data 
deficiencies. A general principle of the IRB framework is that the 
assumptions and adjustments embedded in the quantification process 
should reflect the degree of uncertainty or potential error inherent in 
the process.
    46. In practice, a reasonable estimation approach likely will 
result in a range of defensible risk parameter values. The choices of 
the particular

[[Page 9104]]

assumptions and adjustments that determine the final estimate, within 
the defensible range, should reflect the uncertainty in the 
quantification process. That is, the more uncertainty in the process, 
the more risk-based capital should be required.
    47. The degree of conservatism should be related to factors such as 
the relevance and depth of the reference data, the quality of the 
mapping, the precision of the statistical estimates, and the amount of 
judgment used throughout the process. Conservative methodologies should 
also be considered for new products, such as new residential mortgage 
products. Margins of conservatism need not be added at each step, as 
that could produce an excessively conservative result. Instead, the 
overall margin of conservatism should adequately account for all 
uncertainties and weaknesses. Improvements in the quantification 
process (use of better data, estimation techniques, and so on) may 
allow risk parameter estimates to become less conservative over time.
    S 4-13 Mapping should be based on a comparison of available data 
elements that are common to the existing portfolio and each reference 
data set.
    48. Sound mapping practice uses elements that are available in both 
the existing portfolio and the reference data. If a bank chooses to 
ignore certain variables or to weight some variables more heavily than 
others, those choices should be supported. At least two kinds of 
mapping challenges may arise:
     First, even if similarly named variables are available in 
the historical reference data and the existing portfolio data, they may 
not be directly comparable. Hence, a bank should ensure that linked 
variables are truly similar. Although adjustments to enhance 
comparability can be appropriate, they should be rigorously developed 
and documented.
     Second, levels of aggregation may vary. The bank's 
information systems for its existing exposures might supply more 
detail. For example, to apply the estimates derived from the reference 
data, the portfolio data could be regrouped to match the coarser 
aggregation of the reference data.
    49. Mapping should be consistent with the risk rating and 
segmentation systems. Levels and ranges of key characteristics for each 
rating or segment of the bank's existing exposures should approximate 
the values of similar characteristics for the reference data.
    50. The standard allows for use of a limited set of common 
variables that are predictive of default, loss or exposure risk, in 
part to permit flexibility in early years when data may be far from 
ideal for some portfolios. Nevertheless, mapping exercises should aim 
to provide the greatest possible assurance that it is appropriate to 
apply the bank's estimation framework to the existing portfolio of 
exposures. In instances where banks rely on a limited set of common 
variables, or where those variables are not clearly identical, banks 
should compensate by being more conservative in other stages of the 
quantification process.
    S 4-14 A mapping process should be established for each reference 
data set and for each estimation model.
    51. Banks should never assume that the rationale for a mapping is 
self-evident. Even when reference data are drawn from internal default 
and loss experience, a bank should still link the characteristics of 
the reference data with those of the existing portfolio. The use of 
internal data for reference data purposes does not eliminate the need 
for a mapping requirement because changes in bank strategy or external 
economic forces may alter the risk characteristics or composition of 
the portfolio over time, even within the same wholesale obligor/loss 
severity ratings or within the same retail segments.
     For example, a wholesale rating system that has been 
explicitly designed to replicate external agency ratings may or may not 
be effective in producing a replica; formal mapping would be performed. 
Indeed, in such a system the kind of analysis involved in mapping may 
help identify inconsistencies in the rating process itself.
     Similarly for retail portfolios, even if the bank uses the 
same segmentation system over time, it should verify that the risk 
factors behind the segmentation capture the same types of borrowers in 
today's portfolio as they did in the reference data. For example, a 
given product offering may attract types of customers that differ over 
time in ways that affect risk but are not fully reflected in the risk 
factors used for segmentation.
    52. Banks often use multiple reference data sets, and then combine 
the resulting estimates to get a risk parameter estimate for a 
wholesale obligor/loss severity rating or for a retail segment. A bank 
that does so should conduct a rigorous mapping process for each data 
set.
    S 4-15 Banks that combine estimates from internal and external data 
or that use multiple estimation methods should have a clear policy 
governing the combination process and should examine the sensitivity of 
the results to alternative combinations.
    53. To ensure that the best available data are used to produce 
accurate risk estimates a bank might combine data from multiple sources 
and may use multiple estimation methods. Banks often combine internal 
data with external data and use data from different sample periods. For 
example, for a wholesale portfolio a bank may combine results from 
corporate-bond default databases with results from equity-based models 
of obligor default.
    54. The manner in which the estimates from multiple data sets or 
estimation methods are combined is extremely important, since different 
combinations will produce different risk parameter estimates. A bank 
should investigate risk parameter estimates' sensitivity to different 
ways of combining data sets or combining estimation methods. When 
results are highly sensitive to how data or estimates are combined, a 
bank should make every effort to understand the nature (reasons and 
implications) of the instability (including use of statistical tests) 
and choose among the alternatives conservatively. A bank should 
document why it selected the combination techniques it did, and these 
techniques should be subject to appropriate approval and oversight by 
management.
    S 4-16 The aggregation of risk parameter estimates from individual 
exposures within rating grades or segments should be governed by a 
clear and well-documented policy.
    55. Because different methods of aggregation are possible, a bank 
should have a clear and well-supported policy regarding how aggregation 
should be accomplished. Banks are required to have a quantification 
system in which the rating grades or segments are homogeneous with 
regard to risk; in this case, each obligor or exposure within 
homogeneous grades or segments would receive equal emphasis in 
quantification.
    56. For wholesale exposures, rating grade-based mapping naturally 
produces an average risk parameter estimate by rating grade. 
Conversely, obligor-based or loss severity-based mappings require the 
aggregation of the individual risk parameter estimates to the rating 
grade level. The bank should document this aggregation and compare the 
results of alternative mappings. These mappings are discussed in the 
relevant PD and ELGD and LGD sections.
    57. If a bank uses a prediction model for a retail portfolio that 
assigns a risk parameter estimate to each exposure, it

[[Page 9105]]

should specify and document the process by which it aggregates the 
exposure-level risk parameters to assign segment-level estimates.

II. Probability of Default (PD)

A. Data

    58. For PD quantification, a minimum of five years of data that 
include periods of economic downturn conditions is required; in the 
event that such data are not available, a bank must adjust its PD 
estimates to compensate for the lack of data from periods of economic 
downturn conditions. The data for PD quantification should include 
relevant characteristics of both defaulted and non-defaulted exposures 
such as information on the exposures at different points in time, 
payment history and ultimate disposition.
    59. To estimate PD accurately and support the determination of 
risk-based capital requirements, a bank must have a comprehensive 
reference data set with observations that should be representative of 
the bank's existing exposures. For wholesale portfolios the reference 
data should map to obligors, and for retail portfolios the reference 
data should map to segments of the existing portfolio. Clearly, the 
data set used for estimation should be similar to the portfolio to 
which such estimates will be applied. The same comparability standard 
applies to both internal and external data sets.
    60. To ensure ongoing applicability of the reference data, a bank 
should assess the characteristics of its existing exposures relative to 
the characteristics of exposures in the reference data. Such variables 
might include qualitative and quantitative information on the exposure, 
internal and external wholesale ratings and rating dates, updated 
retail credit scores, corporate lending relationships, retail product 
type and loan terms, or geography. A bank should maintain documentation 
that fully describes all explanatory variables in the data set, 
including any changes to those variables over time. A well-defined and 
documented process should be in place to ensure that the reference data 
are updated as frequently as is practical, as fresh data become 
available or portfolio changes make necessary.
Example
    A bank determines that the aggregate national retail mortgage 
portfolio has not experienced downturn conditions during the time 
horizon for which internal reference data are available. However, 
regional sub-portfolios did experience default rates that were 
significantly higher than average during the available data history. 
Data are available from regional recessions in New England (late 1980s 
and 1990 -1995), Texas (1983-1989), and California (1991-1995). The 
bank demonstrates that the drivers of significantly higher default 
rates in these regional recessions can be extrapolated to the national 
portfolio, and the bank justifies and documents the resulting 
adjustments that would be necessary in the mapping and application 
stages.

B. Estimation

    61. Estimation of PD is the process by which risk characteristics 
of the reference data are related to default rates for each wholesale 
obligor or for each retail segment in the reference portfolio. The 
relevant risk characteristics that are predictive of the likelihood of 
default are referred to as ``drivers of default.'' Drivers for 
wholesale obligors might include financial ratios, management expertise 
and industry. Drivers for retail segments might include product, loan 
and borrower characteristics such as loan-to-value, credit line 
utilization, credit score, or delinquency status. Also, a portfolio 
separator such as geographic region, while not a direct driver of 
default, might indicate separate relationships of the PD to these 
drivers by geographic region.
    S 4-17 PD estimates must be empirically based and must represent a 
long-run average.
    62. The PD is an estimate of the long-run average of one-year 
default rates for wholesale rating grades, for segments of non-
defaulted retail exposures where seasoning is not material, or for a 
segment of non-defaulted retail exposures in a retail exposure 
subcategory for which seasoning effects are not material.
    63. PD estimates should represent averages of one-year default 
rates over a mix of economic conditions (including economic downturn 
conditions) sufficient to provide a reasonable estimate of the one-year 
default rate over the economic cycle for the rating grade or retail 
segment as specified above. If a bank uses the best available 
historical data to estimate PD as the mean of yearly realized default 
rates over at least five years, and the bank can empirically support 
that this period includes economic downturn conditions, then this is 
likely to adequately represent long-run experience. The emphasis should 
not solely be on time span; the long-run average concept captures the 
breadth, as well as the length, of experience.
    64. Estimation generally should treat data from different time 
periods similarly. A bank choosing instead to place greater relative 
weight on data from particular time periods should empirically 
demonstrate that doing so produces a more accurate estimate of future 
default behavior for each wholesale rating grade and retail segment in 
its existing portfolio. For example, more recent data might be given 
more weight in the estimation process if the bank demonstrates that 
doing so is more predictive of future default behavior.
    65. For a statistical model to satisfactorily produce long-run PD 
estimates, the reference data used in the default model must meet the 
long-run requirement. A model can be used to relate risk drivers to the 
outcome--default or non-default. Drivers might include wholesale 
financial ratios, retail borrower credit scores, loan terms, economic 
conditions or industry variables. Such a model must be calibrated to 
capture the default experience over a reasonable mix of economic 
conditions. For example, a Merton-style model's estimate of distance to 
default must be calibrated to the default rate using long-run 
experience. Whether a PD model is developed internally or by a vendor, 
a bank should verify that the model's results have been calibrated to a 
long-run average PD.
    66. Adjustments that are part of the PD estimation process must not 
result in an overall bias toward lower risk parameter estimates. The 
bank should rigorously validate, justify, and document such 
adjustments.
Example 1
    If the bank's internal data history does not include any periods of 
economic downturn, the bank may use external data sources that include 
an economic downturn period to adjust PD estimates upward. The bank 
should justify the assumption that the relationship between the long-
run average PD and the risk drivers observed in the external data 
applies to its portfolio. This practice is consistent with this 
guidance.
Example 2
    A bank uses internal default experience to estimate PDs for its 
wholesale portfolio. However, the bank has historically failed to 
recognize defaults under the IRB default definition. For example, 
exposures sold at a material credit loss were not captured as defaults. 
The realized PD using the IRB definition would be higher than that 
observed by the bank

[[Page 9106]]

(and LGD rates might differ as well). If the bank made no adjustment 
for the missing defaults, its practice would not be acceptable.
    S 4-18 Effects of seasoning, when material, must be considered in 
the PD estimates for retail portfolios.
    67. A bank should determine whether age since origination is a 
significant risk factor for its retail exposures on the balance sheet. 
If so, then seasoning may be a material risk factor.
    68. Material seasoning effects are generally indicated when default 
rates of a segment of retail exposures follow a characteristic age 
profile, rising for the first several periods following origination. 
Seasoning of this type is often significant for longer-maturity 
consumer products such as residential mortgages, but may also be 
important for shorter-lived portfolios.
    69. Additional common indicators of material seasoning effects are 
large or rapidly growing portfolio concentrations of unseasoned 
exposures where age is a significant risk factor. Such concentrations 
could result from a high growth rate of originations, unusually high 
prepayment or attrition rates, or high rates of sales or securitization 
of seasoned exposures.
    70. Even when age is a significant risk factor and default rates 
follow a characteristic age profile, seasoning effects may not be 
material if a retail exposure subcategory's age distribution is stable 
and the age distribution of the portfolio is not concentrated in 
unseasoned exposures.
    71. The operational definition of material seasoning effects for a 
segment of retail exposures is that the annualized cumulative default 
rate for that segment materially exceeds the long-run average of one 
year default rates.
    72. If seasoning effects are material for the retail exposure 
subcategory, banks must use a PD that reflects a longer-run horizon and 
provides adequate risk-based capital to cover potential credit losses 
for its unseasoned segments in that subcategory. Specifically, rather 
than the best estimate of the long-run average of 1-year default rates, 
the higher PD that must be used is defined as the estimated annualized 
cumulative default rate of the segment over the expected remaining life 
of the exposures in the segment.\3\
---------------------------------------------------------------------------

    \3\ Expected remaining life is the average period from today 
until an exposure of a particular type will prepay, pay in full 
through normal amortization, or default.
---------------------------------------------------------------------------

    73. Estimates of expected remaining life should reflect a long-run 
average for exposures in the segment; banks should avoid undue 
volatility in their estimates caused by short-term fluctuations in 
market factors (such as interest rates). Also, banks may incorporate 
discounting of cash flows into their estimates of expected remaining 
life if they so choose.
    74. Even if the exposures are potentially subject to material 
seasoning effects, a bank may use the definition of PD specified in 
Paragraph 62 of this chapter for certain exposures that are originated 
for sale or securitization, provided that:
     The bank credibly demonstrates its ability and intent to 
sell or securitize the exposures within a 90-day time frame. It can do 
so by:
    --An established historical track record of sales or 
securitizations for similar exposures; or
    --Commitments in the form of forward sales agreements or other 
contractual pipeline arrangements that provide reasonable assurances 
that the exposures will be sold within 90 days.
     The exposures are specifically identified at origination.
     The bank monitors sales or securitization market 
indicators, including an assessment of counterparty risk, to ensure its 
continuing ability to sell or securitize these exposures in a variety 
of market conditions.
    Exposures that are not sold or securitized within 90 days should be 
assigned to segments that fully reflect their risk profile based on 
their updated risk characteristics.
    75. Banks should note that under the rules for securitization 
exposures in the NPR, a bank may need to quantify the IRB risk 
parameters for some securitized exposures. For that quantification 
process, a bank must meet the quantification requirements for 
estimating PDs for retail exposures held on balance sheet, including 
the requirements for estimating PD when seasoning effects are material.
    76. The account age profile may be tracked by using account age as 
a criterion in the segmentation system for the retail exposures or as a 
predictive variable in a PD quantification model. Several methods can 
be used to account for seasoning in the PD estimates. See example 4 in 
Appendix B of this chapter.

C. Mapping

    77. Mapping is establishing a linkage between the bank's existing 
exposures and the reference obligor data used in the default model. 
Hence, mapping involves identifying how drivers of default for the 
existing exposures correspond to the reference data's drivers. 
Wholesale drivers include financial and nonfinancial variables, and 
assigned rating grades; retail segment drivers include exposure and 
borrower risk characteristics.
    78. Key drivers of default should be factored directly into the 
obligor rating or segmentation process. But in some circumstances, 
certain effects related to industry, geography, or other factors are 
not reflected in wholesale obligor risk rating assignments, retail 
segmentation, or default estimation models. In such cases, it may be 
appropriate for banks to capture the impact of the omissions by using 
different mappings for different business lines or types of exposures. 
Supervisors expect this practice to be transitional, and that banks 
eventually will incorporate the omitted effects into the wholesale 
obligor risk rating, the retail segmentation system or the PD 
estimation process as they are uncovered and documented, rather than 
adjusting the mapping.
    79. Banks may use multiple reference data sets or estimation 
methods, and then combine the resulting estimates to get an obligor 
rating grade or segment PD. A bank that does so should conduct a 
rigorous mapping process for each data set and estimation method. For 
example, when using data from a number of wholesale rating agencies, 
the mapping should take into consideration differences in the agencies' 
rating methods by mapping each agency's obligor rating scale 
separately. Similarly, when combining the results from internal 
historical data and a default prediction model over a retail portfolio, 
the bank should map both the historical long-run PD and the model's 
output to the existing portfolio.
Retail Mapping
    80. For retail portfolios, mapping involves linking segments in the 
reference data to segments in the existing portfolio. If the bank's 
segmentation process has been in place for a long time, the mapping 
between internal historical data and the existing portfolio data may be 
straightforward. However, if the bank's retail segmentation system has 
varied over time, the bank should demonstrate a mapping between its 
existing segmentation system and the segments in the reference data. In 
either case, the bank should demonstrate that the mapping is 
appropriate and conduct periodic assessments to verify this.
Example
    2ven if similarly named characteristics are available in the 
reference data and the existing portfolio data, they may not be 
directly comparable. For example, in a retail portfolio of auto loans, 
the particular

[[Page 9107]]

types of auto loans (for example, new or used, direct or indirect) may 
vary from one application to another. Hence, a bank should ensure that 
linked drivers are truly similar in PD estimation. Although adjustments 
to enhance comparability can be appropriate, they should be rigorously 
developed and documented.
Wholesale Mapping
    81. There are two broad approaches to the mapping process for 
wholesale portfolios, obligor mapping and rating grade mapping.
    82. In obligor mapping, each existing obligor is mapped to the 
reference data based on its individual characteristics. For example, if 
a bank applies a default model to estimate an obligor-level default 
probability, that model uses certain obligor-level variables as inputs. 
The values of these variables for each obligor are used as inputs to 
the obligor-level default probability estimation model.

Example

    In estimating rating grade PDs, a bank relies on observed default 
rates on bonds in various agency ratings. To map its internal rating 
grades to the agency ratings, the bank identifies variables that 
together explain much of the rating variation in the bond sample. The 
bank then conducts a statistical analysis of those same variables 
within its portfolio of obligors, using a multivariate distance 
calculation to assign each portfolio obligor to the external rating 
whose characteristics it matches most closely (for example, assigning 
obligors to ratings so that the sum of squared differences between the 
external rating averages and the obligor's characteristics is 
minimized). This practice is broadly consistent with sound mapping 
practices.
    83. In rating grade mapping, characteristics of the obligors within 
an internal rating grade are averaged or otherwise summarized to 
construct a ``typical'' or representative obligor for each rating 
grade. Then, the bank maps that representative obligor to the reference 
data. For example, if the bank uses a model that takes certain 
variables as inputs to produce an obligor-level default probability 
estimate, a representative value for each input variable would be 
determined for each internal rating grade, creating in effect a 
``typical obligor'' for a rating grade; the default probability 
associated with that typical obligor will serve as the rating grade PD 
in the application stage. As an alternative example, a bank maps the 
typical obligor from each internal rating grade to a particular 
external NRSRO rating based on quantitative and qualitative 
characteristics and assigns the realized long-run average one-year 
default rate for that external rating to the internal rating grade in 
the application stage.

Example

    A bank uses rating grade mapping to link portfolio obligors to the 
reference data set described by agency ratings. The bank reviews 
publicly-rated portfolio obligors within an internal rating grade to 
determine the most common agency rating, does the same for all rating 
grades, and creates a linkage between internal and agency ratings. The 
strength of the linkage is a function of the number of externally rated 
obligors within each rating grade, the distribution of those agency 
ratings within each rating grade and the similarity of externally rated 
obligors in the grade to those not externally rated. This practice is 
broadly consistent with sound mapping practices, and, for the reasons 
discussed below, may require adjustments and the addition of margins of 
conservatism.
    84. An acceptable quantification process could include the use of 
either a rating grade mapping or obligor mapping approach. However, in 
the absence of other compelling considerations, banks should use 
obligor mapping because rating grade mapping has the following 
drawbacks:
     First, default probabilities are nonlinear using many 
estimation approaches. As a result, the typical obligor's default 
probability using the rating grade mapping approach is often lower than 
the mean of the individual obligor default probabilities using the 
obligor mapping approach.
     Second, a hypothetical obligor with a rating grade's 
average characteristics may not represent well the risks presented by 
the rating grade's typical obligor, since different types of obligors 
might end up in the same grade.
    85. A bank electing to use rating grade mapping instead of obligor 
mapping should be especially careful in choosing a ``typical'' obligor 
for each grade. Doing so generally requires that the bank examine the 
actual distribution of obligors within each rating grade, as well as 
the characteristics of those obligors. Banks should be aware that 
different statistical measures (such as mean, median, or mode) will 
produce different results, and may result in materially different PDs 
for a particular rating grade. The bank should justify its choice and 
should have a clear and consistent policy toward the calculation.
    86. In addition to the general requirement to compare elements that 
the reference data and portfolio have in common, both obligor and 
rating grade mappings should also take into account differences in 
rating philosophy (as commonly revealed through analysis of rating 
migration) between any ratings embedded in the reference data set and 
the bank's own rating regime.

D. Application

    87. The application stage produces final PD estimates that will be 
used in the determination of risk-based capital requirements. This 
stage is expected to be relatively mechanical for most retail 
portfolios, except when the bank uses multiple reference data sets or 
multiple estimation methods or significantly changes its segmentation 
system over time. Judgmental adjustments to the risk parameter 
estimates should be rare for retail portfolios.
    88. This stage may be somewhat more involved for wholesale 
portfolios. After the bank applies the PD estimation method to its 
existing exposures using the mapping process, adjustments to the raw 
results derived from the estimation stage may be appropriate to obtain 
final rating grade PD estimates. For example, the bank might aggregate 
individual obligor default probabilities to the rating grade level or 
otherwise produce a rating grade PD estimate, or might smooth results 
because a rating grade's PD estimate was higher than a lower quality 
grade. The bank should explain and support all such adjustments when 
documenting its quantification process.
    89. The bank must ensure that the PD applied in the determination 
of risk-based capital requirements for each wholesale exposure or 
retail segment is not less than the regulatory floor of 0.03 percent, 
except for exposures to or directly and unconditionally guaranteed by a 
sovereign entity, the Bank for International Settlements, the 
International Monetary Fund, the European Commission, the European 
Central Bank, or a multi-lateral development bank, to which the bank 
assigns a rating grade associated with a PD of less than 0.03 percent.

Example

    A bank uses external data to estimate long-run average PDs for each 
wholesale rating grade. The resulting PD estimate for Grade 2 is 
slightly higher than the estimate for Grade 3, even though Grade 2 is 
supposedly of higher credit quality. The bank uses statistics to 
demonstrate that this anomaly occurred because defaults are rare in the 
highest quality rating grades. The bank judgmentally adjusts the PD 
estimates for Grades 2

[[Page 9108]]

and 3 to preserve the expected relationship between obligor rating 
grade and PD, but demonstrates that total risk-weighted assets across 
both rating grades using the adjusted PD estimates are no less than 
total risk-weighted assets based on the unadjusted estimates, using a 
typical distribution of obligors across the two rating grades. An 
adjustment such as given in this example is consistent with this 
guidance.

III. Expected Loss Given Default (ELGD) and Loss Given Default (LGD)

    90. The ELGD and LGD quantification process is similar to the PD 
quantification process. Once a bank identifies and obtains a reference 
data set of defaulted exposures and relevant descriptive 
characteristics, it selects a technique to estimate the credit-related 
economic loss per dollar of EAD for a defaulted wholesale exposure with 
a given array of characteristics or for all defaulted exposures in a 
reference retail segment. The reference data should then be mapped to 
the bank's existing exposures so that the bank can estimate ELGD and 
LGD for each wholesale exposure, loss severity rating, or retail 
segment, as the case may be. Finally, application adjustments may be 
made to obtain final risk parameter estimates.
    91. The ELGD is an estimate of the default-weighted average 
economic loss (where individual defaults receive equal weight), per 
dollar of EAD, the bank expects to incur in the event that the obligor 
were to default within a one-year horizon over a mix of economic 
conditions, including economic downturn conditions. LGD estimates 
reflect the estimate of the economic loss per dollar of EAD that the 
bank expects to incur if the obligor were to default within a one-year 
horizon during economic downturn conditions. Accordingly, ELGD 
estimates incorporate a mix of economic conditions (including economic 
downturn conditions) while LGD estimates reflect losses that would 
occur during economic downturn conditions (i.e., conditions in which 
aggregate default rates are significantly higher than average). LGD 
estimates cannot be less than ELGD estimates for a particular wholesale 
exposure or retail segment.

A. Data

    92. Unlike reference data sets used for PD estimation, data sets 
for ELGD and LGD estimation contain only exposures to defaulted 
obligors. At least two broad categories of data are necessary to 
produce ELGD and LGD estimates.
    93. First, factors must be available to group the defaulted 
exposures in meaningful ways. Wholesale exposures are grouped by 
characteristics that are likely to be important in predicting loss 
rates--for example, whether an exposure is secured and the type and 
coverage of collateral, the seniority of a claim, economic conditions, 
and the obligor's industry. The retail segmentation system may separate 
exposures by borrower and exposure risk characteristics predictive of 
loss severity or by an ELGD or LGD score--for example, credit score, 
business line, credit line utilization for unsecured credit lines, or 
loan-to-value for mortgage loans.
    94. Although the characteristics identified above have been found 
to be significant in academic and industry studies, a bank's 
quantification of ELGD and LGD certainly need not be limited to these 
variables. For example, a bank might examine many other potential 
drivers of loss severity, including geographic location, exposure type, 
tenor of the relationship, wholesale obligor size, or retail borrower 
wealth.
    95. Second, data must be available to calculate the realized 
economic loss of each defaulted exposure. Such data may include the 
market value of the wholesale exposure at default or the market value 
for a pool of charged-off retail exposures, which can be used to proxy 
a recovery rate. Alternatively, economic loss may be calculated for 
wholesale exposures and retail segments using the EAD (including 
principal and accrued but unpaid interest or fees), losses on the sale 
of repossessed collateral, direct workout costs, an appropriate 
allocation of indirect workout costs, the timing and amount of 
subsequent recoveries, and the discount rate appropriate to the risk of 
the exposure.
    96. Data should be comprehensive. All cash flow data should include 
dollar amounts and dates. For example, roll to charge-off or non-
accrual, number of days past due, or bankruptcy status should be 
captured if these factors are expected to be significant for ELGD and 
LGD. Recovery data should include direct payments from the obligor/
borrower, the sale of the collateral or realized income from the sale 
of defaulted exposures. Supportable net realizable value of defaulted 
exposures and collateral acquired in default that has yet to be 
disposed of can be included as part of the reference data. Cost data 
comprise the material direct and indirect costs associated with 
workouts and collections.
    97. Ideally, loss severity should be measured once all recoveries 
and costs have been realized. However, a bank may not resolve a 
defaulted wholesale obligation for many years following default. For 
practical purposes, banks relying on actual recovery data may choose to 
close the period of observation before this final resolution occurs--
that is, at a point in time when most costs have been incurred and when 
recoveries are substantially complete. Banks that do so should estimate 
the additional costs and recoveries that would likely occur beyond this 
period and include them in ELGD and LGD estimates. A bank should 
document its choice of the period of observation, and how it estimated 
additional costs and recoveries beyond this period.
    98. Reference data sets may contain individual loss observations 
that are less than 0 percent or greater than 100 percent. However, 
extra diligence is required for loss realizations reported to be less 
than 0 percent to ensure that economic loss is being measured.\4\
---------------------------------------------------------------------------

    \4\ Banks are not required to truncate the loss severity data 
used to derive ELGD and LGD parameter estimates. Nonetheless, final 
ELGD and LGD estimates should not be negative or zero. Readers are 
directed to the discussion of the application stage for ELGD and LGD 
in a later section of this guidance for elaboration of related 
supervisory expectations regarding ELGD and LGD quantification.
---------------------------------------------------------------------------

Example 1
    A bank with internal wholesale data covering the period 1997 
through 2003 relies primarily on these data for quantifying its 
wholesale risk parameter estimates. The bank will continue to extend 
this internal data set as time progresses. Its current policy mandates 
that credits be resolved within two years of default, so the data set 
contains the most recent data available. Although the existing data set 
satisfies the seven-year requirement for ELGD quantification, the bank 
is aware that it does not include appropriate economic downturn 
conditions for certain portfolios. In comparing its loss estimates with 
rates published in external studies that cover longer time periods and 
include economic downturn periods for similarly stratified data, the 
bank observes that its estimates are systematically lower. To be 
consistent with the NPR, the bank must reflect economic downturn 
conditions in its ELGD estimates, as such estimates represent the loss 
the bank expects to incur in the event that the obligor of the exposure 
defaults within a one-year horizon over a mix of economic conditions, 
including economic downturn conditions.
Example 2
    A bank develops evidence that during the 2001 to 2003 period of 
highly

[[Page 9109]]

elevated mortgage prepayments owing to record-low interest rates, 
losses were likely deferred in mortgage portfolios because of readily 
available refinancing options. The bank also concludes that losses on 
foreclosures during this period were limited because housing prices 
generally increased throughout the United States despite a recession. 
However, the bank notes that a similar (though not as substantial) drop 
in interest rates occurred in the early 1990s, during a recession that 
was characterized by a sharp drop in property values in many parts of 
the country. Because the recent period may have been atypical, the bank 
chooses to weigh older data (perhaps from external sources) more 
heavily than recent data for ELGD quantification. Such an approach to 
weighting the data would be consistent with this guidance.
    99. The following examples illustrate how definitions of default in 
the reference data that are different from the IRB definition 
complicate ELGD estimation.
Example 1
    For ELGD estimation, a bank includes in its default database only 
exposures that actually experience a loss and excludes exposures for 
which no loss was recorded (effectively applying a ``loss given loss'' 
concept). This practice is not consistent with the NPR because the 
bank's default definition is narrower than the IRB definition.
Example 2
    A bank relies on two external data sources to estimate ELGD because 
it lacks sufficient internal data. Both sources use definitions that 
deviate from the IRB definition; one uses ``bankruptcy filing'' to 
indicate default while another uses ``missed principal or interest 
payment.'' Although the different definitions result in significantly 
different loss estimates for the loss severity ratings defined by the 
bank, the bank simply combines the external data sources in deriving 
its ELGD estimates. The bank's practice is not consistent with the 
guidance. The bank should determine the impact on the parameter 
estimates of the different definitions used in the reference data sets. 
For minor definitional differences, the bank may be able to make 
appropriate adjustments during the estimation stage. If the differences 
are difficult to quantify, an appropriate level of conservatism should 
be applied or the bank should seek other sources of reference data.

B. Estimation

    100. Estimation of ELGD and LGD is the process by which 
characteristics of the reference data are related to loss severity. 
Relevant characteristics for wholesale exposures might include 
variables such as seniority, collateral, exposure type, or business 
line. For retail portfolios, as discussed in Chapter 3, a common ELGD 
or LGD might be applied so long as the estimate is accurate for each 
segment and exposures within those segments have homogenous risk 
characteristics.
    101. In estimating ELGD and LGD, banks should identify drivers of 
loss. One estimation approach is to separate the reference defaults 
into groups that do not overlap, for example, by business line, 
predominant collateral type, or loan-to-value coverage. The ELGD 
estimate for each category could then be based on the default-weighted 
average economic loss per dollar of EAD, and LGD could be similarly 
derived using data from periods of economic downturn conditions. In 
most cases, it will not be acceptable to calculate ELGD as the average 
of annual loss rates (where loss severity for each year receives equal 
weight). Years with a relatively large number of defaults generally 
provide richer data for measuring loss severity compared to years when 
there are relatively few defaults. Thus, in general, years with a 
relatively large number of defaults contribute more information and 
should be appropriately weighted when estimating ELGD. In addition, if 
years of relatively low default rates typically have relatively low 
loss severity rates, then using the average of annual loss rates will 
tend to understate ELGD.
    102. A statistical model, for example a regression model using data 
on loss severity and some quantitative measures of the loss drivers, 
could be applied to estimate ELGD or LGD. Any model must meet the 
requirements for validation discussed in Chapter 7. Other methods for 
estimating ELGD or LGD could also be appropriate.
Example 1
    To estimate ELGD, a bank uses only internal data. Although 
information on security and seniority is lacking, no adjustments for 
the lack of data are made in the estimation or application steps. This 
practice is not consistent with the guidance because there is ample 
external evidence that security and seniority are relevant in 
estimating ELGD. A bank with such limited internal default data must 
incorporate external or pooled data.
Example 2
    A bank groups observed defaults in the reference data according to 
geographic region and collateral. One of the pools has too few 
observations to produce a reliable estimate. By augmenting the loss 
data with data from similar geographic regions with the same 
collateralization, the bank derives an ELGD estimate. Provided the bank 
can adequately support the process used to establish the relevance of 
the data from other regions, this approach would be consistent with the 
guidance.
    103. Banks should evaluate adjustments in the ELGD and LGD 
estimation process to ensure that they do not result in an overall bias 
toward lower estimates of risk.
Example 1
    A bank is unable to properly discount a segment's cash flows 
because the reference data do not include the dates of recoveries (and 
related costs). However, the bank has sufficient internal data to 
calculate economic loss for defaulted exposures in another portfolio 
segment. The bank can support the assumption that the timing of cash 
flows for the two segments is comparable. Using the available data and 
informed judgment, the bank adjusts the estimates for the data-poor 
segment to reflect how much the measured loss without discounting 
should be grossed up to account for the time value of money and the 
distressed nature of the assets. This practice is consistent with the 
guidance.
Example 2
    Collateral is one factor used by a bank to estimate ELGD. Although 
the available internal and external data indicate a higher ELGD, the 
bank judgmentally assigns a loss estimate of 2 percent for exposures 
secured by cash collateral. The bank contends that the lower estimate 
is justified because it expects to do a better job of following 
policies for monitoring cash collateral in the future. Such an 
adjustment is generally not appropriate because it is based on 
projections of future performance rather than realized experience. This 
practice generally is not consistent with the guidance.
    S 4-19 ELGD and LGD estimates must be empirically based and must 
reflect the concept of ``economic loss.''
    104. ELGD and LGD are based on the concept of economic loss, which 
is a broader, more inclusive concept than accounting measures of loss. 
Broadly speaking, economic loss incorporates the mark-to-market loss of 
value of a defaulted exposure and collateral,

[[Page 9110]]

including material accrued but unpaid interest or fees, and all 
material direct and indirect costs of workout and collections, net of 
recoveries. Losses, recoveries, and costs should all be discounted to 
the time of default. See the fourth paragraph of the LGD definition in 
section 2 of the NPR for the definition of economic loss.
    105. Banks often estimate loss using data on costs and recoveries 
from workouts of defaulted exposures; however, appropriate estimates 
may sometimes be developed using market data on defaulted exposures.
    106. The scope of cash flows included in recoveries and costs is 
meant to be broad. Material recovery costs that can be clearly 
attributed to certain exposures, plus material indirect cost items, 
must be reflected in the bank's ELGD and LGD assignments for those 
exposures. Recovery costs include the costs of running the bank's 
collection and workout departments and the cost of outsourced 
collection services directly attributable to recoveries during a 
particular time or for a particular segment or portfolio, at as 
granular a level as possible. Recovery costs also include an 
appropriate percentage of other ongoing costs, such as overhead.
    107. Recovery costs can be allocated using the same principles and 
techniques of cost accounting that are usually used to determine the 
profit and loss of activities within any large enterprise. Collection 
and workout departments, however, may cover services not 100 percent 
attributable to defaulted exposures. For example, the same call center 
may manage reminder calls to delinquent retail accounts, many of which 
will never default, as well as collection calls. The expenses for these 
functions should be differentiated to allocate only collection expenses 
attributable to defaulted exposures.
    108. When costs cannot be allocated because of data limitations, 
the bank may assign those costs using broad averages. For example, the 
bank could allocate costs by outstanding dollar amounts of loans, 
including accrued but unpaid interest or fees at the time of default, 
within each rating grade or segment.
    109. All costs, and recoveries should be discounted to the time of 
default using the time interval between the date of default and the 
date of the realized loss, incurred cost, or recovery; this calculation 
should be on a pooled basis for retail exposures. The discount rate 
should reflect the costs of holding defaulted assets over the workout 
period, including an appropriate risk premium.\5\ As such, an 
appropriate discount rate will reflect the uncertainty of recovery cash 
flows and the presence of undiversifiable risk.
---------------------------------------------------------------------------

    \5\ This implies that the appropriate discount rate for IRB 
purposes likely will differ from the interest rate required under 
FAS 114 for accounting purposes.
---------------------------------------------------------------------------

    S 4-20 ELGD estimates must reflect the expected default-weighted 
average economic loss rate over a mix of economic conditions, including 
economic downturn conditions.
    110. For wholesale exposures, ELGD is the best estimate of the 
economic loss per dollar of EAD that would be incurred in the event 
that the obligor (or a typical obligor in the applicable loss severity 
rating) defaults within a one-year horizon. For retail segments, ELGD 
is the best estimate of the economic loss per dollar of EAD that would 
be incurred on the segment from exposures that default within a one-
year horizon.
    111. ELGD estimates should reflect expected long-run loss 
severities and should represent an estimate of the default-weighted 
average economic loss as observed over a complete credit cycle. Similar 
to PD quantification, loss severity data must include periods of 
economic downturn conditions or the bank must adjust its estimates to 
compensate for the lack of data from economic downturn conditions.
Economic Downturn LGD
    S 4-21 LGD estimates must reflect expected loss severities for 
exposures that default during economic downturn conditions, and must be 
greater than or equal to ELGD estimates.
    112. In addition to ELGD, banks must quantify LGD in a way that 
appropriately reflects downturn conditions for each wholesale exposure 
and for each retail segment. LGD is an estimate of the percentage of 
EAD that would be lost in the event of a default during the one-year 
horizon, if that default were to occur during a period of economic 
downturn. Under economic downturn conditions default rates are higher 
than under more neutral conditions, and LGD estimates must reflect 
expected loss rates resulting from downturn conditions.
    113. If a bank obtains supervisory approval to use its own 
estimates of LGD for an exposure subcategory, it must use internal 
estimates of LGD for all exposures within that subcategory. Within 
retail, the three subcategories are residential mortgage, QRE, and 
other retail, while within wholesale credit the two subcategories are 
high-volatility commercial real estate (``HVCRE'') and all other 
wholesale.
    114. If a bank has not received prior written approval from its 
primary Federal supervisor to use internal LGD estimates, the bank must 
use the supervisory mapping function. The supervisory mapping function 
calculates LGD by taking 92 percent of the ELGD and adding eight 
percentage points to that result.
    115. The LGD estimate for an exposure or segment may never be less 
than the ELGD assigned to that exposure or segment, and must be higher 
than ELGD if a higher estimate is appropriate based on robust analysis 
of the impact of economic downturn conditions on loss severity. The LGD 
for some exposures or segments may be substantially higher than ELGD, 
while for others it may not.
    S 4-22 A bank may use internal estimates of LGD only if supervisors 
have previously determined that the bank has a rigorous and well-
documented process for assessing the effects of economic downturn 
conditions on loss severities and for producing LGD estimates 
consistent with downturn conditions. The process must appropriately 
identify downturn conditions, identify the impact of economic downturn 
conditions on loss rates, identify any material adverse correlations 
between drivers of default and LGD, and incorporate any identified 
correlations and/or downturn impact into the quantification of LGD.
    116. In determining whether to approve a bank's use of internal 
estimates of LGD for a subcategory of exposure, supervisors will 
consider whether the process for generating LGD estimates is consistent 
with the supervisory standard above and produces internal estimates of 
LGD that are reliable and sufficiently reflective of economic downturn 
conditions.
    117. To meet the requirements for internal estimates, a bank should 
satisfy the following conditions:
     The bank should establish policies to govern the process 
for identifying downturn conditions and generating LGD estimates. The 
policy should address:
    --Criteria for identifying downturn conditions;
    --The level of product and geographic scope to be used for 
identification of economic downturn conditions;
    --Data requirements;
    --Methods to determine the impact of downturn conditions on loss 
severities; and
    --Quantification methodologies to produce LGD estimates.
     The bank must have a rigorous quantification process 
(covering all stages of quantification, including

[[Page 9111]]

reference data, estimation, mapping, and application) for estimating 
LGD. The bank must be able to identify economic downturns, determine 
the impact of downturn conditions on loss severities, and appropriately 
quantify LGD.
    118. In principle, quantification of LGD is no different from 
quantification of any other IRB risk parameter. The target of the 
quantification process is different, but the stages of quantification 
(data, estimation, mapping, and application) apply to LGD just as they 
do to other risk parameters such as PD and ELGD. However, the details 
necessarily differ; the remainder of this section discusses supervisory 
standards related to quantification of own-estimates of LGD to reflect 
economic downturn conditions.

Identifying Economic Downturn Conditions

    119. To identify periods of downturn conditions, the bank should 
first articulate both product and geographic scope, since default rates 
for different types of exposures in different areas are themselves 
likely to differ. At the product level, the highest level of 
aggregation is a given IRB subcategory of exposure (i.e., residential 
mortgage, QRE, other retail, HVCRE, and all other wholesale). Thus, for 
example, downturn conditions for wholesale exposures other than HVCRE 
are defined as periods of high default rates for non-HVCRE wholesale 
exposures in general. A bank may choose to use lower levels of 
aggregation in order to achieve better measurement of actual credit 
risk and greater risk sensitivity. For example, a bank with an industry 
concentration in a subcategory of exposures (such as corporate 
exposures to technology companies) may find that information relating 
to a downturn in that industry sector may be more relevant for the bank 
than a general downturn affecting many regions or industries.
    120. The geographic scope for identification of economic downturn 
conditions is the geographic ``footprint'' of the bank within an 
exposure subcategory, that is, the geographic area from which exposures 
of each type are drawn (or can be expected to be drawn customarily). 
This ``footprint'' need not be the same for each subcategory of 
exposures. Banks are not required to further subdivide with regard to 
geography; for example, if a bank's HVCRE exposures are drawn from two 
distinct regions such as the Southeast and the Northeast, they may 
define a downturn in HVCRE as a period of significantly above-average 
default rates in HVCRE for the two regions jointly, rather than 
considering each separately. Nonetheless, as is the case with product 
scope, banks are permitted to further subdivide geographically if they 
choose to do so.
    121. The exception to the ``footprint'' scope is that separate 
countries must be treated separately. For example, a bank with 
residential mortgage exposures in the United States and Japan must 
separately identify the conditions under which residential mortgage 
default rates would be significantly higher than average in each 
national jurisdiction.
    122. Given these requirements for product and geographic scope, 
downturn conditions with respect to a wholesale exposure or retail 
segment are defined as those conditions under which the aggregate 
default rate for the exposure's wholesale or retail exposure 
subcategory (or subdivision of such subcategory selected by the bank) 
within the related geographic footprint and/or jurisdiction (or finer 
subdivision selected by the bank) would be significantly higher than 
average.
    123. It may be useful to distinguish this definition of economic 
downturn from other definitions that might seem reasonable. For 
example, an economic downturn for purposes of LGD estimation is not 
defined as a period of high loss severity, that is, a period in which 
realized losses given default are high. Loss severities may be high 
during an economic downturn--indeed, that is the primary motivation for 
the separate estimation of economic downturn LGD--but this is not the 
defining characteristic; high realized loss severity rates do not 
define a downturn. Similarly, economic downturns are not defined as 
periods of depressed collateral values, although collateral values may 
be low when default rates are high. Finally, economic downturn 
conditions for purposes of LGD estimation are not defined as periods of 
poor economic performance as determined by other measures such as GDP 
growth or other traditional measures of business conditions and 
economic climate. Traditional measures of economic activity may indeed 
show weakness during periods corresponding to ``economic downturn 
conditions'' as defined for purposes of LGD estimation, but a period of 
weak economic activity does not in and of itself indicate the existence 
of economic downturn conditions as defined in the NPR. Economic 
downturn conditions are identified only through reference to default 
rates for exposure subcategories within relevant geographic regions.

Estimation of LGD

    124. Once relevant downturn conditions are identified, a bank must 
determine the impact of such conditions on loss severities and 
construct appropriate estimates of LGD under economic downturn 
conditions for each wholesale loss severity rating grade or exposure 
and each retail segment. LGD should be the empirically based best 
estimate of the loss severity as a percentage of exposure if the 
obligor were to default during economic downturn conditions. Note that 
although estimates are empirically based, the purpose of quantification 
is not to measure past patterns and dependencies, but to generate 
predictions of likely future outcomes.
    125. Banks may choose to focus the quantification process on LGD 
directly. However, in many cases it may be more practical to estimate 
the extent to which loss rates can be expected to exceed ELGD under 
economic downturn conditions, through estimation of the difference 
(LGD-ELGD) or estimation of the percentage increase in the loss rate, 
or perhaps through some other translation of ELGD into LGD. In that 
case, the result of one estimation process--that for ELGD--is used an 
input to the LGD estimation process, and any evaluation of the 
robustness of LGD estimates would have to adequately consider the 
potential modeling error and estimation error introduced by their 
reliance on ELGD as a key input.
    126. Identification of the impact of economic downturn conditions 
on LGD, and incorporation of that impact into LGD estimates, requires 
suitable design of all stages of the quantification process. No single 
approach is presumed to be correct, and there are many alternative 
approaches that, if properly carried out, could satisfy the supervisory 
requirements for use of internal estimates of LGD. Several examples, 
while not intended to be exhaustive, can serve to illustrate the point.
Example 1
    A bank estimates a relationship between loss rates and a set of 
independent variables or risk drivers that is robust over periods 
covering a wide range of conditions, including economic downturns. The 
bank determines that the main impact of an economic downturn on LGD 
arises through changes in certain risk drivers (such as collateral 
values) under economic downturn conditions. The bank quantifies LGD 
through a process similar to a stress test, with the

[[Page 9112]]

identified drivers of loss severity stressed to the values they would 
assume under economic downturn conditions, based on historical 
observations.
Example 2
    A bank conducts rigorous analysis to construct a model linking risk 
drivers for LGD to variables that characterize economic downturn 
conditions, including underlying economic variables and the way those 
variables tend to change in a downturn. The bank uses that model to 
directly simulate the impact of downturn conditions on LGD rather than 
using downturn values for the variables that tend to determine loss 
severity rates under more normal conditions.
Example 3
    A bank determines that the impact of economic downturn conditions 
on LGD arises from a fundamental change in the relationship between 
risk drivers and LGD during a downturn. That is, the bank finds that 
loss severities rise in a downturn because certain risk drivers or 
variables that have an impact on losses, such as collateral type or 
seniority, have a different quantitative influence on loss severity 
during a downturn than during other periods. The bank estimates a 
relationship between loss severity rates and risk driving variables 
using data from periods of economic downturn conditions.
    The approaches briefly described in the examples above also require 
careful consideration of appropriate mapping, since use of an estimated 
relationship between LGD and any other variables or risk drivers would 
require mapping of currently observed values of those variables for 
exposures, rating grades, or segments to the corresponding values of 
those drivers during economic downturn conditions.
Example 4
    A bank conducts a rigorous comparison of average recovery rates 
with recovery rates observed during appropriately identified downturn 
periods, finding that the impact of economic downturn conditions can be 
characterized as a fixed, across-the-board reduction in recovery rates. 
The bank is able to provide evidence that this relationship is 
statistically robust, and superior to other approaches to LGD 
quantification. The bank uses the implied, empirically based 
adjustments in the application stage of the LGD quantification process 
to reflect the impact of economic downturns.

C. Mapping

    127. ELGD and LGD mapping follows the same general standards as PD 
mapping. A mapping should be plausible and should be based on a 
comparison of loss severity-related data elements common to both the 
reference data and the existing portfolio. The mapping approach is 
expected to be unbiased, such that the exercise of judgment does not 
consistently lower ELGD and LGD estimates. The default definitions in 
the reference data and the existing portfolio of exposures should be 
comparable, as should be the methods of recovery. The mapping process 
should be updated regularly, well-documented, and independently 
reviewed.
    128. Mapping involves matching exposure-specific data elements 
available in the existing portfolio to the factors in the reference 
data set used to estimate expected loss severity rates. Examples of 
factors that influence loss rates include collateral type and coverage, 
seniority, industry, and location. Reference data often do not include 
workout costs and will often use different discount rates. Judgmental 
adjustments for such differences should be well-documented and 
empirically based to the extent possible.
    129. Different data sets and different approaches to ELGD and LGD 
estimation may be appropriate, especially for different business 
segments or product lines. Each mapping process must be specified and 
documented.

D. Application

    130. At the application stage, banks apply the ELGD and LGD 
estimation framework to their existing portfolio of credit exposures. 
This step might require banks to aggregate retail segment-level ELGD 
and LGD estimates derived from more granular reference data into 
estimates applicable to broader segments in the existing portfolio, to 
aggregate individual wholesale ELGD and LGD estimates into discrete 
loss severity ratings, or to combine estimates.
    131. The inherent variability of recovery, due in part to 
unanticipated circumstances, demonstrates that no exposure type is 
risk-free, regardless of structure, collateral type, or collateral 
coverage. The existence of recovery risk dictates that the application 
stage should result in an ELGD and LGD above 0 percent. As was 
discussed in the data section, a data set may include observations with 
negative realized loss rates. Although these transactions may be 
included in the ELGD and LGD estimation process, no exposure or rating 
grade should be assigned an ELGD or LGD estimate that is less than or 
equal to zero percent for purposes of risk-based capital calculations.
    132. The LGD (i.e., the economic downturn loss estimate) for each 
segment of residential mortgage exposures (other than segments of 
residential mortgage exposures for which all or substantially all of 
the principal of each exposure is directly and unconditionally 
guaranteed by the full faith and credit of a sovereign entity) may not 
be less than 10 percent.

IV. Exposure at Default (EAD)

    133. As EAD quantification is somewhat less advanced than other 
areas of quantification, it is addressed in somewhat less detail in 
this guidance. Banks should continue to innovate in the area of EAD 
estimation, refining and improving practices in EAD measurement.
    134. A bank must provide an estimate of EAD for each exposure in 
its wholesale portfolio and for each segment in its retail portfolio. 
For fixed exposures like term loans, EAD is equal to the carrying value 
unless there is an allocated transfer risk reserve for the exposure or 
the exposure is held available-for-sale. For variable exposures such as 
loan commitments, revolving exposures and other lines of credit, EAD 
for each exposure includes the outstanding balance at the point of 
capital measurement plus an estimate of net additions to the total 
balance due, including estimated future additional advances of funds, 
including principal and accrued but unpaid interest and fees that are 
likely to occur before and after default assuming that the exposure 
were to default within a one-year horizon. The estimate of net 
additions must reflect what would be expected during a period of 
economic downturn conditions.
    135. Refer to Chapter 9 of this guidance and the NPR for guidance 
on quantifying EAD for OTC derivative contracts, repo-style 
transactions, and eligible margin loans.
    136. For retail and wholesale exposures in which only the drawn 
balance has been securitized (e.g., a typical credit card 
securitization), the bank must reflect its share of the exposures' 
undrawn balances in EAD. The undrawn balances of exposures for which 
the drawn balances have been securitized must be allocated between the 
seller's and investors' interests on a pro rata basis, based on the 
proportions of the seller's and investors' shares of the securitized 
drawn balances.

[[Page 9113]]

    137. A number of methods can be used to estimate EAD. One common 
approach is based on loan equivalent exposure (``LEQ''), which is 
typically expressed as a percentage of the current total committed but 
undrawn amount.\6\ EAD can thus be represented as:
---------------------------------------------------------------------------

    \6\ This is frequently referred to as the credit conversion 
factor (CCF).
---------------------------------------------------------------------------

    EAD = current outstanding + LEQ x (total committed - current 
outstanding)

A. Data

    138. Like reference data sets used for ELGD and LGD estimation, EAD 
data sets typically contain only exposures to defaulted obligors, 
although data on troubled non-defaulted obligors also could be 
informative in estimation of these parameters. The same reference data 
are often used for ELGD, LGD and EAD quantification. In addition to 
relevant descriptive characteristics (referred to as ``drivers'') that 
can be used in estimation, the reference data must include historical 
information on the exposure (both drawn and undrawn amounts) as of some 
date prior to default, as well as the drawn exposure at the date of 
default.
    139. As discussed below under ``Estimation,'' EAD estimates may be 
developed using either a cohort method or a fixed-horizon method. The 
bank's reference data set should be structured so that it is consistent 
with the estimation method the bank applies. Thus, the data should 
include information on the total commitment, the undrawn amount, and 
the exposure drivers for each defaulted exposure, either at fixed 
calendar dates for the cohort method or at a fixed interval prior to 
the default date for the fixed-horizon method.
    140. The reference data should contain variables that enable the 
bank to group the exposures to defaulted obligors in meaningful ways. 
Banks should consider how a wide range of obligor and exposure 
characteristics affect EAD. Examples include time from origination, 
time to expiration or renewal, economic conditions, risk rating 
changes, or certain types of covenants. Some potential drivers may be 
linked to a bank's credit risk management skills, while others may be 
external to the bank.

B. Estimation

    141. To derive EAD estimates for lines of credit and loan 
commitments, characteristics of the reference data are related to 
additional drawings on an exposure up to and after the time a default 
event is triggered. Estimates of any additional extensions of credit 
expected by a bank subsequent to realization of a default event should 
be factored into the quantification of EAD. The estimation process 
should be capable of producing a plausible average estimate of draws on 
unused available credit (e.g., LEQ) to support the EAD calculation for 
each exposure or retail segment.
Example
    A bank determines that a business unit forms a homogeneous pool for 
the purposes of estimating EAD. That is, although the exposures in this 
pool may differ in some respects, the bank determines that the credit 
lines share a similar drawdown experience in default. The bank should 
provide reasonable support for this pooling through analysis of lending 
practices and available internal and external data.
    142. Two broad types of estimation methods are used in practice, 
the cohort method and the fixed-horizon method.
    143. Under the cohort method, a bank groups defaults into discrete 
calendar periods, such as a year. A bank may use a longer period if it 
provides a more accurate estimate of future gross losses arising from 
undrawn exposures. For retail exposures, the bank estimates the 
relationship between the balances for defaulted exposures at the start 
of the calendar period and at the time at default. For wholesale 
exposures, the bank estimates the relationship between the drivers as 
of the start of that calendar period and LEQ for each exposure to a 
defaulter. For each exposure category or retail segment (that is, for 
each combination of exposure drivers identified by the bank), an LEQ 
estimate could be based on the mean additional drawing for exposures in 
that category or segment as a proportion of the undrawn lines. One 
approach to combine results for multiple periods into a single long-run 
average would be weighting the period-by-period means by the proportion 
of defaults occurring in each period, so that each default receives 
equal weight.
    144. Under the fixed-horizon method, for each defaulted exposure 
the bank compares additional drawdowns to the gross committed but 
undrawn amount that existed at a fixed date prior to the date of the 
default (the horizon). For example, the bank might base its estimates 
on a reference data set that supplies the actual amount outstanding and 
any additional extensions along with the drawn and undrawn amounts (as 
well as relevant drivers) at a date a fixed number of months prior to 
the date of each default, regardless of the actual calendar date on 
which the default occurred. Estimates of LEQ for wholesale exposures 
are computed from the average drawdown proportions that occur over the 
fixed-horizon interval, for whatever combinations of the driving 
variables the bank has determined are relevant for explaining and 
predicting EAD. LEQs estimated for retail segments are computed from 
the increase in balances that occur over the fixed-horizon interval for 
the defaults in the segment relative to their credit limits. The time 
interval used for the fixed-horizon method should be sufficiently long 
to capture the additional drawdowns generated by exposures that default 
during the year for which the risk parameters are being estimated. In 
particular, the appropriate fixed interval will be influenced by 
charge-off policies. For example, using a six-month time interval for 
credit card loans would underestimate EAD.
Special Considerations for Retail EAD Estimation
    145. Different methods are used to estimate EAD for open credit 
lines. The LEQ method outlined in this guidance is one technique 
observed in practice. Other methods directly estimate the defaulted 
balances for a segment over a one-year window without taking the 
committed line limit into account. These other methods may be 
acceptable if the bank could show that the size of the line is not 
relevant given the other risk factors used in the analysis.
    146. EAD for a segment should accurately estimate the total 
exposure at default for the segment. Poor segmentation may result in 
inaccurate EADs. For example, if loans within a segment do not have 
homogenous risk characteristics because larger exposures are more 
likely to default than smaller exposures, then estimated EADs may be 
biased downward.
    S 4-23 Estimates of additional drawdowns must reflect net 
additional draws expected during economic downturn periods.
    147. Conceptually, banks should approach EAD quantification in a 
fashion parallel to LGD quantification with respect to the potential 
for volatility over the economic cycle. Specifically, estimates of net 
additional drawdowns should reflect what would be expected during 
economic downturn periods. Certain exposure types may not exhibit 
cyclical EAD variability; in these cases, use of a long-run default-
weighted average draw proportion used to derive EAD in the IRB risk-
based capital calculation is appropriate. But for exposure types for 
which drawdowns are expected to be larger when default rates are 
significantly higher than average EAD--estimates

[[Page 9114]]

should take into account this cyclical variability. In such cases, the 
estimated draw proportion used to derive the EAD input to the risk-
based capital calculation should exceed the long-run default-weighted 
average, and should be the bank's estimate of the net additional 
drawdown proportion per default expected during economic downturn 
conditions. For this purpose, banks may use averages of EADs observed 
during economic downturn periods, forecasts based on appropriately 
conservative assumptions, or other similar methods.

C. Mapping

    148. If the characteristics that drive EAD in the reference data 
are the same as those used for the risk rating or segmentation system 
of the bank's existing portfolio, mapping may be relatively 
straightforward. However, if the relevant characteristics are not 
available in a bank's existing portfolio, the bank will encounter the 
same mapping complexities that it does when mapping PD, ELGD, and LGD 
in similar circumstances.

D. Application

    149. In the application stage, the estimated relationship between 
risk drivers and EAD is applied to the bank's existing portfolio. 
Multiple reference data sets may be used for EAD estimation and 
combined at the application stage, subject to the general standards for 
using multiple data sets.
    S 4-24 Estimates of additional drawdowns prior to default for 
individual wholesale exposures or retail segments must not be negative.
    150. Analogous to the prior discussion of ELGD and LGD 
quantification, reference data sets used for estimation of additional 
drawdowns may contain individual negative drawdown observations and 
observations that exceed 100 percent of the undrawn line amount. 
Regardless, final estimates of additional drawdowns prior to default 
for individual wholesale exposures or retail segments must not be 
negative.

V. Maturity (M)

    151. A bank must assign an effective maturity (``M'') to each 
wholesale exposure in its portfolio; this measure is also referred to 
as ``average life.'' In general, M is the weighted-average remaining 
maturity, measured in years, of the cash flows that the bank expects 
under the contractual terms of the exposure, using the undiscounted 
amounts of the cash flows as weights. Alternatively, a bank may apply 
the nominal remaining maturity, measured in years, of the exposure. M 
is a direct calculation; as such it is not subject to the four stages 
of the quantification process.
    152. The data required to calculate M are the undiscounted amount 
and timing of each remaining contractual cash flow, measured in years 
from the date of the calculation. Specifically, M is calculated as the 
sum of all time-weighted cash flows, where the weights are equal to the 
fraction of the total undiscounted cash flow to be received at each 
date.
Example
    A bank holds an asset with two remaining contractual cash flows. 33 
percent of the total remaining contractual cash flow is expected at the 
end of one year and the other 67 percent is expected two years from 
today. For risk-based capital purposes, M for this asset could be 
calculated as: M = (1 x 0.33) + (2 x 0.67) = 1.67; or simply M = 2, 
applying the nominal remaining contractual maturity.
    153. The relevant cash flows are the future payments the bank 
expects to receive from the obligor, regardless of form; they may 
include payments of principal, interest, fees, or other types of 
payments depending on the structure of the transaction.
    154. For exposures with pre-determined cash flow schedules (fixed-
rate loans, for example), the calculation of the weighted-average 
remaining maturity is straightforward, using the scheduled timing and 
amounts of the individual undiscounted cash flows. Cash flows 
associated with other types of credit exposures may be less certain. In 
such cases, the bank should establish a method of projecting expected 
cash flows. In general, the method used for any exposure should be the 
same as the one used by the bank for purposes of valuation or risk 
management. The method should be well-documented and subject to 
independent review and approval. A bank should demonstrate either that 
the method used is standard industry practice, or that it is widely 
used within the bank for purposes other than risk-based capital 
calculations. A bank may use its best estimate of future interest rates 
to compute expected contractual interest payments on a floating-rate 
exposure, but it may not consider expected but non-contractually 
required returns of principal when estimating M.\7\
---------------------------------------------------------------------------

    \7\ Question 31 in the NPR requests comment on the 
appropriateness of permitting a bank to consider prepayments when 
estimating M, and on the feasibility and advisability of using 
discounted (rather than undiscounted) cash flows as the basis for 
estimating M.
---------------------------------------------------------------------------

    155. To be conservative, a bank may set M equal to the maximum 
number of years the obligor could take to fully discharge the 
contractual obligation (provided that the maximum is not longer than 
five years, as noted below). This maximum will often correspond to the 
stated or nominal maturity of the instrument. Banks should make this 
conservative choice (maximum nominal maturity) if the timing and 
amounts of the cash flows on the exposure cannot be projected with a 
reasonable degree of confidence.
    156. For repo-style transactions, eligible margin loans and over-
the-counter derivatives contracts subject to qualifying master netting 
agreements, the bank may compute a single value of M for the 
transactions as a group by weighting each individual transaction's 
effective maturity by that transaction's share of the total notional 
value subject to the netting agreement, and summing the result across 
all of the transactions.
    157. For risk-based capital calculations, the value of M for any 
exposure is subject to certain upper and lower limits, regardless of 
the exposure's actual effective maturity. The value of M should never 
exceed 5 years. If an exposure clearly has a greater effective 
maturity, the bank may simply use a value of M = 5 rather than 
calculating the actual effective maturity.
    158. For most exposures, the value of M should be no less than one 
year. For certain short-term exposures that are not part of a bank's 
ongoing financing of a borrower and that have an original maturity of 
less than one year, M must be greater than or equal to one day or to 
the nominal or effective remaining maturity.\8\
---------------------------------------------------------------------------

    \8\ Section 31(d)(7) of the NPR defines an exposure that is not 
part of a bank's ongoing financing of the obligor as one where the 
bank (1) has a legal and practical ability not to renew or roll over 
the exposure in the event of credit deterioration of the obligor, 
(2) makes an independent credit decision at the inception of the 
exposure and at every renewal or rollover, and (3) has no 
substantial commercial incentive to continue its credit relationship 
with the obligor in the event of credit deterioration of the 
obligor.
---------------------------------------------------------------------------

VI. Special Cases and Applications

A. Loan Sales

    S 4-25 Quantification of the risk parameters should appropriately 
recognize the risk characteristics of exposures that were removed from 
reference data sets through loan sales or securitizations.
    159. Loan sales and securitizations can pose substantial 
difficulties for quantification. For example, PDs might appear 
disproportionately low if loans are sold before their inherent long-
term

[[Page 9115]]

risk becomes manifest. Upwardly adjusting risk parameter estimates to 
account for sales or securitization would be particularly important for 
a bank that sells off primarily exposures that are performing poorly 
(for example, delinquent loans).
    160. When risk parameter estimates use internal historical data as 
reference data sets and the potential bias created by loan sales and 
securitizations is material, the bank should identify, by detailed risk 
characteristics, the loans sold out of the pool or portfolio. Any 
potential bias caused by removing these loans should be corrected.
    161. For banks with a history of regularly selling or securitizing 
loans of particular types, long-run performance data may be available 
from the servicers or trustees. Alternatively, banks may be able to 
estimate the performance of the loans sold or securitized by 
constructing comparable reference data sets with similar risk drivers 
using internal historical data from retained pools or external data.

B. Multiple Legal Entities

    162. Some banks have various portfolios that are centrally managed, 
even though the exposures are held by multiple legal entities. Certain 
activities, including ratings activities, segmentation and 
quantification, can be conducted across multiple legal entities. 
However, each bank member of the consolidated group must separately 
ensure that risk parameters assigned to its credit exposures are 
appropriate on a standalone basis. For example, if a particular bank 
within the banking group holds exposures with characteristics not 
representative of the broader consolidated organization (such as credit 
card loans originated through a specific marketing channel or mortgage 
loans in a certain location), the bank must ensure the quantification 
process produces PDs, ELGDs, LGDs, and EADs that reflect the risk 
associated with the exposures within that legal entity.
    163. Each bank (including each depository institution) within a 
banking group that has centrally managed quantification processes 
should perform periodic evaluations to confirm that its risk-based 
capital requirements accurately reflect its risk profile.

Appendix A: Illustrations of the Quantification Process for Wholesale 
Portfolios

    This appendix provides examples to show how the logical framework 
described in this guidance, with its four stages (data, estimation, 
mapping, and application), applies when analyzing quantification 
practices. The framework is broadly applicable--for PD, ELGD, LGD or 
EAD; using internal, external, or pooled reference data; for simple or 
complex estimation methods--although the issues and concerns that arise 
at each stage depend on a bank's approach. These examples are intended 
only to illustrate the logic of the four-stage IRB quantification 
framework, and should not be taken to endorse the particular techniques 
presented in the examples.

Example 1: PD Quantification From Bond Data

     A bank establishes a correspondence between its internal 
rating grades and external rating agency grades; the bank has 
determined that its Grade 4 is equivalent to \3\4\Ba and \1\4\B on the 
Moody's scale.
     The bank regularly obtains published estimates of mean 
default rates for publicly rated Ba and B obligors in North America 
from 1970 through 2002.
     The Ba and B historical default rates are weighted 75/25, 
and the result is a preliminary PD for the bank's internal Grade 4 
exposures.
     However, the bank then increases the PD by 10 percent to 
account for the fact that the Moody's definition of default differs 
from the IRB definition.
     The bank makes a further adjustment to ensure that the 
resulting rating grade PD is greater than the PD attributed to Grade 3 
and less than the PD attributed to Grade 5.
     The result is the final PD estimate for Grade 4.
Process Analysis for Example 1:
    Data--The reference data set consists of issuers of publicly rated 
debt in North America over the period 1970 through 2002. The data 
description is very basic: Each issuer in the reference data is 
described only by its rating (such as Aaa, Aa, A, Baa, and so on).
    Estimation--The bank could have estimated default rates itself 
using a database purchased from Moody's, but since these estimates 
would just be the mean default rates per year for each rating grade, 
the bank could just as well (and in this example does) use the 
published historical default rates from Moody's; in essence, the 
estimation step has been outsourced to Moody's. The 10 percent 
adjustment of PD is part of the estimation process in this case because 
the adjustment was made prior to the application of the agency default 
rates to the internal portfolio data.
    Mapping--The bank's mapping is an example of a rating grade 
mapping; internal Grade 4 is linked to the 75/25 mix of Ba and B. Based 
on the limited information presented in the example, this step should 
be explored further. Specifically, the bank should justify the 
appropriateness of the 75/25 mix.
    Application--Although the application step is relatively 
straightforward in this case, the bank does make the adjustment of the 
Grade 4 PD estimate to give it the desired relationship to the adjacent 
rating grades. This adjustment is part of the application stage because 
it is made after the adjusted agency default rates are applied to the 
internal rating grades.

Example 2: PD Quantification Using a Merton-Type Equity-Based Model

     A bank obtains a 20-year database of North American firms 
with publicly-traded equity, some of which defaulted during the 20-year 
period.
     The bank uses the Merton approach to modeling equity in 
these firms as a contingent claim, constructing an estimate of each 
firm's distance-to-default at the start of each year in the 
database.\9\ The bank then ranks the firm-years within the database by 
distance-to-default, divides the ordered observations into 15 equal 
groups or buckets, and computes a mean historical one-year default rate 
for each bucket. That default rate is taken as an estimate of the 
applicable PD for any obligor within the range of distance-to-default 
values represented by each of the 15 buckets.
---------------------------------------------------------------------------

    \9\ The term ``Merton approach'' is meant to include any 
structural credit risk model that values equity as a contingent 
claim, as promulgated in the seminal work of Merton and Black and 
Scholes.
---------------------------------------------------------------------------

     The bank next looks at all obligors with publicly-traded 
shares within each of its internal rating grades, applies the same 
Merton-type model to compute distance-to-default at quarter-end, sorts 
these observations into the 15 buckets from the previous step, and 
assigns the corresponding PD estimate.
     For each internal rating grade, the bank computes the mean 
of the individual obligor default probabilities and uses that average 
as the rating grade PD.
Process Analysis for Example 2
    Data--The reference data set consists of the North American firms 
with publicly-traded equity in the acquired database. The reference 
data are described in this case by a single variable, specifically an 
identifier of the specific distance-to-default range from the Merton 
model (one of the 15 possible in this case) into which a firm falls in 
any year.
    Estimation--The estimation step is simple: The average default rate 
is calculated for each distance-to-default

[[Page 9116]]

bucket. Since the data cover 20 years and a wide range of economic 
conditions, including downturn conditions, the resulting estimates 
satisfy the long-run average requirement.
    Mapping--The bank maps selected portfolio obligors to the reference 
data set using the distance-to-default generated by the Merton model. 
However, not all obligors can be mapped, since not all have traded 
equity. This introduces an element of uncertainty into the mapping that 
requires additional analysis by the bank: Were the mapped obligors 
representative of other obligors in the same rating grade? The bank 
should demonstrate comparability between the publicly-traded portfolio 
obligors and those not publicly traded. It may be appropriate for the 
bank to make conservative adjustments to its ultimate PD estimates to 
compensate for the uncertainty in the mapping. The bank also should 
perform further analysis to demonstrate that the implied distance-to-
default for each internal rating grade represented long-run 
expectations for obligors assigned to that rating grade; this could 
involve computing the Merton model for portfolio obligors over several 
years of relevant history that span a wide range of economic 
conditions.
    Application--The final step is aggregation of individual obligors 
to the rating grade level through calculation of the mean for each 
rating grade, and application of this rating grade PD to all obligors 
in the grade. The bank might also choose to modify PD assignments 
further at this stage, combining PD estimates derived from other 
sources, introducing an appropriate degree of conservatism, or making 
other adjustments.

Example 3: ELGD Quantification From Internal Default Data

     For each wholesale exposure in its portfolio, a bank 
records collateral coverage as a percentage, as well as which of four 
types of collateral applies.
     A bank has retained data on all defaulted exposures since 
1995. For each defaulted exposure in the database, the bank has a 
record of the collateral type within the same four broad categories. 
However, collateral coverage is only recorded at three levels (low, 
moderate, or high) depending on the ratio of collateral to EAD.
     The bank also records the timing and discounted value of 
recoveries net of workout costs for each defaulted exposure in the 
database.Cash flows are tracked from the date of default to a 
``resolution date,'' defined as the point at which the remaining 
balance is less than 5 percent of the EAD. A recovery percentage is 
computed, equal to the value of recoveries discounted to the date of 
default, divided by the exposure at default.
     For each cell (each of the 12 combinations of collateral 
type and coverage), the bank computes a simple arithmetic mean realized 
loss severity percentage as the mean of one minus the recovery 
percentage. One of the categories has a mean realized loss severity 
percentage of less than zero (recoveries have exceeded exposure on 
average), so the bank sets the loss rate at zero.
     The bank assigns each exposure in the existing portfolio 
to one of the 12 cells based on collateral type and coverage. As its 
ELGD, the bank applies the mean historical realized loss severity 
percentage for that cell plus an additional five percentage points to 
account for the bank's relatively small number of default 
observations--in relation to the total number of defaults in the 
reference data--from years with the largest default rates.
Process Analysis for Example 3
    Data--The reference data is the collection of defaults and 
associated loss amounts from the bank's historical portfolio. The 
reference data are described by the two categorical variables (level of 
collateral coverage and type of collateral). It would be important to 
determine whether the defaults over the past few years are comparable 
to defaults from the existing portfolio. One would also want to ask why 
the bank ignores potentially valuable information by converting the 
continuous data on collateral coverage into a categorical variable.
    Estimation--Conceptually, the bank is using a loss severity model 
in which 12 binary variables--one for each loan coverage/type 
combination--explain the percentage loss. The coefficients on the 
variables are just the arithmetic mean realized loss figures from the 
reference data.
    Mapping--Mapping in this case is fairly straightforward, since all 
the relevant characteristics of the reference data are also in the data 
system for the existing portfolio. However, the bank should determine 
whether the variables are being recorded in the same way (for example, 
using the same definitions of collateral types), otherwise some 
adjustment might be appropriate.
    Application--The bank is able to apply the loss severity model by 
simply plugging in the relevant values for the existing portfolio (or 
what amounts to the same thing, looking up the cell mean). The bank's 
assignment of zero ELGD for one of the cells merits special attention; 
while the bank represented this assignment as conservative, the 
adjustment does not satisfy the supervisory requirement that ELGD must 
exceed zero. A larger upward adjustment is necessary. Finally, the 
upward adjustment of the mean historical realized loss severity 
percentages to account for the relatively small influence of downturn 
conditions on the realizations may be appropriate but should be the 
outcome of a well-documented decision process supported by empirical 
analysis.

Appendix B: Illustrations of the Quantification Process for Retail 
Portfolios

Example 1: Quantification of Segment PD

    A bank that has been making indirect installment loans through 
furniture stores for a number of years. Seven years of internal data 
history are available, over a period that includes economic downturn 
conditions. The bank has segmented this portfolio over the entire 
period in a consistent manner: By bureau score, internal behavioral 
score and monthly disposable income. In addition, realized loss 
severities for this portfolio have demonstrated significant cyclical 
variability over the period covered by the bank's data history.
    The bank can empirically show that the participating furniture 
retailers, underwriting criteria, and collection practices have 
remained reasonably stable over the seven-year period, and the 
definition of default has been consistent with the IRB definition. 
However, there are frequent changes in the bank's products and in the 
borrowing population that affect the risk characteristics of its loans. 
Therefore, in quantifying PD the bank assigns more weight to recent 
data within the seven-year history. The segment PD is calculated as a 
weighted-average of the seven annual realized historical default rates 
with the assigned weights progressively lower for the earlier years of 
the sample.
Process Analysis for Example 1
    As discussed in the main chapter text, quantification processes 
need not be explicitly structured as four stages. The four-stage 
structure is a conceptual framework, and an analytical and 
implementation guide. However, as in other wholesale and retail 
examples, this bank's quantification process for PD can be interpreted 
in terms of the four-stage framework:

[[Page 9117]]

    Data--The bank's own seven-year historical data serve as the 
reference data.
    Estimation--Estimation consists of calculating a weighted-average 
of the annual default rates for each segment in the reference data.
    Mapping--Mapping consists primarily of ensuring that the 
segmentation schemes and the definition of default are consistent for 
the reference data and the bank's existing portfolio.
    Application--Application is a matter of using the PD estimate 
derived from the reference data for each segment of the existing 
portfolio in the risk-based capital formulas.

Example 2: Quantification of PD for First-lien Mortgages

     For the past four years, a mortgage lender has begun 
making loans in a geographic region that has experienced relatively 
lower default rates than the bank had experienced previously. The bank 
has fourteen years of internal data history. The bank has analyzed 
external mortgage data over the same time period and has identified 
risk characteristics that vary by geographic region (e.g., volatility 
of house prices in a region). Analysis of the internal reference data 
also indicates the importance of these geographic risk factors.
     The recent four-year period does not include economic 
downturn conditions, so the bank uses its full fourteen years of data 
history to reflect downturn conditions. To estimate the PD parameter 
over a long run of data history that is also comparable to the current 
portfolio, the bank develops a statistical model of the PD based on the 
combined internal and external performance history. The variables used 
as PD predictors include geographic risk factors such as the volatility 
of employment and house prices in the region. The model also includes 
borrower risk characteristics (credit score, debt-to-income ratio) and 
loan risk characteristics (loan-to-value ratio and tenor). Models are 
built for each major product type, such as fixed-rate and adjustable-
rate mortgages (FRM and ARM). The model results are robust according to 
standard statistical diagnostic tests, and the models have continued to 
perform satisfactorily in validations outside the development sample.
Process Analysis for Example 2
    Data--The existing portfolio of first-lien mortgages is segmented 
by region, LTV, credit score, tenor, mortgage type (fixed-rate or ARM), 
and debt-to-income ratio. For a given segment, the bank has historical 
data from its own portfolio. The reference data consist of fourteen 
years of internal performance history for loans originated between 1990 
and 2003. However, only four years of those internal data cover loans 
for the region of the country where the bank currently has a 
substantial mortgage portfolio. The internal data are supplemented by 
external mortgage data over the full fourteen year history (1990-2003).
    Estimation--The bank builds a set of statistical models for 
different product types in the portfolio (e.g., FRM and ARM). The 
models estimate segment PD as a function of the loan-to-value ratio, 
credit score, debt-to-income ratio, loan tenor, and measures the 
volatility of regional employment and house prices. The model is 
estimated on both the internal and external data.
    Mapping--Since the bank shifted a significant amount of its first-
lien mortgage business to a different region of the country with 
generally lower default rates starting only in 2000, the bank has only 
four years of internal historical data (2000-2003) reflecting the 
performance of its mortgage business in the new region. Its older 
internal data from 1990 to 1999 represent credit performance in higher-
risk regions. Therefore, the bank does not have sufficient historical 
data representing its current mortgage business to map directly, 
segment by segment, to estimate the PDs of the existing portfolio on 
the basis of the long-run average of the annual default rates of the 
comparable segments in the reference data.
    Instead, the bank has adopted the technique of building default 
prediction statistical models, based on internal and external data from 
the entire fourteen year history (before and since the change in the 
regional focus of the business in 2000) and using as causal, or 
independent, variables the risk drivers of mortgage default, including 
regional risk factors.
    In this framework, mapping consists of ensuring that the 
segmentation systems and definition of default for the two data 
historical data sets and the existing portfolio are all consistently 
applied in the process of deriving the values of the risk drivers used 
as inputs to the statistical models for each segment of the existing 
portfolio.
    Application--Application consists of using the estimated segment 
PDs produced by the statistical models as inputs into the residential 
mortgage formula for risk-based capital.

Example 3A: PD Estimation in Dollar Terms

    The text defines both the historical default rate and estimated PD 
in unit, or account, terms. That is, the number of defaults in a 
segment as a proportion of the number of exposures on the balance sheet 
at the beginning of the time period under analysis.
     Many banks, however, prefer to, or have historically 
calculated the default rate in terms of dollar losses. This example 
shows that it is possible to derive PDs from dollar loss rates that 
will equal the required unit-or account-based default rates. However, a 
bank choosing to derive a default rate or PD in this manner must 
segment its portfolio properly and in a sufficiently granular manner, 
and must ensure that its estimates of EAD are accurate. A credit card 
bank directly measures its average dollars of economic loss for each 
segment and uses the percentage of dollars defaulted, rather than the 
percentage of loans defaulted, to derive the estimate of PD. 
Specifically, the ratio employed is the gross dollar loss divided by 
the exposure at default (EAD) over a one-year time horizon. The bank 
estimates EAD for a segment as the current outstanding balances plus 
the expected drawdowns on open lines (including accrued but unpaid 
interest and fees at the time of default) if all accounts in the 
segment default.
     The bank uses the appropriate IRB definition of default.
     The bank segments exposures by size of credit line and 
credit line utilization as well as by credit score.
     The bank regularly validates the accuracy of the EAD 
estimates and the consistency of the percentage-of-dollars-defaulted 
measure with the account-based default rate.
Process Analysis for Example 3A
    Data--The historical reference data consist of measurements of the 
outstanding dollar balances and open credit lines for each segment at 
the beginning of the year. For accounts that defaulted over the 
following year, the gross defaulted balances (including accrued 
interest and fees) are also measured. The bank also tracks the number 
of accounts open at the beginning of the year in each segment and the 
number that default.
    Estimation--The bank's PD parameter is estimated as the long-run 
average of the one-year realized default rates in dollar terms, that is 
the gross balances of defaulted loans divided by the estimated EAD.
    The following table shows two segments of card exposures, both with

[[Page 9118]]

estimated default rates of 1 percent as measured from a single year of 
the historical reference data in the required manner in terms of 
numbers of accounts. In this case, the portfolio was segmented by 
average outstanding dollar balance and by average credit line per 
account. In addition, the EADs were estimated separately and accurately 
\10\ at the segment level, with the result that the dollar-denominated 
default rate (gross dollar loss / EAD) is equal to the unit-or account-
measured PD.
---------------------------------------------------------------------------

    \10\ In this example, EADs are estimated by way of the LEQ 
ratio. As discussed in the main chapter text, this is only one 
method of estimating EAD currently in use.
[GRAPHIC] [TIFF OMITTED] TN28FE07.000

    However, banks that attempt to estimate default rates or PDs in 
dollar terms from their historical reference data are often not as 
accurate as the example above, and they arrive at incorrect values. 
Most often, this results from insufficiently granular segmentation and 
consequent inaccuracy in the estimation of EADs.
    Because of the difficulties often encountered in dollar-denominated 
default and PD estimates, banks that choose this method should 
periodically demonstrate, as part of the validation of their PD 
quantification, that the dollar-derived PDs are essentially equal to 
those derived using an account-based definition.
    Mapping--Mapping involves linking segments in the reference data to 
segments in the existing portfolio based on the same drivers of default 
risk and drawdowns.
    Application--Application is generally a straightforward process, 
linking the estimates from segments in the reference data to segments 
in the existing portfolio.

Example 3B: Another Case of Dollar Estimates of PD

    Once again, a bank prefers to calculate default rates or PDs in 
dollar terms. However, this example is based on fixed loans rather than 
revolving lines of credit such as the credit cards in the previous 
example. Because of a critical segmentation factor, the dollar-based 
default rates will rarely if ever equal the correct unit- or account-
based rates.
     Using the cohort method for EAD discussed in the main 
chapter text, a bank calculates default rates or PDs as the accumulated 
gross dollar losses for each segment over the course of a year divided 
by the total outstanding dollar balances of the segment at the 
beginning of the year.\11\
---------------------------------------------------------------------------

    \11\ For simplicity, we assume no amortization of principal over 
the course of the year.
---------------------------------------------------------------------------

     The bank uses the appropriate IRB definition of default.
     The bank's segmentation is not particularly granular and 
uses few risk drivers, such that the average balance for those accounts 
defaulting tended to be much greater than those that did not.
Process Analysis for Example 3B
    Data--The bank has 5 years of internal data history for this 
particular portfolio, including numbers and dollar balances of accounts 
at the beginning of each year and the number and dollar balances of 
defaulted accounts in the course of each year. The data include 
economic downturn conditions.
    Estimation--Because of the inadequate degree of granularity, the 
average January 1 dollar balances of accounts that ultimately defaulted 
at any time within the following year typically exceeded the beginning 
balances of accounts that did not default. In this case, the dollar-
denominated PD (gross dollar losses divided by total beginning 
outstanding balances) consistently overestimated the correct (unit-
based) PD. (See first line of table below, representing a single year 
in the historical reference data.) Conversely, if the beginning 
balances of accounts that ultimately defaulted were smaller than those 
that did not default within the following year, an unusual situation, 
this measure consistently underestimated PD. (See second line of 
table.)
[GRAPHIC] [TIFF OMITTED] TN28FE07.001

    Mapping and Application--Since the estimation stage using this 
approach is very likely to be flawed, the quantification should not 
proceed to the mapping and application stages. Rather, the bank should 
revise its estimation to employ the required unit-or account-based 
methods of calculating historical default rates and of estimating PDs 
before proceeding to mapping and application.

Example 4: PD Quantification With Adjustments for Seasoning

     Realized default rates for a bank's credit card portfolio 
exhibit a characteristic time profile by age--a seasoning curve.'' 
Using data from the past five years, including economic downturn 
conditions, the bank estimates the shapes of a family of ``seasoning 
curves for specific products, loan characteristics, and borrower credit 
quality at origination.
     The bank presents analyses indicating that the seasoning 
curves can be reasonably specified by borrower credit quality at 
origination, and the bank regularly analyzes new cohorts to capture any 
changes in the curves over changing economic and market environments. 
Systematic changes are incorporated into new seasoning curves.

[[Page 9119]]

     The portfolio is segmented by borrower, product, and loan 
characteristics, including account age, or ``time on books.''
Process Analysis for Example 4
    Data--The reference data consists of five years of portfolio 
history, including economic downturn conditions. Supplemental data from 
earlier periods for similar products, borrower credit quality at 
origination, and loan type permit the estimation of annualized default 
rates over the remaining expected life of the loans.
    Estimation--It is necessary to calculate two different PDs for each 
segment of the portfolio: (1) The long-run average of one-year default 
rates from the historical reference data, in the same manner as for 
wholesale PDs, and (2) the estimated annualized cumulative default rate 
(``ACDR'') over the remaining expected life of the loans in the 
segment.
    If the ACDR is larger than the long-run average of one-year rates, 
then seasoning effects for this segment are deemed to be material, and 
the ACDR must be used as the estimated segment PD. \12\
---------------------------------------------------------------------------

    \12\ If the bank intends to sell or securitize the exposures in 
the segment within a 90-day time frame, the ``wholesale'' PD can be 
used even if the ACDR is greater than the long-run average. See the 
main chapter text for more details.
---------------------------------------------------------------------------

    For example, if the expected remaining life for a segment of cards 
that has been on the books for one year, based on historical data for 
defaults and attrition, is six years, and the estimated cumulative 
default rate over that period is five percent, the ACDR = 5/6 = 0.833. 
If, for the same segment, the five-year average of annual default rates 
from the historical reference data set is 0.75, then seasoning effects 
are deemed to be material and the bank must use 0.833 as the PD 
estimate for the coming (2nd) year.
    Mapping--The segmentation of the existing portfolio is the same as 
that employed for the reference data. This makes the mapping 
straightforward along the lines of product and loan characteristics and 
borrower credit quality.
    Application--At the application stage, either the ACDR or the long-
run average default rate estimated from the reference data is applied 
as the estimated PD to the segments in the existing portfolio 
respectively, depending on whether or not seasoning effects are deemed 
to be material.

Example 5: Guarantees for retail exposures

Guarantees on individual retail exposures

    The following are examples of retail guarantees that would qualify 
under Standard 4-4:
     Consider an exposure of $85,000 secured by property valued 
at $100,000. The guarantee covers all losses up to $85,000.
     The guarantee covers a pre-specified dollar amount of 
losses less than $85,000, for example a first loss position of $20,000.
     The guarantee covers a pre-specified pro rata (or 
proportional) share of all losses, for example up to 20 percent of the 
$85,000 exposure, or $17,000.
     The guarantee covers a pre-specified pro-rata or 
proportional share of losses, but the pre-specified pro rata share is 
defined in terms of the value of the property that secures the 
exposure. For example, in the case of the exposure cited above, the 
guarantee covers losses up to 12 per cent of the value of the 
collateral, or $12,000. (This case represents traditional Private 
Mortgage Insurance (PMI) for first lien residential mortgages, where 
insurance is typically required for loan-to-value (``LTV'') ratios 
above 80 percent; for LTVs up to 85 percent, the typical requirement is 
for PMI in an amount equal to 12 percent of the value of the property.)

Guarantees of Multiple Retail Exposures

    Guarantees of multiple retail exposures that involve tranching of 
the aggregate credit risk of the underlying exposures do not qualify 
under Standard 4-4. Such guarantees may qualify for treatment as 
synthetic securitizations (provided they meet all other requirements 
for securitization treatment) as specified in Standard 4-5 and 
succeeding paragraphs. Other guarantees of multiple retail exposures 
where there is no tranching of the aggregate credit risk, such as those 
in the following examples, may qualify under Standard 4-4:
     In some cases, a guarantee covers multiple retail 
exposures; however, coverage for each individual exposure meets all the 
requirements of Standard 4-4 and succeeding paragraphs and is 
consistent with any one of the four examples above. Furthermore, there 
are no additional limits, caps, or restrictions of any kind pertaining 
to the aggregate coverage. Such guarantees would meet the requirements 
as guarantees of individual retail exposures.
    --Consider a guarantee that covers multiple retail exposures, with 
a total exposure amount of $9.5 million secured by 100 residential 
properties each with a value of $100,000, thus an aggregate value of 
$10 million. The guarantee covers losses on each exposure up to an 
amount that will reduce the LTV on each exposure considered separately 
to 90 percent.
     Other guarantees on multiple retail exposures qualify 
under Standard 4-4, but only if they cover all or a pro rata, or 
proportional, share of all payments due on the aggregate exposure 
amount.
    --Consider the same multiple-exposure retail pool as before. There 
are 100 retail exposures with an aggregate exposure amount of $9.5 
million. The guarantee covers all losses on the underlying exposures up 
to the full $9.5 million aggregate exposure amount.
    --Once again, consider the pool of multiple retail exposures above. 
In this case, the guarantee covers a pro rata share of losses, for 
example 20 percent of the $9.5 million aggregate exposure, or $1.9 
million. (Alternatively, if the guarantee coverage had been pre-
specified as a dollar amount, say the first $1.9 million of losses, 
rather than a pro rata share of the aggregate losses, that guarantee 
would not reflect the benefits of retail credit risk mitigation 
treatment. Such guarantees of multiple retail exposures would need to 
meet the requirements set forth in Standard 4-5 in order to qualify for 
securitization treatment.)

Chapter 5: Wholesale Credit Risk Protection

Rule Requirements

    Part III, Section 22(e): Double default treatment. A bank must 
obtain the prior written approval of [AGENCY] under section 34 [of the 
NPR] to use the double default treatment.
    Part IV, Section 33: Guarantees and Credit Derivatives: PD 
Substitution and LGD Adjustment Treatments
    Part IV, Section 34: Guarantees and Credit Derivatives: Double 
Default Treatment
    1. This chapter supplements the detailed discussion of credit risk 
mitigation in the NPR by providing guidance on how banks may recognize 
contractual arrangements for exposure-level credit protection--eligible 
guarantees and eligible credit derivatives--that transfer risk to one 
or more third parties. Each of these forms of credit protection must 
meet certain specific standards of eligibility, as articulated in the 
NPR, for recognition of the associated risk mitigation.
    2. An important aspect of either of these types of credit 
protection is that they are implemented at the exposure-

[[Page 9120]]

level, reducing credit risk faced by the bank due to a specific 
exposure to an individual obligor. Banks may use similar mitigants--for 
example, portfolio credit derivatives--to transfer credit risk 
associated with groups of exposures or whole portfolios. While such 
contracts may make a valuable contribution to broader risk management 
within the bank, and may be appropriately considered in an assessment 
of overall capital adequacy, their effects are not recognized for IRB 
calculations of risk-based capital requirements except in limited 
circumstances.
    3. Exceptions are made for certain types of basket credit 
derivatives and securitization exposures. In addition, banks may 
recognize the benefits in IRB calculations of pool-level guarantees (or 
credit derivatives) that are the functional equivalent of an exposure-
by-exposure guarantee provided the following minimum conditions are 
met:
     The guarantee is an eligible guarantee.
     The contractual provisions of the guarantee must identify 
the specific exposures in the pool to which the guarantee applies.
     The guarantee must cover all or a pro-rata share of the 
pool's aggregate credit losses in a manner that ensures each individual 
exposure is provided the same level of loss protection under the 
guarantee.
     The guarantee must not contain cap provisions, 
deductibles, or other payout limitations that would effectively limit 
coverage.
    Once a bank demonstrates that the pool-level guarantee is the 
functional equivalent of an exposure-by-exposure guarantee, the 
benefits may be recognized in the IRB calculations using the credit 
risk mitigation framework as provided in the NPR and this document. 
This requires that the bank calculate its risk-based capital 
requirement for the pool on an exposure-by-exposure basis, as if the 
guarantee were applied at the level of each individual exposure.
    S 5-1 Risk-based capital benefits are only recognized for credit 
protection that transfers credit risk to third parties.
    4. Banks may recognize the risk-based capital benefits of credit 
protection associated with eligible guarantees and eligible credit 
derivatives from third parties. A bank may recognize the benefits of 
credit protection from a parent or sister company only if (a) the 
credit protection provider has the ability to fulfill its obligations 
to the bank independent of the financial support of the bank, and (b) 
the internal risk rating assigned to the affiliate fully excludes any 
support that is or may be derived from bank operations. Under no 
circumstances may a bank receive a risk-based capital benefit from 
credit protection from an internal department of the bank or from the 
bank's own subsidiary. Banks often manage credit risk through internal 
transactions that, while possibly structured in ways similar to 
guarantees or credit derivatives, do not in themselves result in a 
reduction of credit risk at the consolidated level. Such credit 
protection purchased internally may not be recognized for IRB purposes. 
Once the bank reliably demonstrates that the credit risk is ultimately 
transferred to a third party, for example through a matched offsetting 
contract, credit protection may be realized from the third party 
provider. However, if this protection provider is an affiliate, all of 
the above limitations apply.
    5. For wholesale exposures, credit risk mitigation from eligible 
guarantees and eligible credit derivatives is recognized through one of 
three mutually exclusive approaches. The approaches are identified by 
the primary mechanism through which risk mitigation is recognized: PD 
substitution, LGD adjustment, or the recognition of double-default 
benefits. Recognition is at the exposure level, so a bank may select 
among the three alternative approaches for each wholesale exposure, 
subject to the NPR and to relevant elements of the bank's internal 
policies and procedures.
    6. If a bank chooses to recognize credit protection through PD 
substitution, it substitutes the PD associated with the internal rating 
grade assigned to the protection provider in place of the PD of the 
obligor in the capital calculation. However, if the bank determines 
that this substitution overstates the degree of risk mitigation, a 
lesser adjustment may be made by using a PD associated with any 
internal rating grade inferior to that of the protection provider. Note 
that in either case, the PD applied is one that is associated with one 
of the bank's internal rating grades, determined in accordance with the 
bank's established processes for quantifying the default risk of those 
grades. Similar considerations apply in the case of double-default 
treatment; the PD for the protection provider used in the capital 
calculation should be the PD for an internal rating grade assigned to 
the protection provider.
    7. Under the LGD adjustment approach, the bank modifies the LGD 
assigned to the hedged exposure to reflect the risk mitigating effects 
of the credit protection, subject to limitations on the resulting risk 
weight as specified in the NPR. In determining the magnitude of any LGD 
adjustment, the bank should apply the general approach to IRB 
quantification developed elsewhere in this guidance; quantification of 
LGD adjustments for credit protection should reflect a rigorous 
application of standards no different from those that apply to LGD 
quantification generally.
    8. The NPR specifies various criteria that must be met in order for 
a bank to apply the double default treatment. Among those requirements 
are that a bank must have policies and processes to detect excessive 
correlation between the creditworthiness of the protection provider and 
the obligor for the hedged exposure. For example, the creditworthiness 
of a protection provider and an obligor would be excessively correlated 
if the obligor derives a high proportion of its income or revenue from 
transactions with the protection provider. Similarly, excessive 
correlation could arise from exposure to a common risk factor or set of 
risk factors, such as industry or region; in some cases a bank may be 
able to leverage other components of the bank's internal credit risk 
management processes to identify such dependence on common risk 
factors.
    9. A bank's choice among these approaches for reflecting the impact 
of credit protection for a given exposure should be made in accordance 
with specific criteria contained in a bank's credit policy. In addition 
to the specific eligibility requirements in the NPR and general 
consideration of the credit protection provider's ability and 
willingness to perform under the agreement, the criteria should include 
an assessment of the effect of the payout structure of the credit 
protection on the level and timing of recoveries. In some cases, the 
nature of the contractual arrangement reduces the likelihood that the 
bank will experience an obligor default (as defined within the IRB 
framework); in such cases, PD substitution (or double-default 
treatment, if applicable) is often more appropriate. In other cases, 
notably those in which the protection is likely to come into effect 
only after a default has occurred, it is more likely that the 
appropriate adjustment should be made through LGD.
    10. A bank recognizing risk mitigation from eligible guarantees or 
eligible credit derivatives should also have policies that ensure 
adequate control of any residual risks related to the use of such forms 
of credit protection.
    S 5-2 Banks must ensure that credit protection for which risk-based 
capital

[[Page 9121]]

benefits are claimed represents unconditional and legally binding 
commitments to pay on the part of the guarantors or counterparties.
    11. As specified in the NPR, forms of written third-party support 
that are conditional or are not legally binding are not recognized as 
credit risk mitigation. Refer to Standard 2-11 in the Wholesale Risk 
Rating Systems chapter of this guidance regarding the use of implied 
support as a rating criterion.
    12. In some instances, an eligible credit derivative may 
incorporate a reference asset that differs from the underlying asset 
for which a bank has acquired credit protection. A bank may recognize 
an eligible credit derivative that hedges an exposure that is different 
from the credit derivative's reference exposure used for determining 
the derivative's cash settlement value, deliverable obligation, or 
occurrence of a credit event only if:
     The reference exposure ranks pari passu (that is, equal) 
or junior to the hedged exposure; and
     The reference exposure and the hedged exposure share the 
same obligor (that is, the same legal entity) and legally enforceable 
cross-default or cross-acceleration clauses are in place.
    13. In such cases, a bank should evaluate and document the 
relationship between the reference asset and the hedged exposure to 
ensure that the reference asset is a reasonable proxy for the hedged 
exposure and is likely to behave in a similar manner upon the 
occurrence of a credit event.

Chapter 6: Data Management and Maintenance

Rule Requirements

    Part III, Section 22(i)(1): A bank must have data management and 
maintenance systems that adequately support all aspects of its advanced 
systems and the timely and accurate reporting of risk-based capital 
requirements.
    Part III, Section 22(i)(2): A bank must retain data using an 
electronic format that allows timely retrieval of data for analysis, 
validation, reporting, and disclosure purposes.
    Part III, Section 22(i)(3): A bank must retain sufficient data 
elements related to key risk drivers to permit adequate monitoring, 
validation, and refinement of its advanced systems.

I. Overview

    1. Banks using the IRB framework for risk-based capital purposes 
must have advanced data management and maintenance systems that support 
credible and reliable risk parameter estimates. This chapter describes 
how a bank should collect, maintain, and manage the data needed to 
support the other IRB system components for wholesale and retail 
exposures (e.g., risk rating and segmentation systems, the 
quantification process, and validation and other control processes), as 
well as the bank's broader risk management and reporting needs. 
Additional detail specific to wholesale and retail exposures is 
provided in the appendices to this chapter.
    2. While this chapter specifically addresses data management and 
maintenance systems for wholesale and retail exposures, the framework 
outlined in this chapter generally applies to all of a bank's advanced 
systems for credit risk as described in Chapter 1 of this guidance. In 
addition, specific data requirements for securitizations are described 
in Chapter 11.
    3. Banks may implement different data management and maintenance 
systems for wholesale and retail exposures. Within a bank, moreover, 
such data systems and processes may differ across business lines and 
countries. Therefore, the data structures and practices, and the 
precise data elements to be collected will be dictated by the features 
and methodology of the IRB system employed by each bank.
    4. Reference data requirements related to IRB quantification, which 
are discussed in Chapter 4 of this guidance, describe the minimum 
requirements for historical default and loss reference data using the 
best available data for quantification, inclusive of internal, external 
or pooled data sets. Best available data should include historical 
performance information necessary to accurately estimate risk 
parameters for exposures in the bank's existing portfolio. Reference 
data for quantification are likely to comprise a smaller subset of the 
internal data elements cited in this chapter because the objectives of 
ongoing internal data management cover a wider range of purposes, such 
as the development of risk ratings or segmentation and the validation 
of the IRB system. Data histories built from the internal data 
maintenance framework described in this chapter will gain growing 
significance in the risk parameter estimation process over time.

II. General Data Requirements

    S 6-1 Banks must collect and maintain sufficient data to support 
their IRB systems.
    5. While banks have substantial flexibility in designing their data 
management systems, the underlying principle in this guidance is that 
the data systems should be of sufficient depth, scope, and reliability 
to implement and evaluate the IRB system. The systems should be able to 
support the bank's ability to:
     Track obligors of wholesale exposures and to track 
wholesale exposures throughout their life cycle from origination to 
disposition;
     Capture all rating assignment data for wholesale 
portfolios, which include the significant quantitative and qualitative 
factors used to assign the obligor and loss severity ratings;
     Capture exposure and borrower characteristics and 
performance history for retail exposures over a historical time period;
     Capture all data for retail exposures necessary to develop 
the segmentation system and to assign exposures to segments;
     Develop internal risk parameter estimates;
     Validate risk parameter estimates;
     Validate the IRB system and processes;
     Refine the IRB system;
     Calculate risk-based capital ratios; and
     Produce internal and public reports.
    6. Data management and maintenance systems should enable banks to 
undertake necessary changes in their IRB systems and improve methods of 
credit risk management over time. Systems should be capable of 
providing detailed historical data and capturing new data elements for 
enhancing an IRB system. Given the importance of developing robust data 
histories in this process and the costs associated with collecting 
additional data at a later date, banks should err on the side of 
collecting not only data that they are currently using but also data 
that may potentially be useful to their IRB models or in validation 
processes.

A. Life Cycle Tracking for Wholesale Exposures

    S 6-4 For wholesale exposures, banks must collect, maintain, and 
analyze essential data for obligors and exposures. This should be done 
throughout the life and disposition of the credit exposure.
    7. Using a life cycle or ``cradle to grave'' concept for each 
obligor and exposure supports front-end validation, backtesting, system 
refinements, and risk parameter estimates. A depiction of life-cycle 
tracking follows:

[[Page 9122]]

[GRAPHIC] [TIFF OMITTED] TN28FE07.002

    8. Data elements must be recorded at origination and whenever the 
rating is reviewed, regardless of whether the rating is changed. Data 
elements associated with current and past ratings must be retained. 
These elements include:
     Key borrower and exposure characteristics;
     Ratings for obligors and exposures;
     Key factors used to assign the ratings;
     Person responsible for assigning the rating and model(s) 
used in that assignment;
     Date rating assigned; and
     Overrides to the rating and authorizing individual.
    At disposition, data elements should include:
     Nature of disposition: Renewal, repayment, loan sale, 
default, restructuring;
     For defaults: Exposure, actual recoveries, source of 
recoveries, costs of workouts and timing of recoveries and costs;
     Guarantor support;
     Sale price for loans sold; and
     Other key elements that the bank deems necessary.
    See Appendix A for examples of data elements that banks should 
collect and maintain under an IRB data management framework for 
wholesale exposures.

B. Rating Assignment Data for Wholesale Exposures

    S 6-3 Banks must capture and maintain all significant factors used 
to assign obligor and loss severity ratings.
    9. Assigning a rating to an obligor requires the systematic 
collection of various borrower characteristics, both quantitative and 
qualitative, because these factors are critical to validating the 
rating system. Obligors are rated using various methods, as discussed 
in Chapter 2. Each of these methods presents different challenges for 
input collection. For example, in judgmental rating systems, the 
qualitative factors used in the rating decision have not traditionally 
been explicitly recorded. For purposes of the IRB framework, to the 
extent qualitative factors play an important role in assigning ratings, 
banks should maintain these factors in a readily available database for 
validation purposes and to facilitate analysis to help banks improve 
the rating system over time.
    10. For loss severity estimates, banks should record the basic 
structural characteristics of exposures and the factors used in 
developing the loss severity rating or LGD estimate. These often 
include the seniority of the credit, the amount and type of collateral, 
the most recent collateral valuation date and the collateral's fair 
value.
    11. Banks should also track any overrides of the obligor or loss 
severity rating. Tracking overrides separately allows banks to identify 
whether the outcome of such overrides suggests either problems with 
rating criteria or too much discretion to adjust the ratings.
    12. Historical data, including rating histories on wholesale 
exposures, may be lost or irretrievable; for example, when exposures 
are acquired through mergers, acquisitions, or portfolio purchases. 
Banks are encouraged, whenever practical, to collect any missing 
historical data on rating assignment drivers and to re-rate the 
acquired obligors and exposures for prior periods. When retrieving 
historical data is not practical, banks may attempt to create a rating 
history by carefully mapping the legacy system and the new rating 
structure. Mapped ratings should be reviewed for accuracy. The level of 
effort placed on filling gaps in data should be commensurate with the 
size and significance of the exposures to be incorporated into the 
bank's IRB system.

C. Segmentation Data for Retail Exposures

    S 6-4 For retail exposures, banks must collect and maintain all 
essential data elements used in segmentation systems and the 
quantification process. The data must cover a period of at least five 
years and must include a period of economic downturn conditions, or the 
bank must adjust its estimates of risk parameters to compensate for the 
lack of data from periods of economic downturn conditions.
    13. Banks should maintain a minimum five-year exposure-level 
history of the entire retail portfolio, including all exposures and 
lines that were open at any time during this period. The standard above 
establishes key risk drivers used in the segmentation system and in the 
quantification of the risk parameters. However, banks should retain 
additional data elements that are used in their internal credit risk 
management systems. (See Appendix A of this chapter for examples of 
retail data elements.)
    14. For retail exposures, if the most recent period of economic 
downturn conditions occurred more than five years ago, banks should 
retain additional data to cover the downturn period. These data need 
not cover the period between the downturn period and the most recent 
five-year period. These data may be in the form of representative 
statistical samples of the portfolio rather than data from all 
exposures. The method of any sampling should be statistically sound and 
well-documented.
    15. Banks should gather and retain disposition data, including 
recovery data on defaulted exposures (e.g., date and dollar value of 
recoveries and collection expenses) sufficient to develop ELGD, LGD, 
and EAD estimates for retail exposures. For many banks, information 
related to recoveries and

[[Page 9123]]

collection expenses currently exists only at an aggregate level. These 
banks should develop interim solutions and a plan to improve exposure-
level data availability.
    16. For retail exposures, historical segmentation data can be lost 
or irretrievable; for example, when exposures are acquired through 
mergers, acquisitions, or portfolio purchases. In these cases, as an 
interim measure, banks should seek to obtain data from external sources 
to supplement internal data shortfalls. Alternatively, the reference 
data sometimes may be drawn from other sections of the portfolio, but 
only when the business lines, and exposure and borrower characteristics 
are sufficiently similar (for examples, see Chapter 3).

D. Outsourced Activities

    S 6-5 Banks should ensure that outsourced activities performed by 
third parties are supported by sufficient data to meet IRB 
requirements.
    17. Certain processes, such as loan servicing, broker and 
correspondent origination, collection, and asset management, may be 
outsourced to or otherwise involve third parties. The necessary data 
capture and oversight of risk management standards for these portfolios 
and processes should be carried out as if they were conducted 
internally.

E. Asset Sales

    S 6-6 Banks should maintain data to allow for a thorough review of 
asset sale transactions.
    18. It is important that banks be able to quantify the impact of 
asset sale activity on its IRB system. Documentation for these 
transactions should be sufficient for supervisors to determine how 
asset sale activity affects the integrity of the IRB system and the 
resulting risk-based capital calculation. For retail, asset sales may 
involve exposures from a variety of portfolio segments, and sale 
pricing may not be available at a granular level. A bank should be able 
to quantify the effect of removing a portion of the loans or other 
exposures from segments and the effect of such asset sale activity on 
risk parameter estimation.

III. Data Applications

A. Validation and Refinement

    19. The data elements collected by banks should facilitate meeting 
the validation standards described in Chapter 7. These standards 
include validating the bank's IRB system processes, including the 
``front end'' aspects, such as assigning ratings or risk drivers used 
for segmentation, so that issues can be identified early. The data 
should support efforts to identify whether raters and models are 
following rating criteria and policies and whether ratings are 
consistent across portfolios. In addition, data should support the 
validation of risk parameters, particularly the comparison of realized 
outcomes with estimates. For backtesting risk parameters, data on 
default and disposition characteristics should be thorough.
    20. Data for validation should be rich in scope and depth in order 
to provide insights on the performance of the IRB system. This can 
contribute to a learning environment in which refinements can be made 
to the systems. These potential refinements include enhancements to 
rating assignment controls, segmentation design, processes, criteria or 
models, IRB system architecture, and risk parameter estimates.

B. Applying IRB System Improvements Historically

    21. To maintain a consistent series of information for credit risk 
monitoring and validation purposes, banks should be able to take 
improvements they make to their risk rating systems for wholesale 
exposures and segmentation systems for retail exposures and apply them 
historically. Moreover, banks are encouraged to retain data beyond the 
minimum requirements because they should have robust historical 
databases containing key risk drivers and performance components over 
as long a historical period and as many variables as possible to 
facilitate the development and validation of better models and methods.
    See Appendix B for an example as to how a bank could apply new 
information to improve its risk rating system.

C. Calculating Risk-Based Capital Ratios and Reporting to the Public

    22. Data retained by the bank will be essential for risk-based 
capital calculations and public reporting under the Pillar 3 
disclosures. These uses underscore the need for a well-defined data 
management framework and strong controls over data integrity. Total 
exposures should be tied to systems of record and documentation should 
be maintained for this process for all reporting periods. Control 
processes and data elements themselves should also be subject to 
periodic verification and testing by internal auditors. Supervisors 
should rely on these processes and should also perform testing as 
circumstances warrant.
    23. This guidance should also be considered with the Proposed 
Agency Information Collections published by the Agencies on September 
25, 2006 for public comment along with the NPR. The notice contained 
information collection templates (FFIEC 101) and information about the 
components of reporting entities' risk-based capital, risk-weighted 
assets by type of credit risk exposure under the IRB framework, 
including templates for credit risk and definitions of the data 
elements contained therein. These templates will assist banks in 
determining their data retention needs related to the risk-based 
capital requirements for credit risk under the IRB framework.

D. Supporting Risk Management

    24. The information that can be gleaned from more extensive data 
collection will support a broad range of risk management activities. 
Risk management functions will rely on accurate and timely data to 
track credit quality, make informed portfolio risk mitigation 
decisions, and perform portfolio stress tests. Obligor and loss 
severity risk rating and segmentation data will be used to support such 
operations as internal capital allocation models, pricing models, ALLL 
calculations, and performance management measures. Summaries of these 
are included in reports to banks' boards of directors, regulators, and 
in public disclosures.

IV. Managing Data Quality and Integrity

    S 6-7 Banks should develop policies and controls around the 
integrity of the data maintained both internally and through third 
parties.
    25. Because data are collected at so many different stages 
involving a variety of groups and individuals, ensuring the quality of 
the data poses numerous challenges. For example:
     Qualitative risk-rating variables will have subjective 
elements and will be open to interpretation;
     Exposures will be acquired through mergers and purchases, 
but without an adequate and easily retrievable institutional rating 
history; and
     Data purchased from or maintained through third parties 
may not have controls similar to the bank's controls.
    Bank policies and controls should address these potential 
challenges. Specifically, banks should have policies employing change 
control management processes and practices to ensure the integrity of 
the data. In addition, banks should seek reasonable assurances from 
significant third-party providers concerning the integrity of the data.

[[Page 9124]]

A. Documentation and Definitions

    S 6-8 Banks should document the process for delivering, retaining, 
and updating inputs to the data warehouse and ensuring data integrity.
    S 6-9 Banks must maintain detailed documentation of changes to the 
data elements supporting the IRB system.
    26. Given the many challenges presented by data for an IRB system, 
the management of data should be formalized and banks should develop 
comprehensive definitions for their data elements. Fully documenting 
how the bank's flow of data is managed provides a means of evaluating 
whether the data management framework is functioning as intended. 
Moreover, banks should be able to communicate to persons developing or 
delivering various data the precise definition of the items intended to 
be collected. Consequently, a ``data dictionary'' and/or a ``data 
standards manual'' would ensure consistent inputs from business units 
and data vendors and would allow third parties (e.g., IRB system review 
process, auditors, or banking supervisors) to evaluate data quality and 
integrity.
    27. When changes are made to the IRB system and the supporting data 
elements, the source of any significant changes in the risk-based 
capital requirements should be documented. Therefore, it would be 
desirable to use change control management processes.

B. Electronic Storage and Access

    S 6-10 Banks must retain data using an electronic format that 
allows timely retrieval of data for analysis, validation, reporting, 
and disclosure purposes.
    28. To meet the significant data management challenges presented by 
the validation and control features of the IRB system, banks must store 
their data electronically. Banks will have a variety of storage 
techniques and potentially a variety of systems to create their data 
warehouses and data marts. The data architecture should be designed to 
be scalable to allow for growth in portfolios, data elements, history, 
and product scope. IRB data requirements can be achieved by melding 
together existing accounting, servicing, processing, workout and risk 
management systems, provided the linkages between these systems are 
well-documented and include sufficient edit and integrity checks to 
ensure that the data can be used reliably.
    29. Banks lacking electronic databases for wholesale exposures 
would be forced to resort to manual reviews of paper files for ongoing 
backtesting and ad hoc ``forensic'' data mining and would be unable to 
perform that work in the timely and comprehensive manner required of 
the IRB system. Forensic mining of paper files to build an initial data 
warehouse from the bank's credit history is encouraged. Paper research 
may sometimes be necessary to identify data elements or factors not 
originally considered significant in estimating the risk of a 
particular class of obligor or exposure. The time and expense of this 
recovery effort highlights the importance of collecting a broad array 
of variables during the initial design of the IRB data system.

Appendix A: Data Elements for Wholesale and Retail Exposures

    For illustrative purposes, the following section provides examples 
of the kinds of data elements banks should collect under an IRB data 
management and maintenance framework first for wholesale exposures and 
second for retail exposures.

A. Examples of Data Elements for Wholesale Exposures

General Descriptive Obligor and Exposure Data
    The data below could be from an exposure record or from various 
sources within the data warehouse. Data maintained for guarantors would 
be the same as that maintained for obligors.
Obligor/Guarantor Data
     General data: name, address, industry;
     ID number (unique for all related parent/sub 
relationships);
     Rating, date, and rater; and
     PD corresponding to rating.
General Exposure Characteristics
     Exposure amounts: committed, outstanding;
     Exposure type: term, revolver, bullet, amortizing, etc.;
     Purpose: acquisition, expansion, liquidity, inventory, 
working capital etc.;
     Covenants;
     Exposure ID number;
     Origination and maturity dates;
     Last renewal date;
     Obligor ID link;
     Rating, date and rater;
     ELGD;
     LGD; and
     EAD.
Rating Assignment Data
    The data below provide an example of the categories and types of 
data that banks should retain in order to continually validate and 
improve rating systems. These data items should tie directly to the 
documented criteria that the bank employs when assigning ratings. For 
example, rating criteria often include ranges of leverage or cash flow 
for a particular obligor rating. In addition, banks are encouraged to 
develop and record quantitative representations of qualitative factors 
(such as management effectiveness) in numeric form. For example, a 1 
may signify exceptionally strong management and a 5 very weak 
management. The rating data elements should be sufficient for 
evaluating the factors driving the rating decisions.
Quantitative factors in obligor ratings
     Asset and sale size; and
     Key ratios used in rating criteria:
    --Profitability;
    --Cash flow;
    --Leverage;
    --Liquidity; and
    --Other relevant factors.
Qualitative factors in obligor ratings
     Quality of earnings and cash flow;
     Management effectiveness, reliability;
     Strategic direction, industry outlook, position;
     Country factors and political risk; and
     Other relevant factors.
Third-party obligor ratings
     Public debt rating and trend; and
     External credit model score and trend.

Rating Notations

     Flag for overrides or exceptions; and
     Authorized individual who can change rating.
Key exposure factors in ELGD and LGD ratings
     Seniority;
     Collateral type (cash, marketable securities, AR, stock, 
RE, etc.);
     Collateral value and valuation date;
     Advance rates, LTV;
     Industry; and
     Geography.

Rating Notations

     Flag for overrides or exceptions; and
     Authorized individual who can change rating.
Final disposition data
    Many banks maintain subsidiary systems for their problem exposures 
with details recorded, at times manually, on systems that are not 
linked to the bank's central exposure or risk management systems. The 
unlinked

[[Page 9125]]

data are a significant hindrance in developing reliable risk parameter 
estimates.
    In advanced systems, the ``grave'' portion of obligor and exposure 
tracking is essential for producing and validating risk parameter 
estimates and is an important feedback mechanism for adjusting and 
improving these estimates over time. Essential data elements are 
outlined below.
Obligor/guarantor
     Default date; and
     Circumstances of default (e.g., nonaccrual, bankruptcy 
chapters 7-11, nonpayment).
Exposure
     Outstandings at default; and
     Amounts undrawn and outstanding plus time series prior to 
and through default.
Disposition
     Amounts recovered and dates (including source: cash, 
collateral, guarantor, etc.);
     Collection cost and dates;
     Discount factors to determine economic cost of collection;
     Final disposition (e.g., restructuring or sale);
     Sales price, if applicable; and
     Accounting items (charge-offs to date, purchased 
discounts).

B. Examples of Data Elements for Retail Exposures

Data Elements at Origination
     Customer identifiers, such as borrower name;
     External credit bureau attributes;
     Application attributes, such as income and financial 
information;
     Credit scores, including custom scores or generic scores;
     Other underwriting data used in the origination process;
     Score overrides and policy exceptions;
     Origination channel, such as a third-party vendor, 
telemarketing, direct mail, or Internet;
     Product type and loan terms, such as line amount, interest 
rate, payment terms, balance transfer amount, and reward programs;
     Collateral characteristics, such as appraised value, 
geographic location, and loan-to-value; and
     Guarantees or other credit risk mitigants, such as PMI.
Ongoing Data Elements
     Refreshed credit bureau attributes;
     Payment history and performance characteristics, including 
payments, draws, fees, NSF checks, delinquency, overlimit status, and 
utilization;
     Collections activity, including workout or forbearance 
programs, restructurings, payment deferrals, re-aging and other similar 
programs;
     Behavior scores;
     Transaction-level information;
     Account management activities, such as line increase or 
decrease programs, pricing adjustments, changes in payment requirements 
or fee structures, and reward programs;
     Updated borrower information; and
     Updated collateral information.
Collection and recovery information
     Default date;
     Loss severity information;
     Circumstances of default (e.g., nonaccrual, bankruptcy 
chapters 7-11, nonpayment);
     Outstandings at default;
     Amounts undrawn and outstanding plus time series prior to 
and through default;
     Amounts recovered and dates (including source: cash, 
collateral, guarantor, etc.);
     Collection cost and timing;
     Discount factors to determine economic cost of collection;
     Final disposition (e.g., restructuring or sale);
     Sales price, if applicable; and
     Accounting items (charge-offs to date, purchased 
discounts).

Appendix B: Applying Risk Rating System Improvements Historically

    In the example below for wholesale exposures, a bank experiences 
unexpected and rapid migrations and defaults in its rating grade 4 
category during 2006. Analysis of the actual financial condition of 
borrowers that defaulted compared with those that did not suggests that 
the debt-to-EBITDA range for its expert judgment criteria of 3.0 to 5.5 
is too broad. Research indicates that rating grade 4 should be 
redefined to include only borrowers with debt-to-EBITDA ratios of 3.0-
4.5 and that rating grade 5 should be 4.5-6.5. In 2007, the change is 
initiated, but prior years' numbers are not recast (see Exhibit A). 
Consequently, a break in the series prevents the bank from evaluating 
credit quality changes over several years and from identifying whether 
applying the new rating criteria historically provides reasonable 
results.
[GRAPHIC] [TIFF OMITTED] TN28FE07.003


[[Page 9126]]


    Recognizing the need to provide senior managers and board members 
with a consistent risk trend, the new criteria are applied historically 
to obligors in rating grades 4 and 5 (see Exhibit B). The original 
ratings assigned to the rating grades are maintained along with 
notations describing what the grade would be under the new rating 
criteria. If the precise weight an expert has given one of the 
redefined criteria is unknown, banks are expected to make estimates on 
a best efforts basis. After the retroactive reassignment process, the 
bank observes that the mix of obligors in rating grade 5 declined 
somewhat over the past several years while the mix in rating grade 4 
increased slightly. This contrasts with the trend identified before the 
retroactive reassignment. The result is that the multiyear transition 
statistics for rating grades 4 and 5 provide risk managers a clearer 
picture of risk.
[GRAPHIC] [TIFF OMITTED] TN28FE07.004

    This example is based on applying ratings historically using data 
already collected by the bank. However, for some risk rating system 
refinements, banks may in the future identify drivers of default or 
loss that might not have been collected for borrowers or exposures in 
the past. That is why banks are encouraged to collect data that they 
believe may serve as stronger predictors of default in the future. For 
example, certain elements of a borrower's cash flow might currently be 
suspected of overstating the operational health of a particular 
industry. In the future, should a bank decide to reduce the weight 
given to cash flow for this overstatement, resulting in a downgrade of 
many obligor ratings, the bank that collected these data could apply 
this rating change to prior years. This would provide a consistent 
picture of risk over time and also present opportunities to validate 
the new criteria using historical data. Recognizing that banks will not 
be able to anticipate fully the data they might find useful in the 
future, banks are expected to reassign rating grades on a best efforts 
basis when practical.

Chapter 7: Controls and Validation

Rule Requirements

    Part III, Section 22(a)(2): The systems and processes used by a 
bank for risk-based capital purposes under [the NPR] must be consistent 
with the bank's internal risk management processes and management 
information reporting systems.
    Part III, Section 22(j)(2): The bank's board of directors (or a 
designated committee of the board) must at least annually evaluate the 
effectiveness of, and approve, the bank's advanced systems.
    Part III, Section 22(j)(3): A bank must have an effective system of 
controls and oversight that:
    (i) Ensures ongoing compliance with the qualification requirements 
[in the NPR];
    (ii) Maintains the integrity, reliability, and accuracy of the 
bank's advanced systems; and
    (iii) Includes adequate governance and project management 
processes.
    Part III, Section 22(j)(4): The bank must validate, on an ongoing 
basis, its advanced systems. The bank's validation process must be 
independent of the advanced systems' development, implementation, and 
operation, or the validation process must be subjected to an 
independent review of its adequacy and effectiveness. Validation must 
include:
    (i) The evaluation of the conceptual soundness of (including 
developmental evidence supporting) the advanced systems;
    (ii) An on-going monitoring process that includes verification of 
processes and benchmarking; and
    (iii) An outcomes analysis process that includes backtesting.
    Part III, Section 22(j)(5): The bank must have an internal audit 
function independent of business-line management that at least annually 
assesses the effectiveness of the controls supporting the bank's 
advanced systems and reports its findings to the bank's board of 
directors (or a committee thereof).

I. Overview

    1. A bank must have a system of controls that ensures that the 
components of the IRB system are functioning effectively. This chapter 
provides guidance on the essential elements of an effective control 
environment for an IRB system for wholesale and retail exposures, 
including independent review processes, a comprehensive validation 
process, and an internal audit review and reporting process.
    2. While this chapter specifically addresses the control framework 
supporting a bank's IRB systems for wholesale and retail exposures, the 
framework outlined in this chapter generally applies to all of a bank's 
advanced systems for credit risk as described in Chapter 1 of this 
guidance.

[[Page 9127]]

In addition, specific validation requirements for certain counterparty 
credit risk transactions, equity exposures, and securitization 
exposures are provided in Chapters 9, 10, and 11, respectively.
    S 7-1 Banks must have an effective system of controls that ensures 
ongoing compliance with the qualification requirements, maintains the 
integrity, reliability, and accuracy of the IRB system, and includes 
adequate governance and project management processes.
    3. An accurate and reliable IRB system will allow bank management 
to make informed risk management and capital management decisions. 
While banks have flexibility in determining how integrity in the IRB 
system is achieved, the control framework that supports the IRB system 
should be constructed to ensure that the IRB system's design and 
performance are effective and that it continues to operate as intended.
    4. The specific IRB-system controls, as outlined in this chapter as 
well as in Chapter 1 of this guidance, should be part of a broader 
control infrastructure that embodies more generic control principles 
such as dual controls, separation of duties, and appropriateness of 
incentives that enable prudential corporate oversight.
    S 7-2 Control processes should be independent and transparent to 
supervisors and auditors.
    5. The objective of independence is to ensure the integrity of the 
IRB system. When independence is not fully achieved, there should be 
compensating controls to confirm that actions and conclusions are not 
compromised.
    6. Independence can be achieved structurally with organizational 
separation, or functionally, through policy and/or incentive based 
separation. For example, reviews performed by individuals who are not 
structurally independent could be acceptable as functionally 
independent reviews if the structure does not inhibit an objective 
evaluation. In these cases, job responsibilities and reporting 
relationships should be assessed to determine if they present any 
inherent conflicts that could impede conducting an effective review. 
Banks should consider a variety of factors when designing a control 
structure to adequately address independence, including:
     Expertise and experience of individuals conducting control 
activities;
     Potential for conflicts of interest and influence that 
could compromise the effectiveness of controls;
     Incentives for individuals that perform critical reviews;
     Separation of duties (individuals should not review their 
own work); and
     Fully documenting all aspects of the control structure to 
ensure it can be understood and evaluated by supervisors and auditors.

II. Reviews of the IRB System

    S 7-3 The annual assessment of the IRB system presented to the 
board of directors should be supported by the bank's comprehensive and 
independent reviews of the IRB system.
    7. As discussed in Chapter 1, the bank's board of directors must at 
least annually evaluate the effectiveness of, and approve, the bank's 
advanced systems for credit risk. To do so, the board should be 
provided with information that would enable it to conclude, with 
reasonable assurance, that management has appropriate processes and 
controls in place that support an effective IRB system. This 
information should include results from the bank's comprehensive and 
independent reviews of the IRB system.
    8. The bank's independent review process may be tailored to the 
bank's management and oversight framework. The objective of these 
reviews should be to evaluate compliance with the requirements in the 
NPR and this supervisory guidance and to measure the effectiveness of 
the IRB system's design and operation. The review should include all 
components of the IRB system:
     Risk rating and segmentation systems;
     Quantification process, particularly the selection of 
reference data sets and risk parameter estimation techniques;
     Ongoing validation process;
     Data management and maintenance system that supports the 
IRB system; and
     Control infrastructure supporting the IRB system.
    9. Responsibility for the review process could be distributed 
across multiple areas or housed within one unit, so long as the bank 
can demonstrate that the review process provides a comprehensive and 
objective assessment of the areas reviewed. Individuals performing the 
reviews should possess the requisite technical skills and expertise.
    10. Validation will encompass some of the IRB system review 
standards described above. However, to the extent that validation or 
other control functions do not address a component of the IRB system or 
if they do not meet the independence requirements, a separate 
independent review of business-line management, risk management, and 
internal audit should be conducted as applicable. The validation 
activities, which are the evaluation of conceptual soundness (including 
developmental evidence), ongoing monitoring (i.e., process verification 
and benchmarking), and outcomes analysis (backtesting), are described 
in more detail later in this chapter.
    S 7-4 Validation activities must be conducted independently of the 
advanced systems' development, implementation, and operation, or 
subjected to an independent assessment of their adequacy and 
effectiveness.
    11. The developmental evidence supporting risk rating and 
segmentation systems' design and quantification is generally compiled 
by the systems' designers. This evidence should be subject to an 
ongoing substantive independent assessment by qualified staff. This 
independent review should be conducted at the time of system 
development and then updated whenever significant changes in 
methodology, data, or implementation occur.
    12. Furthermore, when process verification, benchmarking, or 
outcomes analysis (backtesting) activities are not completed by 
individuals independent of the risk rating and segmentation systems' 
design or use, these activities must be the focus of an ongoing 
substantive independent assessment. Responsibility for the assessment 
of developmental evidence and ongoing validation may be drawn from a 
variety of organizational structures provided functional independence 
and sufficient expertise are demonstrated.

III. Consistency Between IRB Systems and Risk Management Processes

    S 7-5 The systems and processes used by a bank for risk-based 
capital purposes must be consistent with the bank's internal risk 
management processes and management information reporting systems.
    13. The systems and processes a bank uses for risk-based capital 
purposes must be consistent with the bank's internal credit risk 
management processes and management information reporting systems such 
that data from the latter system and processes can be used to verify 
the reasonableness of the risk parameter inputs the bank uses for risk-
based capital purposes.
    14. The wholesale risk ratings used for risk-based capital purposes 
should be consistent with those used to guide day-to-day wholesale 
credit risk management activities. Wholesale risk ratings for IRB 
purposes should be

[[Page 9128]]

incorporated into and be consistent with a bank's credit risk 
management, internal capital assessment and planning, and corporate 
governance processes. The different uses and applications of the risk 
rating systems' outputs should promote greater accuracy and consistency 
of ratings across an organization. Banks should demonstrate that 
ratings used for IRB purposes are consistent with the bank's internal 
credit risk management processes.
    15. The risk drivers used for IRB retail segmentation should be 
consistent with those used to guide day-to-day retail credit risk 
management activities. Risk drivers for IRB segmentation purposes 
should correspond to risk drivers used as part of the overall credit 
risk management of business lines. Banks should demonstrate that the 
risk drivers used for IRB segmentation purposes are consistent with 
those used in its day-to-day planning, execution, and monitoring of 
retail lending activities. However, the IRB segmentation criteria do 
not have to be identical to those used in credit risk management.
    16. Risk parameters used for credit risk management should be 
consistent with the IRB risk parameters. Banks will be afforded some 
flexibility in their use of estimated risk parameters, since the 
estimates prescribed for risk-based capital purposes may not be 
appropriate for other uses. For example, the PDs used to estimate loan 
loss allowances could reflect current economic conditions that are 
different from the long-term averages appropriate for risk-based 
capital calculations. While risk parameters used for internal risk 
management purposes could be different from those used for risk-based 
capital purposes, banks should be able to demonstrate that the IRB 
measures of credit risk are consistent with similar measures used in 
internal credit risk management.

IV. Internal Audit

    S 7-6 Internal audit must, at least annually, assess the 
effectiveness of the controls supporting the IRB system and report its 
findings to the board of directors (or a committee thereof).
    17. A bank must have an internal audit function that is independent 
of business line management and that assesses at least annually the 
effectiveness of the controls supporting the IRB system and reports its 
findings to the board of directors (or its designated committee). At 
least annually, internal audit should review the validation process 
including procedures, responsibilities, appropriateness of results, 
timeliness, and responsiveness to findings. Further, internal audit 
should evaluate the depth, scope, and quality of the independent review 
processes and conduct appropriate testing to ensure that the 
conclusions of these reviews are well founded.

V. Validation Activities

    18. Validation is an ongoing process that includes the review and 
monitoring activities that verify the accuracy of the risk rating and 
segmentation systems and the quantification process. The components of 
validation include evaluation of conceptual soundness (including 
developmental evidence), ongoing monitoring, and outcomes analysis.

A. General Validation Requirements

    S 7-7 A bank's validation policy should cover the key aspects of 
risk rating and segmentation systems and the quantification process.
    19. The validation policy should be approved by the bank's senior 
management, and should:
     Describe the validation process;
     Outline the documentation requirements;
     Assign responsibilities;
     Outline the process for corrective actions; and
     Be updated periodically to incorporate new developments in 
validation practices and to ensure that validation methods remain 
appropriate.
    S 7-8 Validation must assess the accuracy of the risk rating and 
segmentation systems and the quantification process.
    20. The accuracy of risk rating and segmentation systems and the 
quantification process is measured by determining whether the:
     Assignment of exposures to risk ratings or segments has 
been implemented as designed;
     Performance data show that the risk rating or segmentation 
systems adequately differentiate risk over time;
     Migration of wholesale risk ratings is consistent with the 
bank's rating philosophy;
     Retail segmentation system separates exposures into stable 
and homogeneous segments; and
     Actual default, loss severity, and exposure experience of 
each rating grade or segment is consistent with risk parameter 
estimates.
    21. Some differences between observed outcomes for individual 
ratings or specific retail segments and the estimated risk parameters 
are expected. Risk parameter estimates should reflect a degree of 
conservatism appropriate for the inherent uncertainty in the bank's 
quantification process. As such, observed outcomes should not 
consistently or significantly exceed risk parameter estimates. This 
applies to each of the following:
     Actual long-run average default rates for each rating 
grade or segment and the assigned PD estimates;
     Actual long-run average economic loss rates on defaulted 
exposures and the assigned ELGD estimates;
     The economic loss rates on defaulted exposures during 
actual economic downturn conditions and the assigned LGD estimates; and
     The exposure size of defaulted exposures during actual 
economic downturn conditions and the assigned EAD estimates.
    Bias that results in a reduction of risk-based capital requirements 
should receive immediate attention from management.
    S 7-9 Validation processes for risk rating and segmentation 
systems, and the quantification process must include the evaluation of 
conceptual soundness, ongoing monitoring, and outcomes analysis.
    22. Validation should be designed to give the greatest possible 
assurances of the accuracy of the risk rating and segmentation systems 
and the quantification process. Three activities must be carried out:
     Evaluating conceptual soundness using developmental 
evidence--determining whether the approach is sound;
     Ongoing monitoring--verifying the process and comparing 
results to other sources of data or estimates (benchmarking); and
     Outcomes analysis--comparing actual outcomes with 
estimates by backtesting and other methods.
    These integral, ongoing activities must evaluate both internally 
and externally developed risk rating and segmentation systems, models, 
and the quantification process.
    23. Validation processes, especially outcomes analysis, should 
recognize that realized outcomes for default, loss severity, and 
additional drawdowns can vary in a systematic fashion with the economic 
cycle. Thus, realized outcomes for a given risk parameter can vary 
around the estimate of long run average. A bank's validation policy 
should specify how realized outcomes are expected to vary with the 
economic cycle given the design of the IRB system. For example, given a 
bank's obligor rating system design, a bank might expect realized 
defaults to be systematically below the PD estimate during good states 
of the economic cycle and systematically above the PD

[[Page 9129]]

estimate during bad states of the economic cycle. This should be 
specified in the policy documentation. Realized outcomes for loss 
severity are not directly comparable with LGD estimates unless an 
economic downturn is experienced. Nonetheless, outcomes analysis for 
conditions less severe than an economic downturn can shed light on the 
validity of the LGD quantification process.

B. Validation Activities

Evaluating Conceptual Soundness using Developmental Evidence
    24. Developmental evidence is the primary mechanism used to 
evaluate the conceptual soundness of the IRB system. The developmental 
evidence for risk rating and segmentation systems, and the 
quantification process should include documentation and empirical 
evidence supporting the methods used and the variables selected in the 
design and quantification of the IRB system. Where models are used, the 
evidence should include documentation and a description of the logic 
that supports the model and an analysis of any statistical model-
building techniques.
    25. Developmental evidence supporting the risk rating system should 
include the reasons the system was selected over other systems. Other 
developmental evidence should at a minimum describe the bank's obligor 
ratings approach and ratings philosophy, the mapping methodology, and 
the use and design of facility ratings or loss severity estimates.
    26. In supporting the segmentation system, developmental evidence 
should describe the statistical design of the segmentation system and 
the selection of risk drivers. Additionally, it should explain why the 
system was selected over other segmentation approaches.
    27. Developmental evidence supporting a bank's quantification 
process should address each aspect of the quantification process, 
whether the process explicitly delineates the four stages of 
quantification or implicitly incorporates the stages.
    28. Developmental evidence is more persuasive when it includes 
empirical evidence. Developmental evidence in support of any model used 
in the risk rating and segmentation systems or the quantification 
process should include documentation and a discussion of the logic that 
supports the model, an analysis of any model-building techniques, 
sensitivity analysis (analysis of outcome sensitivity with respect to 
model input changes and model breakdown points), and an assessment of 
forecast quality. Models should be supported by evidence that they work 
well across reference data sets. Use of a ``holdout'' sample is a good 
model-building practice to ensure that a model is robust. It is 
possible to perform several out-of-sample tests by varying the holdout 
samples.
    29. Empirical developmental evidence for a judgmental rating system 
will likely be derived differently than such evidence for a model-
driven system. One approach to capture empirical developmental evidence 
for analysis might entail having qualified, independent raters rate 
credits from prior periods. Ideally, the raters would not be familiar 
with the circumstances of the disposition of the credits (e.g., 
default, downgrade, upgrade, paid as agreed, etc.) and would only use 
information available to the original rater(s) at the time the credits 
were underwritten and subsequently reviewed. These retrospective 
ratings could then be compared to the outcomes to determine whether the 
ratings adequately differentiate risk. Conducting such tests may be 
difficult if historical data sets do not include a sufficient amount of 
the information actually used when a rating was assigned. Careful 
consideration should be given to future data needs and anticipated uses 
for validation, even if some variables are not used in the current 
model.
    S 7-10 Banks must evaluate the developmental evidence supporting 
the risk rating and segmentation systems and the quantification 
process.
    30. Evaluating developmental evidence involves assessing how well 
the risk rating and segmentation systems and the quantification process 
are designed and constructed. The review of developmental evidence 
should determine whether:
     Risk rating systems can be expected to accurately assess 
obligor and facility risk;
     Segmentation systems can be expected to separate exposures 
into segments with homogenous risk characteristics and to allow for the 
accurate measurements of risk within segments over time; and
     The quantification process can be expected to accurately 
estimate PDs, ELGDs, LGDs, and EADs.
    31. Developmental evidence should be reviewed whenever the bank 
makes material changes in its risk rating and segmentation systems or 
quantification process.
    32. Evaluation of developmental evidence includes comparisons of a 
bank's implemented framework with alternatives considered in the 
development process and the reason the bank selected the chosen 
framework. For retail portfolios, data may be available on alternative 
risk drivers for segmentation, and developmental evidence should 
include the empirical analysis conducted to choose between risk 
drivers.
    33. The development of risk rating and segmentation systems and the 
quantification process requires developers to exercise informed 
judgment. Whether the developmental evidence is sufficient will itself 
be a matter of expert opinion. Even if a system is model-based, an 
evaluation of developmental evidence will entail judging the merits of 
the model-building technique. Expert judgment is essential to the 
evaluation of the risk rating and segmentation systems and the 
quantification process development. Experts should be able to draw 
conclusions about the likelihood of the satisfactory performance of an 
implemented system.
Ongoing Monitoring: Process Verification and Benchmarking
    34. The second component of the validation process for risk rating 
and segmentation systems and the quantification process is ongoing 
monitoring. The objective of ongoing monitoring is to confirm that the 
processes were implemented appropriately and continue to perform as 
intended. Such analysis involves process verification and benchmarking.
    S 7-11 Banks must conduct ongoing process verification of the risk 
rating and segmentation systems and the quantification process to 
ensure proper implementation and operation.
    35. Process verification encompasses a range of activities that are 
used to assess whether all internal risk rating and segmentation 
processes, as well as all quantification processes, are being used, 
monitored, and updated as designed and intended. It includes 
determining that data essential to these processes have appropriate 
integrity, and that all elements of these processes continue to be 
appropriate to the nature of the bank's exposures. Process verification 
should also ensure that identified deficiencies are corrected.
    36. Verification activities will vary depending on the risk rating 
and segmentation systems and quantification approaches and their 
related guidelines. Verification that data are accurate and complete is 
important for all IRB systems and applies to both internal and external 
data, including the data provided by a third party.
    37. For models-based risk rating and segmentation, verification 
includes an evaluation of the automated assignment

[[Page 9130]]

processes, such as verification of the correct computer coding of the 
model and data inputs. For expert-judgment and constrained-judgment 
risk rating systems, verification includes an evaluation of whether the 
rater adhered to the rating policy and criteria, given the information 
available to the rater and the documented rationale for the rating 
decisions.
    38. Process verification of risk rating and segmentation systems 
includes monitoring and analysis of overrides. An override is a generic 
term that may have different meanings in different contexts. Two types 
of overrides are discussed below.
     ``Judgmental overrides'' occur when judgments are made to 
reject the decision of an objective process, such as a model or 
scorecard, which rates a wholesale obligor, assigns an exposure to 
loss-severity rating grade, or assigns an exposure to a retail segment; 
judgmental overrides are an explicit component of such a rating 
system's design. As a matter of policy in a constrained judgment rating 
system for wholesale lending, a rater is generally allowed to adjust or 
override the results of a statistical rating model. For retail lending, 
the assignment of an exposure to a segment could be overridden, but 
such overrides generally are rare.
     ``Policy overrides'' refer to exceptions to bank policy 
with regard to risk rating assignment or segmentation. In the case of 
pure models-based rating and segmentation systems, an override would be 
considered to override policy. In a constrained judgment model, a 
policy override would occur when a rating is assigned by judgmental 
decision that does not conform to the bank's rating criteria. Overrides 
outside of policy are expected to be rare.\13\
---------------------------------------------------------------------------

    \13\ Another common use of overrides in retail lending, not 
included in this context, relates to underwriting decisions. ``Low 
side'' overrides approve applications that would normally be 
rejected and ``high side'' overrides reject applications that would 
normally be approved.
---------------------------------------------------------------------------

    39. Frequent overrides may call into question aspects of the risk 
rating or segmentation system. Overrides and adjustments should be 
monitored and the performance of ratings that have been adjusted or 
overridden should be tracked for both the validation of rating and 
segmentation systems and the IRB system as a whole. Banks should have a 
policy addressing criteria for judgmental overrides and tolerance 
levels for policy overrides. The frequency of overrides will depend 
upon the portfolio, the risk rating and segmentation design, and a 
bank's practices.
    S 7-12 Banks must benchmark their risk rating and segmentation 
systems, and their risk parameter estimates.
    40. Benchmarking is using alternative methods or alternative data 
to draw inferences about the appropriateness of ratings, segments, risk 
parameter estimates or model outputs before outcomes are actually 
known. Benchmarking is a useful validation method that can be applied 
to all rating, segmentation, and quantification processes.
    41. Benchmarking allows a bank to compare the consistency of its 
risk parameter estimates with those of other estimation techniques and 
data sources. Benchmarking can be a valuable diagnostic tool for 
uncovering potential weaknesses in a bank's quantification process. 
While benchmarking allows for inferences about the accuracy of the risk 
rating and segmentation systems, and the risk parameter estimates, it 
does not substitute for backtesting. When differences are observed in 
the benchmarking exercise, this does not necessarily indicate that the 
risk rating and segmentation systems, or the risk parameter estimates, 
are in error. A benchmark is merely an alternative measure, and the 
difference may be due to different data or methods. Nevertheless, when 
differences are revealed, proper benchmarking requires the bank to 
investigate the source of the differences and whether the extent of the 
difference is appropriate. This investigative process may identify ways 
in which a bank can improve its risk rating and segmentation systems, 
and the quantification process.
    42. To benchmark risk ratings and segmentation, a bank must at a 
minimum establish a process in which a representative sample of its 
internal ratings, portfolio segmentation, and risk parameters are 
compared to results from another source for the same exposures. 
Examples of other sources include independent internal raters such as 
loan review, external corporate rating agencies, or retail credit 
bureau models, and alternative internally developed credit risk models 
(``challenger models'').
    43. Benchmarking of a risk rating, regardless of the rating 
approach, customarily asks whether another rater or rating method 
attaches a comparable rating to a particular obligor or exposure. 
Benchmarking of a segmentation system customarily asks whether other 
risk drivers or other segmentation methods provide similar risk 
separation and assessments of the portfolio risk distribution.
    44. Benchmarking of quantification generally involves comparing 
different choices made in the four stages of quantification. Such 
benchmarking compares:
     Reference data with data from other data sources;
     Estimates of risk parameters with estimates developed by 
alternative methods using the same reference data;
     Mappings with alternative mappings that would be expected 
to provide similar results; and
     Adjustments at the application stage with alternatives.
    45. Benchmarking activities can be accomplished in a number of ways 
and at different levels of aggregation. Some benchmarking activities 
are conducted more frequently than others; for example, a bank 
benchmarks a system to evaluate its performance more frequently than it 
benchmarks the system to determine whether to renovate it completely, 
an activity that must be considerably more thorough. Examples of 
benchmarking activities for risk rating and segmentation systems, and 
the quantification process are listed below:
Risk Ratings or Segmentation Benchmarking
     On an ongoing basis, analyzing the characteristics of 
obligors or exposures that have been assigned the same wholesale risk 
rating or retail segment, and comparing the distribution of the 
portfolio by these ratings or segments between different time periods.
     Periodically re-rating a sample of wholesale credits 
previously rated under the bank's standard method; examples of 
benchmark ratings include alternate individual raters in a judgmental 
system, an alternative internally developed rating model, or third-
party credit or debt ratings.
     Periodically comparing the separation power of the IRB 
retail segmentation to alternative segmentations used in credit risk 
management and comparing the risk parameter estimates derived from the 
IRB retail segmentation with an alternative segmentation.
Quantification Benchmarking
     On an ongoing basis, comparing a bank's PD, ELGD, LGD, and 
EAD estimates with available alternative risk estimates, such as 
business line loss forecasts or allowance methodologies. Within retail 
portfolios, vintage analyses (tracking loss rates over the life of the 
loan, given the same origination time and borrower characteristics) can 
be compared between different origination periods.
     Periodically comparing a bank's PD, ELGD, LGD, and EAD 
estimates with

[[Page 9131]]

risk parameter estimates derived from alternative choices at some 
step(s) of the quantification process, such as different reference data 
sources, different estimation models, etc.
Outcomes Analysis
    S 7-13 Banks must analyze outcomes and must develop statistical 
methods to backtest their risk rating and segmentation systems and the 
quantification process.
    46. The third component of the validation process is outcomes 
analysis, which is the comparison of risk parameter estimates and model 
results with actual outcomes. Although banks are expected to employ all 
the components of the validation process, the data to perform 
comprehensive outcomes analysis on the existing portfolio may not be 
available in the early stages of implementation and may be difficult 
when a bank's process for assessing risks changes significantly. 
Therefore, banks may at times need to rely more heavily on other 
validation activities such as developmental evidence, process 
verification, and benchmarking.\14\
---------------------------------------------------------------------------

    \14\ For wholesale risk rating systems, banks face the challenge 
of how to measure the system's performance when backtesting is not 
conclusive. Because of the rarity of defaults in most years and the 
bunching of defaults in a few years, the other parts of the 
validation process will assume greater importance. If risk rating 
and segmentation processes are developed in a learning environment 
in which banks attempt to change and improve them, backtesting may 
be delayed even further. In its early stages, the validation of risk 
rating and segmentation systems will depend on bank management's 
exercising informed judgment about the strength of the systems, not 
simply on empirical tests.
---------------------------------------------------------------------------

    47. Backtesting is the statistical comparison of estimates to 
realized outcomes. Banks must back-test their risk parameter estimates 
by regularly comparing actual portfolio or rating grade/segment-level 
default rates, loss severities, and exposure-at-default experience with 
the PD, ELGD, LGD, and EAD estimates on which risk-based capital 
calculations are based. Backtesting indicates the combined 
effectiveness of the assignment of exposures to wholesale obligor and 
loss severity ratings or to retail segments and the quantification of 
the risk parameters attached to those ratings or segments.
    S 7-14 Banks should establish ranges around the estimated values of 
risk parameter estimates and model results in which actual outcomes are 
expected to fall and have a validation policy that requires them to 
assess the reasons for differences and that outlines the timing and 
type of remedial actions taken when results fall outside expected 
ranges.
    48. Banks have considerable flexibility in developing statistical 
tests to back-test the performance of their risk rating and 
segmentation systems and the accuracy of their quantification process. 
Regardless of the backtesting method used, the bank should establish 
expected ranges for validation results. Backtesting often will not 
identify the specific reasons for discrepancies between expectations 
and outcomes. Rather, it will indicate only that further investigation 
is necessary.
    49. When establishing expected ranges, banks should consider 
relevant elements of a bank's risk rating or segmentation systems that 
may affect outcomes, for example whether the system is designed to 
measure risk parameter estimates at a point in time, through the cycle, 
or at stressed periods. Also, changes in economic or market conditions 
and portfolio composition between the historical data and data from the 
present period can lead to differences between outcomes and risk 
parameter estimates.
    50. In establishing expected ranges, a bank should consider which 
elements of its risk rating or segmentation system, and the 
quantification process, are most likely to affect outcomes of the risk 
parameter estimates. However, determining expected ranges can be 
difficult if a bank has changed its method of quantifying risk 
parameters and the estimates were calculated by a different method than 
the outcomes. If so, it may be appropriate to recalculate historical 
estimates in a manner consistent with the new method. If a bank adjusts 
final risk parameter estimates to be conservative, it may be 
appropriate to do its backtesting on the unadjusted estimates.
    51. Differences in realized default, loss severity, or exposure 
rates from expected ranges may point to issues in the reference data, 
estimation, mapping or application elements of quantification. They may 
also indicate potential problems in other parts of the risk rating or 
segmentation system. The bank's validation policy should describe (at 
least in broad terms) the types of responses that should be considered 
when actual outcomes fall outside the expected ranges. If the 
discrepancies demonstrate a systematic tendency to decrease risk-based 
capital requirements, the nature and source of the bias requires even 
more detailed scrutiny.

C. Minimum Frequency of Validation

    S 7-15 Each of the three activities in the validation process 
should be conducted often enough to ensure the ongoing integrity, 
reliability, and accuracy of the IRB risk rating and segmentation 
systems, and the quantification process.
    S 7-16 Developmental evidence must be updated whenever significant 
changes in methodology, data, or implementation occur. Other validation 
activities must be ongoing and must not be limited to a point in time.
    52. Process verification, benchmarking, and backtesting activities 
should be conducted often enough to ensure ongoing integrity of the 
risk rating and segmentation systems, and the quantification process. 
For example, during high-default periods, banks should analyze realized 
default and loss severity rates more frequently, perhaps quarterly. 
They should document the results of validation, report them to 
appropriate levels of senior risk management, and take action as 
appropriate.

Chapter 8: Stress Testing of Risk-Based Capital Requirements

Rule Requirements

    Part III, Section 22(j)(6): The bank must periodically stress test 
its advanced systems. The stress testing must include a consideration 
of how economic cycles, especially downturns, affect risk-based capital 
requirements (including migration across rating grades and segments and 
the credit risk mitigation benefits of double default treatment).
    1. Under the IRB framework, changes in borrower credit quality will 
lead to changes in the risk-based capital requirements. Because credit 
quality typically improves or deteriorates in conjunction with economic 
conditions, risk-based capital requirements may also vary with the 
economic cycle. During an economic downturn, risk-based capital 
requirements typically increase as obligors or exposures migrate toward 
lower credit quality risk ratings or segments.
    2. Stress testing analysis is a means of understanding how economic 
cycles, especially downturns, as represented by stress scenarios, will 
affect risk-based capital requirements through migration across risk 
ratings or segments, effects on double default treatment, and through 
effects on other relevant aspects of a bank's advanced systems.\15\
---------------------------------------------------------------------------

    \15\ Stress testing is a general term that can be applied to 
different types of analysis, depending on the purpose of the 
exercise. Examples of stress testing that have a different purpose 
than contemplated here include a stress test of bank solvency and a 
stress test of an individual obligor.
---------------------------------------------------------------------------

    S 8-1 Banks must conduct and document stress testing of their 
advanced systems as part of managing risk-based capital.

[[Page 9132]]

    3. Supervisors expect that banks will manage their risk-based 
capital position so that they remain at least adequately capitalized 
during all phases of the economic cycle. A bank that is able to 
accurately estimate risk-based capital levels during a downturn can be 
more confident of appropriately managing risk-based capital. Stress 
testing analysis consists of identifying a stress scenario and then 
translating that scenario into its effect on the levels of key 
performance measures, including risk-based capital ratios.
    4. Banks should use a range of scenarios and methods when stress 
testing to manage risk-based capital. Scenarios may be historical, 
hypothetical, or model-based. Key variables specified in a scenario 
could include, for example, interest rates, transition matrices 
(ratings and score-band segments), asset values, credit spreads, market 
liquidity, economic growth rates, inflation rates, exchange rates, or 
unemployment rates. A single scenario may apply to the entire 
portfolio, or a number of scenarios may apply to various sub-
portfolios. The severity of the stress scenario should be consistent 
with the periodic economic downturns experienced in the bank's market 
areas. Such scenarios may be less severe than those used for other 
purposes, such as testing a bank's solvency.
    5. Given a scenario, a bank then estimates the effect of the 
scenario on risk-weighted assets and its future capital ratios relative 
to the risk-based capital minimums. Estimating capital ratios includes 
estimating levels of capital (the numerator of the ratio) as well as 
measures of risk-weighted assets (the denominator).
    6. For example, suppose the scenario for both a retail and a 
wholesale portfolio is a specific historical recession. For the retail 
portfolio, score-band transition matrices observed during the recession 
could be used to quantify migration between segments and thus supply 
the new distribution of segments expected for the current portfolio, 
given the scenario. For the wholesale portfolio, internal or rating 
agency ratings transition matrices observed during the recession could 
be used to quantify ratings migration, and thus supply the distribution 
of rating grades. The distribution of segments and rating grades would 
allow the calculation of risk-weighted assets that would be expected 
during the recession scenario. Transitions into default would allow 
banks to estimate the effects of credit losses on income and capital. 
As part of this analysis, the bank should ensure that the rating 
philosophy (as revealed by rating migration patterns) of the rating 
agency, or any other source of ratings, associated with the recession 
transition matrix is consistent with the bank's rating system, or 
appropriate adjustments should be made for differences in rating 
philosophy.
    7. The scope of this estimation exercise should be broad and 
include all material portfolios under the framework for advanced 
systems. The time horizon of the stress testing analysis should be 
consistent with the specifics of the scenario and should be long enough 
to measure the material effects of the scenario on key performance 
measures. For example, if a scenario such as a historical recession 
materially affected income and segment or ratings migration over two 
years, the appropriate time horizon is at least two years.
    8. The bank's management of risk-based capital should also take 
into account the effect of a bank's discretionary actions on risk-based 
capital levels. For example, a bank's plan to reduce dividends in the 
face of lowered income would, if implemented, affect retained earnings 
and the capital accounts. Such discretionary actions should be 
consistent with the bank's documented risk-based capital management 
policy. Because discretionary plans may or may not be implemented, a 
bank should estimate the relevant capital ratios both with and without 
these actions.

Chapter 9: Counterparty Credit Risk Exposure

Rule Requirements

    Part III, Section 22(d): Counterparty credit risk model. A bank 
must obtain the prior written approval of [AGENCY] under section 32 [of 
the NPR] to use the internal models methodology for counterparty credit 
risk.
    Part IV, Section 32: Counterparty Credit Risk

I. Overview

    1. This chapter supplements the detailed discussion of counterparty 
credit risk in the NPR by describing some of the elements of 
counterparty credit risk mitigation, providing information that may aid 
banks in choosing among the alternative methods to calculate EAD for 
these transactions, and providing some descriptions and illustrative 
examples of acceptable modeling practices for estimation of EAD under 
the alternative methods.

II. Transactions With Counterparty Credit Risk

    2. Transactions with counterparty credit risk are those where the 
credit risk exposure varies with a market variable such as an interest 
rate or security price. For certain transactions subject to 
counterparty credit risk where there is financial collateral, a bank 
may be allowed to recognize the risk mitigating effect of that 
collateral through an adjustment to EAD.
    3. As provided in the NPR, transactions with counterparty credit 
risk for which a bank may adjust EAD rather than LGD include:
     Repo-style transactions including repurchase and reverse 
repurchase agreements, and securities lending and securities borrowing 
transactions;
     Eligible margin loans; and
     Over-the-counter (``OTC'') derivatives transactions.
    4. Several methods are available to calculate EAD depending on the 
type of transaction, presence of eligible collateral, legal agreements 
surrounding a transaction, the operational capability of a bank, and 
the modeling capability of a bank:
     A collateral haircut approach that includes standard 
supervisory haircuts or the bank's own estimates of the haircuts--
applied to individual repo-style transactions, eligible margin loans, 
and single-product groups of such transactions subject to a qualifying 
master netting agreement (netting set). Additionally, the haircut 
approach is available to recognize financial collateral in the current 
exposure methodology for OTC derivatives;
     A simple VaR methodology--applied to single-product 
netting sets of repo-style transactions and eligible margin loans;
     A current exposure methodology for OTC derivatives; and
     An internal models methodology available for all three 
transaction types.
    5. Supervisor approval is required for all methods except the 
collateral haircut approach using standard supervisory haircuts and the 
current exposure methodology for OTC derivatives. To receive approval, 
a bank should demonstrate to its primary Federal supervisor:
     Internal operational processes used to determine the 
eligibility of transactions for the method chosen;
     Internal processes used to determine the regulatory and 
legal ability to net transactions in bankruptcy;
     Appropriate model validation and backtesting procedures;
     Appropriate internal controls for counterparty credit 
risk;
     Appropriate collateral management processes, which, at a 
minimum, determine whether collateral meets the definition of financial 
collateral; and

[[Page 9133]]

     Adequacy of the modeling techniques used and how the 
models meet qualification requirements.
    6. If a transaction qualifies for one of the EAD adjustment 
approaches and the bank elects to use one of the EAD adjustment methods 
for the transaction, collateral may only be taken into account in the 
estimation of EAD and may not also affect the other parameters, such as 
LGD. For eligible transactions, the capital requirement is based on an 
estimate of the PD of the counterparty and LGD for an unsecured 
exposure to the counterparty. The EAD is adjusted to reflect a net 
exposure amount. Credit exposures that do not qualify for the EAD 
adjustment approach as discussed in this section must follow the IRB 
approach described elsewhere in this guidance. For those transactions, 
(i) the LGD for each individual transaction can be adjusted, based on 
the collateral for the transaction; and (ii) except for the current 
exposure methodology for OTC derivatives, netting cannot be considered 
in determining either EAD or PD.

III. Definitions

    7. A repo-style transaction is a repurchase or reverse repurchase 
transaction, or a securities borrowing or securities lending 
transaction, including a transaction in which the bank acts as agent 
for a customer and indemnifies the customer against loss, provided 
that:
     The transaction is based solely on liquid and readily 
marketable securities or cash;
     The transaction is marked to market daily and subject to 
daily margin maintenance requirements;
     The transaction is executed under an agreement that 
provides the bank the right to accelerate, terminate, and close-out the 
transaction on a net basis and to liquidate or set off collateral 
promptly upon an event of default (including upon an event of 
bankruptcy, insolvency, or similar proceeding) of the counterparty, 
provided that, in any such case, any exercise of rights under the 
agreement will not be stayed or avoided under applicable law in the 
relevant jurisdictions; \16\ and
---------------------------------------------------------------------------

    \16\ Where all transactions under the agreement are (i) executed 
under U.S. law and (ii) constitute ``securities contracts'' or 
``repurchase agreements '' under section 555 or 559, respectively, 
of the Bankruptcy Code (11 U.S.C. 555 or 559), qualified financial 
contracts under section 11(e)(8) of the Federal Deposit Insurance 
Act (12 U.S.C. 1821(e)(8)), or netting contracts between or among 
financial institutions under sections 401-407 of the Federal Deposit 
Insurance Corporation Improvement Act of 1991 (12 U.S.C. 4401-4407) 
or the Federal Reserve Board's Regulation EE (12 CFR Part 231), this 
requirement is deemed to be met.
---------------------------------------------------------------------------

     The bank has conducted and documented sufficient legal 
review to conclude with a well-founded basis that the agreement 
mentioned above meets these requirements and is legal, valid, binding, 
and enforceable under applicable law in the relevant jurisdictions.
    8. An eligible margin loan is an extension of credit where:
     The credit extension is collateralized exclusively by debt 
or equity securities that are liquid and readily marketable;
     The collateral is marked to market daily and the 
transaction is subject to daily margin maintenance requirements;
     The extension of credit is conducted under an agreement 
that provides the bank the right to accelerate and terminate the 
extension of credit and to liquidate or set off collateral promptly 
upon an event of default (including upon an event of bankruptcy, 
insolvency, or similar proceeding) of the counterparty, provided that, 
in any such case, any exercise of rights under the agreement will not 
be stayed or avoided under applicable law in the relevant 
jurisdictions; and
     The bank has conducted and documented sufficient legal 
review to conclude with a well-founded basis that the agreement 
mentioned above meets these requirements and is legal, valid, binding, 
and enforceable under applicable law in the relevant jurisdictions.
    9. An OTC derivative contract is a derivative contract that is not 
traded on an exchange that requires the daily receipt and payment of 
cash-variation margin.
     A derivative contract means a financial contract whose 
value is derived from the values of one or more underlying assets, 
reference rates, or indices of asset values or reference rates. 
Derivative contracts include interest rate derivative contracts, 
exchange rate derivative contracts, equity derivative contracts, 
commodity derivative contracts, credit derivatives, and any other 
instrument that poses similar counterparty credit risk.
     Derivative contracts also include unsettled securities, 
commodities, and foreign exchange transactions with a contractual 
settlement or delivery lag that is longer than the lesser of the market 
standard for the particular instrument or 5 business days. This would 
include, for example, agency mortgage-backed securities transactions 
conducted in the To-Be-Announced market.
    10. Financial collateral is the following set of financial 
instruments in which the bank has a perfected, first priority security 
interest or the legal equivalent:
     Cash on deposit with the bank (including cash held for the 
bank by a third-party custodian or trustee);
     Gold bullion;
     Long-term debt securities that have an applicable external 
rating of one category below investment grade or higher (e.g., at least 
BB-);
     Short-term debt instruments that have an applicable 
external rating of at least investment grade (e.g., at least A-3);
     Equity securities that are publicly traded;
     Convertible bonds that are publicly traded; and
     Money market mutual fund shares and other mutual fund 
shares if a price for the shares is publicly quoted daily.

IV. Netting

    S 9-1 All transactions with a counterparty subject to a qualifying 
master netting agreement constitute a netting set and may be treated as 
a single exposure, otherwise each transaction shall have its risk-based 
capital requirement calculated on a standalone basis.
    11. Counterparty credit risk may be calculated at the level of a 
netting set. Consistent with the industry's general practice for 
computing exposures to counterparty credit risk, a bank can estimate 
the exposure amount or EAD, and calculate the associated capital 
requirement on the basis of one or more defined bilateral ``netting 
sets.'' A ``netting set'' is a group of transactions with a single 
counterparty that are subject to a legally enforceable bilateral 
netting agreement that meets the requirements to be a qualifying master 
netting agreement or qualifying cross product master netting agreement 
under the terms of the NPR. If a transaction with a counterparty is not 
subject to a qualifying master netting agreement, it comprises its own 
netting set and the EAD will need to be calculated for that transaction 
on its own. The total exposure amount or EAD for a given counterparty 
is the sum of the exposure amounts or EADs of the individual netting 
sets with that counterparty.
    12. Cross-product netting allows for banks using the internal 
models methodology to recognize bilateral netting arrangements across 
repo-style transactions, eligible margin loans, and OTC derivatives. To 
recognize cross-product netting for risk-based capital purposes:
     Transactions must be conducted under a qualifying master 
netting agreement;
     A bank must be able to effectively integrate the risk-
mitigating effects of cross-product netting into its risk

[[Page 9134]]

management and other information technology systems; and
     The bank must obtain the prior written approval of its 
primary Federal supervisor.
    13. Netting other than on a bilateral basis, such as netting across 
transactions entered into by affiliates (known as cross-affiliate 
netting), is not recognized for the purposes of calculating risk-based 
capital requirements.

V. Determination of Eligibility for EAD Adjustment

    S 9-2 Banks should have an appropriately documented process for 
determining whether transactions are eligible for an EAD adjustment 
approach if they choose to use an EAD adjustment approach.
    14. The process for determining if a transaction is eligible for an 
EAD adjustment approach should consider whether the transaction meets 
the definition of a repo-style transaction, eligible margin loan, or 
OTC derivative. In addition, it must consider the operational 
requirements for tracking the exposures of such transactions. To 
determine which EAD adjustment approach to apply, the bank should 
consider the treatment for similar transactions, the need for 
regulatory approval, operational and legal requirements, and the scope 
and complexity of the bank's business in each of the areas. In 
addition, banks should consider whether transactions otherwise eligible 
for the EAD adjustment approach are subject to the automatic stay under 
the U.S. Bankruptcy Code or similar provisions under other applicable 
bankruptcy law.

VI. Methods for Determining EAD

    15. There are three EAD-based methodologies--a collateral haircut 
approach, a simple VaR methodology, and an internal model methodology--
that a bank may use instead of an ELGD/LGD estimation methodology to 
recognize the benefits of financial collateral in mitigating the 
counterparty credit risk associated with repo-style transactions and 
eligible margin loans. For OTC derivative contracts, there are two EAD-
based methodologies--the current exposure methodology and an internal 
models methodology. The current exposure methodology for calculating 
EAD for an OTC derivative contract or set of OTC derivative contracts 
subject to a qualifying master netting agreement is similar to the 
methodology in the general risk-based capital rules.\17\ If the OTC 
derivative is collateralized and the internal models methodology is 
used, the collateral is recognized within that approach. If the OTC 
derivative contract is collateralized and the current exposure 
methodology is used, the bank may use either the ELGD/LGD estimation 
methodology to recognize the benefits of financial collateral or the 
collateral haircut approach. Table 1 illustrates which EAD estimation 
methodologies may be applied to particular types of exposure.
---------------------------------------------------------------------------

    \17\ The general risk-based capital rules are in 12 CFR part 3, 
Appendix A (national banks), 12 CFR part 208, Appendix A (state 
member banks), 12 CFR part 225, Appendix A (bank holding companies), 
12 CFR part 325, Appendix A (state non-member banks), and 12 CFR 
part 567 (savings associations).
    \18\ Only repo-style transactions and eligible margin loans 
subject to a single-product qualifying master netting agreement are 
eligible for the simple VaR methodology.
    \19\ In conjunction with the current exposure methodology.

                                                     Table 1
----------------------------------------------------------------------------------------------------------------
                                                                                      Models approach
                                   Current exposure   Collateral haircut ---------------------------------------
                                      methodology          approach         Simple VaR \18\     Internal models
                                                                              methodology         methodology
----------------------------------------------------------------------------------------------------------------
OTC derivative..................  Yes...............  No................  No................  Yes.
Recognition of collateral for     No................  Yes \19\..........  No................  Yes.
 OTC derivatives.
Repo-style transaction..........  No................  Yes...............  Yes...............  Yes.
Eligible margin loan............  No................  Yes...............  Yes...............  Yes.
Cross-product netting set.......  No................  No................  No................  Yes.
----------------------------------------------------------------------------------------------------------------

    S 9-3 Banks must use the same method for determining risk-based 
capital requirements for all similar transactions.
    16. Banks must use the same method for similar transactions, but 
may use different methods for different transaction types. A bank may 
use a separate methodology for agency securities lending transactions--
that is, repo-style transactions in which the bank, acting as agent for 
a customer, lends the customer's securities and indemnifies the 
customer against loss--and all other repo-style transactions.
    S 9-4 The method for calculating EAD for transactions subject to 
counterparty credit risk should be appropriate for the risk, extent, 
and complexity of the bank's activity.
    17. Banks that are engaged in prime brokerage, market making, and 
other sophisticated securities financing and repurchase activities 
should consider using the VaR model approach or the internal models 
approach. Banks that do not engage in such activities but are 
principally using repurchase agreements and other financial contracts 
for liquidity, cash management, and other risk management purposes may 
use a collateral haircut approach for eligible margin loans and repo-
style transactions, and the current exposure methodology for OTC 
derivatives.

A. Methodologies for Repo-Style Transactions and Eligible Margin Loans

    18. Under any of the available methodologies for repo-style 
transactions and eligible margin loans, a bank can recognize the risk 
mitigating effect of financial collateral that secures a repo-style 
transaction, eligible margin loan, or single-product netting set of 
such transactions subject to a qualifying master netting agreement 
through an adjustment to EAD rather than ELGD and LGD. The bank may use 
a collateral haircut approach or one of two models approaches: A simple 
VaR methodology (for single-product netting sets of repo-style 
transactions or eligible margin loans) or an internal models 
methodology (the internal models methodology is described under the 
methods for OTC derivatives, but may be applied to repo-style 
transactions and margin loans as well). Figure 1 illustrates the 
methodologies available for eligible margin loans and repo-style 
transactions.

[[Page 9135]]

[GRAPHIC] [TIFF OMITTED] TN28FE07.005

Collateral Haircut Approach
    19. Under the collateral haircut approach, a bank would set EAD 
equal to the sum of three quantities:
     The value of the exposure less the value of the 
collateral;
     The sum across all securities of (i) the absolute value of 
the net position in a given security (where the net position in a given 
security equals the sum of the current market values of the particular 
security the bank has lent, sold subject to repurchase, or posted as 
collateral to the counterparty minus the sum of the current market 
values of that same security the bank has borrowed, purchased subject 
to resale, or taken as collateral from the counterparty); multiplied by 
(ii) the market price volatility haircut appropriate to that security; 
and
     The sum across all currencies different from the 
settlement currency of (i) the absolute value of the net position of 
both cash and securities in a given currency; multiplied by (ii) the 
haircut appropriate to that currency mismatch.
    To determine the appropriate haircuts, a bank could choose to use 
standard supervisory haircuts or its own estimates of haircuts.
    20. For purposes of the collateral haircut approach, a ``given 
security'' would include, for example, all securities with a single 
Committee on Uniform Securities Identification Procedures (``CUSIP'') 
number and would not include securities with different CUSIP numbers, 
even if issued by the same issuer with the same maturity date.

Standard Supervisory Haircuts

    21. If a bank chooses to use standard supervisory haircuts, it 
would use an eight percent haircut for each currency mismatch and the 
haircut appropriate to each security in Table 2 below. The haircuts in 
the table assume a 10 business-day holding period (appropriate for 
eligible margin loans). These haircuts must be multiplied by the square 
root of \1/2\ to convert the standard supervisory haircuts from the 10 
business-day holding period to the 5 business-day holding period 
appropriate for repo-style transactions. A bank would be required to 
adjust the supervisory haircuts upward to a holding period longer than 
10 business days for eligible margin loans or 5 business days for repo-
style transactions to take into account collateral illiquidity. To 
convert the haircut to a holding period longer than 10 business days, 
the haircut should be multiplied by the square root of the ratio of the 
actual holding period to the 10 business day minimum holding period. As 
an example, assume a bank that uses standard supervisory haircuts has 
extended an eligible margin loan of $100 that is collateralized by 5-
year U.S. Treasury notes with a market value of $100. The value of the 
exposure less the value of the collateral would be zero, and the net 
position in the security ($100) times the supervisory haircut (.02) 
would be $2. There is no currency

[[Page 9136]]

mismatch. Therefore, the EAD of the exposure would be $0 + $2 = $2.
---------------------------------------------------------------------------

    \20\ The market price volatility haircuts in Table 2 are based 
on a 10-business-day holding period.
    \21\ Residual maturity refers to the residual contractual 
maturity of the debt security. For example, the remaining maturity 
to call dates or reset dates for floating rate notes should not be 
used for the residual maturity.
    \22\ The proposed rule defines a ``main index'' as the S&P 500 
Index, the FTSE All-World Index, and any other index approved by the 
bank's primary Federal supervisor for purposes of the rule.

                      Table 2.--Standard Supervisory Market Price Volatility Haircuts \20\
----------------------------------------------------------------------------------------------------------------
                                                                                 Issuers exempt
   External rating grade category for debt        Residual maturity for debt    from the 3 b.p.   Other issuers
                  securities                            securities\21\               floor
----------------------------------------------------------------------------------------------------------------
Two highest investment grade rating            <=1 year.......................            .005              .01
 categories for long-term ratings/highest
 investment grade rating category for short-
 term ratings.
                                               >1 year, <=5 years.............             .02              .04
                                               >5 years.......................             .04              .08
Two lowest investment grade rating categories  <=1 year.......................             .01              .02
 for both short- and long-term ratings.
                                               >1 year, <=5 years.............             .03              .06
                                               >5 years.......................             .06              .12
One rating category below investment grade...  All............................             .15             .25
Main index equities \22\ (including convertible bonds) and gold.......15 .....
Other publicly-traded equities (including convertible bonds)..........25 .....
Mutual funds.....................................Highest haircut applicable to any security in
                                                           which the fund can invest
Cash on deposit with the bank (including a certificate of deposit issue0 by
 the bank).
----------------------------------------------------------------------------------------------------------------

Own Estimates of Haircuts

    22. With the prior written approval of the bank's primary Federal 
supervisor, a bank may calculate security type and currency mismatch 
haircuts using its own internal estimates of market price volatility 
and foreign exchange volatility. When a bank calculates its own 
estimates haircut on a TN-day holding period, which is 
different from the minimum holding period for the transaction type, the 
applicable haircut (HM) is calculated using the following 
square root of time formula:
[GRAPHIC] [TIFF OMITTED] TN28FE07.006

where

(i) TM = 5 for repo-style transactions and 10 for 
eligible margin loans;
(ii) TN = holding period used by the bank to derive 
HN and
(iii) HN = haircut based on the holding period 
TN.

Requirements for the Use of Internally Estimated Haircuts

    23. A bank must meet the following eligibility requirements to use 
internal estimates of collateral haircuts:
     The bank must use a 99th percentile one-tailed confidence 
interval, a minimum five-business-day holding period for repo-style 
transactions, and a minimum 10-business-day holding period for eligible 
margin loans;
     The bank must adjust holding periods upward where and as 
appropriate to take into account the illiquidity of an instrument;
     The bank must select a historical observation period for 
calculating haircuts of at least one year;
     The bank must update its data sets and re-compute haircuts 
no less frequently than quarterly and must reassess its data sets and 
haircuts whenever market prices change materially; and
     The bank generally must estimate individually the 
volatilities of each security and foreign exchange rate separately, and 
may not take into account the correlations between them.
Simple VaR Methodology
    24. With the prior written approval of its primary Federal 
supervisor, a bank may estimate EAD for repo-style transactions and 
eligible margin loans subject to a qualifying master netting agreement 
using a VaR model. Under the simple VaR methodology, a bank's EAD for 
the transactions subject to such a netting agreement would be equal to 
the value of the exposures minus the value of the collateral plus a 
VaR-based estimate of the potential future exposure (``PFE'').
    25. The VaR model must estimate the PFE as the bank's empirically-
based, best estimate of the 99th percentile, one-tailed confidence 
interval for an increase in the value of the net collateralized 
exposure ([Sigma]E-[Sigma]C) over a 5-business-day holding period for 
repo-style transactions or over a 10-business-day holding period for 
eligible margin loans using a minimum one-year historical observation 
period of price data on the instruments that the bank has lent, sold 
subject to repurchase, posted as collateral, borrowed, purchased 
subject to resale, or taken as collateral. In cases where the 
underlying collateral is less liquid, a longer time period may be 
appropriate.
    S 9-5 Banks that use the VaR model approach for single product 
netting sets of repo-style transactions or eligible margin loans must 
conduct rigorous and regular backtesting to validate its model.
    26. The qualifying requirements for the use of such a model are 
less stringent than the qualification requirements for the internal 
model methodology described below. In principle, the VaR model 
generally should meet the quantitative and qualitative criteria for 
recognition of internal market risk models set out in the Market Risk 
Amendment (``MRA''). The main ongoing qualification requirement for 
using the simple VaR model is that the bank must validate its VaR model 
by establishing and maintaining a rigorous and regular backtesting 
regime to ensure the validity of the model the bank uses. A backtesting 
regime that is conducted once every quarter to compare values of one, 
five, and/or ten day 99 percent VaRs with changes in market values of 
representative portfolios would be appropriate and generally would be a 
part of a regular program of backtesting.

[[Page 9137]]

    27. In general, the repo-style backtest should include the 
backtesting of several representative portfolios that compares the one 
day 99 percent VaR figure with the change in market value for each 
portfolio tested. The representative portfolios could be based on 
actual counterparty portfolios, hypothetical portfolios, or a 
combination of real and hypothetical portfolios that are designed to 
test specific aspects of the model, or specific risk factors.

B. EAD for OTC Derivative Contracts

    28. A bank may use either the current exposure methodology or the 
internal models methodology to determine the EAD for OTC derivative 
contracts. Figure 2 illustrates the possible methodologies for the 
calculation of EAD for OTC derivatives.
[GRAPHIC] [TIFF OMITTED] TN28FE07.007

Current Exposure Methodology
    29. The current exposure methodology for determining EAD for OTC 
derivative contracts is similar to the methodology set forth in the 
general risk-based capital rules, in that the EAD for an OTC derivative 
contract would be equal to the sum of the bank's current credit 
exposure and potential future exposure (``PFE'') on the derivative 
contract. The proposal's conversion factor (``CF'') matrix used to 
compute PFE is based on the matrices in the general risk-based capital 
rules, with two exceptions:
     The CF for credit derivatives that are not used to hedge 
the credit risk of exposures subject to an IRB risk-based capital 
requirement is specified to be 5.0 percent for contracts with 
investment grade reference obligors and 10.0 percent for contracts with 
non-investment grade obligors. The CFs for credit derivative contracts 
do not depend on the remaining maturity of the contract; and
     Floating/floating basis swaps are not exempt from the CF 
for interest rate derivative contracts.
    30. A bank may reflect the credit risk mitigating effects of 
financial collateral by adjusting the ELGD and LGD of the contract or 
exposure. Alternatively, if the transaction is subject to daily 
marking-to-market and re-margining, the bank may adjust the EAD of the 
contract using the collateral haircut approach for repo-style 
transactions and eligible margin loans. A bank applying the collateral 
haircut approach to OTC derivatives must use a 10-business-day minimum 
holding period.

[[Page 9138]]

C. Internal Models Methodology

    31. The internal models methodology for the calculation of EAD can 
be applied to repo-style transactions, eligible margin loans, and OTC 
derivatives. The internal models methodology requires a risk model that 
captures counterparty credit risk and estimates EAD at the level of a 
``netting set,'' that is, transactions with a single counterparty that 
are subject to a qualifying master netting agreement. A transaction not 
subject to a qualifying master netting agreement is considered to be 
its own netting set and EAD must be calculated for each such 
transaction individually. A bank may use the internal model methodology 
for OTC derivatives (collateralized or uncollateralized) and single-
product netting sets thereof, for eligible margin loans and single-
product netting sets thereof, or for repo-style transactions and 
single-product netting sets thereof. A bank may choose to use the 
internal models methodology for one or two of these three types of 
exposures and not the other types. As described in paragraph 12 of this 
chapter, in cases where a bank has been approved by its primary Federal 
supervisor to incorporate the effects of cross-product netting 
agreements in their internal models methodology, the bank may use the 
internal models methodology for combinations of repo-style 
transactions, eligible margin loans, and OTC derivatives conducted 
under a qualifying cross-product netting agreement.
    32. Banks use several measures to manage their exposure to 
counterparty credit risk, including peak exposure (``PE''), expected 
exposure (``EE''), and expected positive exposure (``EPE''). PE is the 
maximum exposure estimated to occur on a future date at a high level of 
statistical confidence. Banks often use PE when measuring counterparty 
credit risk exposure against counterparty credit limits. EE is the 
probability-weighted average exposure to a counterparty estimated to 
exist at any specified future date, whereas EPE is the time-weighted 
average of individual expected exposures to a counterparty where the 
weights are the proportion of the time interval that an individual 
exposure represents.
    33. Effective EPE, described below, is to be used in the 
calculation of EAD under the internal models methodology. EAD is 
calculated as a multiple of effective EPE.
    34. EE and EPE may not capture additional risk arising from the 
replacement of existing short-term positions over the one year horizon 
used for risk-based capital requirements (that is, rollover risk) or 
may underestimate the exposures of eligible margin loans, repo-style 
transactions, and OTC derivatives with short maturities. For this 
reason, a netting set's ``effective EPE'' will be used as the basis for 
calculating EAD for counterparty credit risk. Effective EPE is the 
time-weighted average of effective EE over one year where the weights 
are the proportion that an individual effective EE represents in a one-
year time interval. If all contracts in a netting set mature before one 
year, effective EPE is the average of effective EE until all contracts 
in the netting set mature. Effective EE is defined as:

Effective EEtk = max (Effective EEtk-1, 
EEtk)

where exposure is measured at future dates t1, t2, t3, * * * and 
effective EEt0 equals current exposure. Under the internal 
models methodology, a measure that is more conservative than effective 
EPE for every counterparty (for example, a measure based on peak 
exposure) can be used in place of effective EPE with prior approval of 
the primary Federal supervisor.
    35. The internal model methodology scales effective EPE using a 
multiplier, termed ``alpha.'' Alpha is set at 1.4; a bank's primary 
Federal supervisor has the flexibility to raise this value in 
appropriate situations. With approval of the primary Federal 
supervisor, a bank may use its own estimate of alpha as described 
below, subject to a floor of 1.2.
    36. The maturity adjustment for transactions under the internal 
models methodology is described in the NPR. This maturity formula for M 
is based on the effective credit duration of the counterparty exposure. 
A bank that uses an internal model to calculate a one-sided credit 
valuation adjustment can use the effective credit duration estimated by 
such a model for maturity, M, if the bank can demonstrate to its 
primary Federal supervisor that the effective credit duration used by 
the bank gives the same value for M as the maturity formula for 
Counterparty Credit Risk (``CCR'') described in the NPR.
A Description of the Modeling Process for Effective Expected Positive 
Exposure
    37. The basis of the calculation is to forecast, based on observed 
price movements, the range of possible values that a portfolio of 
transactions with a counterparty that constitute a netting set can take 
in the future and assign probabilities to those possible values. This 
is the statistical probability distribution of the market values for 
the portfolio. There are many possible methods for making this forecast 
ranging from Monte Carlo simulation to using an analytic formula.
    38. The process generally starts with a calculation of the current 
market value of the transactions with a counterparty that are in a 
netting set. Cases where the current market value of the netting set is 
positive represent an exposure to the counterparty (the counterparty 
owes the bank money). Cases where the current market value is negative 
do not represent exposures to the counterparty since the bank owes the 
counterparty money. To determine the current exposure, the market value 
of collateral posted by the counterparty is subtracted from the current 
market value of the netting set. If this difference is negative the 
current exposure is zero.
    39. The distribution of exposures on a future date can also include 
the exposure reducing effect of financial collateral. In cases where 
financial collateral is held, the distribution of market values of the 
positions and the collateral held against the netting set is calculated 
together and cases of negative combined market values of transactions 
and collateral are set to zero since they do not represent a credit 
exposure if the counterparty were to default (the counterparty has 
posted more collateral than it owes the bank, or the bank owes the 
counterparty).
    40. The bank will have to determine for which future dates to 
calculate probability distributions of the market value of transactions 
in the netting set. These should be chosen to accurately reflect the 
cashflows of transactions in a netting set.
    41. For these future dates (e.g., 1, 3, 5, and 10 days in the 
future and every month out to one year \23\) the bank will calculate 
the distribution of market values for the netting set.
---------------------------------------------------------------------------

    \23\ These example dates are given to clarify the meaning of 
future dates, they do not represent a requirement. As described in 
paragraph 47 of this chapter, as well as in the NPR, a large number 
of future dates may be computationally burdensome, and the number of 
future dates will depend explicitly on a trade off between the 
ability to calculate effective EPE in an expeditious manner and the 
accuracy of the computation.
---------------------------------------------------------------------------

    42. Expected exposure (``EE'') is defined as the expected value of 
the probability distribution of credit risk exposures to a counterparty 
at any specified future date before the maturity date of the longest 
term transaction in the netting set. Banks will need to convert from 
market values of transactions to credit risk exposures to make this 
calculation. When the transactions in a netting set have a

[[Page 9139]]

positive value, the counterparty owes money to the bank and there is a 
credit risk exposure equal to the positive market value of the 
transactions. When the transactions have a negative market value, the 
bank owes the counterparty money and there is no credit risk exposure. 
Generally, banks will start by calculating the probability distribution 
of the market value of the transactions in a netting set with a 
counterparty on a future date. To convert from a probability 
distribution of market values to a probability distribution of credit 
risk exposures, cases where the market value is negative should 
correspond to a credit risk exposure of zero, and cases where the 
market value is positive should correspond to a credit risk exposure 
equal to the market value of the transactions. This means that expected 
exposure includes in the probability weighted average a value of zero 
for all cases where the market value, including the effect of 
collateral, is negative.
    43. Effective expected exposure on a future date is the greater of 
expected exposure on that date or effective expected exposure on the 
previous future date. Effective expected exposure is calculated 
recursively, and the value for the first future date should be the 
greater of the expected exposure calculated on that date or the current 
exposure. This means that effective expected exposure is not allowed to 
decline as one moves to future dates that are further in the future, 
and that effective expected exposure will always be greater than or 
equal to current exposure.
    44. Effective expected positive exposure then takes the time-
weighted average of effective expected exposures. For example, if 
effective expected exposure is calculated each month for the first six 
months as 5, 6, 6, 6, 7 and 7 in order, and each quarter for the second 
half of the year as 7 and 7, respectively, then those first six monthly 
values would each get a weight of 1/12 and the quarterly observations 
in the second half of the year would each get a weight of 1/4 in the 
average. Effective expected positive exposure using these values at 
these dates would be 6.583.
    45. If the longest maturity contract in the netting set was less 
than a year then the effective expected positive exposure only includes 
the effective expected exposures out to the longest maturity and the 
time-weighted average only goes out to the longest maturity. For 
example, if the longest maturity contract in the netting set is 5 
months and the effective expected exposures are calculated for each 
month for those five months as (3, 3, 4, 4, 6), each monthly 
calculation would get a weight of 1/5 and the effective expected 
positive exposure would be 4. The zero exposure values for months six 
through twelve would not be included in the average nor would the 
average be computed over a full year.
Requirements for the Internal Models Methodology
    S 9-6 Banks must meet certain qualifying criteria that consist of 
operational requirements, modeling standards, and model validation 
requirements before receiving their primary Federal supervisor's 
approval to use the internal models method.
    46. Banks must have the systems capability to estimate EE on a 
daily basis. While this does not require the bank to report EE daily, 
or even to estimate EE daily, the bank must be able to demonstrate that 
it is capable of performing the estimation daily.
    47. Banks must estimate EE at enough future time points to 
accurately reflect all future cash flows of contracts in the netting 
set. In order to accurately reflect the exposure arising from a 
transaction, the model should incorporate those contractual provisions, 
such as reset dates, that can materially affect the timing, 
probability, or amount of any payment. The requirement reflects the 
need for an accurate estimate of effective EPE. However, in order to 
balance the ability to calculate exposures with the need for 
information on a timely basis, the number of time points is not 
specified. Supervisors will assess the tradeoff between the computation 
requirements of more future time points against the need for the 
ability to perform timely assessments of counterparty credit risk in 
determining the number of time points that banks should use in 
establishing a counterparty's EE profile. EE should be calculated for 
enough future dates to accurately reflect the timing of cash flows. 
This accuracy should be subject to the bank's internal review process.
    48. Banks must have been using an internal model that broadly meets 
the minimum standards to calculate the distributions of exposures upon 
which the EAD calculation is based for a period of at least one year 
prior to approval. This requirement is to ensure that the bank has 
integrated the modeling into its counterparty credit risk management 
process.
    49. Bank models must account for the non-normality of exposure 
distribution where appropriate. Non-normality of exposures means that 
high loss events occur more frequently than would be expected on the 
basis of a normal distribution, the statistical term for which is 
leptokurtosis. In many instances, there may not be a need to account 
for this. The characteristics of leptokurtosis will have a greater 
proportional effect on the measures of peak exposure (or some high 
threshold percentile measure) than on the measure of expected exposure 
used here. However, the bank should adjust its EAD measure 
appropriately when the underlying distribution of the market risk 
factors displays a significant degree of leptokurtosis.
    50. Banks must measure, monitor, and control both current exposure 
to counterparties and counterparty credit risk over the whole life of 
the contracts in a netting set with a counterparty. The bank should 
exercise active management of both existing exposure and exposure that 
could change in the future due to market moves.
    51. Banks must measure and manage current exposures gross and net 
of collateral held, where appropriate. The bank must estimate expected 
exposure for OTC derivatives contracts both with and without the 
effects of collateral agreements.
    52. Banks must have procedures to identify, monitor, and control 
specific wrong way risk throughout the life of an exposure. Wrong way 
risk in this context is the risk that future exposure to a counterparty 
will be high when the counterparty's probability of default is also 
high.
    53. The data used by banks should be adequate for the measurement 
and modeling of the exposures. In particular, current exposures must be 
calculated on the basis of current and accurate market data. When 
historical data are used to estimate model parameters, at least three 
years of data that cover a wide range of economic conditions must be 
used. This requirement reflects the longer horizon for counterparty 
credit risk exposures compared to market risk exposures. The data 
should be updated at least quarterly or more frequently when conditions 
warrant. Banks are also encouraged to incorporate model parameters 
based on forward-looking measures.
    S 9-7 Banks that use the internal models methodology for 
counterparty credit risk transactions must establish initial model 
validation and ongoing model review procedures. The model review should 
consider whether the inputs and risk factors as well as the model 
outputs are appropriate. The review of outputs should include a 
backtesting regime that compares the model's output with realized 
exposures.

[[Page 9140]]

    54. Because counterparty exposures are driven by movements in 
market variables, the validation of an EPE model is similar to the 
validation of a VaR model that is used to measure market risk. A 
validation of either type of model compares forecasted changes in value 
to realized changes. However, the EPE simulation model forms an average 
of credit exposures over a 1-year time horizon, whereas a market risk 
VaR typically forms an estimate of value changes. These differences 
make backtesting internal models used to measure counterparty credit 
risk more difficult to conduct and reliably interpret than backtesting 
VaR models used to measure market risk.
    55. The pricing models used to calculate counterparty credit risk 
exposure for a given scenario of future shocks to market risk factors 
should be tested as part of the model validation process. These pricing 
models may be different from those used to calculate VaR over a short 
horizon. Pricing models should account for the nonlinearity of option 
value with respect to market risk factors where appropriate.
    56. Historical backtesting on representative counterparty 
portfolios should be part of the model validation process. The 
representative portfolio should be held fixed over the backtesting 
interval. A bank should conduct such backtesting on a number of 
representative counterparty portfolios (actual or hypothetical) looking 
back an appropriate time period. These representative portfolios should 
be chosen based on their sensitivity to the material risk factors and 
correlations to which the firm is exposed. It would appropriate to 
conduct such backtests once each quarter.
    57. Starting at a particular historical date, the backtest would 
use the internal model to forecast each portfolio's probability 
distribution of exposure at various time horizons. Using historical 
data on movements in market risk factors, the backtest then computes 
the actual exposures that would have occurred on each portfolio at each 
time horizon assuming no change in the portfolio's composition. These 
realized exposures would then be compared with the model's forecast 
distribution at various time horizons. The above should be repeated for 
several historical dates covering a wide range of market conditions 
(e.g., rising rates, falling rates, quiet markets, volatile markets). 
Significant differences between the realized exposures and the model's 
forecast distribution could indicate a problem with the model or the 
underlying data.

Modeling Requirements for the Internal Models Method

Time Horizon
    58. The time horizon over which the time-weighted average of 
effective expected exposures is taken for the calculation of effective 
expected positive exposure is one year or the longest maturity of any 
transaction in a netting set, whichever is shorter. Examples are 
provided in paragraphs 44 and 45. Banks which receive approval to 
incorporate the effect of collateral agreements using the shortcut 
method described below may also use a shorter time horizon than one 
year.
Recognition of Collateral
    59. With the prior written approval of its primary Federal 
supervisor, a bank may fully incorporate into its internal model the 
effect of a collateral agreement that requires receipt of collateral 
when exposure to the counterparty increases. Banks may not capture the 
effects of agreements that require receipt of collateral when 
counterparty credit quality deteriorates. A bank may use a shortcut 
method where the effective EPE is equal to the lesser of:
     The threshold, defined as the exposure amount at which the 
counterparty is required to post collateral under the collateral 
agreement, if the threshold is positive, plus an add-on that reflects 
the potential increase in exposure over the margin period of risk. The 
add-on is computed as the expected increase in the netting set's 
exposure beginning from current exposure of zero over the margin period 
of risk. The margin period of risk is defined in the NPR. The minimum 
margin period of risk is 5 business days for repo-style transactions 
and 10 business days for other transactions when liquid collateral is 
posted under a daily margin maintenance requirement. This period should 
be extended to cover any additional time between margin calls, any 
potential close out difficulties, and the time to sell out collateral, 
particularly if it is illiquid; or
     Effective EPE without a collateral agreement.

Risk Management and Modeling

    60. The modeling approval requirements reflect the need for 
accurate and timely estimates of EAD, secure contractual rights for 
collateral and netting, sound management of counterparty credit risk 
using appropriate risk measures, consideration of risks that are 
outside of models when managing risk, and an operational system that 
facilitates the management of counterparty credit risk using the 
appropriate models and tools.
    61. The use of effective EPE for determining risk-based capital 
requirements does not necessitate the use of effective EPE for setting 
counterparty exposure limits. Peak exposure may be, and often is, a 
more appropriate measure to limit counterparty exposures. However, the 
probability distributions of future exposures that are used for the 
effective EPE calculation should be the same as those used for risk 
management and limit setting. This underlying distribution of future 
exposures should be used for one year at the bank prior to the bank 
being approved to use internal models for its risk-based capital 
calculation, but not necessarily to calculate EPE or Effective EPE.
    62. Banks should estimate the probability distribution of future 
exposures out to the longest remaining maturity of any contract with a 
counterparty, even though Effective EPE for risk-based capital purposes 
is calculated over one year. The exposures beyond one year must be 
monitored and controlled by the bank.
    63. The bank should exercise active management of both existing 
exposure and exposure that could change in the future due to market 
moves. The bank should measure, monitor, and control the exposure to a 
counterparty over the whole life of all contracts in the netting set, 
in addition to accurately measuring and actively monitoring the current 
exposure to counterparties.
Alternative Models for Counterparty Credit Risk
    64. Banks that opt to use the internal models method can choose to 
model EAD for some transactions using a model different than an alpha 
(of 1.4 or higher) times effective EPE. The bank must receive approval 
of its primary Federal supervisor in such cases, and must demonstrate 
to its supervisor that the alternative model is more conservative than 
effective EPE multiplied by an alpha of 1.4 for each counterparty. This 
demonstration is necessary to receive initial approval, and should be 
demonstrated to the primary Federal supervisor whenever circumstances 
change. For example, banks may already have a peak exposure model for 
some transactions that is more conservative than effective EPE 
multiplied by 1.4. Rather than develop an Effective EPE model, the bank 
may choose to continue to use the peak exposure model for these 
transactions for a period of time, while adopting an effective EPE 
model for other transactions. The bank would have to

[[Page 9141]]

demonstrate that it meets the qualification requirements to use an 
internal model for the peak exposure model and that the model results 
in a conservative EAD.
    65. Cases where a bank might opt to use a more conservative model 
than alpha times effective EPE include transactions for which the bank 
has legacy models, new business lines, and structured transactions that 
are not expected to comprise an ongoing business and the conservative 
model is less computationally intensive.
    66. Alternative models for counterparty credit risk should be 
applied to all similar transactions.
Own Estimates of Alpha
    67. The value of alpha for a bank using internal models of EPE is 
1.4 unless (i) the primary Federal supervisor raises the value of alpha 
in appropriate circumstances based on the bank's specific 
characteristics of counterparty credit risk or (ii) the bank meets the 
requirements outlined in the NPR and has supervisory approval to use 
its own estimate of alpha. A bank with sufficiently sophisticated 
models that can perform the necessary credit and market risk 
simulations and that has supervisory approval to do its own estimate of 
alpha may use the greater of that estimated alpha or 1.2.
    68. For banks that receive supervisory approval to model alpha,
    [GRAPHIC] [TIFF OMITTED] TN28FE07.008
    
Where:

ULCCR = the bank's own internal estimate of the 99.9 
percentile unexpected losses from CCR over a one-year time horizon, 
and
ULBII = the measure of unexpected losses from CCR using 
the Basel II risk-based capital requirement, but with the EAD 
component of that requirement calculated using an alpha set equal to 
1.0.

    69. The estimate of alpha is calculated as the ratio of the bank's 
internal measure of unexpected losses due to counterparty credit risk 
at a one-year 99.9 percent confidence level (numerator) to the estimate 
of losses using the internal model method in the NPR, but with alpha 
set equal to one (denominator). This ratio must be run at least 
quarterly, and evidence of the stability of this estimate over a 
quarter should be presented to the bank's primary Federal supervisor.
    70. The numerator is determined considering the PD, EAD, and LGD 
together to determine unexpected losses. A simulation, or other model, 
which considers the variation of PD and EAD together should be used to 
determine the distribution of counterparty credit losses. The estimate 
of unexpected losses at a one-year 99.9 percent confidence level should 
capture the correlation of a counterparty's PD with exposure, the 
effect of concentrated exposures, the proportion of a counterparty 
exposure that is accounted for by a market risk factor, and the 
correlation of exposures across counterparties.
    71. The bank should provide a description of the sources of model 
risk for the calculation of the numerator. The primary Federal 
supervisor will review the models to determine if the internally 
estimated alpha is acceptable, if any adjustment to the internally 
estimated alpha is necessary, or if the models used to estimate alpha 
need to be adjusted.
    72. If a bank uses a conservative internal model to determine EAD 
for some transactions, the primary Federal supervisor may require the 
bank to remove these transactions from both the numerator and 
denominator for the purposes of estimating alpha.
Counterparty Credit Risk Mitigation Using Credit Derivatives
    73. Under the internal models method, the reference instrument 
underlying a credit derivative that pays the bank on the default of a 
counterparty may be entered as a short exposure into a netting set of 
the counterparty that credit protection is purchased on. The reference 
instrument underlying the credit derivative should also be entered as a 
long exposure into the netting set of the seller of the credit 
protection. The purchase of a credit derivative on a counterparty 
exposure transfers the risk of the instrument referenced in the credit 
derivative contract from the counterparty to the seller of the credit 
derivative.
    74. Banks may apply the PD substitution approach, the LGD 
adjustment approach, or (if applicable) the double default treatment to 
a CCR exposure hedged by an eligible guarantee or eligible credit 
derivative.

VII. Defaulted Counterparties

    75. Operational or settlement errors do not necessarily trigger a 
default event for PD assignment purposes. However, if a credit-related 
charge-off occurs as the result of a counterparty's failure to perform 
on a financial contract, this would constitute a default event for 
risk-based capital purposes and the PDs for all exposures to that 
obligor should be adjusted to the value of one.

Chapter 10: Risk-Weighted Assets for Equity Exposures

Rule Requirements

    Part III, section 22(g): Equity exposures model. A bank must obtain 
the prior written approval of [AGENCY] under section 53 [of the NPR] to 
use the internal models approach for equity exposures.
    Part VI: Risk-Weighted Assets for Equity Exposures

I. Overview

    1. This chapter supplements the detailed discussion of equity 
exposures in the NPR. It describes supervisory guidance for determining 
risk-based capital requirements for equity exposures held in the 
banking book for banks subject to the Market Risk Rule and for all 
equity exposures for banks not subject to the Market Risk Rule.

II. Definition of Banking Book Equities

    2. Equity exposure means:
     A security or instrument (whether voting or non-voting) 
that represents a direct or indirect ownership interest in, and a 
residual claim on, the assets and income of a company, unless:
    --The issuing company is consolidated with the bank under Generally 
Accepted Accounting Principles (``GAAP'');
    --The bank is required to deduct the ownership interest from Tier 1 
or Tier 2 capital under the NPR;
    --The ownership interest is redeemable;
    --The ownership interest incorporates a payment or other similar 
obligation on the part of the issuing company (such as an obligation to 
pay periodic interest); or
    --The ownership interest is a securitization exposure.
     A security or instrument that is mandatorily convertible 
into a security or instrument described in the first bullet of this 
definition;
     An option or warrant that is exercisable for a security or 
instrument described in the first bullet of this definition; or
     Any other security or instrument (other than a 
securitization exposure) to the extent the return on the security or 
instrument is based on the performance of a security or instrument 
described in the first bullet of this definition.

III. Applying the Framework

    3. Under the proposed framework for equity exposures in the NPR, a 
bank would have the option to use either a simple risk-weight approach 
(``SRWA'') or an internal models approach (``IMA'') for equity 
exposures that are not

[[Page 9142]]

exposures to an investment fund. A bank would use a look-through 
approach for equity exposures to an investment fund. Under the SRWA, a 
bank would generally assign a 300 percent risk weight to publicly-
traded equity exposures and a 400 percent risk weight to non-publicly-
traded equity exposures. Certain equity exposures to sovereigns, 
multilateral institutions, and public sector enterprises would have a 
risk weight of 0 percent, 20 percent, or 100 percent. Also, community 
development equity exposures, as well as hedged equity exposures that 
meet specified conditions are risk weighted at 100 percent. Non-
significant equity exposures (i.e., exposures that aggregate to an 
amount that is less than or equal to 10 percent of the bank's Tier 1 
plus Tier 2 capital) are also risk weighted at 100 percent.
    4. The ``adjusted carrying value'' of an equity exposure is:
     For the on-balance sheet component of an equity exposure, 
the bank's carrying value of the exposure reduced by any unrealized 
gains on the exposure that are reflected in such carrying value but 
excluded from the bank's Tier 1 and Tier 2 capital; and
     For the off-balance sheet component of an equity exposure, 
the effective notional principal amount of the exposure, the size of 
which is equivalent to a hypothetical on-balance sheet position in the 
underlying equity instrument that would evidence the same change in 
fair value (measured in dollars) for a given small change in the price 
of the underlying equity instrument, minus the adjusted carrying value 
of the on-balance sheet component of the exposure as calculated in the 
previous bullet.
    5. Publicly-traded equity exposures can be hedged to reduce their 
risk-based capital requirement. However, private equities cannot be 
hedged to reduce their risk-based capital requirement.
    S 10-1 Banks must apply the same methodology to like instruments.
    6. A bank may apply (i) the SRWA to private equity exposures and 
the IMA to public equities, or (ii) the IMA to all equity exposures, or 
(iii) the SRWA to all equity exposures. As described further in the 
NPR, the IMA provides for the application of SRWA risk weights for 
those equity exposures that would qualify for a risk weight between 
zero and 100 percent.
    7. Equity exposures in investment funds must use one of three look-
through approaches (where the fund holdings are treated as if 
proportionally held directly by the bank) to determine risk-based 
capital requirements under this framework. The three approaches are:
     The full look-through approach;
     The simple modified look-through approach; or
     The alternative modified look-through approach.
    8. There is a risk-weighted asset floor of 7 percent of the 
adjusted carrying value of a bank's exposure to an investment fund. A 
zero percent risk weight can still be applied to a particular exposure 
class within an investment fund; the 7 percent floor applies to an 
investment fund, not its constituents.
    9. A bank may use the full look-through approach only if the bank 
is able to compute a risk-weighted asset amount for each of the 
exposures held by the investment fund (calculated under the proposed 
rule as if the exposures were held directly by the bank). Under this 
approach, a bank would set the risk-weighted asset amount of the bank's 
equity exposure to the investment fund equal to the greater of:
    (i) The product of
    (A) the aggregate risk-weighted asset amounts of the exposures held 
by the fund as if they were held directly by the bank and
    (B) the bank's proportional ownership share of the fund; and
    (ii) 7 percent of the adjusted carrying value of the bank's equity 
exposure to the investment fund.
    10. Under the simple modified look-through approach, a bank may set 
the risk-weighted asset amount for its equity exposure to an investment 
fund equal to the adjusted carrying value of the equity exposure 
multiplied by the highest risk weight in Table L of the NPR that 
applies to any exposure the fund is permitted to hold under its 
prospectus, partnership agreement, or similar contract that defines the 
fund's permissible investments. The bank may exclude derivative 
contracts that are used for hedging, not speculative purposes, and do 
not constitute a material portion of the fund's exposures. A bank may 
not assign an equity exposure to an investment fund to an aggregate 
risk weight of less than 7 percent under this approach.
    11. Under the alternative modified look-through approach, a bank 
may assign the adjusted carrying value of an equity exposure to an 
investment fund on a pro rata basis to different risk-weight categories 
in Table L of the NPR according to the investment limits in the fund's 
prospectus, partnership agreement, or similar contract that defines the 
fund's permissible investments. If the sum of the investment limits for 
all exposure classes within the fund exceeds 100 percent, the bank must 
assume that the fund invests to the maximum extent permitted under its 
investment limits in the exposure class with the highest risk weight 
under Table L, and continues to make investments in the order of the 
exposure class with the next highest risk-weight under Table L until 
the maximum total investment level is reached. If more than one 
exposure class applies to an exposure, the bank must use the highest 
applicable risk weight. A bank may exclude derivative contracts held by 
the fund that are used for hedging, not speculative, purposes and do 
not constitute a material portion of the fund's exposures. The overall 
risk weight assigned to an equity exposure to an investment fund under 
this approach may not be less than 7 percent.

IV. Using Internal Models for Equity Exposures

    S 10-2 If a bank chooses to use an internal model, it must produce 
reliable estimates of the potential loss in the bank's portfolio from 
equity holdings under stress market conditions.
    12. To qualify to use the IMA to calculate risk-based capital 
requirements for equity exposures, a bank must receive prior written 
approval from its primary Federal supervisor. To receive such approval, 
the bank must demonstrate to its primary Federal supervisor's 
satisfaction that the bank meets the following criteria:
     The bank must have a model that:
    --Assesses the potential decline in value of its modeled equity 
exposures;
    --Is commensurate with the size, complexity, and composition of the 
bank's modeled equity exposures; and
    --Adequately captures both general market risk and idiosyncratic 
risk.
     The bank's model must produce an estimate of potential 
losses for its modeled equity exposures that is no less than the 
estimate of potential losses produced by a VaR methodology employing a 
99.0 percent, one-tailed confidence interval of the distribution of 
quarterly returns for a benchmark portfolio of equity exposures 
comparable to the bank's modeled equity exposures using a long-term 
sample period.
     The number of risk factors and exposures in the sample and 
the data period used for quantification in the bank's model and 
benchmarking exercise must be sufficient to provide confidence in the 
accuracy and robustness of the bank's estimates.
     The bank's model and benchmarking process must incorporate

[[Page 9143]]

data that are relevant in representing the risk profile of the bank's 
modeled equity exposures, and must include data from at least one 
equity market cycle containing adverse market movements relevant to the 
risk profile of the bank's modeled equity exposures. If the bank's 
model uses a scenario methodology, the bank must demonstrate that the 
model produces a conservative estimate of potential losses on the 
bank's modeled equity exposures over a relevant long-term market cycle. 
If the bank employs risk factor models, the bank must demonstrate 
through empirical analysis the appropriateness of the risk factors 
used.
     Daily market prices must be available for all modeled 
equity exposures, either direct holdings or proxies.
     The bank must be able to demonstrate, using theoretical 
arguments and empirical evidence, that any proxies used in the modeling 
process are comparable to the bank's modeled equity exposures and that 
the bank has made appropriate adjustments for differences. The bank 
must derive any proxies for its modeled equity exposures and benchmark 
portfolio using historical market data that are relevant to the bank's 
modeled equity exposures and benchmark portfolio (or, where not, must 
use appropriately adjusted data), and such proxies must be robust 
estimates of the risk of the bank's modeled equity exposures.
    13. No one particular type of model is preferred or required. 
Appropriate internal models may include either traditional VaR models 
(e.g., historical simulation, variance/covariance, or Monte Carlo 
simulation) or scenario analysis ``stress tests.'' These models are 
subject to the validation framework outlined in Chapter 7 of this 
guidance.
    14. The use of either single or multi-factor models is permitted, 
provided that the factors are sufficient to capture all material risks 
of a bank's equity holdings. Risk factors should correspond to the 
appropriate equity market characteristics (e.g., public, private, large 
cap, small cap, industry sectors) in which the bank holds significant 
positions.

V. Quantification of Equity Exposures

A. Reference Data

    15. The data used to represent return distributions or depict 
stress scenarios should reflect as long a sample period for which data 
are available and meaningful in representing the risk profile of equity 
holdings. In the case of VaR models, the data used should be sufficient 
to provide statistically reliable and robust loss estimates and should 
include at least one equity market cycle containing adverse market 
movements relevant to the risk profile of the bank's specific holdings. 
In the case where the internal model uses a scenario or stress test 
methodology, the bank should demonstrate that the shock employed 
provides a conservative estimate of potential losses over a relevant 
long-term market or business cycle.
    16. In constructing VaR models estimating potential quarterly 
losses, banks should use quarterly data to the extent practicable. 
Where estimates based on shorter time periods are converted to a 
quarterly equivalent, the conversion should be made through the use of 
an analytically appropriate method supported by empirical evidence, and 
should be applied through a well-developed and well-documented thought 
process and analysis. In general, time horizon conversions should be 
applied conservatively and consistently over time. Furthermore, where 
only limited data are available or where technical limitations are such 
that estimates from any single method will be of uncertain quality, 
banks should add appropriate margins of conservatism.

B. External Data

    17. It is recognized that there are significant challenges 
associated with deriving market-based measures of risk for both 
privately-held and publicly-traded equities where objectively-
determined market prices may not be readily available. Accordingly, 
banks with significant equity holdings with these characteristics may 
need to use external data in modeling the risks associated with these 
holdings.
    18. Banks should be able to demonstrate that the external data 
adequately capture the risks of the underlying equity portfolio. 
Documentation should identify the relevant factors (e.g., business 
lines, balance sheet characteristics, geographic location, company age, 
industry sector and subsector, operating characteristics) used in 
mapping the external data to the bank's individual equity exposures.

C. Estimation

    19. Banks will have discretion to recognize and estimate empirical 
correlations, provided that the bank's system for measuring 
correlations is sound and empirically supported. When calculating 
correlations, consideration should be given to data consistency, 
relevant time period, and the volatility of correlations under stressed 
market conditions. The appropriateness of correlation assumptions and 
estimation techniques should be discussed in model documentation.
    20. Survivorship bias is a particularly important issue in cases 
where banks choose to use databases of actual returns of equity 
exposures. Internal data on private equity exposure returns may reflect 
only those private equity exposures that have experienced positive 
returns and were exited successfully (i.e., where a true market price 
has been revealed). In short, the returns on investments that have 
achieved success measure only the winners--as opposed to the entire 
population of relevant private equities (including those that failed). 
This imparts an upward bias on the ex-ante returns expected by banks. 
Accordingly, banks that choose to use actual return statistics for 
individual private equity exposures or private equity funds, whether 
provided by external vendors or internally generated databases, should 
fully understand how these statistics are computed and, where 
necessary, should make adjustments to account for any selection biases 
that may be present.

VI. Validation of Internal Models for Equity Exposures

    S 10-3 Banks must validate internal models used for equity 
exposures. 
    21. The developmental evidence provided for a VaR model should 
include a discussion of the results from a rigorous and comprehensive 
stress testing of the model and estimation procedure. This stress test 
should be applied to volatility computations and make use of either 
hypothetical or historical scenarios that reflect worst-case losses 
given underlying positions. Stress tests should provide information 
about the effect of tail events beyond the level of confidence assumed 
in the internal models approach.
    22. For purposes of evaluating the capital requirements produced by 
a bank's internal model methodology, banks should demonstrate that non-
VaR based internal models for equity exposures (e.g., a stress scenario 
analysis) provide risk estimates and capital requirements that are at 
least as conservative as those produced by a 99 percent VaR over one 
quarter for a benchmark portfolio. The benchmark portfolio should have 
sufficient data to calculate a one quarter 99 percent VaR. To 
demonstrate this, the bank should run their internal model on the 
benchmark portfolio and show that the internal model produces a capital 
amount for the benchmark portfolio that is at least as great as the one 
quarter 99 percent VaR for the benchmark portfolio. Banks that choose a 
scenario

[[Page 9144]]

analysis ``stress-test''-type model or some other form of non-VaR-based 
model do not have to run a VaR model in parallel, but banks should be 
able to compare their internal model to the VaR for the benchmark 
portfolio.
    23. For VaR models, model validation through backtesting must be 
conducted on a regular basis. Banks using such models should construct 
and maintain appropriate databases on the actual quarterly performance 
of their equity exposures, as well as on the estimates derived using 
their internal models. Banks should also backtest the volatility 
estimates used within their internal models and the appropriateness of 
any external data used in the model. Banks will have data available on 
different equity exposures at different frequencies. For example, price 
data for public equities may be available daily, and price data for 
private equities may be available on a monthly or quarterly basis. 
Banks can divide their equity portfolio into several smaller portfolios 
based on data availability and conduct backtesting on the smaller 
portfolios. When sufficient data are available, banks should employ 
statistical-based measures of the accuracy of their VaR models.

VII. Consistency Between Internal Models Used for Equity Exposures and 
Risk Management Processes

    S 10-4 Internal models used to calculate risk-based capital 
requirements for equity exposures must be consistent with models used 
in the bank's risk management processes and management information 
reporting systems.
    24. The internal model should be fully integrated into the bank's 
risk management infrastructure. It should, when appropriate, be used to 
establish equity price risk limits, to evaluate alternative 
investments, and to measure and assess equity portfolio performance 
(including the risk-adjusted performance). The bank should demonstrate 
the internal model's role in risk management (using investment 
committee minutes, for example).

Chapter 11: Securitizations

Rule Requirements

    Part III, Section 22(f): Securitization exposures. A bank must 
obtain the prior written approval of [AGENCY] under section 44 [of the 
NPR] to use the internal assessment approach for securitization 
exposures to ABCP programs.
Part V: Risk-Weighted Assets for Securitization Exposures

I. Overview

    1. This chapter supplements the detailed discussion of the 
framework for securitization exposures in the NPR. It describes the 
concepts, eligibility criteria, and mechanics associated with applying 
each of the three allowed approaches--the ratings-based approach 
(``RBA''), the internal assessment approach (``IAA''), and the 
supervisory formula approach (``SFA''). It also discusses related 
topics, such as risk transference, implicit support, early amortization 
provisions, and control and validation. This guidance applies to a bank 
regardless of its role in the securitization--investor or originator.
    S 11-1 Banks must use the securitization framework for any 
exposures that involve the tranching of credit risk (with the exception 
of a tranched guarantee that applies only to an individual retail 
exposure).
    2. The securitization framework relies principally on one of two 
sources of information, where available: (1) An assessment of the 
securitization exposure's external credit risk ratings or (2) the IRB 
risk-based capital requirement and expected loss of the underlying 
exposures as if the exposures had not been securitized. See section 2 
of the NPR for the definition of a securitization exposure.
    3. To determine risk-weighted assets for securitization exposures, 
a bank must: (1) Identify all securitization exposures subject to the 
framework, (2) assign each exposure to an approach according to the 
specified hierarchy, and (3) calculate risk-weighted assets (or 
required deductions from capital) according to the requirements for the 
applicable approach.
    S 11-2 Banks should develop written implementation policies and 
procedures describing the allowed approaches, methods of application, 
and designated responsibilities for complying with the securitization 
framework.
    4. In addition to the IRB requirements, originating banks should 
maintain specific securitization policies and procedures including the 
appropriate accounting treatment for the securitization exposure (FASB 
140, FIN 46R), pooling and servicing agreements for each securitization 
exposure (to assess compliance with risk transference and recourse 
requirements, waterfall structure, trigger requirements for early 
amortization structures), and contractual arrangements related to risk 
mitigation of the securitization exposure (net interest margin 
transactions, mitigating residual interest exposure).
    5. Certain basic risk management practices are also important to 
the framework's implementation. The central component is a full written 
description, or implementation guide, detailing each step in the 
process. The guide should include all key processes, such as methods of 
identifying exposures, selecting approaches, documenting approvals and 
data elements, and establishing responsibility for oversight and 
quality control. The remainder of this chapter expands on how to apply 
the various approaches, as well as supervisory guidance regarding 
eligibility and sound risk management practices.

II. Scope of Application

    6. Tranching of credit risk is the structuring of cash flows and 
credit exposure so that an investor's share of the credit losses differ 
from its pro rata interest in the underlying exposures. Another 
characteristic of a securitization exposure is that payments to the 
various parties depend on performance of the underlying exposures, as 
opposed to an obligation of the entity originating those exposures.
    7. Examples of securitization exposures include asset-backed 
securities, mortgage-backed securities (including those issued by 
Fannie Mae and Freddie Mac),\24\ stripped mortgage-backed securities, 
credit enhancements and liquidity facilities to asset-backed commercial 
paper (``ABCP'') programs, collateralized debt obligations (``CDO''), 
loan participation agreements that include a tranching of payments such 
as last-in and first-out, guarantees and credit derivatives that 
provide tranched (i.e., non-proportional) credit protection against a 
pool of credit exposures, reserve accounts, and other retained residual 
interests.
---------------------------------------------------------------------------

    \24\ Fannie Mae and Freddie Mac mortgage-backed pass-through 
securities are to be treated as securitization transactions even 
though the risk of the securitized mortgage pool has not been 
tranched among investors.
---------------------------------------------------------------------------

    8. Since securitization transactions may be structured in a variety 
of ways, the economic substance of the transaction rather than its 
legal form should guide both the designation of exposures and the 
calculation of risk-based capital requirements.

III. General Principles of the Securitization Framework

A. Risk Transference

    S 11-3 Securitization transactions must transfer credit risk to at 
least one

[[Page 9145]]

third party to qualify for treatment under the securitization 
framework.
    9. Securitization exposures must meet all of the risk transference 
requirements imposed by Generally Accepted Accounting Principles 
(``GAAP'') and regulatory requirements. In this regard, banks should 
continue to use published supervisory guidance related to risk 
transference, recourse, and other activities that constitute implicit 
recourse.
    10. For an exposure to qualify for treatment under the 
securitization framework, the transaction must meet the requirements 
outlined in Statement of Financial Accounting Standards No. 140 and 
must transfer credit risk from the originator of the underlying 
exposures to at least one third party. In synthetic securitizations, 
credit risk mitigants are often used to transfer the credit risk of the 
underlying exposures, which generally remain on the bank's balance 
sheet. In order to exclude the underlying exposures from risk-based 
capital requirements, banks must comply with the operational 
requirements for recognition of credit risk mitigants in synthetic 
securitizations set forth in section 41 of the NPR. When the 
transaction does not qualify for GAAP sales treatment, does not satisfy 
the risk transference requirement, contains an ineligible clean-up 
call, or the bank has tainted the transaction by providing implicit 
support to the transaction,\25\ the bank must include the underlying 
exposures in the calculation of risk-based capital requirements as if 
the securitization transaction did not occur. For example, transactions 
reported as GAAP sales that do not transfer credit risk to third 
parties, such as transfers of assets subject to credit-enhancing 
representations and warranties, require the bank to include the 
underlying exposures in the calculation of risk-based capital as if the 
transfer had not occurred.
---------------------------------------------------------------------------

    \25\ In addition, as discussed in the NPR, if a bank provides 
implicit support to any securitization, the bank's primary Federal 
supervisor may require the bank to hold risk-based capital against 
the underlying exposures of some or all of the bank's other 
securitizations.
---------------------------------------------------------------------------

B. Implicit Support

    S 11-4 Banks that provide implicit support to securitization 
transactions must hold risk-based capital as if the underlying assets 
had not been securitized, and must deduct from Tier 1 capital any 
after-tax gain-on-sale resulting from the securitization.
    11. Implicit support is credit support provided by a bank in excess 
of its contractual obligation under the original terms of the 
transaction. The issuer provides such support often to maintain access 
to funding and/or to protect its reputation in the market. Providing 
implicit support violates the risk transference principles inherent in 
a securitization transaction and, for risk-based capital purposes, 
requires that the bank treat the underlying securitized assets as if 
the securitization transaction had not occurred.\26\ For example, banks 
are considered to have provided implicit support when they either:
---------------------------------------------------------------------------

    \26\ A bank that provides implicit support is also subject to 
related disclosure requirements in section 42(h) of the NPR.
---------------------------------------------------------------------------

     Sell assets to a securitization trust or other special-
purpose entity (SPE) at a discount from the price specified in the 
securitization documents (typically par value);
     Purchase assets from a securitization trust or other SPE 
at an amount greater than fair value;
     Exchange performing assets for nonperforming assets; or
     Provide credit enhancements beyond contractual 
requirements.
    12. Policies governing securitization activities should explicitly 
refer to the issue of implicit support, and include criteria for 
identifying and reporting instances of implicit support. An independent 
risk management or review group should systematically monitor 
securitization transactions to identify actions that constitute implied 
support and ensure appropriate regulatory capital treatment is applied.

C. Servicer Cash Advances

    13. The risk-based capital requirement for servicer cash advances 
generally will be calculated using either the RBA or SFA. The RBA can 
be used if the bank can assign an inferred rating to the servicer cash 
advance based upon a rated subordinated tranche. If the RBA is not 
available, and the bank can compute the risk parameter estimates for 
the SFA, the bank can apply the SFA.
    14. A bank is not required to hold risk-based capital against the 
undrawn portion of an eligible servicer cash advance facility. An 
eligible servicer cash advance is a servicer cash advance facility in 
which:
     The servicer is entitled to full reimbursement of advances 
(except that a servicer may be obligated to make non-reimbursable 
advances if any such advance with respect to any underlying exposure is 
limited to an insignificant amount of the outstanding principal balance 
of the underlying exposure);
     The servicer's right to reimbursement is senior in right 
of payment to all other claims on the cash flows from the underlying 
exposures of the securitization; and
     The servicer has no legal obligation to, and does not, 
make advances to the securitization if the servicer concludes that the 
advances are unlikely to be repaid. The advance is made only after 
expected repayment is supported by a credit assessment that is 
consistent with prudent lending standards.
    15. If these conditions are not satisfied, a bank that provides a 
servicer cash advance facility must determine its risk-based capital 
requirement for the undrawn portion of the facility in the same manner 
as the bank would determine its risk-based capital requirement for any 
other undrawn securitization exposure.

D. Clean-Up Calls

    16. A clean-up call is a contractual provision that permits a bank 
to call securitization exposures before their stated maturity date. In 
a traditional securitization, a clean-up call is generally accomplished 
by repurchasing the remaining securitization exposures once the amount 
of underlying exposures or outstanding securitization exposures fall 
below a specified level and it becomes uneconomical to maintain the 
transaction. In the case of a synthetic securitization, the clean-up 
call may take the form of a clause that extinguishes the credit 
protection once the amount of underlying exposures has fallen below a 
specified level. An originating bank may exclude securitized exposures 
from its risk-weighted assets calculated in connection with a 
securitization that has a clean-up call only if the clean-up call is an 
eligible clean-up call as defined in the NPR. The following are 
required criteria for an eligible clean-up call:
     The exercise of the clean-up call is solely at the 
discretion of the servicer;
     The clean-up call is not structured to avoid allocating 
losses to securitization positions held by investors, or otherwise 
structured to provide credit enhancements to the securitization; and
     The clean-up call is only exercisable for traditional 
securitizations when 10 percent or less of the principal amount of 
underlying exposures or securitization exposures are outstanding, or 
for synthetic securitization transactions, when 10 percent or less of 
the principal amount of the original reference portfolio is 
outstanding.
    S 11-5 A clean-up call constitutes implicit support if, in 
exercising the call, the bank provides support in

[[Page 9146]]

excess of its contractual obligation to provide support to the 
securitization.
    17. The ultimate determination of whether the exercise of a clean-
up call constitutes implicit support depends on the facts. If the bank 
affects a clean-up call on terms that differ from contractual 
provisions, the following actions will point to a finding of implicit 
support:
     Exercising a clean-up call that serves as the functional 
equivalent of a credit enhancement; or
     Purchasing assets from a trust or other SPE at an amount 
greater than fair value.

E. Maximum Capital Requirements for Securitization Exposures

    S 11-6 The maximum risk-based capital requirement for all 
securitization exposures held by a bank associated with a single 
securitization transaction is the amount of risk-based capital plus 
expected losses that would have been required had the underlying 
exposures not been securitized.
    18. Unless one or more of the underlying exposures does not meet 
the definition of a wholesale, retail, securitization, or equity 
exposure, the total risk-based capital requirement for all 
securitization exposures held by a single bank associated with a single 
securitization--including any risk-based capital requirement that 
relates to an early amortization provision, but excluding any capital 
requirements that relate to the bank's gain-on-sale or CEIOs (and any 
accrued interest receivables (``AIR'') that meet the definition of a 
CEIO) associated with the securitization--cannot exceed the sum of (i) 
the bank's total risk-based capital requirement for the underlying 
exposures as if the bank directly held the underlying exposures; and 
(ii) the bank's total expected credit loss for the underlying 
exposures.
    19. If a bank has multiple securitization exposures to an ABCP 
program that provide overlapping coverage of the underlying exposures, 
such as when a bank provides a program-wide credit enhancement and 
multiple pool-specific liquidity facilities, the bank is not required 
to hold duplicative risk-based capital against the overlapping 
position. Instead, the bank may limit its capital requirement for the 
overlapping positions to the single applicable treatment that results 
in the highest capital requirement. However, if different banks have 
overlapping exposures to an ABCP program, each bank must hold capital 
against the entire amount of its exposure.
    20. When a bank sponsors an ABCP program and is required to 
consolidate the program as a variable interest entity under GAAP solely 
because it qualifies as a primary beneficiary, it may exclude the 
consolidated ABCP program assets from risk-weighted assets. However, 
the decision to exclude the consolidated program from risk-weighted 
assets does not exempt the bank from holding risk-based capital against 
any exposures to that program in accordance with the overall 
securitization framework.

IV. Hierarchy of Approaches

    S 11-7 Banks must follow the specified hierarchy of approaches to 
determine risk-weighted asset amounts for all securitization exposures.
    21. The first step in determining the risk-weighted asset amount 
for a securitization exposure for either an investing or originating 
bank is to deduct entirely from Tier 1 capital all increases in capital 
due to after tax gain-on-sale income from the transaction. In addition, 
any CEIOs, including any AIRs that meet the definition of a CEIO, must 
be deducted 50 percent from Tier 1 capital and 50 percent from Tier 2 
capital.\27\ If the amount deductible from Tier 2 capital exceeds the 
amount of actual Tier 2 capital, the excess must be deducted from Tier 
1 capital.
---------------------------------------------------------------------------

    \27\ For specific guidance on the treatment of AIRs see the 
Interagency Advisory on the Regulatory Capital Treatment of Accrued 
Interest Receivable Related to Credit Card Securitizations, dated 
May 17, 2002, and the Interagency Advisory on the Accounting 
Treatment of Accrued Interest Receivable Related to Credit Card 
Securitizations, dated December 4, 2002.
---------------------------------------------------------------------------

    22. Next, the bank applies one of the three approaches for 
determining risk-weighted assets: The RBA, the IAA, or the SFA. The RBA 
and the IAA calculate risk-weighted assets using supervisory tables 
based on external or inferred ratings. Subject to specific conditions, 
the SFA may be used for securitization exposures when the IAA or RBA is 
not available. Securitization exposures that do not qualify for one of 
these three approaches are deducted from regulatory capital.
    23. Banks must apply the three approaches according to the 
following hierarchy:
    1. RBA--If the securitization exposure is not required to be 
deducted and qualifies for the RBA, the bank must apply the RBA.\28\ In 
general, an originating bank qualifies to use the RBA if its retained 
securitization exposure has at least two external ratings or an 
inferred rating based on at least two external ratings, while an 
investing bank qualifies to use the RBA if its securitization exposure 
has one or more external or inferred ratings.
---------------------------------------------------------------------------

    \28\ Regardless of any other provision, the risk weight for a 
non-credit enhancing interest-only residential mortgage backed 
security (e.g., FNMA IO Strip), may not be less than 100 percent.
---------------------------------------------------------------------------

    2. IAA or SFA--If a securitization exposure is not required to be 
deducted, does not qualify for the RBA, and is an exposure to an ABCP 
program, the bank may apply either the IAA or the SFA. However, the 
bank must consistently use either the IAA or the SFA when this type of 
exposure would be eligible for both approaches.
    3. SFA--If the securitization exposure is not required to be 
deducted, does not qualify for the RBA, and is not an exposure to an 
ABCP program, the bank may apply the SFA if it is able to calculate, on 
an ongoing basis, the SFA risk parameters.
    24. When a securitization exposure does not qualify for the RBA, 
IAA, or SFA, a bank is required to deduct the exposure 50 percent from 
Tier 1 capital and 50 percent from Tier 2 capital. If the amount 
deductible from Tier 2 capital exceeds the bank's actual Tier 2 
capital, however, the bank must deduct the shortfall amount from Tier 1 
capital.
    25. The following diagram illustrates the hierarchy for the 
treatment of a securitization exposure for either an investing or 
originating bank:

[[Page 9147]]

[GRAPHIC] [TIFF OMITTED] TN28FE07.009

V. IRB Approaches for Securitization Exposures

A. Ratings-Based Approach

    26. Banks may use the RBA to determine the appropriate risk weight 
for a securitization exposure if the exposure is externally rated, or 
for a non-rated exposure for which a rating can be inferred. The 
appropriate risk weight is multiplied by the securitization exposure 
amount to arrive at the appropriate risk-weighted asset amount.
    S 11-8 In order to use the RBA, the securitization exposure must be 
externally rated by an NRSRO, or be eligible for an inferred rating.
    27. For a bank to utilize the RBA, the securitization exposure must 
be rated by an NRSRO as defined in the NPR.
    28. A rating may be inferred if the subject securitization exposure 
is senior to another securitization exposure in the transaction (that 
is backed by the same underlying obligations and is issued by the same 
issuer) that has an external rating from an NRSRO. The applicable 
rating to be applied for an inferred rating is the current rating of 
the subordinate rated tranche. Inferred ratings should be updated at 
least annually, or more frequently when warranted, so that any changes 
in the external rating or characteristics of the rated exposure are 
reflected in a timely manner. An inferred rating cannot be derived from 
a proxy securitization exposure (e.g., a similarly structured but 
separate securitization exposure).
    S 11-9 The securitization transaction must have an external rating 
assigned by an NRSRO that fully reflects the credit risk associated 
with timely repayment of principal and interest.
    29. When a securitization exposure is structured, the originating 
bank can elect to have the securitization transaction placed in the 
NRSRO's monitoring/surveillance program that requires a periodic review 
of the financial performance of the underlying exposures. By placing 
the securitization exposure in the NRSRO monitoring program, the 
integrity of the credit rating is maintained for the life of the 
securitization exposure, and thereby ensures that the credit rating 
fully reflects the entire amount of credit risk

[[Page 9148]]

with regard to all payments owed to the holder of the exposure. 
Securitization exposures receiving a rating only at origination are not 
eligible for the RBA. The external rating must take into account and 
reflect the entire amount of credit risk exposure the bank has with 
regard to all payments owed to it. If the bank is owed both principal 
and interest, the rating must fully reflect the credit risk associated 
with timely repayment of both. With certain securitization exposures, 
such as combination bonds, which generally are combinations of a 
subordinated, unrated securitization exposure and a highly rated 
principal-only strip, the principal component of the bond often 
receives a higher rating than the interest component. A rating 
structure such as this does not qualify as a full credit exposure 
rating, and therefore the RBA is not available. In the event that a 
rating does not capture the full credit exposure, the bank may use the 
SFA if applicable, or deduct.
    30. When a bank has used the RBA (or IAA) to calculate its risk-
based capital requirement for a securitization exposure whose external 
or inferred rating (or IAA rating) reflects the credit enhancement of a 
credit risk mitigation (``CRM'') technique, a bank may not obtain 
additional risk-based capital recognition of the CRM technique through 
the securitization CRM rules in section 46 of the NPR.
    31. When a credit risk mitigant is not obtained by the SPE but 
rather is obtained by a bank separately to protect itself against 
losses on a specific securitization exposure (e.g., ABS tranche), the 
bank may use the applicable securitization CRM treatment to recognize 
the hedge as outlined in section 46 of the NPR.
    S 11-10 Banks should document the factors that support their use of 
the RBA.
    32. Factors the bank should document include the identification of 
the NRSROs, type of underlying exposures (e.g., wholesale, retail), 
seniority of the securitization exposure, pool granularity, and 
placement of reference tranches in the waterfall for inferred ratings.
    33. Senior securitization exposures supported by granular pools 
receive special treatment under the RBA. Only one tranche may be 
considered ``senior'' for each transaction. In a traditional 
securitization where all tranches above the first-loss piece are rated, 
the most highly rated position would be treated as the senior tranche. 
However, when several tranches share the same rating, only the most 
senior tranche in the cash waterfall, according to security provisions 
in the indenture, would be treated as the senior position. In a 
synthetic securitization, a super-senior tranche would be treated as 
the senior tranche. Eligible servicer cash advances are not considered 
in the seniority assignment for the RBA.
    34. Pool granularity refers to the number of different underlying 
exposures. The RBA considers the impact of pool granularity on credit 
risk by assigning higher risk-weight percentages to non-granular pools. 
Securitizations of retail exposures contain a significant number of 
underlying exposures and will be considered granular for risk-weighting 
purposes.

B. Internal Assessment Approach

Overview
    35. A bank's exposures to ABCP conduit programs (i.e., liquidity 
facilities and credit enhancements) are considered securitization 
exposures for which the bank must hold risk-based capital. Where ABCP 
exposures qualify for the RBA approach, the RBA must be used to 
calculate risk-weighted assets. However, exposures such as ABCP 
liquidity facilities and credit enhancements are generally unrated. 
Subject to qualification standards, a bank may use either the IAA or 
the SFA; however, one approach must be used consistently for all the 
bank's exposures to ABCP programs.
    36. To qualify for the use of the IAA, a bank must at a minimum 
demonstrate that its ABCP program meets specific operational 
requirements set forth in the NPR. A bank may apply the IAA to 
exposures related to ABCP programs and to exposures to programs that 
are similarly structured, which could include structured investment 
vehicles, tender option bonds, and variable note programs, as long as 
they meet the NPR's definition of an ABCP program. The bank must 
demonstrate that it has met the qualification standards for each asset 
class for which it has exposure.
    37. The IAA requires a bank to use an internal credit assessment 
(``ICA'') framework that maps or corresponds directly to NRSRO rating 
criteria for a similar asset class. For example, if the pool of assets 
consists of credit card receivables, the bank's credit assessment for a 
liquidity facility or credit enhancement extended to the pool should be 
based on the NRSRO's rating criteria for credit card receivables. In 
order to use the IAA, the bank's ICA process should at a minimum (a) 
identify reliable historical loss rates on the underlying exposures, 
(b) map internal ratings to specific ratings of the NRSRO, as well as 
validate the mapping process to ensure its integrity and accuracy, and 
(c) document the criteria used to arrive at the ICA rating. See section 
44(a)(1) of the NPR for a complete list of the criteria a bank's ICA 
process must meet in order for the bank to obtain approval from its 
supervisor to use the IAA.
    38. After assigning an internal rating based on the appropriate ICA 
framework, the bank calculates risk-weighted assets by applying the 
applicable risk weights from the RBA tables to the amounts of the ABCP 
program exposures. Consistent with the RBA, the applicable risk-weight 
assignment requires three additional inputs--the seniority of the 
exposure, an assessment of pool granularity, and whether the ICA is a 
long- or short-term rating. Pool granularity is based on the number of 
underlying exposures, with exposures to a single obligor aggregated. 
ABCP liquidity facilities would be considered senior exposures provided 
they meet the definition of a senior securitization exposure in the 
NPR.
    39. For example, the ICA for a $10 million (maximum contractual 
value) liquidity facility has an ICA that is equivalent to a long-term 
external rating of ``AA.'' Using the RBA tables, a risk weight of 8 
percent is applicable, resulting in risk-weighted assets of $800,000 
provided (1) the position is senior exposure, (2) the pool is granular, 
and (3) there is a long-term rating (e.g., ``AA''). If it is determined 
that the pool is non-granular, the risk weight is 25 percent, or risk-
weighted assets of $2.5 million.
    40. The IAA's reliance on an NRSRO's rating methodology and ratings 
criteria for the applicable asset class does not reduce the level of 
analysis, review, and due diligence that the bank should conduct as 
part of the initial purchase decision, and regularly thereafter.
    41. The systems and processes used by the bank for risk-based 
capital purposes must be consistent with the bank's internal risk 
management processes and management information reporting systems. For 
example, the conduit's ICA ratings process should be linked to the 
required seller-provided credit enhancement levels, establishment of 
transaction dynamic trigger levels, tracking of individual obligor 
exposure levels, and establishment of concentration levels. Also, the 
risk management systems should capture the market (interest rate 
mismatch), liquidity (commercial paper maturity laddering, extendable 
funding products) and operational (integration of servicer and investor 
reporting) risks associated with the conduit activities.

[[Page 9149]]

VI. Internal Credit Assessment Process in the IAA

    S 11-11 Banks' internal credit assessment processes should be 
comprehensive, transparent, independent, well-defined, and fully 
documented.
    42. The ICA process should address the full range of activities, 
including pre-purchase analysis of the proposed transaction, 
verification of the seller's representation of the assets' risk 
characteristics, the assignment of internal credit assessments, and on-
going validation to ensure the integrity of the process and rating 
accuracy.
    43. The bank must have an effective system of controls and 
oversight that ensures compliance with these operational requirements 
and maintains the integrity and accuracy of the internal credit 
assessments. The bank must have an internal audit function independent 
from the ABCP program business line and internal credit assessment 
process that assesses at least annually whether the controls over the 
internal credit assessment process function as intended.
    44. Banks should be able to demonstrate that these assessments 
accurately capture and quantify the risk inherent in these exposures. 
To facilitate transparency, banks should have (1) approved policies and 
procedures, (2) a written and detailed summary of the processes, 
including the roles and responsibilities of relevant parties, and (3) 
management information reports on items such as pool status, usage of 
liquidity and/or credit enhancement facilities, and other risk 
management issues (e.g. level of losses relative to seller-provided 
credit protection or proximity to termination events).
    45. The bank should clearly document its processes for determining 
the required level of seller-provided credit enhancement, including the 
level of historical losses and the NRSRO's stress factor used to 
establish equivalency to a specific external rating. The bank should be 
able to demonstrate that the pool's loss estimate is empirically based, 
credible, and predictive of expected losses. Historical and current 
information on delinquencies, charge-offs, recoveries, dilution,\29\ 
and obligor and geographic concentrations should be maintained to 
support these estimates.
---------------------------------------------------------------------------

    \29\ Dilution is the reduction of the asset receivable due to 
customer returns of sold goods, warranty claims, disputes between 
the seller and its customers, and other factors. Sellers are 
generally required to establish a reserve to cover a multiple of 
historical dilution. The adequacy of the dilution reserve is 
reviewed at the inception of the transaction and may or may not be 
incorporated in the seller-provided credit enhancement for the pool 
of assets sold to the conduit.
---------------------------------------------------------------------------

    46. The time horizon for historical losses should be consistent 
with the number of years used in the NRSRO's external rating criteria. 
For instance, with respect to the performance of a pool that is 
comprised of trade receivables, the program administrator should use at 
least three years of loss data when determining the required level of 
credit enhancement.
    47. When adjustments are made to an internal credit assessment that 
are based on factors not included in the NRSRO's rating criteria, 
written rationale and support should be available. In addition, the 
bank should be able to provide evidence that the adjustments were 
subject to an appropriate approval process.
    48. When reviewing the seller's risk profile, the sponsoring bank 
(or program administrator) should analyze both the credit risks of the 
underlying assets and the seller's risk profile. The transaction 
summary provided by the seller should include information on the 
default risk of the underlying assets, including historical loss 
characteristics, concentrations, delinquencies, and payment history. In 
addition, the bank should assess the quality of the seller's 
underwriting practices as an indicator of the future performance of the 
underlying assets.
    49. The assessment of the seller's risk profile should include past 
and expected financial performance and condition (e.g., leverage, cash 
flow, and interest coverage), the seller's current market position, 
expected future competitiveness, and debt rating.
    50. Credit and investment policies should include the following: 
Well-defined underwriting standards for purchased assets; the minimum 
requirements for a seller's credit quality; limits on transaction size; 
limits on concentrations for obligors, asset types, or geographic 
exposure; required structural features; procedures for monitoring and 
reporting pool performance; and required levels of liquidity and credit 
support.
    51. The bank should maintain a transaction summary to support each 
ABCP program exposure. The summary should include the following: The 
structure of the pool transaction; the type and details of the bank's 
support for the program or pool; a profile of the seller (asset 
originator); the criteria used to determine the eligibility of assets; 
the risk characteristics of the purchased assets (e.g., credit quality 
and tenor); dilution risk; statistics on the historical performance of 
the underlying assets and other similar asset pools; and termination 
events.\30\
---------------------------------------------------------------------------

    \30\ Termination events, also referred to as ``dynamic'' or 
wind-down triggers, are used to mitigate the occurrence of losses 
due to a deteriorating asset pool or an event that may hinder the 
conduit's ability to repay maturing commercial paper. Pool-specific 
triggers include the insolvency or bankruptcy of the seller/servicer 
of assets, a downgrade of the seller's credit rating below a certain 
rating grade, or the deterioration of the asset pool to the point 
where charge-offs, delinquencies, or dilution reaches predetermined 
levels. Program-wide triggers include the conduit's failure to repay 
maturing commercial paper or draws on the program-wide credit 
enhancement that exceed a certain amount.
---------------------------------------------------------------------------

    52. When the liquidity facility and either transaction specific or 
program-wide credit enhancement overlap, banks are required to hold 
capital only once for any overlap. However, banks must allocate the 
program-wide credit enhancement overlap across pools that results in 
the highest risk-based capital requirement. For example, assume an ABCP 
program is made up of a pool of credit card receivables, a pool of loan 
receivables, and a pool of trade receivables. The bank has issued 
liquidity facilities for $400,000 for each pool and a $120,000 program-
wide credit enhancement facility. The liquidity facilities for the 
credit card and loan pools are internally-rated as ``AAA,'' with the 
trade receivables' pool rated as ``A+.'' The credit enhancement is 
rated ``A.'' The appropriate risk-based capital charge for the 
liquidity facility and credit enhancement is detailed in the table 
below.

Pool Summary

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                             Purchase          Pool          LF                                    Internal
            Conduit funding               authorization      balance      coverage           LF  tenor            credit ass.       NRSRO  equivalent
--------------------------------------------------------------------------------------------------------------------------------------------------------
Credit Card...........................           $400,000           $0     $400,000  366 day..................               2  ``AAA''
Account Rec...........................            400,000      250,000      400,000  366 day..................               2  ``AAA''
Trade Rec.............................            400,000      300,000      400,000  366 day..................               3  ``A+''
                                       -----------------------------------------------------------------------------------------------------------------

[[Page 9150]]

 
    Total.............................          1,200,000      550,000    1,200,000
Credit Enhancement....................            120,000  ...........  ...........  .........................               4  ``A''
--------------------------------------------------------------------------------------------------------------------------------------------------------

Overlap and Risk-Weighted Assets

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              LF exposure                           CE exposure
                                                             amount net of                         amount net of
                                                                overlap             LF RWA            overlap             CE RWA           Total RWA
                                                               adjustment                            adjustment
--------------------------------------------------------------------------------------------------------------------------------------------------------
Credit Card..............................................                 $0                 $0           $120,000            $24,000            $24,000
Account Rec..............................................          * 250,000          ** 17,500                  0                  0             17,500
Trade Rec................................................            300,000             30,000                  0                  0             30,000
                                                          ----------------------------------------------------------------------------------------------
    Total Risk-Weighted Assets...........................  .................            $47,500  .................            $24,000           $71,500
--------------------------------------------------------------------------------------------------------------------------------------------------------
* $250,000 - 0 = $250,000.
** (LF - CE Overlap) x RWA% for respective NRSRO equivalent rating ($250,000 x 7% = $17,500).

    53. Using the same underlying exposures as in the above example, 
the bank has issued liquidity facilities for $400,000 for each pool and 
a $120,000 credit enhancement facility. However, the credit enhancement 
in this example is transaction specific, allocated at $40,000 per 
transaction. The liquidity facilities for the credit card and loan 
pools are internally-rated as ``AAA,'' with the trade receivables'' 
pool rated as ``A+.'' The credit enhancement is rated ``A.'' The 
appropriate risk-based capital charge for the liquidity facility and 
credit enhancement is detailed in the table below.

Pool Summary

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                             Purchase          Pool          LF                                    Internal
            Conduit funding               authorization      balance      coverage           LF  tenor            credit ass.       NRSRO  equivalent
--------------------------------------------------------------------------------------------------------------------------------------------------------
Credit Card...........................           $400,000           $0     $400,000  366 day..................               2  ``AAA''
Account Rec...........................            400,000      250,000      400,000  366 day..................               2  ``AAA''
Trade Rec.............................            400,000      300,000      400,000  366 day..................               3  ``A+''
                                       -----------------------------------------------------------------------------------------------------------------
    Total.............................          1,200,000      550,000    1,200,000
Credit Enhancement....................            120,000  ...........  ...........  .........................               4  ``A''
--------------------------------------------------------------------------------------------------------------------------------------------------------

Overlap and Risk-Weighted Assets

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              LF exposure
                                                             amount net of                          CE exposure
                                                                overlap             LF RWA       amount of overlap        CE RWA           Total RWA
                                                               adjustment                            adjustment
--------------------------------------------------------------------------------------------------------------------------------------------------------
Credit Card..............................................                 $0                 $0            $40,000             $8,000             $8,000
Account Rec..............................................          * 210,000          ** 14,700             40,000          *** 8,000             22,700
Trade Rec................................................            260,000             26,000             40,000              8,000             34,000
                                                          ----------------------------------------------------------------------------------------------
    Total Risk-Weighted Assets...........................  .................            $40,700  .................            $24,000           $64,700
--------------------------------------------------------------------------------------------------------------------------------------------------------
* $250,000 - 40,000 = $210,000.
** (LF - CE Overlap) x RWA% for respective NRSRO equivalent rating ($210,000 x 7% = $14,700).
*** CE x RWA% for respective NRSRO equivalent rating ($40,000 x 20% = $8,000).

    S 11-12 Banks should analyze the servicer's capabilities and 
document the analysis in the internal assessment.
    54. The analysis should consider the servicer's data systems, data 
capabilities (or consider the capabilities of the servicer's data 
systems), excess capacity, collections processes, reliance on vendors 
or other service bureaus, and backup servicing arrangements. A separate 
rating for the servicer may also be assigned, and should consider the 
servicer's financial position, operating capabilities, historical pool 
performance, and other criteria such as a publicly available NRSRO 
servicer rating report.

VII. Validation of IAA

    S 11-13 The bank must validate its ICA process on an ongoing basis 
and at least annually the ICA process and results must be subject to 
the full range of the bank's IRB validation activities.
    55. The bank should review the relationship between the credit 
assessment process and the NRSRO's current rating criteria to ensure 
that internal credit assessments are appropriately aligned to external 
ratings and reflect the NRSRO's rating criteria.
    56. The robustness of the validation process should be consistent 
with the complexity and volume of the bank's activities. Validation 
should consider the relevance and appropriateness of the NRSRO rating 
methodologies to the purchased assets, the integrity of the mapping 
process and its application to the bank's ABCP program exposures, and 
the quality of the bank's risk

[[Page 9151]]

management and internal controls in this business line.
    57. Developmental evidence is particularly relevant to the IAA. A 
bank should be able to provide evidence to support the integrity of its 
ICA process. Written documentation should include, but is not limited 
to: (1) How the process is consistent with the NRSRO's rating criteria 
to which the bank is mapping assessments, (2) the process for verifying 
the seller's estimates of historical loss for the purchased assets, and 
(3) the methodology used to assess the risk characteristics of the 
asset seller, the servicer, and program administrator (when not the 
bank). The bank should be able to support that its process is complete 
and that its ICAs are accurate based on their design and 
implementation.
    58. Process verification should focus on whether the policies and 
procedures are sufficiently detailed to support transparency and 
replication of the assessments, as well as the extent to which the 
process operates as designed. The process review should include (1) 
quantifying risk across the spectrum of the bank's exposures, and (2) 
evaluating the completeness, accuracy, and applicability of the data 
that supports the securitization framework.
    59. The bank should perform backtesting or outcomes analysis on the 
ICA ratings. This should also include tracking the financial 
performance of the underlying exposures including the ICA rating for 
the securitization exposure. At a minimum, the review process should be 
performed annually, or more frequently when there are significant 
changes in the NRSRO's rating criteria or the performance of the 
underlying assets warrants an adjustment to the bank's internal 
assessment. Performance analysis should cover not only the level of 
excess spread, but also trends and volatility in excess spread 
components such as interest and fee revenues, bond coupons, payment 
rates, loss rates, and other variable components affecting 
securitization performance.

A. Supervisory Formula Approach

Overview
    60. The SFA may be available to determine the risk-based capital 
requirement for unrated securitization exposures when an external 
rating is not available or cannot be inferred, or when the bank chooses 
not to use, or does not qualify to use, the IAA.\31\ The SFA 
calculation relies, in large part, on the risk-based capital 
requirement that would be assessed had the exposures underlying the 
securitization not been securitized. The SFA relies on this calculation 
as its starting point since securitizing a pool of exposures does not 
change the overall amount of credit risk, but merely changes how credit 
risk is distributed to the holders of the securitization exposures. 
Regulatory overrides, based on supervisory judgment, have been added to 
this pure model-based assessment of credit risk to ensure that (1) a 
minimum regulatory capital requirement is assessed on all 
securitization exposures, (2) tranches with insufficient credit 
enhancement are assessed a dollar-for-dollar capital requirement, and 
(3) model discontinuities are minimized.
Common Unrated Securitization Exposures Subject to the SFA
    61. The SFA provides banks a means of calculating risk-based 
capital requirements for unrated securitization exposures. The SFA 
allows for a more risk sensitive capital requirement for higher 
quality, unrated securitization positions that lie above the 
KIRB boundary, provided the bank has access to the 
information necessary to parameterize the SFA. Regardless of the 
information the bank has on the underlying securitized exposures and 
the securitization structure, CEIOs, including any AIRs that meet the 
definition of a CEIO, will remain subject to deduction.
---------------------------------------------------------------------------

    \31\ The exposure may be related to a conduit program, but the 
bank does not meet the operational standards to use the IAA. Under 
this scenario, banks may use the SFA.
---------------------------------------------------------------------------

    62. Banks could use the SFA to determine risk-based capital 
requirements for the following common unrated securitization exposures:
     Unrated credit enhancements, including cash collateral, 
and spread accounts;
     Unrated CDO equity tranches;
     Other unrated retained or purchased subordinated 
securities from traditional or synthetic securitizations;
     Loans sold or serviced with recourse when the risk 
retained is of a different priority than the risk transferred;
     Loan participations and syndications when there is other 
than a pro-rata form of distribution;
     Unrated securitization exposures resulting from a bank's 
participation in the FHLB Mortgage Partnership Finance Program or 
Mortgage Purchase Program;
     Unrated exposures resulting from pool-level mortgage 
insurance programs;
     Senior synthetic securitization exposures when a rating 
cannot be inferred;
     MBS/ABS retained by the originator with less than two 
external ratings; and
     ABCP credit enhancements and liquidity facilities for 
which the bank has not received approval to use the IAA, or chooses for 
any reason not to use it.
    The above is intended to provide examples of securitization 
exposures that would be subject to the SFA; however, there are likely 
additional securitization exposures that could be evaluated with the 
SFA. As the securitization market evolves, additional structures may 
emerge that will be subject to the SFA.
Implementation of the SFA
    63. Banks are required to provide seven inputs when implementing 
the SFA. These inputs include:
     The amount of underlying exposures (UE);
     The sum of the IRB capital requirement and expected loss 
on the underlying exposures, divided by UE (KIRB);
     The effective number of underlying exposures (N);
     The exposure-weighted average loss given default of the 
underlying exposures (EWALGD);
     The percentage of the tranche of interest the bank owns 
(TP);
     The thickness of the tranche of interest (T) in relation 
to UE; and
     The credit enhancement level for the tranche of interest 
(L).
    64. To use the SFA the bank must have these inputs to calculate the 
capital requirement on the underlying exposures. The first four inputs 
(UE, N, EWALGD, and KIRB) require the bank to have a 
detailed knowledge of the characteristics of the underlying securitized 
exposures. The remaining three inputs (TP, T and L) require detailed 
knowledge of the structural features of the securitization.
    65. Since the calculation of KIRB requires detailed 
knowledge of the underlying exposures, the SFA may be difficult for an 
investor in an unrated securitization exposure to implement. For 
example, if a bank provides credit enhancement to wholesale exposures 
originated and securitized by another party, the bank as credit 
enhancer may not have access to the data to accurately derive the 
inputs necessary (e.g., and PD, LGD, M and EAD) to calculate 
KIRB. In this situation, the bank as credit enhancer would 
not be able to use the SFA to compute regulatory capital requirements 
on the unrated securitization exposure, and would be required to deduct 
the exposure from regulatory capital.
    66. Banks must also be prepared to update the SFA inputs quarterly. 
Because the output of the SFA is

[[Page 9152]]

predicated upon KIRB, any changes in the quality of the 
underlying exposures will result in a change in the SFA capital 
requirement. For example, deterioration in the collateral values of the 
underlying exposures would likely result in increased values for EWALGD 
and KIRB, which would generate a higher SFA capital 
requirement for each securitization tranche. Additionally, the 
prepayment of smaller exposures in a pool may lead to a more 
concentrated, riskier pool as N decreases.

Calculation of KIRB

    67. KIRB represents the ratio of (i) the IRB capital 
requirement plus the expected credit losses of the underlying exposures 
had they not been securitized to (ii) UE, which is discussed below. All 
underlying exposures should be included in the calculation of 
KIRB, including assets in reserve accounts. The counterparty 
credit risk charge associated with derivative instruments should also 
be reflected in the numerator of KIRB, while the EAD of 
derivatives should be reflected in the denominator. The calculation of 
KIRB should also reflect the effects of any credit risk 
mitigant that is applied on the underlying exposures that benefits all 
the securitization exposures. CEIOs, including any AIRs that meet the 
definition of a CEIO, should not be included in the calculation of 
KIRB.
    68. When banks have established a valuation allowance other than an 
ALLL or liability reserve on an underlying exposure, both the numerator 
and denominator of KIRB should be calculated using the gross 
amount of the exposure without the specific provision. In this 
situation, the valuation allowance can be used to reduce the amount of 
deduction from capital associated with the securitization exposure. A 
detailed application of this treatment appears in Example 2 of this 
chapter's Appendix A.
Calculation of UE
    69. The amount of underlying exposures (UE) is the EAD of any 
underlying wholesale and retail exposures (including the amount of any 
funded spread accounts, cash collateral accounts, and other similar 
funded credit enhancements) plus the amount of any underlying exposures 
that are securitization exposures plus the adjusted carrying value of 
any underlying equity exposures. For purposes of the SFA, the amount of 
an on-balance sheet securitization exposure is: (i) The bank's carrying 
value, if the exposure is held-to-maturity or for trading; or (ii) the 
bank's carrying value minus any unrealized gains and plus any 
unrealized losses on the exposure, if the exposure is available-for-
sale. The amount of an off-balance sheet securitization exposure is the 
notional amount of the exposure. For a commitment, such as a liquidity 
facility extended to an ABCP program, the notional amount may be 
reduced to the maximum potential amount that the bank currently would 
contractually be required to fund. For an OTC derivative contract that 
is not a credit derivative, the notional amount is the EAD of the 
derivative contract as calculated in section 32 of the NPR.
Calculation of N and EWALGD
    70. Although the SFA can be used for a pool containing only one 
asset, the SFA generally yields higher risk-based capital requirements 
for highly concentrated, non-granular pools. Therefore, the effective 
number of exposures (N) weights each exposure by its size to account 
for the higher risk in more highly concentrated, non-granular pools. 
When calculating N, multiple exposures to the same borrower are 
considered a single exposure. A sample calculation of N is included in 
Appendix A.
    71. The exposure-weighted average loss given default (EWALGD) is 
the LGD of each exposure weighted by the size of each exposure. The 
weighting process is designed to give the LGD of larger exposures more 
weight in determining the EWALGD of the overall pool. A sample 
calculation of exposure-weighted EWALGD is also included in Appendix A.
    72. For retail securitizations, banks are not required to calculate 
N and EWALGD. The two SFA variables-- h and v --requiring N and EWALGD 
as inputs, are reduced to 0 for securitizations where all underlying 
exposures are retail exposures.
    73. A simplified method of calculating N and EWALGD is also 
available for securitizations as long as the size of the largest 
exposure is known with certainty and is no larger than 3 percent of the 
entire pool. In this case, banks may set EWALGD = 50% and N can be 
calculated as:
[GRAPHIC] [TIFF OMITTED] TN28FE07.010

Where:

 C1 is the largest exposure in the pool;
 Cm is the share of the pool composed by the 
``m'' largest underlying exposures; and
 ``m'' is selected by the bank.

    Alternatively, if only C1 is available and is no more 
than .03, a bank may set EWALGD at 50% and N at 1/C1. When 
determining N and EWALGD for a particular non-retail securitization, 
banks should document which methodology for calculating N and EWALGD is 
applied.
    74. The remaining three required inputs necessary to implement the 
SFA--the percentage of the tranche of interest the bank owns (TP), that 
tranche's credit enhancement level (L), and that tranche's thickness 
(T)--require the bank to understand the securitization's structure and 
loss prioritization. Banks should document the amount of the tranche 
they own relative to the outstanding issuance of the tranche in order 
to accurately calculate TP. Additionally, banks should document their 
understanding of the securitization's structure and loss prioritization 
in order to accurately calculate L and T.
    75. Banks must also update their calculations of TP, L and T on an 
ongoing basis. For example, payments to senior tranches in a particular 
structure may result in increases in L for junior tranche holders. 
Increasing defaults or loss severity in the underlying exposures may 
reduce L and T. Additionally, a bank's decision to mitigate its 
exposure through a partial sale of a particular tranche will reduce TP.

Calculation of T, L, and TP

    76. T is the ratio of the amount of the tranche of interest to UE. 
L is the sum of (i) T to (ii) UE, for all tranches subordinate to the 
tranche of interest. The current outstanding principal balance or 
notional amount of the tranche of interest should be used when 
calculating T. TP is the ratio of the amount of the bank's 
securitization exposure to the amount of the tranche that contains the 
securitization

[[Page 9153]]

exposure. L should be measured without any consideration of the effects 
of tranche-specific credit enhancement (e.g., third party guarantees or 
collateral that benefit only the tranche of interest).
    77. UE must equal the sum of the individual thickness levels of 
each tranche. Therefore, credit enhancement based upon future cash 
flows, such as excess spread, CEIOs, non-credit enhancing IOs, or the 
subordination of fees in the cash flow waterfall, should be excluded 
for purposes of calculating L and T. Both L and T should include only 
funded reserve and spread accounts. Derivatives embedded in 
securitization structures should be measured based only upon current 
mark-to-market value, if positive, without regard to potential future 
exposure.
    78. Cash advances made by a servicer to an SPE to cover delinquent 
or late payments on the underlying exposures should be included in the 
calculation of L and T. When a servicer makes a cash advance to an SPE, 
it puts money into the SPE in order to pay down investor tranches; the 
pay-down of investor tranches does not bring any corresponding 
reduction in the principal balance of the underlying exposures. 
Therefore, in order for the sum of the tranches to equal UE, servicer 
cash advances should be considered in the calculation of L and T. 
Servicer cash advances that are not considered credit enhancing can be 
assumed to be the most senior securitization exposure in a 
securitization, with L calculated accordingly. For servicer cash 
advances that are in any way credit enhancing, the calculation of L 
should reflect the advance's degree of subordination.
    79. Refer to this chapter's Appendix A ``Description of the 
Supervisory Formula Approach (SFA),'' for further details.
Special Considerations for Re-securitizations
    80. Re-securitizations, such as CDO-squared, represent a new 
securitization in which the underlying exposures are themselves 
securitization interests and present a unique challenge in the 
calculation of UE, N, EWALGD and KIRB. As a general rule, 
banks holding securitization exposures in re-securitizations should not 
``look through'' to the exposures underlying the securitized 
securitization tranches when calculating UE, N, EWALGD and 
KIRB and must set EWALGD equal to 100 percent for re-
securitizations.
    81. For example, if a bank holds an unrated securitization exposure 
in which the underlying exposures consist entirely of rated 
securitization interests, the bank first would sum the exposure amounts 
associated with these rated securitization interests to obtain UE. 
Next, the bank would use the RBA to determine KIRB for these 
rated securitization interests, applying dollar-for-dollar capital to 
those exposures rated below BB-. Since the RBA risk weights include 
expected losses, no additional adjustment to KIRB for 
expected losses is necessary. After determining KIRB, the 
bank calculates the effective number of exposures based upon the 
relative size of the underlying securitization tranches included in the 
re-securitization pool, without ``looking through'' to the exposures 
underlying the securitized tranches. Next, the bank would assume that 
EWALGD equals 100 percent. At this point, the bank would have 
sufficient information on the underlying exposures to apply the SFA to 
the unrated re-securitization tranche of interest.
Pool Level Mortgage Insurance
    82. Certain transactions may incorporate pool insurance as a form 
of credit enhancement for a pool of mortgage loans. Pool insurance can 
take various forms but generally provides insurance coverage for the 
pool of loans up to a maximum amount (a ``stop loss'' level) and can 
include loss coverage for each loan within the pool. The extent of 
coverage is negotiable and may result in 100 percent loss coverage on 
defaulted loans, or modified pool insurance that results in lower or 
variable levels of coverage on defaulted loans using loan-to-value 
limits, for example.
    83. The credit risk mitigation benefits of pool insurance may be 
recognized in determining the appropriate risk-based capital 
requirement. Pool insurance that covers all or a pro rata share of all 
losses in a pool is recognized in the retail segmentation process (see 
Chapter 4, S 4-4 and accompanying text). Pool insurance that 
incorporates a tranching of credit risk is addressed in the 
securitization framework. In circumstances where a securitization 
structure with external credit ratings benefits from pool level 
insurance, such ratings incorporate the effects of credit risk 
mitigation and would, under the securitization framework (RBA), provide 
a method for the assessment of the appropriate capital requirement. For 
unrated securitization transactions, the credit risk mitigation effect 
of the pool insurance would need to be assessed under the SFA 
framework. The pool insurance and its application to the pool assets 
should be fully documented. Specifically, the documentation should 
describe and support the quantification of the credit risk that is 
being absorbed by the pool insurance, and detail how cash proceeds from 
the pool insurance are applied within the waterfall structure to effect 
a reduction in credit risk.
    84. For securitization exposures where the underlying exposures 
benefit from guarantees such as pool level mortgage insurance, the bank 
may be able to utilize the synthetic securitization rules to calculate 
the benefit of the guarantee. The bank should ensure that 
securitizations for which the SFA or synthetic securitization is 
applied have reasonably strict contractual loss prioritization rules 
embedded into the deal. The following example outlines the process for 
calculating the capital requirement for a securitization that contains 
a pool level credit risk mitigant with a stop loss level:
    Example
    Pool level insurance covers the first $8 of loss on a $100 retail 
mortgage loan pool.

Step Process

    1. Calculate the risk-based capital requirement for the underlying 
exposures according to the retail IRB rules: EL estimation, retail 
segmentation, PD and LGD estimation, and the retail risk-weight 
function;
    2. Use the risk-based capital requirement from step 1 to determine 
KIRB and then use the SFA to calculate the risk-based 
capital requirement on the $92 senior position (where the $8 first loss 
coverage of the insurance is treated as a junior tranche);
    3. Calculate the risk-based capital requirement on the $8 position 
as if it were a direct exposure to the insurer using the guarantor's 
PD, the bank's estimate of the guarantor's ELGD and LGD, and the 
corporate risk-weight function. The PD of the guarantor is subject to 
the 3 basis point wholesale floor; and
    4. The total risk-weight capital requirement is the sum of the 
capital requirements in steps 2 and 3.
Loss Prioritization
    S 11-14 Banks should document the securitization structure and loss 
prioritization.
    85. A bank may use the SFA only if it can calculate each of the SFA 
input parameters on an ongoing basis. For the purpose of calculating L, 
the credit enhancement level for the tranche of interest, this 
requirement implies that bank must be able to calculate how the pool's 
credit losses will be allocated among the deal's various tranches not 
only at the deal's inception, but over

[[Page 9154]]

time. Otherwise, the SFA may not be used.
    86. For some transactions, the allocation of credit losses among 
tranches may depend on certain contingencies, such as the specific 
timing of credit losses over the life of the deal, the possibility that 
subordinated tranches may amortize prior to full retirement of senior 
tranches, the speed at which reserve accounts will be built up through 
retained excess spread, or structural features whereby the losses 
allocated to a particular tranche may depend on how these losses are 
distributed among the exposures in the underlying pool. The existence 
of such contingencies does not automatically disqualify a bank from 
using the SFA to compute the capital charge for an unrated 
securitization exposure. However, the structure of the transaction 
should be sufficiently clear cut to enable the bank to determine the 
loss prioritization associated with each potential contingency. 
Furthermore, the calculation of L should address contingencies in a 
manner that is demonstrably conservative, for example, by calculating L 
to reflect those contingencies that are least favorable to the bank. In 
all cases, the calculation of L must comply with applicable rules for 
recognizing credit enhancements (e.g., unfunded reserve accounts may 
not be recognized).

VIII. Early Amortization Provisions

    87. In addition to holding capital against any retained interest in 
a securitization transaction, originating banks are required to hold 
capital against the investors' interest (both drawn and undrawn 
balances) in a securitization that includes one or more underlying 
exposures in which the borrower is permitted to vary the drawn amount 
within an agreed limit under a line of credit and that contains an 
early amortization feature. The likelihood of triggering an early 
amortization increases as the level of excess spread declines. 
Accordingly, a bank would be required to hold increasing amounts of 
risk-based capital as the probability of an early amortization event 
increases. Total risk-based capital requirements for securitization 
transactions subject to the early amortization capital requirement 
continue to be limited by the maximum capital requirement discussed 
earlier. Policies should also address the use of early amortization 
clauses, including realistic consideration of contingency funding 
plans, capital plans, and reporting systems necessary to monitor and 
assess the risk and likelihood of an early amortization event.
    88. For an originating bank, the risk-weighted asset amount for the 
investors' interest in the securitization is equal to the product of 
the following four quantities: (1) The investors' interest EAD; (2) the 
appropriate conversion factor; (3) KIRB; and 12.5. Under the 
securitization framework, the investors' interest is made up of the 
investors' drawn balances and the EAD associated with the investors' 
undrawn lines. The undrawn balances of the securitized exposures would 
be allocated between the seller's and investors' interests on a pro 
rata basis, based on the proportions of the seller's and investors' 
shares of the securitized drawn balances.
    89. Once the transaction's structure has been determined, the level 
of excess spread must also be considered in determining the applicable 
credit conversion factor for uncommitted credit lines. To determine the 
capital to be held against the investors' interest in a securitization 
of uncommitted retail exposures, the bank should compare the three-
month average excess spread to the point at which the bank is required 
to trap excess spread as required by the structure. When the 
transaction does not require excess spread to be trapped, the trapping 
point is 4.5 percent. For securitization trusts that issue several 
series with spread capture points that vary (e.g., credit card master 
trust structures), the trapping point for this provision would be the 
most conservative series in the trust. The bank should divide the 
excess spread level by the trapping point, and then reference Table 8 
in section 47 of the NPR to determine which conversion factor is 
applicable.

IX. Data Management Requirements

A. Data Elements

    S 11-15 Banks should retain the specific data elements necessary to 
calculate the appropriate securitization risk-based capital 
requirement.
    90. Reporting systems should produce, at least monthly, information 
that captures overall securitization activity, as well as specific data 
elements of individual transactions. Performance tracking should 
include vintage performance, cash collections, cash flow sensitivity, 
covenant compliance, and, when applicable, potential for early 
amortization events. Accounting methods, residual valuation methods, 
and regulatory reporting requirements should be in writing and 
consistently applied. The valuation assumptions for retained interests 
and servicing assets or liabilities should be conservative, fully 
documented, and reviewed by senior management on a regular basis. 
Accurate and timely risk-based capital calculations should be 
maintained that include the recognition and reporting of any recourse 
obligation resulting from securitization transactions.
    91. Refer to this chapter's Appendix B, ``Data Elements for 
Securitization Exposures,'' for further details on the data elements 
that a bank's reporting systems should electronically capture and 
store.

Appendix A: Description of the Supervisory Formula Approach (SFA)

    This appendix provides illustrative examples to demonstrate how the 
framework described in this guidance applies to different 
securitization exposures. The examples provide insight into the SFA 
capital calculation and the KIRB boundary, as well as the 
supervisory capital add-ons, in addition to its application to products 
which represent tranched cover.
    The supervisory formula capital requirement for a given unrated 
securitization exposure is calculated as UE * TP multiplied by the 
greater of: (i) .0056 [middot] T, or (ii) S[L + T]-S[L] where:

[[Page 9155]]

[GRAPHIC] [TIFF OMITTED] TN28FE07.011

    RWA are determined when the supervisory formula output is 
multiplied by 12.5.
    The factor (i) above imposes a 56 basis point minimum or floor IRB 
risk-based capital requirement per dollar of tranche exposure. 
Regulators have imposed this floor because the supervisory formula 
regularly produces a risk-based capital requirement of nearly zero for 
high quality tranches that, nonetheless, have positive credit risk. The 
floor is equivalent to the RBA risk-based capital requirement for an 
externally rated AAA securitization exposure, which lessens the 
potential regulatory capital arbitrage opportunities that could arise.
    Factor (ii) represents the supervisory formula, which derives 
capital for the tranche in question by computing capital for the 
tranche of interest and all tranches beneath it (S[L + T]) and 
subtracting from that the capital for all tranches beneath the tranche 
of interest (S[L]). For tranches with credit enhancement levels below 
KIRB (Y <= KIRB), the supervisory formula assigns 
a dollar-for-dollar capital requirement.
    For tranches with greater credit enhancement levels (Y > 
KIRB), the supervisory formula produces a risk-based capital 
requirement that is a blend of credit risk modeling and supervisory 
judgment. The function K[Y] represents a pure model-based estimate of 
the underlying securitized pool's aggregate systematic or non-
diversifiable credit risk that is attributable to a first-loss position 
covering loss up to and including Y. Because the tranche of interest 
covers losses over a specified range (defined in terms of L and T), its 
systematic risk can be represented as K[L + T] - K[L].
    Unquestionably, the supervisory formula appears very complex, but 
actually the mechanics are algebraic in nature and merely require the 
user to determine certain inputs and solve. To better understand the 
components of the supervisory formula, it is best to begin with the 
model-based estimate of credit risk, the K[Y] term. This estimate of 
risk is given by the following equation:
[GRAPHIC] [TIFF OMITTED] TN28FE07.012


[[Page 9156]]


    where [beta][Y;a,b] is shorthand for the Beta distribution. For the 
purpose of calculating the supervisory formula, it is sufficient to 
know that the Beta distribution, when suitably transformed and 
normalized, can be used to model the loss distribution given that the 
systematic risk factor is at the 99.9th percentile. Even more 
concretely, the Beta distribution evaluated at the specified parameters 
is a number which can be readily calculated in Excel using the betadist 
(L,a,b) function.
    The model used to estimate the non-diversifiable risk in the pool 
of exposures is developed from the class of credit value-at-risk (CVaR) 
models known as asymptotic single risk factor models (ASRF models). In 
essence, ASRF models simplify the many forces that may affect a pool of 
exposures by assuming that there is only one ``risk factor'' that 
causes credit losses to be correlated across exposures. Alternatively, 
one can think of the single risk factor as a random variable 
encompassing the many possible states of economic activity--from very 
good to very bad. Under the ASRF assumptions, CVaR for a portfolio is 
equal to the portfolio's expected credit losses over the modeling 
horizon given a very bad state of the economy. (The pattern of losses 
that result when the risk factor takes on a specific value is also 
known as the conditional loss distribution.) The SFA calculates the 
capital necessary to cover credit losses over a one-year horizon when 
the risk factor is at the 99.9th percentile i.e., when economic 
conditions are as bad as the worst year in 1000 years. This is 
consistent with the approach applied throughout Basel II and the manner 
in which KIRB is calculated.
    The techniques commonly used to estimate the potential loss 
experience in ASRF models depend on the relationship between the risk 
factor and credit losses. In some cases, it is necessary to simulate 
the pattern of potential losses that can result when the risk factor 
takes on high value--also known as Monte Carlo simulation. Monte Carlo 
techniques, while commonly used, require significant computing 
resources. In other cases, it may be possible to characterize this 
pattern of losses with an appropriate functional form. In language that 
is slightly more rigorous, it is possible to approximate the 
conditional loss distribution. Gordy and Jones (2003) undertook the 
task of specifying this ``reasonable functional form,'' which became 
the basis for the supervisory formula.\32\
---------------------------------------------------------------------------

    \32\ For those familiar with calculus, Gordy and Jones 
approximate the marginal amount of credit risk associated with an 
arbitrarily small slice of a tranche. From this, it is possible to 
calculate the risk-based capital requirements by integrating an 
appropriately parameterized approximation, which behaves similarly 
to a cumulative density function. Note that since integration yields 
the capital requirement for exposure up to and including the tranche 
of interest, it is necessary to subtract any subordinate exposures' 
capital requirements.
---------------------------------------------------------------------------

    Most of the expressions that comprise the supervisory formula arise 
due to the effort to describe the shape of the conditional loss 
function. Expressions (3) through (9), discussed below, are used to 
parameterize K[Y].
[GRAPHIC] [TIFF OMITTED] TN28FE07.013

    Note that
    [GRAPHIC] [TIFF OMITTED] TN28FE07.014
    
is the probability of default for one exposure in the pool when the 
risk factor is at the 99.9th percentile. Therefore,
[GRAPHIC] [TIFF OMITTED] TN28FE07.015

is the conditional probability that the exposure performs. Assuming 
that the exposures are conditionally independent, multiplying the 
probability of performance together N times (the effective number of 
exposures) yields the cumulative conditional probability that every 
exposure performs, or h.
    a and b are defined entirely in terms of g and c, defined below. 
They are used to simplify the notation of the Beta distribution.
[GRAPHIC] [TIFF OMITTED] TN28FE07.016

    c is the approximation of the mean parameter for the ``fitting 
function'' and is given by:
[GRAPHIC] [TIFF OMITTED] TN28FE07.017

    The ``fitting function'' approximates the pool's conditional loss 
distribution. This approximation is necessary to avoid using simulation 
or numerical methods to solve for K[Y] as previously mentioned. 
However, note that h (the cumulative conditional probability that every 
exposure performs) is likely to be small in most cases. Consequently, C 
will be approximately equal to KIRB under normal 
circumstances.
    g is the precision parameter for the fitting function and is 
determined by c, f and v. This term arises from the processes through 
which Gordy and Jones approximate the conditional loss distribution.
[GRAPHIC] [TIFF OMITTED] TN28FE07.018

    f is an approximation of the variance of the fitting function:
    [GRAPHIC] [TIFF OMITTED] TN28FE07.019
    
    Each securitization has rules governing how payments are disbursed 
to the tranches, often called the cash flow ``waterfall.'' These rules 
can be quite complex and the supervisory formula must handle the 
spectrum of different arrangements. In the model, the waterfall is 
represented by the tranche structure with the most junior tranche 
suffering losses up to its entire position before more senior tranches 
are affected. This simplification, while useful for modeling purposes, 
may not accurately describe the structure of a specific securitization.
    v is the variance of the conditional loss distribution:
    [GRAPHIC] [TIFF OMITTED] TN28FE07.020
    

[[Page 9157]]


    In the portion of expression (1) related to the supervisory add-on 
the terms are included to prevent exploitation of inadequacies in the 
model's stylized representation of a securitization. The add-on applies 
primarily to positions with credit enhancement just above 
KIRB and its quantitative effect diminishes rapidly the 
farther Y is from KIRB. Returning to expression (1) we can 
extract the supervisory add-on portion:
[GRAPHIC] [TIFF OMITTED] TN28FE07.021

where
[GRAPHIC] [TIFF OMITTED] TN28FE07.022

    Notice that expressions (3) through (10) do not change for a given 
securitization. In other words, since these expression do not contain 
information which is tranche-specific, the results from expressions (3) 
through (10) can be used when calculating S[Y] for any tranche of a 
given securitization if Y > KIRB.

Example 1: Comprehensive SFA Calculation

    Because of the complexities associated with applying the SFA, a 
comprehensive example has been developed to aid in application.

Transaction Summary

    A six-tranche, privately placed securitization with 10 underlying 
wholesale exposures will be used to illustrate the basic application of 
the SFA. Since none of the six tranches are externally rated, and the 
securitization does not meet the definition of an ABCP conduit, neither 
the RBA nor the IAA is applicable.
    Table 1 below identifies the characteristics of the ten underlying 
exposures in the securitized pool.

                             Table 1.--Underlying Wholesale Exposure Characteristics
----------------------------------------------------------------------------------------------------------------
                                     Principal
             Exposure                 balance         PD          LGD       EL percent    Maturity   IRB capital
                                       (EAD)      (percent)    (percent)                    (M)         charge
----------------------------------------------------------------------------------------------------------------
1........................        $5.00         0.75         35.0         0.26            5        $0.35
2........................         5.00         0.75         35.0         0.26            5         0.35
3........................         5.00         0.75         35.0         0.26            5         0.35
4........................         5.00         0.75         35.0         0.26            5         0.35
5........................        15.00         0.50         25.0         0.13            2         0.43
6........................        20.00         1.25         55.0         0.69           10         2.59
7........................        30.00         1.25         55.0         0.69           10         3.87
8........................         5.00         0.75         35.0         0.26            5         0.35
9........................         5.00         0.75         35.0         0.26            5         0.35
10.......................         5.00         0.75         35.0         0.26            5         0.35
�����������������������������������
Pool..............................       100.00         0.96         43.5         0.46         4.55         9.34
----------------------------------------------------------------------------------------------------------------

Calculation of Bank-Supplied Inputs

    In order to utilize the SFA, banks must supply seven inputs. Based 
upon the previously provided information regarding the securitization's 
structure and underlying collateral characteristics, each of the seven 
bank-supplied inputs can be calculated.
    N is the exposure-weighted number of exposures in the pool. In the 
stylized example, the wholesale securitization has 10 actual exposures; 
however, the effective number of exposures is much less than 10 because 
three larger exposures dominate the pool. To illustrate numerically:
[GRAPHIC] [TIFF OMITTED] TN28FE07.023

    EWALGD is the exposure-weighted average loss given default for the 
underlying exposures. To illustrate numerically for our stylized 
example:
[GRAPHIC] [TIFF OMITTED] TN28FE07.024


[[Page 9158]]


    By utilizing the exposure-weighted average expected loss (0.46%) 
and the sum of the individual exposures' IRB capital requirements 
($9.34, calculated using the wholesale IRB risk-weight function) 
KIRB can be determined:
[GRAPHIC] [TIFF OMITTED] TN28FE07.025

    UE is equivalent to the sum of the underlying exposures in the 
pool, or $100 in this case.
    TP is set to 100 percent in our example, primarily so that the 
aggregate capital requirement for the entire securitization, as well as 
individual charges for each tranche, can be illustrated.
    T represents a tranche's thickness or its size relative to the 
underlying securitized exposures, while L represents the credit 
enhancement level of the subject tranche. All things being equal, a 
thicker tranche will generate a higher SFA capital requirement in 
dollar terms relative to a thinner tranche. Further, a tranche with a 
higher credit enhancement level, all things being equal, will generate 
a lower SFA capital requirement than one with a lower credit 
enhancement level.
    The tranches, in order of seniority from most senior to most 
junior, have notional values of $60, $15, $10, $8, $5 and $2, which we 
designate Tranche A through Tranche F, respectively. Table 2 below 
depicts the calculation of L and T for each tranche of the 
securitization.
[GRAPHIC] [TIFF OMITTED] TN28FE07.026

Calculating the Risk-Based Capital Requirement for Tranches A through F

    Using the seven bank-supplied inputs determined above, the SFA 
capital requirement can be calculated for each tranche of the 
securitization. The calculations for each tranche of the sample 
securitization are illustrated below. The calculations are categorized 
in three separate groups to display the idiosyncrasies of the SFA: (1) 
The tranches below KIRB (E and F), (2) the tranche 
straddling KIRB (D), and (3) the tranches above 
KIRB (A through C).

Group 1: Tranches Below the KIRB Boundary

    The methodology for determining the capital requirements for 
Tranches E and F are equivalent since both L + T and L are below 
KIRB. Two important results are apparent when using the SFA 
for tranches below KIRB. First, the capital requirement for 
each tranche (E and F) is dollar-for-dollar. Put slightly differently, 
tranches of securitized exposures that absorb losses below 
KIRB are subject to dollar-for-dollar capital requirements. 
Second, when L + T < KIRB, no additional information beyond 
UE, TP, L and T is required to determine the SFA capital requirement. 
Since Tranches E and F are subject to dollar-for-dollar (100 percent) 
charges, they clearly exceed the 56 basis point floor. The capital 
requirement calculations for Tranches E and F are displayed below to 
reinforce this concept:

Tranche E: UE [middot] TP [middot] ((L + T) - L) = $100 [middot] 100% 
[middot] ((2% + 5%) - 2%) = $5
Tranche F: UE [middot] TP [middot] ((L + T) - L) = $100 [middot] 100% 
[middot] ((0% + 2%) - 0%) = $2

Group 2: Tranche Straddling the KIRB Boundary

    Tranche D straddles KIRB since L + T > KIRB 
(15% > 9.80%) and L < KIRB, (7% < 9.80%). Since L + T > 
KIRB, the bank would have to calculate equations (3) through 
(10) to determine S[L + T]. As noted previously, only UE, TP and L are 
necessary to determine S[L] since L < KIRB. As noted in the 
``Mechanics of the SFA'' section of this guidance, equations (3) 
through (10) do not change

[[Page 9159]]

for a given securitization. The calculations for equations (3) through 
(10) for the sample securitization are included below:
[GRAPHIC] [TIFF OMITTED] TN28FE07.027

[GRAPHIC] [TIFF OMITTED] TN28FE07.028

    Next, the supervisory add-on term can be calculated. First the 
value for K[KIRB] is calculated:
[GRAPHIC] [TIFF OMITTED] TN28FE07.029

    K[KIRB] is then substituted into the full supervisory 
add-on term:

[[Page 9160]]

[GRAPHIC] [TIFF OMITTED] TN28FE07.030

    Since S[L + T] is a combination of the model-based estimate of non-
diversifiable credit risk (K[L + T]) and the supervisory add-on, S[L + 
T] can be determined as follows:

S[15%] = 7.96% + 3.87% = 11.83%

    Since L < KIRB, can easily be determined in the same 
fashion used for Tranches E and F. S[L + T] - S[L] = 11.83% - 7% = 
4.83%. Since 4.83 percent exceeds the 56 basis point floor (.56% 
[middot] 8% = .45%), the SFA capital requirement for Tranche D is: 
Tranche D: UE [middot] TP [middot] (S[L + T] - S[L]) = $100 [middot] 
100% [middot] (4.83%) = $4.83

Group 3: Tranches Above the KIRB Boundary

    Tranches A through C all lie above the KIRB boundary. 
The calculations for each of these tranches are given below. Again, the 
prior calculations for equations (3) through (10) can be used for 
Tranches A through C since these values are the same for every tranche 
of a securitization. Further simplifying the task, S[L] equals S[L + T] 
for the tranche immediately junior.
Tranche A
[GRAPHIC] [TIFF OMITTED] TN28FE07.031

Tranche B
[GRAPHIC] [TIFF OMITTED] TN28FE07.032

Tranche C

[[Page 9161]]

[GRAPHIC] [TIFF OMITTED] TN28FE07.033

    The next step is verifying whether any of the above capital 
calculations for tranches A, B, or C violate the 56 basis point 
supervisory floor. In dollar terms, the above formulas produce capital 
requirements for these tranches equal to $0.02, $0.38, and $1.44, 
respectively, while the corresponding floors are $0.34 (=.56% [middot] 
$60), $.08 (=.56% [middot] $15), and $0.06 (=.56% [middot] $10). Thus, 
the floor is binding only for tranche A, whose capital charge is 
increased to $0.34. The SFA capital requirement for each tranche is 
presented below:

Tranche A: UE [middot] TP [middot] (.0056 [middot] T) = $100 [middot] 
100% [middot] .34% = $0.34
Tranche B: UE [middot] TP [middot] (S[40%] - S[25%]) = $100 [middot] 
100% [middot] .38% = $0.38
Tranche C: UE [middot] TP [middot] (S[25%] - S[15%]) = $100 [middot] 
100% [middot] 1.44 = $1.44

Summary

    Table 3 below summarizes the SFA-produced capital requirements for 
each tranche of the securitization:

            Table 3.--SFA Capital Requirements for Example 1
------------------------------------------------------------------------
                                                            SFA capital
                 Tranche                  Tranche amount    requirement
------------------------------------------------------------------------
A.......................................             $60           $0.34
B.......................................              15            0.38
C.......................................              10            1.44
D.......................................               8            4.83
E.......................................               5            5.00
F.......................................               2            2.00
                                         -------------------------------
    Total...............................             100           13.98
------------------------------------------------------------------------

    The 56 basis point floor, supervisory add-on, and below 
KIRB deduction requirements can result, as in the case of 
this example, with the aggregate capital requirement for a bank 
exceeding the implied capital requirement for the underling exposures. 
For this reason, the total capital that an entity must hold is capped 
at the level implied by KIRB (UE [middot] TP [middot] 
KIRB also referred to as the KIRB cap). Whether 
this bank is subject to the cap depends on which tranches the bank 
retains. For example, if the bank sold all but Tranches E and F, the 
KIRB cap would not apply since the aggregate capital 
requirement ($7) would be less than the charge implied by 
KIRB ($9.80). However, if the bank retained Tranche D in 
addition to Tranches E and F, then the aggregate SFA capital 
requirement ($11.83) would exceed the KIRB cap and the risk-
based capital requirement would be capped at $9.80.

Example 2: Sale of a Pool of Mortgages With Partial Recourse

Transaction Summary

    A bank sells a high-quality mortgage loan pool of $100. As a 
condition of the sale, the bank agrees to cover the first $10 of losses 
on mortgages. The bank correctly applies GAAP accounting and removes 
the sold loans from its books, while establishing a $0.40 recourse 
liability reserve (valuation allowance) for the estimated fair market 
value of the recourse liability. Note that this is a specific reserve, 
not a general reserve. The characteristics of the sold mortgage loan 
pool are noted below:

                             Table 4.--Underlying Mortgage Loan Pool Characteristics
----------------------------------------------------------------------------------------------------------------
                                                  Principal
                    Exposure                       balance       PD      LGD       EL      IRB capital     KIRB
                                                    (EAD)                                  requirement
----------------------------------------------------------------------------------------------------------------
Retail.........................................     $ 100.00    0.50%    10.0%    0.05%          $ 0.62    0.67%
----------------------------------------------------------------------------------------------------------------

    The transaction noted above is an example of tranched cover. In 
this case, the bank has agreed to absorb the first $10 of losses, which 
results in the selling bank retaining a disproportionate risk position 
in the transaction. As a result of this contractual sales agreement, 
two distinct credit risk positions are created: (1) A $90 senior 
position and (2) a $10 junior position. Since neither position carries 
an external rating, the SFA is the appropriate method with which to 
determine the capital requirement, provided the seller and the 
purchaser are eligible to use it.

Calculation of Bank-Supplied Inputs

    Table 5 below shows the values for L and T. Because this is a 
retail securitization, h and v can be set to zero. We continue to 
assume that TP = 100%.

[[Page 9162]]

[GRAPHIC] [TIFF OMITTED] TN28FE07.034

Calculation of the SFA Capital Requirement for Tranche 1 and 2
[GRAPHIC] [TIFF OMITTED] TN28FE07.038

    In the case of Tranche 1, S[L + T] - S[L] <.0056 [middot] T = .0056 
[middot] 90% = 0.50% and is subject to the supervisory floor. Using 
this and values from Table 6 above, the SFA capital requirement for 
Tranches 1 and 2 can be determined as follows:

Tranche 1: UE [middot] TP [middot] (.0056 [middot] T) = $100 [middot] 
100% [middot] (.50%) = $.50
Tranche 2: UE [middot] TP [middot] (S[L + T] - S[L]) = $100 [middot] 
100% [middot] (.79%) = $.79
    Notice that the capital requirement for Tranche 2 exceeds the 
KIRB cap (UE [middot] TP [middot] KIRB = $100 
[middot] 100% [middot] (.67%) = $.67) and is reduced to $.67.

Summary

    Table 7 below summarizes the SFA capital requirement for each 
tranche of the securitization. Note, in this example, the originating 
bank established a $.40 recourse reserve liability with a charge 
through earnings. However, while such reserves can be used to offset 
deductions from capital required under the Securitization Framework, 
they cannot be used to offset a position's risk-based capital 
requirement. Thus, the risk-based capital requirement for Tranche 2 is 
not reduced by the valuation allowance and remains $0.67.
    Another interesting feature of this example is that because the 
investing bank holds Tranche 1 and the originating bank holds Tranche 
2, the SFA produces an aggregate capital requirement for the entire 
transaction ($1.17) that is well above the KIRB cap ($0.67). 
The capital required in excess of the KIRB cap is the result 
of the 56 basis point floor capital requirement assessed against 
Tranche 1. Without the floor, Tranche 1 would not receive a capital 
requirement. The investing bank is assessed a capital requirement even 
though the originating bank is subject to the KIRB cap. If 
the investing bank could not calculate KIRB because the bank 
cannot compute the risk-based capital requirement for all underlying 
exposures, the entire $90 position would be deducted from capital.

            Table 7.--SFA Capital Requirements for Example 2
------------------------------------------------------------------------
                                                            SFA capital
                 Tranche                  Tranche amount    requirement
------------------------------------------------------------------------
1.......................................             $90           $0.50
2.......................................              10            0.67
�����������������������������������������
    Total...............................             100            1.17
------------------------------------------------------------------------

Example 3: Collateralized Loan Obligation--SFA and RBA Interaction

Transaction Summary

    This example represents a typical cash-funded collateralized loan 
obligation using corporate loans. The example assumes that the 
originating bank retains an unrated residual exposure to Class E and 
that investing banks acquire the externally rated tranches.
    Since the Class E exposure is unrated and is not an ABCP exposure, 
the originating bank can use the SFA provided it is eligible and can 
calculate

[[Page 9163]]

all the necessary inputs. Table 8 below identifies the characteristics 
of the aggregated underlying exposures in the securitized pool. We 
assume for simplicity that the effective number of exposures (N) is set 
to 100 and TP to 100 percent.

                                 Table 8.--Underlying Loan Pool Characteristics
----------------------------------------------------------------------------------------------------------------
                                                                                           IRB capital
                   Exposure                        Principal balance (EAD)         EL      requirement     KIRB
----------------------------------------------------------------------------------------------------------------
Wholesale....................................  $ 100.00.......................    1.32%          $ 7.32    8.64%
----------------------------------------------------------------------------------------------------------------

Calculation of Bank-Supplied Inputs

    Table 9 below identifies the other inputs necessary for the 
originating bank to calculate the SFA for Tranche E (e.g. L and T) and 
the external ratings necessary for the investing banks to apply the 
RBA.
[GRAPHIC] [TIFF OMITTED] TN28FE07.035

Originating Bank Capital Calculation

    Table 10 below provides the various calculations necessary for the 
originating bank to apply the SFA to Tranche E.

[[Page 9164]]

[GRAPHIC] [TIFF OMITTED] TN28FE07.039

    Using values from Table 10 above, the SFA capital requirement can 
be determined as follows:

Tranche E: UE [middot] TP [middot] (S[L + T] - S[L]) =$100 [middot] 
$100% [middot] (9.59%) = $9.59

    Again we have a case where the capital requirement for Tranche E 
exceeds the KIRB cap (UE [middot] TP [middot] 
KIRB = $100 [middot] $100% [middot]8.64% = $8.64) and is 
reduced accordingly.

Investing Bank Capital Calculation:

    For an investing bank, Table 11 below illustrates the amount of 
required capital for each of the rated tranches after applying the RBA. 
The relevant RBA risk weights in this example depend not only on the 
external rating, but also on the tranche's seniority.

                            Table 11.--RBA Risk Weights Applicable to Rated Tranches
----------------------------------------------------------------------------------------------------------------
                                                                             RBA risk                 Capital as
               Tranche                        Rating            Exposure     weights      Required       % of
                                                                            (percent)     capital      exposure
----------------------------------------------------------------------------------------------------------------
A...................................  ``AAA''...............      $ 67.50            7        $0.38         0.56
B...................................  ``AA''................         7.50           15         0.09         1.20
C...................................  ``A''.................         8.00           20         0.13         1.60
D...................................  ``BBB''...............         5.00           75        $0.30         6.00
----------------------------------------------------------------------------------------------------------------

Comparison of RBA and SFA Generated Capital Requirements

        Table 12.--RBA and SFA Capital Requirements for Example 3
------------------------------------------------------------------------
                                                            SFA capital
                 Tranche                  Tranche amount    requirement
------------------------------------------------------------------------
A.......................................         $ 67.50          $ 0.38
B.......................................            7.50            0.09
C.......................................            8.00            0.13
D.......................................            5.00            0.30
E.......................................           12.00            8.64
�����������������������������������������
    Total...............................          100.00            9.54
------------------------------------------------------------------------

    If the other classes of notes were held by the originating bank, 
the RBA would be used to determine required capital since all of these 
classes are rated. Notably, regardless of how many classes are held in 
addition to Class E, the total amount of capital that the originating 
bank must hold for the transaction will not exceed the KIRB 
cap ($8.64).

Appendix B: Examples of Data Elements for Securitization Exposures

    For illustrative purposes, this appendix provides examples of the 
kinds of data elements banks should collect under an IRB data 
management framework for securitization exposures.

For All Securitization Exposures

     The description and amount of each exposure;
     The fundamental characteristics of the exposure (e.g., 
tenor, fixed or variable rates, call, and early amortization features);
     The exposure's initial rating and effective date;
     The amount of any exposures deducted from risk-based 
capital under provisions of the framework;
     A description and amount of exposure limits at the 
aggregate and transaction level;
     A description and amount of concentration limits, for the 
underlying exposure level and capital;
     The person who authorizes limit and concentration levels, 
and his or her authority levels; and
     Reports of all policy exceptions.

For Exposures Subject to the Ratings-Based Approach

     The NRSRO providing the rating;
     Documentation indicating that the exposure is part of the 
surveillance/monitoring program, is publicly published, and is in 
transition matrices;
     A description and amount of any rated security supporting 
an inferred rating;
     Seniority and granularity (for non-retail securitizations) 
of the exposure;
     Whether the NRSRO rating is a short-term or long-term 
credit assessment;
     The risk-weight schedule used, and the risk-weight column 
applied; and
     The date, magnitude, and details of any rating changes.

[[Page 9165]]

For Exposures Subject to the Internal Assessment Approach

     The name of the sourced NRSRO, and the rating criteria for 
the referenced asset class;
     The criteria used for selecting the NRSRO;
     NRSRO stress loss factors used for each ICA;
     Historical loss and dilution estimates used in applying 
NRSRO criteria;
     Seller-servicer rating assignment, if any;
     Any quantitative adjustments to ratings criteria, stress 
loss factors, or loss estimates based upon qualitative judgments (e.g., 
seller-servicer strength, concentration, etc.);
     The external rating for the commercial paper issued by the 
ABCP program (that is supported by the exposure);
     Seniority and granularity of the exposure;
     Whether the ICA is a short-term or long-term credit 
assessment;
     The risk-weight schedule used, and the risk-weight column 
applied;
     The person or model responsible for assigning the rating;
     Any overrides to the rating and the authorizing official 
(if applicable); and
     The date, magnitude, and details of any rating changes.

For Exposures Subject to the Supervisory Formula Approach

     The dollar amount of underlying exposures in the 
transaction (UE);
     The securitization exposure's proportion of the tranche 
(TP);
     The risk-based capital requirements of the underlying 
exposures as if they were held on the bank's balance sheet 
(KIRB);
     The exposure's credit enhancement level (L);
     The exposure tranche's thickness (T);
     The securitization transaction's effective number of 
underlying exposures (N); and
     The transaction's exposure-weighted loss-given-default 
(EWALGD).

For Securitization Transactions With Early-Amortization Provisions (On 
a Monthly Basis)

     The total amount of the sold (investor's interest) and 
retained positions in the securitization transaction;
     The IRB risk-based capital requirements of the underlying 
exposures as if they were held on the originating bank's balance sheet;
     The excess spread-capture schedule for the transaction (or 
earliest spread capture requirement when multiple series are issued 
from a trust);
     The three-month average excess spread for the transaction 
(or the lowest three-month average within the trust);
     The designation of whether the amortization provision is 
``controlled'' or ``non-controlled''; and
     The credit-conversion factor schedule (controlled or non-
controlled) applied to the exposure, and the row and column applied.

Attachment A--The NPR Qualification Requirements Related to the IRB 
Framework

Part III. Qualification

Section 22. Qualification Requirements \33\
---------------------------------------------------------------------------

    \33\ 71 FR 55922 through 55924 (Sept. 25, 2006).
---------------------------------------------------------------------------

    (a) Process and systems requirements. (1) A [bank] \34\ must have a 
rigorous process for assessing its overall capital adequacy in relation 
to its risk profile and a comprehensive strategy for maintaining an 
appropriate level of capital.
---------------------------------------------------------------------------

    \34\ For simplicity, and unless otherwise noted, the NPR uses 
the term [bank] to include banks, savings associations, and bank 
holding companies. [AGENCY] refers to the primary Federal supervisor 
of the bank applying the rules.
---------------------------------------------------------------------------

    (2) The systems and processes used by a [bank] for risk-based 
capital purposes under this appendix must be consistent with the 
[bank]'s internal risk management processes and management information 
reporting systems.
    (3) Each [bank] must have an appropriate infrastructure with risk 
measurement and management processes that meet the qualification 
requirements of this section and are appropriate given the [bank]'s 
size and level of complexity. Regardless of whether the systems and 
models that generate the risk parameters necessary for calculating a 
[bank]'s risk-based capital requirements are located at any affiliate 
of the [bank], the [bank] itself must ensure that the risk parameters 
and reference data used to determine its risk-based capital 
requirements are representative of its own credit risk and operational 
risk exposures.
    (b) Risk rating and segmentation systems for wholesale and retail 
exposures. (1) A [bank] must have an internal risk rating and 
segmentation system that accurately and reliably differentiates among 
degrees of credit risk for the [bank]'s wholesale and retail exposures.
    (2) For wholesale exposures, a [bank] must have an internal risk 
rating system that accurately and reliably assigns each obligor to a 
single rating grade (reflecting the obligor's likelihood of default). 
The [bank]'s wholesale obligor rating system must have at least seven 
discrete rating grades for non-defaulted obligors and at least one 
rating grade for defaulted obligors. Unless the [bank] has chosen to 
directly assign ELGD and LGD estimates to each wholesale exposure, the 
[bank] must have an internal risk rating system that accurately and 
reliably assigns each wholesale exposure to loss severity rating grades 
(reflecting the [bank]'s estimate of the ELGD and LGD of the exposure). 
A [bank] employing loss severity rating grades must have a sufficiently 
granular loss severity grading system to avoid grouping together 
exposures with widely ranging ELGDs or LGDs.
    (3) For retail exposures, a [bank] must have a system that groups 
exposures into segments with homogeneous risk characteristics and 
assigns accurate and reliable PD, ELGD, and LGD estimates for each 
segment on a consistent basis. The [bank]'s system must group retail 
exposures into the appropriate retail exposure subcategory and must 
group the retail exposures in each retail exposure subcategory into 
separate segments. The [bank]'s system must identify all defaulted 
retail exposures and group them in segments by subcategories separate 
from non-defaulted retail exposures.
    (4) The [bank]'s internal risk rating policy for wholesale 
exposures must describe the [bank]'s rating philosophy (that is, must 
describe how wholesale obligor rating assignments are affected by the 
[bank]'s choice of the range of economic, business, and industry 
conditions that are considered in the obligor rating process).
    (5) The [bank]'s internal risk rating system for wholesale 
exposures must provide for the review and update (as appropriate) of 
each obligor rating and (if applicable) each loss severity rating 
whenever the [bank] receives new material information, but no less 
frequently than annually. The [bank]'s retail exposure segmentation 
system must provide for the review and update (as appropriate) of 
assignments of retail exposures to segments whenever the [bank] 
receives new material information, but no less frequently than 
quarterly.
    (c) Quantification of risk parameters for wholesale and retail 
exposures. (1) The [bank] must have a comprehensive risk parameter 
quantification process that produces accurate, timely, and reliable 
estimates of the risk parameters for the [bank]'s wholesale and retail 
exposures.
    (2) Data used to estimate the risk parameters must be relevant to 
the [bank]'s actual wholesale and retail

[[Page 9166]]

exposures, and of sufficient quality to support the determination of 
risk-based capital requirements for the exposures.
    (3) The [bank]'s risk parameter quantification process must produce 
conservative risk parameter estimates where the [bank] has limited 
relevant data, and any adjustments that are part of the quantification 
process must not result in a pattern of bias toward lower risk 
parameter estimates.
    (4) PD estimates for wholesale and retail exposures must be based 
on at least 5 years of default data. ELGD and LGD estimates for 
wholesale exposures must be based on at least 7 years of loss severity 
data, and ELGD and LGD estimates for retail exposures must be based on 
at least 5 years of loss severity data. EAD estimates for wholesale 
exposures must be based on at least 7 years of exposure amount data, 
and EAD estimates for retail exposures must be based on at least 5 
years of exposure amount data.
    (5) Default, loss severity, and exposure amount data must include 
periods of economic downturn conditions, or the [bank] must adjust its 
estimates of risk parameters to compensate for the lack of data from 
periods of economic downturn conditions.
    (6) The [bank]'s PD, ELGD, LGD, and EAD estimates must be based on 
the definition of default in this appendix.
    (7) The [bank] must review and update (as appropriate) its risk 
parameters and its risk parameter quantification process at least 
annually.
    (8) The [bank] must at least annually conduct a comprehensive 
review and analysis of reference data to determine relevance of 
reference data to [bank] exposures, quality of reference data to 
support PD, ELGD, LGD, and EAD estimates, and consistency of reference 
data to the definition of default contained in this appendix.
    (d) Counterparty credit risk model. A [bank] must obtain the prior 
written approval of [AGENCY] under section 32 to use the internal 
models methodology for counterparty credit risk.
    (e) Double default treatment. A [bank] must obtain the prior 
written approval of [AGENCY] under section 34 to use the double default 
treatment.
    (f) Securitization exposures. A [bank] must obtain the prior 
written approval of [AGENCY] under section 44 to use the internal 
assessment approach for securitization exposures to ABCP programs.
    (g) Equity exposures model. A [bank] must obtain the prior written 
approval of [AGENCY] under section 53 to use the internal models 
approach for equity exposures.
    --Text omitted--
    (i) Data management and maintenance. (1) A [bank] must have data 
management and maintenance systems that adequately support all aspects 
of its advanced systems and the timely and accurate reporting of risk-
based capital requirements.
    (2) A [bank] must retain data using an electronic format that 
allows timely retrieval of data for analysis, validation, reporting, 
and disclosure purposes.
    (3) A [bank] must retain sufficient data elements related to key 
risk drivers to permit adequate monitoring, validation, and refinement 
of its advanced systems.
    (j) Control, oversight, and validation mechanisms. (1) The [bank]'s 
senior management must ensure that all components of the [bank]'s 
advanced systems function effectively and comply with the qualification 
requirements in this section.
    (2) The [bank]'s board of directors (or a designated committee of 
the board) must at least annually evaluate the effectiveness of, and 
approve, the [bank]'s advanced systems.
    (3) A [bank] must have an effective system of controls and 
oversight that:
    (i) Ensures ongoing compliance with the qualification requirements 
in this section;
    (ii) Maintains the integrity, reliability, and accuracy of the 
[bank]'s advanced systems; and
    (iii) Includes adequate governance and project management 
processes.
    (4) The [bank] must validate, on an ongoing basis, its advanced 
systems. The [bank]'s validation process must be independent of the 
advanced systems'' development, implementation, and operation, or the 
validation process must be subjected to an independent review of its 
adequacy and effectiveness. Validation must include:
    (i) The evaluation of the conceptual soundness of (including 
developmental evidence supporting) the advanced systems;
    (ii) An on-going monitoring process that includes verification of 
processes and benchmarking; and
    (iii) An outcomes analysis process that includes back-testing.
    (5) The [bank] must have an internal audit function independent of 
business-line management that at least annually assesses the 
effectiveness of the controls supporting the [bank]'s advanced systems 
and reports its findings to the [bank]'s board of directors (or a 
committee thereof).
    (6) The [bank] must periodically stress test its advanced systems. 
The stress testing must include a consideration of how economic cycles, 
especially downturns, affect risk-based capital requirements (including 
migration across rating grades and segments and the credit risk 
mitigation benefits of double default treatment).
    (k) Documentation. The [bank] must adequately document all material 
aspects of its advanced systems

Attachment B--Supervisory Standards

Chapter 1: Advanced Systems for Credit Risk

    S 1-1 An IRB system must have five interdependent components that 
enable an accurate measurement of credit risk and risk-based capital 
requirements.
    S 1-2 Senior management must ensure that all of the components of 
the bank's advanced systems for credit risk function effectively and 
comply with the qualification requirements in the NPR.
    S 1-3 The board of directors or its designated committee must at 
least annually evaluate the effectiveness of, and approve, the bank's 
advanced systems.
    S 1-4 Each bank (including each depository institution) must ensure 
that the risk parameters and reference data used to determine its risk-
based capital requirements are representative of its own credit risk.
    S 1-5 Banks should establish specific accountability for the 
overall performance of their advanced systems for credit risk.
    S 1-6 A bank's advanced systems should be transparent.

Chapter 2: Wholesale Risk Rating Systems

    S 2-1 Banks must identify obligor defaults in accordance with the 
IRB definition of default.
    S 2-2 Banks should demonstrate that their wholesale risk rating 
processes are sufficiently independent to produce objective ratings.
    S 2-3 IRB risk rating systems must have two dimensions obligor 
default and loss severity corresponding to PD (obligor default), and 
ELGD and LGD (loss severity).
    S 2-4 Banks must assign discrete obligor rating grades.
    S 2-5 The obligor rating system must rank obligors by likelihood of 
default.
    S 2-6 Banks must assign an obligor to only one rating grade.
    S 2-7 A bank's rating policy must describe its ratings philosophy 
and how quickly obligors are expected to migrate from one rating grade 
to another in response to economic cycles.
    S 2-8 In assigning an obligor to a rating grade, a bank should 
assess the risk of obligor default over a period of

[[Page 9167]]

at least one year taking into account the possibility of adverse 
economic conditions.
    S 2-9 Banks must have at least seven discrete obligor rating grades 
for non-defaulted obligors and at least one rating grade for defaulted 
obligors.
    S 2-10 Banks should justify the number of obligor rating grades 
used in its risk rating system and the distribution of obligors across 
those grades.
    S 2-11 Banks may recognize implied support as a rating criterion 
subject to specific supervisory considerations; however, banks should 
not rely upon the possibility of U.S. government financial assistance, 
except for the financial assistance that the U.S. government has 
legally committed to provide.
    S 2-12 Banks must have a loss severity rating system that is able 
to assign loss severity estimates (ELGD and LGD) to each wholesale 
exposure.
    S 2-13 Banks should have empirical support for their loss severity 
rating system and the rating system should be capable of supporting the 
quantification of ELGD estimates (and LGD estimates if approved for 
internal estimates).
    S 2-14 Banks must have a sufficiently granular loss severity rating 
system to group exposures with similar estimated loss severities or a 
process that assigns estimated ELGDs and LGDs to individual exposures.
    S 2-15 Rating criteria should be written, clear, consistently 
applied, and include the specific qualitative and quantitative factors 
used in assigning ratings.
    S 2-16 Risk ratings must be updated whenever new material 
information is received, but in no instance less than annually.

Chapter 3: Retail Segmentation Systems

    S 3-1 Banks must use the IRB definition of default when identifying 
defaulted retail exposures.
    S 3-2 Banks must first place exposures into one of the three retail 
exposure subcategories (residential mortgage, QRE, and other retail). 
Banks must then separate exposures into segments with homogeneous risk 
characteristics.
    S 3-3 A retail segmentation system must produce segments that 
accurately and reliably differentiate risk and produce accurate and 
reliable estimates of the risk parameters.
    S 3-4 Banks should clearly define and document the criteria for 
assigning an exposure to a particular retail segment.
    S 3-5 Banks should develop and document their policies to ensure 
that risk-driver information is sufficiently accurate and timely to 
track changes in underlying credit quality and that the updated 
information is used to assign exposures to appropriate segments.
    S 3-6 The bank's retail exposure segmentation system must provide 
for the review and update (as appropriate) of assignments of retail 
exposures to segments whenever the bank receives new material 
information, but no less frequently than quarterly.

Chapter 4: Quantification

    S 4-1 Banks should have a fully specified process covering all 
aspects of quantification (reference data, estimation, mapping, and 
application). The quantification process should be fully documented.
    S 4-2 Risk parameter estimates must be based on the IRB definition 
of default. At least annually, a bank must conduct a comprehensive 
review and analysis of reference data to determine the relevance of 
reference data to the bank's exposures, quality of reference data to 
support risk parameter estimates, and consistency of reference data to 
the IRB definition of default.
    S 4-3 Banks must separately quantify wholesale risk parameter 
estimates before adjusting the estimates for the impact of eligible 
guarantees and eligible credit derivatives.
    S 4-4 Banks may take into account the risk-reducing effects of 
guarantees in support of retail exposures when quantifying the PD, 
ELGD, and LGD of the segment.
    S 4-5 Banks may only reflect the risk-reducing benefits of tranched 
guarantees of multiple retail exposures by meeting the definition and 
operational criteria for synthetic securitizations.
    S 4-6 At a minimum, the quantification process and the resulting 
risk parameters must be reviewed annually and updated as appropriate.
    S 4-7 Quantification should be based upon the best available data 
for the accurate estimation of the risk parameters.
    S 4-8 The sample period for the reference data must meet the 
minimum length for each risk parameter by portfolio.
    S 4-9 The reference data must include periods of economic downturn 
conditions, or the parameter estimates must be adjusted to compensate 
for the lack of data from such periods.
    S 4-10 Banks should clearly document how they adjust for the 
absence of significant data elements in either the reference data set 
or the existing portfolio.
    S 4-11 Judgmental adjustments to risk parameter estimates, either 
upward or downward, may be an appropriate part of the quantification 
process, but must not result in an overall bias toward lower risk 
parameter estimates.
    S 4-12 Risk parameter estimates should incorporate a degree of 
conservatism that is appropriate for the overall rigor of the 
quantification process.
    S 4-13 Mapping should be based on a comparison of available data 
elements that are common to the existing portfolio and each reference 
data set.
    S 4-14 A mapping process should be established for each reference 
data set and for each estimation model.
    S 4-15 Banks that combine estimates from internal and external data 
or that use multiple estimation methods should have a clear policy 
governing the combination process and should examine the sensitivity of 
the results to alternative combinations.
    S 4-16 The aggregation of risk parameter estimates from individual 
exposures within rating grades or segments should be governed by a 
clear and well-documented policy.
    S 4-17 PD estimates must be empirically based and must represent a 
long-run average.
    S 4-18 Effects of seasoning, when material, must be considered in 
the PD estimates for retail portfolios.
    S 4-19 ELGD and LGD estimates must be empirically based and must 
reflect the concept of ``economic loss.''
    S 4-20 ELGD estimates must reflect the expected default-weighted 
average economic loss rate over a mix of economic conditions, including 
economic downturn conditions.
    S 4-21 LGD estimates must reflect expected loss severities for 
exposures that default during economic downturn conditions, and must be 
greater than or equal to ELGD estimates.
    S 4-22 A bank may use internal estimates of LGD only if supervisors 
have previously determined that the bank has a rigorous and well-
documented process for assessing the effects of economic downturn 
conditions on loss severities and for producing LGD estimates 
consistent with downturn conditions. The process must appropriately 
identify downturn conditions, identify the impact of economic downturn 
conditions on loss rates, identify any material adverse correlations 
between drivers of default and LGD, and incorporate any identified 
correlations and/or downturn impact into the quantification of LGD.
    S 4-23 Estimates of additional drawdowns must reflect net 
additional draws expected during economic downturn periods.

[[Page 9168]]

    S 4-24 Estimates of additional drawdowns prior to default for 
individual wholesale exposures or retail segments must not be negative.
    S 4-25 Quantification of the risk parameters should appropriately 
recognize the risk characteristics of exposures that were removed from 
reference data sets through loan sales or securitizations.

Chapter 5: Wholesale Credit Risk Protection

    S 5-1 Risk-based capital benefits are only recognized for credit 
protection that transfers credit risk to third parties.
    S 5-2 Banks must ensure that credit protection for which risk-based 
capital benefits are claimed represents unconditional and legally 
binding commitments to pay on the part of the guarantors or 
counterparties.

Chapter 6: Data Management and Maintenance

    S 6-1 Banks must collect and maintain sufficient data to support 
their IRB systems.
    S 6-2 For wholesale exposures, banks must collect, maintain, and 
analyze essential data for obligors and exposures. This should be done 
throughout the life and disposition of the credit exposure.
    S 6-3 Banks must capture and maintain all significant factors used 
to assign obligor and loss severity ratings.
    S 6-2 For retail exposures, banks must collect and maintain all 
essential data elements used in segmentation systems and the 
quantification process. The data must cover a period of at least five 
years and must include a period of economic downturn conditions, or the 
bank must adjust its estimates of risk parameters to compensate for the 
lack of data from periods of economic downturn conditions.
    S 6-5 Banks should ensure that outsourced activities performed by 
third parties are supported by sufficient data to meet IRB 
requirements.
    S 6-6 Banks should maintain data to allow for a thorough review of 
asset sale transactions.
    S 6-7 Banks should develop policies and controls around the 
integrity of the data maintained both internally and through third 
parties.
    S 6-8 Banks should document the process for delivering, retaining, 
and updating inputs to the data warehouse and ensuring data integrity.
    S 6-9 Banks must maintain detailed documentation of changes to the 
data elements supporting the IRB system.
    S 6-10 Banks must retain data using an electronic format that 
allows timely retrieval of data for analysis, validation, reporting, 
and disclosure purposes.

Chapter 7: Controls and Validation

    S 7-1 Banks must have an effective system of controls that ensures 
ongoing compliance with the qualification requirements, maintains the 
integrity, reliability, and accuracy of the IRB system, and includes 
adequate governance and project management processes.
    S 7-2 Control processes should be independent and transparent to 
supervisors and auditors.
    S 7-3 The annual assessment of the IRB system presented to the 
board of directors should be supported by the bank's comprehensive and 
independent reviews of the IRB system.
    S 7-4 Validation activities must be conducted independently of the 
advanced systems' development, implementation, and operation, or 
subjected to an independent assessment of their adequacy and 
effectiveness.
    S 7-5 The systems and processes used by a bank for risk-based 
capital purposes must be consistent with the bank's internal risk 
management processes and management information reporting systems.
    S 7-6 Internal audit must, at least annually, assess the 
effectiveness of the controls supporting the IRB system and report its 
findings to the board of directors (or a committee thereof).
    S 7-7 A bank's validation policy should cover the key aspects of 
risk rating and segmentation systems and the quantification process.
    S 7-8 Validation must assess the accuracy of the risk rating and 
segmentation systems and the quantification process.
    S 7-9 Validation processes for risk rating and segmentation 
systems, and the quantification process must include the evaluation of 
conceptual soundness, ongoing monitoring, and outcomes analysis.
    S 7-10 Banks must evaluate the developmental evidence supporting 
the risk rating and segmentation systems and the quantification 
process.
    S 7-11 Banks must conduct ongoing process verification of the risk 
rating and segmentation systems and the quantification process to 
ensure proper implementation and operation.
    S 7-12 Banks must benchmark their risk rating and segmentation 
systems, and their risk parameter estimates.
    S 7-13 Banks must analyze outcomes and must develop statistical 
methods to backtest their risk rating and segmentation systems and the 
quantification process.
    S 7-14 Banks should establish ranges around the estimated values of 
risk parameter estimates and model results in which actual outcomes are 
expected to fall and have a validation policy that requires them to 
assess the reasons for differences and that outlines the timing and 
type of remedial actions taken when results fall outside expected 
ranges.
    S 7-15 Each of the three activities in the validation process 
should be conducted often enough to ensure the ongoing integrity, 
reliability, and accuracy of the IRB risk rating and segmentation 
systems, and the quantification process.
    S 7-16 Developmental evidence must be updated whenever significant 
changes in methodology, data, or implementation occur. Other validation 
activities must be ongoing and must not be limited to a point in time.

Chapter 8: Stress Testing of Risk-Based Capital Requirements

    S 8-1 Banks must conduct and document stress testing of their 
advanced systems as part of managing risk-based capital.

Chapter 9: Counterparty Credit Risk Exposure

    S 9-1 All transactions with a counterparty subject to a qualifying 
master netting agreement constitute a netting set and may be treated as 
a single exposure, otherwise each transaction shall have its risk-based 
capital requirement calculated on a standalone basis.
    S 9-2 Banks should have an appropriately documented process for 
determining whether transactions are eligible for an EAD adjustment 
approach if they choose to use an EAD adjustment approach.
    S 9-3 Banks must use the same method for determining risk-based 
capital requirements for all similar transactions.
    S 9-4 The method for calculating EAD for transactions subject to 
counterparty credit risk should be appropriate for the risk, extent, 
and complexity of the bank's activity.
    S 9-5 Banks that use the VaR model approach for single product 
netting sets of repo-style transactions or eligible margin loans must 
conduct rigorous and regular backtesting to validate its model.
    S 9-6 Banks must meet certain qualifying criteria that consist of 
operational requirements, modeling standards, and model validation 
requirements before receiving their primary Federal supervisor's 
approval to use the internal models method.
    S 9-7 Banks that use the internal models methodology for 
counterparty credit risk transactions must establish initial model 
validation and ongoing model review procedures. The model

[[Page 9169]]

review should consider whether the inputs and risk factors as well as 
the model outputs are appropriate. The review of outputs should include 
a backtesting regime that compares the model's output with realized 
exposures.

Chapter 10: Risk-Weighted Assets for Equity Exposures

    S 10-1 Banks must apply the same methodology to like instruments.
    S 10-2 If a bank chooses to use an internal model, it must produce 
reliable estimates of the potential loss in the bank's portfolio from 
equity holdings under stress market conditions.
    S 10-3 Banks must validate internal models used for equity 
exposures.
    S 10-4 Internal models used to calculate risk-based capital 
requirements for equity exposures must be consistent with models used 
in the bank's risk management processes and management information 
reporting systems.

Chapter 11: Securitizations

    S 11-1 Banks must use the securitization framework for any 
exposures that involve the tranching of credit risk (with the exception 
of a tranched guarantee that applies only to an individual retail 
exposure).
    S 11-2 Banks should develop written implementation policies and 
procedures describing the allowed approaches, methods of application, 
and designated responsibilities for complying with the securitization 
framework.
    S 11-3 Securitization transactions must transfer credit risk to at 
least one third party to qualify for treatment under the securitization 
framework.
    S 11-4 Banks that provide implicit support to securitization 
transactions must hold risk-based capital as if the underlying assets 
had not been securitized, and must deduct from Tier 1 capital any 
after-tax gain-on-sale resulting from the securitization.
    S 11-5 A clean-up call constitutes implicit support if, in 
exercising the call, the bank provides support in excess of its 
contractual obligation to provide support to the securitization.
    S 11-6 The maximum risk-based capital requirement for all 
securitization exposures held by a bank associated with a single 
securitization transaction is the amount of risk-based capital plus 
expected losses that would have been required had the underlying 
exposures not been securitized.
    S 11-7 Banks must follow the specified hierarchy of approaches to 
determine risk-weighted asset amounts for all securitization exposures.
    S 11-8 In order to use the RBA, the securitization exposure must be 
externally rated by an NRSRO, or be eligible for an inferred rating.
    S 11-9 The securitization transaction must have an external rating 
assigned by an NRSRO that fully reflects the credit risk associated 
with timely repayment of principal and interest.
    S 11-10 Banks should document the factors that support their use of 
the RBA.
    S 11-11 Banks' internal credit assessment processes should be 
comprehensive, transparent, independent, well-defined, and fully 
documented.
    S 11-12 Banks should analyze the servicer's capabilities and 
document the analysis in the internal assessment.
    S 11-13 The bank must validate its ICA process on an ongoing basis 
and at least annually the ICA process and results must be subject to 
the full range of the bank's IRB validation activities.
    S 11-14 Banks should document the securitization structure and loss 
prioritization.
    S 11-15 Banks should retain the specific data elements necessary to 
calculate the appropriate securitization risk-based capital 
requirement.

Attachment C--Acronym List

------------------------------------------------------------------------
                Acronym                             Definition
------------------------------------------------------------------------
ABCP...................................  Asset-backed commercial paper.
ABS....................................  Asset-backed security.
AIR....................................  Accrued interest receivable.
ALLL...................................  Allowance for loan and lease
                                          losses.
ANPR...................................  Advance notice of proposed
                                          rulemaking.
AR.....................................  Accounts receivable.
ARM....................................  Adjustable rate mortgage.
ASRF...................................  Asymptotic single risk factor
                                          model.
CCR....................................  Counterparty Credit Risk.
CF.....................................  Credit conversion factor.
CDO....................................  Collateralized debt
                                          obligations.
CE.....................................  Credit enhancement.
CEIO...................................  Credit-enhancing Interest-Only.
CFR....................................  Code of Federal Regulations.
CRM....................................  Credit risk mitigation.
CUSIP..................................  Committee on Uniform Securities
                                          Identification Procedures.
CVA....................................  Credit valuation adjustment.
CVaR...................................  Credit value-at-risk.
EAD....................................  Exposure at default.
EBITDA.................................  Earnings before interest,
                                          taxes, depreciation and
                                          amortization.
EE.....................................  Expected exposure.
EPE....................................  Expected positive exposure.
EL.....................................  Expected loss.
ELGD...................................  Expected loss given default.
EWALGD.................................  Exposure-weighted average loss
                                          given default.
FASB...................................  Financial Accounting Standards
                                          Board.
FHLB...................................  Federal Home Loan Bank.
FIN....................................  Financial Accounting Standards
                                          Board interpretation number.
FTSE...................................  Financial Times Securities
                                          Exchange.
GAAP...................................  Generally accepted accounting
                                          principles.
GDP....................................  Gross domestic product.
GSE....................................  Government sponsored
                                          enterprise.
HVCRE..................................  High-volatility commercial real
                                          estate.
IAA....................................  Internal assessment approach.
ICA....................................  Internal credit assessment.
ID.....................................  Identification.
IMA....................................  Internal models approach.
IRB....................................  Internal ratings-based.
KIRB...................................  Capital requirement for
                                          underlying pool of exposures
                                          (securitizations).
L......................................  Credit enhancement level for
                                          the tranche of interest.
LEQ....................................  Loan equivalent exposure.
LF.....................................  Liquidity facility.
LGD....................................  Loss given default.
LTV....................................  Loan-to-value ratio.
M......................................  Effective maturity.
MBS....................................  Mortgage-backed security.
MSA....................................  Metropolitan statistical area.
N......................................  Effective number of underlying
                                          exposures.
NPR....................................  Noticed of proposed rulemaking.
NRSRO..................................  Nationally recognized
                                          statistical rating
                                          organization.
NSF....................................  Nonsufficient funds.
OTC....................................  Over-the-counter.
PD.....................................  Probability of default.
PE.....................................  Peak exposure.
PFE....................................  Potential future exposure.
PMI....................................  Private mortgage insurance.
QRE....................................  Qualifying revolving exposure.
RBA....................................  Ratings-based approach.
RE.....................................  Real estate.
RWA....................................  Risk-weighted assets.
S&P....................................  Standard and Poors.
SBIC...................................  Small business investment
                                          company.
SFA....................................  Supervisory formula approach.
SPE....................................  Special purpose entity.
T......................................  Thickness of the tranche of
                                          interest.
TFR....................................  Thrift financial report.
TP.....................................  Percentage of the tranche of
                                          interest the bank owns.
UE.....................................  Underlying exposure.
ULBII..................................  Unexpected losses from
                                          counterparty credit risk based
                                          on the Basel II capital
                                          requirement with an alpha of
                                          1.0.
ULCCR..................................  Unexpected losses from
                                          counterparty credit risk at a
                                          one year 99.9% confidence
                                          level based on banks internal
                                          models.
USC....................................  U.S. Code.
VaR....................................  Value-at-risk.
------------------------------------------------------------------------


[[Page 9170]]

Proposed Supervisory Guidance on Advanced Measurement Approaches for 
Operational Risk

Table of Contents

I. Introduction
    A. Purpose
    B. Qualification Requirements, Supervisory Standards, and 
Operational Risk AMA Systems
    C. Supervisory Objectives and Approach
II. Definitions
III. Operational Risk Management
    A. Governance
    B. Board of Directors and Management Oversight
    C. Firm-Wide Operational Risk Management Function
    D. Line of Business Management
    E. Reporting
IV. Operational Risk Data and Assessment
    A. Capture and Maintenance of Elements
    B. Internal Operational Loss Event Data
    C. External Operational Loss Event Data
    D. Scenario Analysis
    E. Business Environment and Internal Control Factors
V. Operational Risk Quantification
    A. Analytical Framework
    B. Eligible Operational Risk Offsets
    C. Unit of Measure
    D. Accounting for Dependence
    E. Risk Mitigation
    F. Alternative Approaches for Depository Institutions
    G. Documentation of Operational Risk Quantification Systems
VI. Data Management and Maintenance
VII. Verification and Validation
VIII. Appendices
    A. The NPR Qualification Requirements, Risk-Weighted Assets for 
Operational Risk, and Disclosure Requirements
    B. Supervisory Standards
    C. The NPR Qualification Process
    D. Basel II Operational Risk Information Collection Templates
    E. Operational Loss Event Types and Examples

I. Introduction

A. Purpose

    This document sets forth the supervisory guidance of the federal 
banking agencies \1\ (``Agencies'') for U.S. banks, savings 
associations, and bank holding companies (``banks'') that use Advanced 
Measurement Approaches (AMA) for calculating the risk-based capital 
requirement for operational risk under the Basel II capital regulation. 
The primary Federal supervisor will review a bank's AMA System relative 
to relevant regulatory requirements and this guidance to determine 
whether the bank may use Basel II-based rules to determine its risk-
based capital requirements. Banks will have considerable flexibility in 
developing operational risk management, data and assessment, and 
quantification processes that are appropriate for the nature of their 
activities, business environment, and internal controls.
---------------------------------------------------------------------------

    \1\ The Federal banking agencies are: the Board of Governors of 
the Federal Reserve System, the Federal Deposit Insurance 
Corporation, the Office of the Comptroller of the Currency, and the 
Office of Thrift Supervision.
---------------------------------------------------------------------------

    This guidance should be considered with the related notice of 
proposed rulemaking (NPR), published in the Federal Register on 
September 25, 2006.\2\ The NPR proposes the AMA regulatory framework 
and the AMA qualification requirements for banks that are required to 
operate, or seek to operate, under that framework. This supervisory 
guidance provides additional detail regarding supervisory standards for 
operational risk management, data and assessment, and quantification 
processes that will help a bank comply with the qualification 
requirements in the NPR.
---------------------------------------------------------------------------

    \2\ 71 FR 55830 (Sept. 25, 2006).
---------------------------------------------------------------------------

B. Qualification Requirements, Supervisory Standards, and Operational 
Risk AMA Systems

    Although operational risk is not a new risk, deregulation and 
globalization of financial services, together with the growing 
sophistication of financial technology, and new business activities and 
delivery channels are making banks' operational risk profiles (i.e., 
the level of operational risk across banks' activities and risk 
categories) more complex. As such, banks and supervisors are 
increasingly viewing operational risk management as a distinct risk 
discipline. The NPR and this guidance outline a more disciplined 
approach to operational risk management and measurement.
    The NPR establishes the qualification requirements that a bank must 
meet in order to use advanced systems for calculating its risk-based 
capital requirement. The NPR qualification requirements for banks using 
an AMA System to calculate the operational risk component of the bank's 
risk-based capital requirement are listed in Appendix A.\3\ This 
guidance identifies supervisory standards (``S'') that a bank should 
follow to implement and maintain an AMA System for regulatory capital 
purposes. Banks meeting these standards should be well positioned to 
demonstrate that their AMA System meets the qualification requirements 
of the NPR. The relevant supervisory standards are listed at the 
beginning of each major section of the guidance, with a full 
compilation of the standards provided in Appendix B. The standards 
establish broad regulatory guidelines, while providing each bank the 
ability to uniquely tailor the framework to its organizational 
structure and culture. This guidance should not be interpreted as 
weakening or superseding the safety and soundness principles 
articulated in existing statutes, or in the regulations or guidance 
issued by the Agencies.
---------------------------------------------------------------------------

    \3\ This guidance does not include all of the qualifying 
criteria contained in the NPR.
---------------------------------------------------------------------------

    The standards are organized into five major groupings: Operational 
risk management; operational risk data and assessment; operational risk 
quantification; data management and maintenance; and verification and 
validation. Operational risk management includes standards for the 
governance and organizational structures (including reporting) needed 
to manage operational risk. Operational risk data and assessment 
establishes the standards for a consistent and comprehensive capture of 
the four elements of the AMA.\4\ Operational risk quantification 
encompasses the standards governing the systems and processes that 
quantify a bank's operational risk exposure. The sections addressing 
data management and maintenance, and verification and validation, 
establish standards to help ensure that a bank's AMA System remains 
robust and relevant as its operational risk profile changes over time. 
The objectives of the standards are to help ensure rigor, integrity, 
and transparency for each bank's AMA System and the resulting 
operational risk component of the bank's risk-based capital 
requirement.
---------------------------------------------------------------------------

    \4\ The four elements of the AMA include internal operational 
loss event data, external operational loss event data, scenario 
analysis, and business environment and internal control factors. See 
Section IV for a detailed discussion of the supervisory standards 
for each element.
---------------------------------------------------------------------------

    A bank's AMA System should provide for the consistent application 
of operational risk policies and procedures throughout the bank, and 
address the roles of both the independent firm-wide operational risk 
management function and the lines of business. A sound AMA System will 
identify operational risk losses, calculate operational risk exposures 
and associated operational risk regulatory capital, promote risk 
management processes and procedures to mitigate or control operational 
risks, and help ensure that management is fully aware of emerging 
operational risk issues. This framework should also provide for the 
consistent and comprehensive capture and assessment of data elements 
needed to identify, measure, monitor, and control the bank's 
operational risk exposure. This includes identifying the nature, 
type(s), and underlying cause(s) of the operational loss event(s). 
Moreover, the

[[Page 9171]]

framework must also include independent verification and validation to 
assess the effectiveness of the controls supporting the bank's AMA 
System, including compliance with policies, processes, and procedures. 
Given the importance of these functions, the Agencies believe that a 
bank's validation and verification functions should begin their work 
soon after the bank has started to implement its AMA System.
    In practice, a bank's operational risk AMA System should reflect 
the scope and complexity of the business lines, as well as the 
corporate organizational structure. Each bank's operational risk 
profile is unique and requires a tailored risk management approach, 
appropriate for the scale and materiality of the risks present, and the 
size of the bank. There is no single framework that suits every bank; 
the Agencies expect that different banks will develop and implement 
unique risk management, data and assessment, and quantification 
systems, consistent with their culture and risk profile.

C. Supervisory Objectives and Approach

    The supervisory standards in this document apply to banks subject 
to the Basel II regulation. However, the Agencies will not simply 
evaluate a bank's qualification using each of the individual 
supervisory standards. Supervisors will also assess how well the 
various components of a bank's AMA System complement and reinforce one 
another to achieve the overall objectives of effective management and 
measurement of operational risk.
    In performing their evaluation, the Agencies will exercise 
supervisory judgment in evaluating both the individual components and 
the overall AMA System. The NPR provides that the primary Federal 
supervisor may require a bank to assign a different risk-weighted asset 
amount for operational risk, to change aspects of its operational risk 
analytical framework (for example, distributional or dependence 
assumptions), or to make other changes to the bank's operational risk 
management processes, data and assessment systems, or quantification 
systems if the supervisor determines that the risk-weighted asset 
amount for operational risk produced by the bank is not commensurate 
with the bank's operational risk profile. The primary Federal 
supervisor may exercise this authority, for example, if it has 
identified significant changes or weakness within operational risk 
management processes that have not been appropriately captured in the 
bank's AMA System.
    A bank's AMA System will be assessed as part of the ongoing 
supervision process. Some elements of sound operational risk management 
(for example, internal controls and information technology) have long 
been subject to examination by supervisors. Where practical, 
supervisors will make every effort to leverage these examination 
activities to assess the effectiveness of AMA processes. Substantive 
weaknesses or changes in a bank's operational risk profile identified 
in an examination or through other supervisory activities will be 
factored into the AMA qualification process.\5\
---------------------------------------------------------------------------

    \5\ For example, mergers and acquisitions potentially change the 
operational risk profile of the bank, pose challenges in integrating 
operational risk management, data and assessment, and quantification 
processes of the affected banks, and consequently raise supervisory 
issues regarding a bank's AMA System. The Agencies will assess the 
effects of mergers and acquisitions as a part of the ongoing 
supervision of operational risk management.
---------------------------------------------------------------------------

    A part of the supervisory review will include an assessment of the 
bank's implementation plan.\6\ The implementation plan must address how 
the bank complies or plans to comply with the AMA qualification 
requirements. The plan must also address the qualifying standards for 
the bank and each consolidated subsidiary (U.S. and foreign-based). A 
comprehensive and sound planning and governance process to oversee the 
implementation efforts must also be maintained. For a complete 
description of the NPR's qualification process, please see Appendix C.
---------------------------------------------------------------------------

    \6\ A bank that becomes subject to the requirements of the rule 
must adopt a written implementation plan no later than six months 
after the later of the effective date of the final rule or the date 
the bank meets one of the applicability criterion of the rule. A 
bank that chooses to be subject to the requirements of the final 
rule must adopt a written implementation plan and notify its primary 
Federal supervisor in writing of its intent at least twelve months 
before it proposes to be subject to the first floor period.
---------------------------------------------------------------------------

II. Definitions

    There are important definitions relevant to an AMA System for the 
purposes of the Agencies' risk-based capital requirements. They are:
     Advanced Measurement Approach (AMA) System means a bank's 
advanced operational risk management processes, operational risk data 
and assessment systems, and operational risk quantification systems.
     Backtesting means the comparison of a bank's internal 
estimates with actual outcomes during a sample period not used in model 
development. In this context, backtesting is one form of out-of-sample 
testing.
     Benchmarking means the comparison of a bank's internal 
estimates with relevant internal and external data sources or 
estimation techniques.
     Business environment and internal control factors means 
the indicators of a bank's operational risk profile that reflect a 
current and forward-looking assessment of the bank's underlying 
business risk factors and internal control environment.
     Dependence means a measure of the association among 
operational losses across and within business lines and operational 
loss event types.
     Eligible operational risk offsets means amounts, not to 
exceed expected operational loss, that:
    (1) Are generated by internal business practices to absorb highly 
predictable and reasonably stable operational losses, including 
reserves calculated consistent with GAAP; and
    (2) Are available to cover expected operational losses with a high 
degree of certainty over a one-year horizon.
     Expected operational loss (EOL) means the expected value 
(mean) of the distribution of potential aggregate operational losses, 
as generated by the bank's operational risk quantification system using 
a one-year horizon.
     External operational loss event data, with respect to a 
bank, means gross operational loss amounts, dates, recoveries, and 
relevant causal information for operational loss events occurring at 
organizations other than the bank.
     GAAP means U.S. generally accepted accounting principles.
     Internal operational loss event data, with respect to a 
bank, means gross operational loss amounts, dates, recoveries, and 
relevant causal information for operational loss events occurring at 
the bank.
     Operational loss means a loss (excluding insurance or tax 
effects) resulting from an operational loss event. Operational loss 
includes all expenses associated with an operational loss event except 
for opportunity costs, forgone revenue, and costs related to risk 
management and control enhancements implemented to prevent future 
operational losses.
     Operational loss event means an event that results in loss 
and is associated with internal fraud; external fraud;\7\ employment 
practices and

[[Page 9172]]

workplace safety; clients, products, and business practices; damage to 
physical assets; business disruption and system failures; or execution, 
delivery, and process management (see Appendix D for examples of loss 
event types).
---------------------------------------------------------------------------

    \7\ Retail credit card losses arising from non-contractual, 
third-party initiated fraud (for example, identity theft) are to be 
treated as external fraud operational losses. All other third-party 
initiated losses are to be treated as credit losses--see discussion 
under Standard 17 for more details.
---------------------------------------------------------------------------

     Operational risk means the risk of loss resulting from 
inadequate or failed internal processes, people, and systems or from 
external events (including legal risk, but excluding strategic and 
reputational risk).
     Operational risk exposure means the 99.9\th\ percentile of 
the distribution of potential aggregate operational losses, as 
generated by the bank's operational risk quantification system using a 
one-year horizon (and not incorporating eligible operational risk 
offsets or qualifying operational risk mitigants).
     Parallel run period means a period of at least four 
consecutive quarters after adoption of the bank's implementation plan 
before the bank's first floor period during which the bank complies 
with all the qualification requirements to the satisfaction of the 
bank's primary Federal supervisor.
     Scenario analysis means a systematic process of obtaining 
expert opinions from business managers and risk management experts to 
derive reasoned assessments of the likelihood and loss impact of 
plausible high-severity operational losses.
     Total risk-weighted assets means:
    (1) The sum of:
    (i) Credit risk-weighted assets; and
    (ii) Risk-weighted assets for operational risk; minus
    (2) The sum of:
    (i) Excess eligible credit reserves not included in Tier 2 capital; 
and
    (ii) Allocated transfer risk reserves.
     Unexpected operational loss (UOL) means the difference 
between the bank's operational risk exposure and the bank's expected 
operational loss.
     Unit of measure means the level (for example, 
organizational unit or operational loss event type) at which the bank's 
operational risk quantification system generates a separate 
distribution of potential operational losses.

III. Operational Risk Management

A. Governance

    S 1. The bank's AMA System must include an operational risk 
management function and audit function that are independent of business 
line management. The operational risk management function should 
address operational risk on a firm-wide basis.
    The organizational structure that supports a bank's AMA System may 
vary across banks, but should reflect the scale and complexity of the 
bank's operational risk profile. However, within all AMA banks, there 
are three key components that should be evident: The firm-wide 
operational risk management function, line of business management, and 
an independent audit function. These three areas should have functional 
independence,\8\ but should work in cooperation to ensure that an 
effective AMA System is in place.
---------------------------------------------------------------------------

    \8\ For the purposes of this guidance, ``functional 
independence'' is the ability to carry out work freely and 
objectively and render impartial and unbiased judgments. 
Independence is often evidenced through separate reporting lines. 
Supervisory assessments of independence will rely upon guidelines 
contained in existing regulatory guidance (for example, audit, 
internal control systems, and board of directors/management).
---------------------------------------------------------------------------

    S 2. The bank must have and document a process that clearly 
describes its AMA System, including how the bank identifies, measures, 
monitors, and controls operational risk.
    Management should maintain comprehensive documentation on 
operational risk management policies, processes, and procedures and 
communicate them to appropriate staff. The documentation should outline 
all aspects of the bank's AMA System, including the following:
     The roles and responsibilities of the board of 
directors,\9\ the independent firm-wide operational risk management 
function, line of business management, and the independent verification 
and validation functions;
---------------------------------------------------------------------------

    \9\ For the purposes of this guidance, the ``board of 
directors'' refers to either the full board or its designated board 
committee.
---------------------------------------------------------------------------

     A definition for operational risk that, at a minimum, 
encompasses the regulatory definition of operational risk, including 
the loss event types that will be monitored;
     The capture and use of internal and external operational 
risk loss event data, including clear documentation of which losses are 
used in and which are excluded from estimating the bank's operational 
risk exposure;
     The appropriate use of scenario analysis;
     The development and incorporation of business environment 
and internal control factor assessments, and risk mitigants;
     A description of the analytical framework that quantifies 
the operational risk exposure of the bank;
     How eligible operational risk offsets are determined, 
measured, and accounted for;
     A description of report content, distribution, and 
frequency for board of directors, line of business, and firm-wide 
reporting, including escalation of emerging issues and changing trends;
     A description of the verification and validation processes 
and procedures; and
     Descriptions of the review and approval process for 
significant policy and procedural changes and exceptions.
    The bank's documentation should clearly differentiate the roles and 
responsibilities of the independent verification and validation 
functions. Activities to verify the bank's AMA System are typically 
included in the bank's internal or external audit programs. More 
specifically, independent verification includes the work done to test 
and verify the bank's AMA policies and procedures. Verification 
activities should be sufficiently broad to confirm that the bank's AMA 
System is working effectively and in a manner consistent with policies 
approved by the bank's board of directors. In addition, the 
verification function ensures that validation of AMA models was 
completed in accordance with the bank's validation policy. Validation 
includes processes the bank uses to test and assess the accuracy of 
models used to quantify the operational risk exposure and the 
operational risk component of the bank's risk-based capital 
requirement.
    The documentation need not be contained in a single comprehensive 
document. Instead, banks may choose to develop and maintain an umbrella 
document that provides the board of directors with an overview of its 
AMA System, including how the framework allows for identifying, 
measuring, monitoring, and controlling operational risk. A bank should 
consider including the following in this overview document:
     Define the bank's philosophy and strategy for operational 
risk management and its risk tolerance;
     Define the roles and responsibilities of those involved in 
the development, implementation, and oversight of the bank's AMA 
System; and
     Reference additional detailed policies, processes, and 
procedures.
    S 3. The bank must maintain effective internal controls supporting 
its AMA System.
    As one of the foundations of safe and sound banking, sound internal 
controls are essential to a bank's management of operational risk and 
are an important requirement for AMA qualification. When properly 
designed and consistently enforced, a sound system of internal controls 
will help management safeguard the bank's resources, produce reliable 
financial reports, and comply with laws and regulations. Sound internal 
controls, assessed annually for

[[Page 9173]]

effectiveness by internal audit, should also reduce the possibility of 
significant human errors and irregularities in internal processes and 
systems, and should assist in their timely detection when they do 
occur. The audit function's annual assessment is not required to assess 
all operational risk controls, but the scope of the assessment should 
be sufficient to assess the effectiveness of the controls supporting 
the bank's AMA System (see Section VII).
    The Agencies are not introducing new internal control standards, 
but rather emphasizing the importance of existing standards.\10\ 
Internal control systems may differ among banks due to the nature and 
complexity of a bank's products and services, organizational structure, 
and risk management culture. The existing regulatory standards allow 
for these differences, while also establishing regulatory expectations 
for the scope and quality of the internal control structure.
---------------------------------------------------------------------------

    \10\ Each Agency has extensive guidance on corporate governance, 
internal controls, and risk monitoring and reporting in its 
respective examination policies and procedures. All Agencies have 
standards for safe and sound operations and for safeguarding 
customer information. In addition, there are a number of interagency 
standards that cover topics relevant to the internal control 
structure.
---------------------------------------------------------------------------

    The extent to which a bank maintains effective internal controls 
will be assessed through ongoing supervisory processes. As noted 
earlier, the Agencies will leverage existing examination processes to 
avoid duplication in assessing implementation of a bank's AMA System.

B. Board of Directors and Management Oversight

    S 4. The bank must ensure that an effective framework is in place 
to identify, measure, monitor, and control operational risk, and to 
accurately compute the bank's operational risk component of the bank's 
risk-based capital requirement. The board of directors must at least 
annually evaluate the effectiveness of, and approve, the bank's AMA 
System, including the strength of the bank's control infrastructure.
    S 5. The board of directors and management should ensure that the 
bank's operational risk management, data and assessment, and 
quantification processes are appropriately integrated into the bank's 
existing risk management and decision-making processes and that there 
are adequate resources to support these processes throughout the bank.
    Strong board of directors and management oversight forms the 
cornerstone of an effective operational risk management process. The 
board of directors is responsible for overseeing the establishment and 
ongoing effectiveness of the AMA System. The board of directors must 
approve the bank's written implementation plan. In addition, the board 
of directors must at least annually evaluate the effectiveness of, and 
approve, the bank's AMA System. Information provided to the board of 
directors for this review should be detailed enough for the bank's 
board members to understand and evaluate its AMA System.\11\ The board 
of directors' evaluation should reflect the results of any independent 
reviews and the findings of the verification and validation 
functions.\12\
---------------------------------------------------------------------------

    \11\ Important sources of information about the effectiveness of 
the AMA System include: (1) Internal audit's annual review of the 
effectiveness of operational risk controls and the independent 
verification function's annual assessment of the adequacy of the 
overall operational risk framework, and (2) the results of the 
validation function's testing of model results and assessment of 
quantification processes--see Standards 3 and 32.
    \12\ See Section VII--Verification and Validation for more 
details regarding independent review requirements.
---------------------------------------------------------------------------

    Other board of directors' responsibilities with respect to 
operational risk may include:
     Understanding and approving the bank's tolerance for 
operational risk; \13\
---------------------------------------------------------------------------

    \13\ Banks use several approaches to define operational risk 
tolerance, including establishing expectations for control self 
assessments, establishing targeted ceilings for operational losses, 
developing key risk indicators, or establishing other qualitative 
expectations for operational risk management. These approaches will 
continue to evolve and banks are encouraged to continue to develop 
effective metrics to define their operational risk tolerance.
---------------------------------------------------------------------------

     Ensuring appropriate management responsibility, 
accountability, and reporting;
     Understanding the major aspects of the bank's operational 
risk profile through the periodic review of high-level reports that 
address material risks, capital adequacy, and strategic implications 
for the bank;
     Ensuring that management demonstrates that it is actively 
using its AMA System as a basis for assessing and managing operational 
risk, and that the framework's use is not limited to determining 
regulatory capital;
     Ensuring that mechanisms exist to allow for the 
independent verification of the AMA System's implementation and 
validation activities;
     Ensuring that mechanisms exist to allow for the 
independent validation of the bank's risk measurement and 
quantification processes; and
     Ensuring Compliance with regulatory disclosure 
requirements.
    The board of directors may delegate the responsibility and 
authority for the design and implementation of the AMA System to 
management. Management is responsible for translating the bank's AMA 
System into specific policies, processes, and procedures, implementing 
them across business lines, and ensuring independent verification and 
validation of the AMA System. Management is also responsible for 
communicating the policies, processes, and procedures throughout the 
bank to ensure consistent understanding and treatment of operational 
risk.
    While each level of management is responsible for implementing the 
AMA System in their areas, senior management should clearly assign 
authority and responsibilities to business managers to encourage and 
maintain accountability. Moreover, senior management should ensure 
appropriate implementation of the AMA System within individual business 
lines.
    Senior management is responsible for ensuring that operational risk 
is appropriately managed across the bank and that all components of the 
bank's AMA System function effectively and meet regulatory 
requirements. Specifically, management should ensure that the bank has 
qualified staff and sufficient resources to carry out the operational 
risk functions outlined in its AMA System. Appropriate staff and 
resources should be available within the lines of business, the firm-
wide operational risk management function, and the verification and 
validation functions to monitor and enforce compliance with the bank's 
policies and procedures related to the AMA System.
    Other management responsibilities include ensuring that:
     The bank's overall operational risk profile is monitored, 
maintained at prudent levels, and supported by adequate capital;
     Compensation policies are sufficiently flexible to attract 
and retain qualified and competent operational risk expertise; and
     Operational risk issues are communicated consistently to 
staff responsible for managing other risks (for example, credit, 
market, and liquidity risk), as well as staff responsible for 
purchasing insurance and overseeing third-party outsourcing 
arrangements.

C. Firm-Wide Operational Risk Management Function

    S 6. The bank must have a firm-wide operational risk management 
function that oversees the AMA System and is independent of business 
line

[[Page 9174]]

management. The operational risk management function is also 
responsible for the development of operational risk data and assessment 
systems, operational risk quantification systems, and related processes 
throughout the bank.
    S 7. The firm-wide operational risk management function should 
ensure adequate analysis and reporting of operational risk information. 
The function should also develop and report on the firm-wide 
operational risk profile.
    The roles and responsibilities of the firm-wide operational risk 
management function may vary among banks, but should be clearly 
documented in operational risk policies and procedures. The firm-wide 
function should have organizational stature commensurate with the 
bank's operational risk profile. At a minimum, the function should 
ensure the development of policies, processes, and procedures that 
explicitly manage operational risk as a distinct risk.
    Responsibilities of the firm-wide operational risk management 
function may include:
     Assisting in the implementation of the AMA System;
     Reviewing the bank's performance against stated 
operational risk objectives, goals, and risk tolerances;
     Periodically evaluating the effectiveness of the bank's 
AMA System;\14\
---------------------------------------------------------------------------

    \14\ The evaluation of a bank's operational risk framework may 
consider loss experience; effects of external market changes, other 
environmental factors, and the potential for new or changing 
operational risks associated with new products, activities or 
systems; and the framework's ability to detect or prevent potential 
operational losses. This evaluation process should include an 
assessment of leading industry practices.
---------------------------------------------------------------------------

     Reviewing and analyzing operational loss event data and 
reports; and
     Ensuring appropriate reporting to senior management and 
the board of directors.

D. Line of Business Management

    S 8. Line of business management is responsible for ensuring 
appropriate day-to-day management of the operational risks within its 
business unit.
    S 9. Line of business management should ensure that internal 
controls and practices within its business unit are consistent with 
firm-wide policies, processes, and procedures.
    Line of business management should ensure that business-specific 
policies, processes, and procedures are in place, and appropriate staff 
is available to manage operational risk associated with the products 
and activities offered. Implementation of the AMA System within each 
line of business should correspond to the scope of that business and 
its operational complexity and risk profile. Line of business 
operational risk reporting should be appropriate in frequency and scope 
to identify, measure, monitor, and control operational risk. Reporting 
should also address the condition of the internal control environment 
for a given line of business.

E. Reporting

    S 10. The board of directors and senior management must receive 
reports on operational risk exposure, operational risk loss events, and 
other relevant operational risk information. The reports should include 
information regarding firm-wide and business line risk profiles, loss 
experience, and relevant business environment and internal control 
factor assessments. These reports should be received quarterly.
    To facilitate monitoring of operational risk, results from the data 
and assessment, and quantification processes should be summarized and 
included in reports that can be used by different audiences to 
understand, manage, and control operational risk and losses. Reports 
generated by the bank's AMA System \15\ should provide the foundation 
for reporting to the board of directors and senior management. 
Comprehensive management reporting, geared toward the firm-wide 
operational risk management function and line of business management, 
should include:
---------------------------------------------------------------------------

    \15\ The firm-wide operational risk management function, lines 
of business, and the verification and validation functions should be 
generating reports for their unique needs. These reports should form 
the basis for aggregating reporting to senior management and the 
board of directors.
---------------------------------------------------------------------------

     Operational loss experience, including an overview and 
assessment of loss experience over time;
     Operational risk exposure;
     Changes in assessments of business environment and 
internal control factors;
     Changes in factors signaling an increased risk of future 
losses;
     Trend analysis, allowing line of business and independent 
firm-wide operational risk management to assess and manage operational 
risk exposures, systemic line of business risk issues, and other 
corporate risk issues;
     Policy and risk tolerance reporting; and
     Operational risk causal factors.

IV. Operational Risk Data and Assessment

    The bank must have operational risk data and assessment systems 
that include credible, transparent, systematic, and verifiable 
processes that incorporate the following elements on an ongoing basis:
     Internal operational loss event data,
     Relevant external operational loss event data,
     Scenario analysis, and
     Assessments of the bank's business environment and 
internal control factors.
    In addition, the operational risk data and assessment systems must 
be structured in a manner consistent with the bank's current business 
activities, risk profile, technological processes, and risk management 
processes. The operational risk data and assessment systems should 
provide for the consistent and comprehensive capture of the four 
elements needed to measure and verify the bank's operational risk 
exposure. The four elements should be combined in a manner that most 
effectively allows the bank to quantify its exposure to operational 
risk.

A. Capture and Maintenance of Elements

    S 11. The bank must have a systematic process for incorporating 
internal loss event data, external loss event data, scenario analyses, 
and assessments of its business environment and internal controls 
factors to support both its operational risk management and measurement 
framework, as well as its calculation of the bank's operational risk 
component of its risk-based capital requirement.
    S 12. The bank must use the regulatory definition of operational 
risk when assessing the operational risks to which the bank is exposed 
in order to calculate its risk-based capital requirement for 
operational risk. The bank should have clear standards for the 
collection and modification of all four elements in the operational 
risk data and assessment systems that support its AMA System.
    The four required elements of a bank's data and assessment systems 
that support its AMA System aid the bank in identifying the level of 
and trends in operational risk, determining the effectiveness of risk 
management and control, highlighting opportunities to better mitigate 
operational risk, and assessing operational risk on a forward-looking 
basis. The bank should demonstrate that the four elements jointly cover 
all significant operational risks to which it is exposed. In the case

[[Page 9175]]

where the bank has sustained an operational loss event above its 
established threshold, but the loss is not yet included in the internal 
loss database, the bank should be able to demonstrate that the exposure 
is reasonably captured elsewhere, such as in one of its external loss 
observations or in one of its scenarios (see Standard 16 regarding the 
use of thresholds).
    The bank should demonstrate that it has implemented its AMA System 
appropriately in all lines of business and corporate functions that 
could generate operational risk. For regulatory capital purposes, a 
bank must use the definition of operational risk that is provided in 
Section II--Definitions. A bank may use an expanded definition for risk 
management and measurement purposes, if it considers it more 
appropriate for risk management and measurement purposes.
    As part of its AMA System implementation, a bank should demonstrate 
that it has established a consistent and comprehensive process for the 
capture and modification of all four required elements. While the 
primary Federal supervisor will review the quantification processes 
that combine these elements to determine the operational risk exposure, 
the supervisor must have the capacity to review the data collection 
process and the individual elements as well.
    The bank should have a defined process that establishes 
responsibilities over the systems developed to capture and modify the 
AMA elements. In particular, the issue of modifying the data capture 
systems should be addressed in policies or procedures. System and 
process documentation should be maintained, with any modification 
tracked separately and reasons for the changes kept in the historical 
record. Such tracking allows management and supervisors to identify the 
nature and rationale of the modification. For example, the Agencies are 
particularly interested when a bank modifies its loss database by 
excluding a loss event from the quantitative measurement process. 
Management should have clear standards for addressing modifications and 
clearly delineate who has authority to override the data systems and 
under what circumstances. In addition, management should track override 
decisions.

B. Internal Operational Loss Event Data

    S 13. The bank must have a historical observation period of at 
least five years for internal operational loss event data. A shorter 
period may be approved by the primary Federal supervisor to address 
transitional situations, such as integrating a new business line. 
Internal data should be captured across all business lines, corporate 
functions, events, product types, and geographic locations. The bank 
must have a systematic process for capturing and using internal 
operational loss event data in its operational risk data and assessment 
systems.
    S 14. The bank should be able to map internal operational losses to 
the seven operational loss-event categories.
    S 15. The bank should have a policy that identifies when an 
operational loss is recognized and should be added to the loss event 
database. The policy should provide for consistent treatment across the 
bank.
    S 16. The bank may establish appropriate internal operational loss 
event data thresholds and, if so, must demonstrate the appropriateness 
of such thresholds.
    S 17. The bank should have a clear policy that allows for the 
consistent treatment of loss event classifications (for example, 
credit, market, or operational loss events) across the organization.
    Internal data with sufficient integrity is important in identifying 
the level of and trends in operational risk. A key to internal data 
integrity is the consistent and complete capture of loss event data 
across the bank. The bank must have a minimum historical observation 
period of five years of internal operational loss event data, or such 
shorter transitional period approved by the bank's primary Federal 
supervisor. For example, when a bank has recently acquired a firm that 
does not have comprehensive internal loss event data, the resulting 
bank should make use of both its internal loss data and the acquired 
firm's data to properly reflect the risks of the resulting institution. 
Depending on the quality of the data from the acquired firm, the 
resulting bank may have to place more weight on relevant external loss 
event data, results from scenario analysis, and factors reflecting 
assessments of the business environment and internal controls. 
Additionally, if a bank exits a business line and can clearly 
demonstrate that its exposure has been eliminated and that the loss 
experience does not have relevance to other remaining activities, the 
bank would likely be able to exclude that business unit's loss 
experience from subsequent quantification processes.
    The bank should have a policy that identifies when an operational 
loss is recognized and should be added to the loss event database. 
Policies and procedures should be communicated to ensure there is 
satisfactory understanding of operational risk and the data capture 
requirements by appropriate staff. The independent firm-wide 
operational risk management function should ensure that the loss data 
are captured across all business lines, corporate functions, products 
types, event types, and from all geographic locations that could 
generate operational risk. The bank's operational loss policies and 
procedures should consider the effect and treatment of operational loss 
events that are recovered within a short period of time.
    The bank's data and assessment system should have the ability to 
aggregate internal losses that are associated with the same loss event. 
This means the bank should be able to link operational loss events that 
cross multiple business lines or event types. Institutions should also 
maintain policies to ensure consistent identification and capture of 
multiple loss events that occur within one or several time periods, but 
that result from the same initial operational loss event. When 
capturing internal losses that span more than one business line, the 
bank may choose to assign the entire loss to one business line (for 
example, where the effect is the greatest, where the control breakdown 
occurred). Alternatively, the bank may choose to apportion the loss 
across several affected business lines. Regardless of how losses are 
assigned, the method should be well-reasoned and sufficiently 
documented. The treatment of related losses will also have an effect on 
dependence modeling, as discussed under Standard 28. If data are not 
captured across all business lines or from all geographic locations, 
the bank should document and explain the exceptions, including why the 
exceptions will not impair the bank's estimation of its operational 
risk exposure.
    The description of the loss event, including causal factors, should 
be collected for internal operational loss events. Examples of 
additional loss event information to be collected include:
     Gross loss amount;
     Where the loss is reported and expensed;
     Loss event type category;
     Date of the loss;
     Discovery date of the loss;
     Event end date;
     Insurance recoveries;
     Other recoveries; and
     Adjustments to the loss estimate.
    The level of detail describing the loss event and management action 
should be commensurate with the size of the gross loss amount. The bank 
may also choose to capture additional data that enhance

[[Page 9176]]

its operational risk management, data and assessment, and 
quantification processes. For example, it may be appropriate to capture 
data on ``near miss'' events, where no financial loss was incurred. 
While these near misses may not factor directly into the regulatory 
capital calculation, they may be useful to inform scenario analysis or 
for the operational risk management process.
    For regulatory capital purposes, AMA banks should be able to map 
operational risk losses into the seven operational loss event 
categories defined in Section II. Banks will not be required to produce 
reports or perform analysis on the basis of the operational loss event 
categories for internal purposes, but should use the information to 
verify the comprehensiveness of the bank's data set.
    The bank may refrain from collecting internal operational loss 
event data for individual operational losses below established 
thresholds, if the bank can demonstrate to its primary Federal 
supervisor that the thresholds are reasonable. There are a number of 
factors that a bank may use to establish the thresholds. Thresholds may 
be based on business lines, corporate functions, product types, 
geographic location, or other appropriate factors. The Agencies will 
allow flexibility in this area, provided the bank can demonstrate that 
the thresholds are reasonable, do not exclude important internal 
operational loss event data, and permit the bank to capture 
substantially all the dollar value of the bank's operational losses. A 
bank could demonstrate to its primary Federal supervisor that it has 
chosen appropriate thresholds by estimating the change in operational 
risk exposure as a result of using different thresholds.\16\
---------------------------------------------------------------------------

    \16\ As discussed later in Standard 26, the choice of thresholds 
may affect the amount of EL offset that a bank can recognize.
---------------------------------------------------------------------------

    Banks may also find it useful to capture loss events in their 
operational risk databases that are treated as credit risk for 
regulatory capital purposes, but have an underlying element of 
operational risk. These types of events, while not incorporated into 
the regulatory capital calculation for operational risk, may have 
implications for operational risk management. For banks that capture 
loss events differently for regulatory capital and risk management 
purposes, bank management should demonstrate that (1) loss events are 
being captured consistently across the bank; (2) the data systems are 
sufficiently advanced to allow for this differential treatment of loss 
events; and (3) credit, market, and operational risk losses are being 
accounted for in the correct manner for regulatory capital purposes.
    The agencies have established a boundary between credit and 
operational risks for regulatory capital purposes. Losses that arise 
from events associated with a credit arrangement with a borrower are 
credit losses with one proposed exception: Retail credit card fraud 
losses (for example, identity theft) are to be considered external 
fraud operational losses.

C. External Operational Loss Event Data

    S 18. The bank must have a systematic process for determining how 
external loss data will be incorporated into its operational risk data 
and assessment systems.
    S 19. The bank should systematically review external data to ensure 
an understanding of industry operational loss experience.
    External data may serve a number of different purposes in an AMA 
System. For example, where internal loss data are limited, external 
data may be a useful input in determining the bank's level of 
operational risk exposure. Even where external loss data are not an 
explicit input to a bank's database, such data may provide a means for 
the bank to understand industry experience and assess the adequacy of 
its internal data. External data may also prove useful to inform 
scenario analysis, provide additional data for severity distributions, 
or in model validation and out-of-sample testing.
    The bank must establish a systematic process for determining the 
methodologies for incorporating external loss data into its operational 
risk data and assessment systems. To incorporate external loss data 
into a bank's framework, examples of the type of information a bank 
should collect include:
     Loss amount;
     Loss description; \17\
---------------------------------------------------------------------------

    \17\ Loss descriptions should be included to the extent 
possible, but are not generally available from consortium data 
sources.
---------------------------------------------------------------------------

     Loss event type category;
     Loss event date;
     Adjustments to the loss amount (for example, recoveries 
and insurance settlements) to the extent that they are known; and
     Sufficient information about the reporting institution to 
facilitate comparison to its own organization.
    Banks may obtain external loss data in any reasonable manner. For 
example, some banks are using data acquired through membership with 
industry consortia while other banks are using data obtained from 
vendor databases or public sources such as court records or media 
reports. In all cases, management should carefully evaluate the data 
source to ensure that the information being reported is relevant and 
accurate. The bank should document its process for and decisions 
regarding external data selection and scaling.

D. Scenario Analysis

    S 20. The bank must have a systematic process for determining how 
scenario analysis will be incorporated into its operational risk data 
and assessment systems.
    Scenario analysis allows the bank to incorporate forward-looking 
elements into its operational risk data and assessment systems. More 
specifically, scenario analysis is a systematic process of obtaining 
expert opinions from business and risk managers to derive reasoned 
assessments of the likelihood and loss impact of plausible high-
severity operational losses that may occur at a bank. Scenario analysis 
is especially relevant for business lines or operational loss event 
types in which internal data, external data, or assessments of business 
environment and internal control factors do not provide a sufficiently 
robust estimate of the bank's exposure to operational risk. For 
example, a bank's scenario analysis should include consideration of 
high-severity loss events that occur infrequently in the industry. It 
could also include the effects of mergers or other significant 
organizational changes that may affect the nature of operational losses 
in the future. Business line and risk management experts' use of well-
reasoned, external data may itself be a form of scenario analysis.
    The bank must have a systematic process for determining the 
methodologies for incorporating scenario analysis into its operational 
risk data and assessment systems. The process should cover key elements 
of scenario analysis, such as the manner in which the scenarios are 
generated, the frequency with which they are updated, and the scope and 
coverage of operational loss events they are intended to reflect. The 
bank should document its process for conducting scenario analysis, as 
well as the results of the analysis.

E. Business Environment and Internal Control Factors

    S 21. The bank must incorporate business environment and internal 
control factors into the bank's operational risk data and assessment 
systems.

[[Page 9177]]

    S 22. The bank must periodically compare the results of its 
business environment and internal control factor assessments against 
the bank's actual operational risk loss experience.
    Business environment and internal control factors are indicators of 
the bank's operational risk profile that reflect the underlying 
business risk factors, an assessment of the current internal control 
environment, and a forward-looking assessment of the bank's control 
environment. The framework established to maintain the business 
environment and internal control factor assessments should be 
sufficiently flexible to encompass the range and complexity of actual 
and planned activities, changes in internal control systems, or an 
increased volume of information. In principle, a bank with strong 
internal controls in a stable business environment will have, all other 
things being equal, less exposure to operational risk than a bank with 
internal control weaknesses, that is experiencing rapid growth, or that 
is introducing new products. In this regard, banks should identify and 
assess the level of and trends in operational risk and related control 
structures across the organization. These assessments should be current 
and comprehensive across the bank, and should identify the critical 
operational risks facing the bank.
    The business environment and internal control factor assessments 
should identify positive and negative trends in operational risk 
management within the bank. These assessments include reviewing both 
the control processes relating to current activities, as well as those 
relating to anticipated changes in a bank's business risk profile. 
Periodic comparisons must be made between the bank's actual operational 
loss exposure and the assessment results.

V. Operational Risk Quantification

    A bank must have a comprehensive operational risk quantification 
system, using inputs from its data and assessment systems, that 
provides an estimate of the bank's operational risk exposure, which is 
defined as the 99.9th percentile of the distribution of potential 
aggregate operational losses over a one-year horizon. The bank's 
operational risk exposure is the starting point in determining the 
risk-based capital requirement for operational risk (see Graph 1).
    A bank's estimate of operational risk exposure includes both EOL 
and UOL, forming the basis of the bank's risk-based capital requirement 
for operational risk. The bank's estimate of operational risk exposure 
should also consider qualitative factors (for example, changes in 
business environment and internal control factors). Qualitative factors 
can be incorporated into the bank's quantification methodology in 
different ways and at different modeling stages. While not prescribing 
a specific methodology, the Agencies will assess the processes banks 
use to integrate qualitative factors into the quantification of 
operational risk exposure.
[GRAPHIC] [TIFF OMITTED] TN28FE07.036

    Operational risk exposure may be reduced with eligible operational 
risk offsets, up to the amount of EOL (see Section B below). The bank's 
primary Federal supervisor will review the bank's use of eligible 
operational risk offsets for appropriateness. A bank may also adjust 
its operational risk exposure to reflect reductions from operational 
risk mitigants (for example, insurance), subject to the qualification 
requirements and limits (described in Section E below).
    The dollar risk-based capital requirement for operational risk, 
resulting from the bank's risk quantification system, is the greater 
of:

[[Page 9178]]

     The bank's operational risk exposure adjusted for 
qualifying operational risk mitigants minus eligible operational risk 
offsets; or
     0.8 multiplied by the difference between the bank's 
operational risk exposure and eligible operational risk offsets (if 
any).
    If the bank has no qualifying operational risk mitigants, the 
dollar risk-based capital requirement for operational risk is equal to 
its operational risk exposure less any eligible operational risk 
offsets.
    In recognition of the modeling challenges in legal entities with 
little internal operational risk loss data, a bank may generate an 
estimate of its operational risk exposure using an alternative approach 
to that described above, with the prior written approval of its primary 
Federal supervisor. Requirements for the use of an alternative approach 
are provided in Section V.F. below.
    The bank's risk-weighted asset amount for operational risk equals 
the bank's dollar risk-based capital requirement for operational risk 
determined as described above multiplied by 12.5.

A. Analytical Framework

    S 23. The bank must have an operational risk quantification system 
that provides an estimate of the bank's operational risk exposure.
    S 24. The bank's operational risk quantification system must use a 
combination of internal operational loss event data, relevant external 
operational loss event data, business environment and internal control 
factor assessments, and scenario analysis results. The bank should 
combine these elements in a manner that most effectively enables it to 
quantify its operational risk exposure. The bank should choose the 
analytical framework that is most appropriate to its business model.
    S 25. The bank must review and update its operational risk 
quantification system whenever it becomes aware of information that may 
have a material effect on the bank's estimate of operational risk 
exposure or risk-based capital requirement for operational risk, but no 
less frequently than annually. A complete review and recalculation of 
the bank's quantification system, including all modeling inputs and 
assumptions, must be done at least annually.
    While not specifying the exact methodology, the Agencies have 
developed regulatory requirements that a bank must use to determine its 
operational risk exposure. These requirements are intended to help 
ensure that the regulation can accommodate continued evolution of 
operational risk quantification techniques, yet remain amenable to 
consistent application and enforcement across banks. The Agencies 
expect that there will be significant variation in analytical 
frameworks across banks, with each bank tailoring its framework to 
leverage existing technology platforms and risk management procedures. 
The framework must use the following inputs: Internal operational loss 
event data, relevant external operational loss event data, assessments 
of business environment and internal control factors, and scenario 
analysis. The Agencies expect that there will be some uncertainty in 
the analytical frameworks because of the evolving nature of operational 
risk data and assessment systems. Therefore, the analytical frameworks 
should be conservative and reflect the evolutionary status of 
operational risk management, measurement and quantification, and its 
impact on data capture and analytical modeling.
    The Agencies expect there will be variation across banks in the 
combination and weighting of the four elements. In weighting each 
element, a bank should consider availability and applicability of each 
of the four elements within each unit of measure. For example, banks 
with comprehensive internal data that reflect the full range of their 
potential loss exposures may choose to place less emphasis on external 
data or scenario analysis. Conversely, banks with limited internal data 
would generally rely more heavily on external data and scenario 
analysis in estimating their operational risk exposure.
    Banks should be able to demonstrate (see Standard 30) the effect of 
each element on the operational risk exposure estimate. In cases where 
this is not possible, or where an element is not used as a direct input 
into the quantitative model, the bank should calculate a benchmark 
estimate using that element individually.
    A bank must review and update its operational risk quantification 
system whenever it becomes aware of information that may have a 
material effect on the bank's estimate of operational risk exposure, 
but no less frequently than annually. On a quarterly basis, a bank must 
publicly disclose its total and Tier 1 risk-based capital ratios and 
their components, including operational risk related data (see Appendix 
D). As a part of this disclosure process, the bank should consider any 
material changes in either (1) the qualitative/quantitative inputs and 
assumptions from the previous quarter or (2) the risk profile of the 
bank that may affect the estimate of operational risk exposure or the 
resulting operational risk capital requirement. Specifically, the bank 
should ensure that all major inputs, elements, and assumptions are 
reviewed, and adjusted as necessary, to reflect relevant changes in the 
bank's operational risk profile (for example, changes in loss 
experience, data inputs, business activity, external factors, 
assumptions, insurance coverage, and eligible offsets). Senior 
management should determine and document which components of the 
quantification system will need to be revised prior to recalculating 
the bank's operational risk exposure and operational risk capital 
requirement due to any identified material change in inputs or 
assumptions. A complete review and recalculation of a bank's estimate 
of operational risk exposure and its risk-based capital requirement for 
operational risk, including updating all modeling inputs and 
assumptions, must be done at least annually.

B. Eligible Operational Risk Offsets

    S 26. In calculating the risk-based capital requirement for 
operational risk, management may deduct certain eligible operational 
risk offsets from its estimate of operational risk exposure. To the 
extent that these offsets do not fully cover expected operational loss 
(EOL), the bank's risk-based capital requirement for operational risk 
must incorporate the shortfall. Eligible operational risk offsets may 
only be used to offset EOL, not UOL.
    In calculating the risk-based capital requirement for operational 
risk, a bank may deduct certain eligible operational risk offsets from 
its estimate of operational risk exposure. As with other aspects of the 
AMA, the eligible operational risk offset process is intended to be 
flexible and dynamic in order to accommodate the continuing evolution 
of underlying business practices and accounting standards. Supervisors 
will review all offsets to ensure they are eligible as defined by the 
NPR. The Agencies intend to develop a process of approving eligible 
operational risk offsets that is practical, clearly articulated, and 
grounded in prudential bank supervisory principles. Banks should 
clearly document how eligible operational risk offsets are measured and 
accounted for, including how they meet the conditions outlined above.
    The maximum offset is bounded by EOL. Furthermore, the losses

[[Page 9179]]

corresponding to the eligible operational risk offset must be fully 
consistent with the EOL-plus-UOL capital requirement calculated using 
the bank's AMA model. If certain small losses are not modeled (for 
example, because they are below a collection threshold), an operational 
risk offset should not be taken for such losses.
    Banks must demonstrate that losses corresponding to the potential 
eligible operational risk offset are highly predictable and reasonably 
stable. The bank's estimation process for eligible operational risk 
offsets should be consistent over time. The Agencies consider balance 
sheet reserves, established consistent with GAAP to cover such losses, 
as eligible operational risk offsets. Eligible offsets also must be 
clear capital substitutes or otherwise available to cover EOL with a 
high degree of certainty over a one-year horizon. Reserves associated 
with large, unexpected operational losses (UOL) do not qualify as 
eligible operational risk offsets. While additional eligible 
operational risk offsets may be considered in the future, the Agencies' 
review of the implementation of AMA Systems indicates that banks so far 
have only been able to demonstrate that losses resulting from external 
credit card fraud or securities processing errors may meet the test of 
being highly predictable and reasonably stable.

C. Unit of Measure

    S 27. The bank must employ a unit of measure that is appropriate 
for the bank's range of business activities and the variety of 
operational loss events to which it is exposed, and that does not 
combine business activities or operational loss events with different 
risk profiles within the same loss distribution.
    Banks should weigh the advantages and disadvantages of estimating a 
single loss distribution or very few loss distributions (top-down 
approach), versus a larger number of loss distributions for specific 
event types and/or business lines (bottom-up approach). One advantage 
of the top-down approach is that data sufficiency is less likely to be 
a limiting factor, whereas with the bottom-up approach there may be 
pockets of missing or limited data. However, a loss severity 
distribution may be more difficult to specify with the top-down 
approach, as it is a statistical mixture of (potentially) heterogeneous 
business line and event type distributions. Supervisors will consider 
the conditions necessary for the validity of top-down approaches and 
evaluate whether these conditions are met in their particular 
individual circumstances.

D. Accounting for Dependence

    S 28. The bank may use internal estimates of dependence among 
operational losses within and across business lines and operational 
loss events if the bank can demonstrate to the satisfaction of its 
primary Federal supervisor that the bank's process for estimating 
dependence is sound, robust to a variety of scenarios, and implemented 
with integrity, and allows for uncertainty surrounding the estimates. 
If the bank has not made such a demonstration, it must sum operational 
risk exposure estimates across units of measures to calculate its total 
operational risk exposure.
    A bank using internal estimates of dependence, whether explicit or 
embedded, must demonstrate that its process for estimating dependency 
is sound, robust to a variety of scenarios, and implemented with 
integrity, and allows for the uncertainty surrounding the estimates. To 
the extent a bank cannot support its process for estimating dependence, 
the bank must sum operational risk exposure estimates across its chosen 
units of measure to calculate the bank's total operational risk 
exposure. While dependence modeling for operational risk is an evolving 
area, banks should consider the following principles and guidelines:
     Assumptions regarding dependence should be supported by 
empirical analysis (data) where possible. The Agencies expect this 
analysis will become more feasible over time as data availability 
increases and greater consensus emerges with regard to dependence 
modeling.
     Where empirical support is not possible, dependence 
assumptions should be based on the judgment of business line experts. 
In such cases, it would be important to express dependence concepts in 
intuitive terms. For example, business line experts could assess the 
probability of certain large loss event scenarios occurring 
simultaneously. For banks that already rely heavily on scenario 
analysis, using expert judgment to assess dependence in this manner 
would merely be an extension of the scenario analysis process from a 
business line perspective to a broader perspective.
     The bank should demonstrate that it has considered the 
possibility that dependence may not be constant over time and may 
increase during stress environments.
     The bank should develop a process for assessing on-going 
improvements to the approach (for example, through out-of-sample 
testing). Such advances would in turn enhance the ability of the bank 
to estimate its aggregate operational losses at the 99.9 percent 
confidence level.
     Banks should perform sensitivity analyses of the effect of 
alternative dependence assumptions on their operational risk exposure 
estimate.
     Banks should not restrict dependence structures to those 
based on normal distributions, as normality may underestimate the 
amount of dependence between tail events.
     Dependence assumptions should be consistent with the way 
in which loss events are defined and used. For example, if one 
underlying factor causes multiple losses, such as an earthquake that 
results in damage to multiple buildings, recording multiple loss 
entries in the data set would require the bank to model the dependence 
between these losses. Judicious aggregation of related losses within 
the data set (in this example, aggregating all of the losses caused by 
a single earthquake into one loss entry) could satisfy some of the 
expectations regarding dependence modeling.
     The choice between a bottom-up or a top-down modeling 
approach affects how a bank accounts for dependence. A bottom-up 
approach requires explicit assumptions regarding dependence to estimate 
operational risk exposure at the bank-wide level. Top-down approaches 
inherently mask dependence and, under many circumstances, assume 
statistical independence across business lines and event types. To the 
extent a top-down approach is used, a bank should ensure that 
dependence within units of measure is suitably reflected in the 
operational risk exposure estimate.
     As with other areas of the framework, assumptions 
regarding dependence should be conservative given the uncertainties 
surrounding dependence modeling for operational risk. The Agencies will 
closely review frameworks that assume statistical independence across 
loss events.

E. Risk Mitigation

    S 29. The bank may adjust its operational risk exposure results by 
no more than 20 percent to reflect the impact of operational risk 
mitigants. In order to recognize the effects of risk mitigants, 
management must estimate its operational risk exposure with and without 
their effects.
    There are many mechanisms to manage operational risk, including 
risk transfer through risk mitigation products. Because risk mitigation 
can be an important element in limiting or reducing operational risk 
exposure in a

[[Page 9180]]

bank, an adjustment that will directly affect the amount of regulatory 
capital that is held for operational risk is being permitted. The 
adjustment is limited to 20 percent of the overall operational risk 
exposure less any eligible operational risk offsets.
    In order to recognize the effects of risk mitigants, the bank must 
calculate two estimates of its operational risk exposure. The first 
estimate should include the effects of risk mitigants, in addition to 
all other adjustments and effects (for example, expected losses, 
diversification, and qualitative adjustments) that are to be reflected 
in the risk-based capital requirement for operational risk. The second 
estimate should be identical to the first, except that it should not 
reflect the effects of risk mitigants. The first exposure estimate 
should be used to calculate risk-weighted assets for operational risk 
(as described in the introduction to Section V), provided that it is at 
least 80 percent of the second estimate. If the first exposure estimate 
is less than 80 percent of the second estimate, then risk weighted 
assets for operational risk should be calculated as the second exposure 
estimate multiplied by 0.8 and by 12.5.
    Currently, the primary risk mitigant used for operational risk is 
insurance. The industry has raised the possibility that some securities 
products may be developed to provide risk mitigation benefits; however, 
to date no specific products have emerged that have characteristics 
sufficient to be considered a capital replacement for operational risk. 
However, as innovation in this field continues, a bank may be able to 
realize the benefits of risk mitigation through certain capital markets 
instruments with the approval of their primary Federal supervisor.
    For a bank that wishes to adjust its regulatory capital requirement 
as a result of the risk mitigating effect of insurance, management must 
demonstrate that the insurance policy:
     Has been provided by an unaffiliated company that has a 
minimum claims paying ability that is rated in one of the three highest 
ratings categories by a Nationally Recognized Statistical Rating 
Organization (NRSRO); \18\
---------------------------------------------------------------------------

    \18\ Rating agencies may use slightly different rating scales. 
For the purpose of this supervisory guidance, the insurer must have 
a rating that is at least the equivalent of an ``A'' under Standard 
and Poor's Insurer Financial Strength Ratings or an ``A2'' under 
Moody's Insurance Financial Strength Ratings.
---------------------------------------------------------------------------

     Has an initial term of at least one year and a residual 
term of more than 90 days;
     Has a minimum notice period for cancellation by the 
provider of 90 days;
     Has no exclusions or limitations based upon regulatory 
action or for the receiver or liquidator of a failed bank; and
     Coverage has been explicitly mapped to a potential 
operational loss event.
    Insurance policies that meet these standards may be incorporated 
into a bank's adjustment for risk mitigation. A bank should be 
conservative in its recognition of such policies; for example, the bank 
should demonstrate that insurance policies used as the basis for the 
adjustment have a history of timely payouts. Banks must decrease the 
amount of the adjustment if the remaining term is less than one year. 
The bank's methodology for incorporating the effects of insurance must 
also capture, through appropriate discounts to the amount of risk 
mitigation, the residual term of the policy, if the remaining term is 
less than one year. In addition, the bank should be able to show that 
the policy would actually be used in the event of a loss situation; 
that is, the deductible should not be set so high that no loss would 
ever conceivably exceed the deductible threshold.
    The Agencies do not specify how banks should calculate the risk 
mitigation adjustment. Nevertheless, banks should use conservative 
assumptions when calculating adjustments. As the payout of a particular 
policy varies over time and depends upon the frequency and severity of 
covered losses, calculation of the adjustment should be embedded in the 
analytical framework rather than being an ex-post adjustment to the 
quantified operational risk exposure number. A bank should discount 
(i.e., apply its own estimates of haircuts) the impact of insurance 
coverage to take into account factors that may limit the likelihood or 
size of claims payouts. Among these factors are the remaining term of a 
policy (for example, when it is less than a year); the willingness and 
ability of the insurer to pay on a claim in a timely manner; the legal 
risk that a claim may be disputed; and the possibility that a policy 
can be cancelled before the contractual expiration.

F. Alternative Approaches for Depository Institutions

    The Agencies recognize that in certain limited circumstances, there 
may not be sufficient data available for a bank to generate an AMA 
estimate of its own operational risk exposure at the 99.9 percent 
confidence level. In these circumstances, a bank may propose use of an 
alternative operational risk quantification system, subject to approval 
by the bank's primary Federal supervisor. The Agencies are not 
prescribing any estimation methodologies for the alternative approach. 
However, the Agencies expect that use of an alternative approach will 
occur on a very limited basis. Furthermore, such approaches will not be 
available at the bank holding company level.
    A bank proposing to use an alternative operational risk 
quantification system must submit a proposal to its primary Federal 
supervisor. In evaluating a bank's proposal, the primary supervisor 
will review the bank's justification in light of:
     The bank's size, complexity, and risk profile; and
     Whether the proposed approach can be supported 
empirically.
    Additional areas that a primary Federal supervisory may consider in 
its evaluation of a proposal to use an alternative approach include:
     The bank's ability to establish that, for data or other 
reasons, a stand-alone AMA is not feasible or that it would not result 
in a credible capital estimate;
     Whether capital levels using the alternative approach are 
commensurate with the bank's operational risk profile;
     Whether the alternative approach is sensitive to changes 
in the bank's operational risk profile; and
     Whether the proposed approach allows for the bank's board 
members to fulfill their fiduciary responsibilities to ensure that the 
bank is adequately capitalized.
    Furthermore, a bank using an alternative operational risk 
quantification system must meet the regulatory requirements for the 
establishment and use of operational risk management, and data and 
assessment systems.\19\
---------------------------------------------------------------------------

    \19\ See also Standards 1 through 22 for supervisory guidance on 
risk management and data and assessment systems.
---------------------------------------------------------------------------

    A bank proposing an alternative approach that is based on an 
allocation methodology should be aware of certain limitations 
associated with the use of such an approach. Specifically, the agencies 
will not accept an allocation of operational risk capital requirements 
that includes non-depository institutions or the benefits of 
diversification across entities. The exclusion of allocations that 
include non-depository institutions is in recognition that depositors 
and creditors of a depository institution generally

[[Page 9181]]

have no legal recourse to capital funds that are not held by the 
depository institution or its affiliate depository institutions.\20\
---------------------------------------------------------------------------

    \20\ The cross-guarantee provision of the Federal Deposit 
Insurance Act provides that a depository institution is liable for 
any losses incurred by the FDIC in connection with the failure of 
commonly-controlled depository institutions. There are no statutory 
provisions requiring cross-guarantees between a depository 
institution and its non-depository institution affiliates.
---------------------------------------------------------------------------

G. Documentation of Operational Risk Quantification Systems

    S 30. The bank must document all material aspects of its AMA 
System. This documentation should include the rationale for the 
development, operation, and assumptions underpinning its chosen 
analytical framework, including the choice of inputs, distributional 
assumptions, and the weighting across qualitative and quantitative 
elements.
    Whatever analytical approach a bank chooses, it must document all 
material aspects of its AMA System. Generally, the documentation should 
include: A discussion of the bank's modeling philosophy; a ``how to'' 
guide that would provide sufficient detail for an independent party to 
substantially replicate the capital calculation; and an audit trail of 
any changes to the framework's assumptions. More specifically, this 
documentation should:
     Provide an overview of the analytical approach (for 
example, description of the model(s) and/or statistical technique(s) 
used, model inputs and outputs, and steps taken to ensure the integrity 
of the data used in the estimation process).
     Identify how the different inputs are combined and 
weighted to arrive at the overall operational risk exposure so that the 
analytical framework is transparent.
     Demonstrate that the analytical framework is comprehensive 
and internally consistent. Comprehensive and consistent means that all 
required inputs are incorporated and appropriately weighted and that 
there are not overlaps or double counting.
     Identify the quantitative assumptions embedded in the 
methodology and provide explanations for the choice and limitations of 
these assumptions (for example, quantitative assumptions include 
distributional assumptions, and dependence assumptions between 
operational losses across and within business lines).
     Include where possible, documentation of quantitative 
measures of each assumption's validity, based on the relevant data 
elements (for example, statistical goodness-of-fit tests should be used 
to evaluate distributional assumptions).
     Identify the qualitative assumptions embedded in the 
methodology and provide explanations for the choice of these 
assumptions. (For example, qualitative assumptions could include the 
use of business environment and internal control factor assessments, 
scenario analysis, and business judgment to derive dependence 
assumptions).
     Provide results based on alternative quantitative and 
qualitative assumptions to gauge the overall model's sensitivity to 
these assumptions.
     Identify all simplifying or normalizing assumptions. (For 
example, assumptions could include setting a maximum cap on losses in 
order to influence the shape of the severity distribution or to 
normalize results at specific units of measure for internal capital 
purposes or prior to aggregation. Assumptions should be consistent with 
relevant loss data from both internal and external sources).
     Provide results to assess the impact of simplifying or 
normalizing assumptions.
     Compare the operational risk exposure estimate generated 
by the analytical framework with actual loss experience over time, to 
assess the framework's performance and the reasonableness of its 
outputs.
     Identify all limitations of and changes to assumptions, 
and provide explanations for such changes.
     Include details and rationale for establishing thresholds 
and their use.
     Include information on the technical process underlying 
the analytical approach (for example, programming language(s) and 
software used, logical process flow diagrams, system or source of 
record for the data elements, how outputs are used in subsequent steps 
of the approach).
     Include technical change control information relating to 
the analytical approach (for example, a record of the changes, the 
associated rationale for the changes and the effects on the analytical 
approach).
     Provide the results of an independent verification and 
validation of the analytical framework.

VI. Data Management and Maintenance

    S 31. Banks using the AMA approach for regulatory capital purposes 
must have data management and maintenance systems that adequately 
support all aspects of an AMA System.
    AMA data management systems must support the requirements for the 
operational risk management, data and assessment, and quantification 
processes, as well as the verification and validation mechanisms 
described in this guidance. The precise data to be collected will be 
determined by a bank's specific AMA System methodology.
    A bank should have access to the key data elements needed for 
operational risk management, data and assessment, and quantification. 
An important factor in ensuring consistent reporting of the data 
elements is the development of comprehensive definitions for each data 
element used by the bank for reporting operational loss events or for 
the risk assessment inputs. The data must be stored in an electronic 
format to allow for timely retrieval for analysis, verification, 
validation, reporting, and disclosure purposes.
    While banks have substantial flexibility in the design of their 
data maintenance systems, data systems should be of sufficient depth, 
scope, and reliability to implement and evaluate the AMA System. The 
systems should be capable of:
     Identifying and tracking operational risk loss events from 
initial discovery through final resolution across all business lines, 
including instances where a loss event impacts multiple business lines.
     Producing timely and accurate internal and public reports 
on operational risk data and assessment, and quantification results, 
including patterns revealed by loss data, scenario analysis, and 
business environment and internal control factor assessments. The bank 
should also have sufficient data to produce exception reports for 
management (for example, a record of and justification for omitted 
large loss events).
     Supporting risk management activities and providing access 
to data management processes for all interested parties, including 
audit.
    In addition, the systems must be capable of retaining sufficient 
data elements related to key risk drivers to permit adequate 
monitoring, validation, and refinement of the bank's AMA System.
    Banks should also be able to use the data to identify patterns, 
track problem areas and identify emerging risks. Such data should 
include not only operational loss event information, but also 
information on business environment and internal control factor 
assessments, which are incorporated into the operational risk exposure 
calculation.
    Since data are collected at different stages of the risk management 
and quantification process, and involve a

[[Page 9182]]

variety of groups and individuals, there are potential challenges to 
ensuring the quality of the data including:
     Retaining data over long timeframes;
     Ensuring that data purchased from, or maintained by, third 
parties meet the bank's standards; and
     Retaining sufficient data elements and documentation of 
model methodologies, parameter estimates and assumptions to permit 
adequate ex-post review of operational risk data.
    Banks' policies and controls should address these potential data 
challenges. Furthermore, for external data, banks should seek 
reasonable assurance from third-party providers concerning data quality 
and integrity and a clear understanding of the sources and limitations 
of external data.
    Management should identify those responsible for maintaining the 
bank's data maintenance systems. In particular, policies and processes 
should be developed for delivering, storing, retaining, and updating 
the data warehouse. Policies and procedures should also cover the edit 
checks for data input functions. Like other areas of the AMA System, it 
is critical that management ensure accountability for ongoing data 
maintenance, as this will impact operational risk management and 
measurement efforts.

VII. Verification and Validation

    S 32. The bank must validate, on an ongoing basis, its AMA system. 
The bank's validation process must be independent of the AMA System's 
development, implementation, and operation, or the validation process 
must be subject to an independent review of its adequacy and 
effectiveness.
    Bank policies and procedures should clearly differentiate the roles 
and responsibilities of the independent verification and validation 
functions. Verification of the bank's AMA System typically encompasses 
internal and external audit activities. More specifically, verification 
includes the work done to test and verify that the policies, 
procedures, and processes that make up the bank's AMA System are 
working effectively and as intended. In addition, the verification 
function also ensures that validation of AMA models was completed in 
accordance with the bank's validation policy. Validation, often 
performed by non-audit staff, includes the processes the bank uses to 
test and assess the accuracy and integrity of models being used to 
quantify operational risk exposure and risk-based capital for 
operational risk. The primary Federal supervisor will consider, 
whenever possible, the work performed by the bank's verification and 
validation functions when assessing the bank's AMA System.
    Banks may use independent and qualified internal (for example, 
internal audit, and quality assurance) or external parties to perform 
verification and validation. The verification and validation functions 
should annually assess and report to the board of directors on the 
adequacy of the overall AMA System. This assessment should include the 
review of both the accuracy and integrity of the AMA System, control 
elements, as well as the scope and effectiveness of operational risk 
reporting. The verification and validation functions should also review 
reporting processes to ensure the timeliness, accuracy, and 
comprehensiveness of operational risk reporting systems, both at the 
firm-wide and the line of business levels. Other areas of assessment 
include, but are not limited to:
     Organizational structure, governance, and oversight;
     Internal and external data sources, collection processes, 
and repositories;
     Scenario analysis;
     Reporting and MIS;
     Business environment and internal control factor 
assessments;
     Quantification methodology and assumptions, including a 
review of the integrity of the operational risk exposure calculation; 
and
     Compliance with internal standards for validation of the 
models used to quantify operational risk exposure.
    Banks should have a formal written validation process that 
documents the development of risk quantification models and assures 
model accuracy, whether developed internally or externally. The 
validation process should address model documentation, data sources, 
model assumptions, coding and mathematical computations, conceptual 
soundness of the approach, comparison of estimates to results of 
alternative quantitative and qualitative models, model performance 
evaluation, and out-of-sample testing. The validation process must also 
require the bank to periodically stress test its quantitative and 
qualitative models. Stress testing must include a consideration of how 
economic cycles, especially downturns, affect the bank's operational 
risk-based capital requirement. Technically competent individuals who 
are independent of the development, implementation, or operation of the 
model should perform validation. These individuals may or may not be a 
part of the internal audit function. If validation is done by internal 
audit, staff performing the validation of bank models should not 
participate in the verification of the validation process.
    Validation of operational risk models should include review of:
     Adjustments to empirical operational risk capital 
estimates, including operational risk exposure;
     On-going monitoring processes that include verification of 
processes and benchmarking;
     Outcome analysis processes that includes model performance 
evaluation and out-of-sample testing;
     The operational risk models' conceptual soundness and 
underlying assumptions;
     Assumptions underlying operational risk exposure, data 
decision models, and the risk-based capital requirement for operational 
risk;
     Stress testing, robustness, and sensitivity analysis, as 
appropriate; and
     The sufficiency of the documentation pertaining to the 
analytical approach and of the change control process, including a 
review of the historical record of changes and associated rationale.
    Appropriate reports summarizing the results of independent 
verification and validation of the bank's AMA System, including 
associated models, should be provided to the board of directors and 
appropriate management. The board of directors should ensure that 
senior management initiates timely corrective action where necessary.
    The bank may determine the scope of its annual assessment, and the 
frequency of specific verification and validation work, based on risk-
based auditing principles. The extent of verification of individual 
components of the bank's AMA System may be based on a risk assessment 
of the overall system, which identifies key processes, controls, 
activities, and assumptions. All material components of a bank's AMA 
System should be assessed and tested (as appropriate) at least 
annually, with the remaining components tested consistent with risk-
based auditing and testing principles. Documentation of the 
verification and validation program should support the scope and 
frequency of work performed.

[[Page 9183]]

Appendix A--The NPR Qualification Requirements, Risk-Weighted Assets 
for Operational Risk, and Disclosure Requirements

Part III. Qualification

Section 22. Qualification Requirements \21\
---------------------------------------------------------------------------

    \21\ 71 FR 55922 through 55924 (Sept. 25, 2006).
---------------------------------------------------------------------------

    (a) Process and systems requirements. (1) A [bank] \22\ must have a 
rigorous process for assessing its overall capital adequacy in relation 
to its risk profile and a comprehensive strategy for maintaining an 
appropriate level of capital.
---------------------------------------------------------------------------

    \22\ For simplicity, and unless otherwise noted, the NPR uses 
the term [bank] to include banks, savings associations, and bank 
holding companies. [AGENCY] refers to the primary Federal supervisor 
of the bank applying the rules.
---------------------------------------------------------------------------

    (2) The systems and processes used by a [bank] for risk-based 
capital purposes under this appendix must be consistent with the 
[bank]'s internal risk management processes and management information 
reporting systems.
    (3) Each [bank] must have an appropriate infrastructure with risk 
measurement and management processes that meet the qualification 
requirements of this section and are appropriate given the [bank]'s 
size and level of complexity. Regardless of whether the systems and 
models that generate the risk parameters necessary for calculating a 
[bank]'s risk-based capital requirements are located at any affiliate 
of the [bank], the [bank] itself must ensure that the risk parameters 
and reference data used to determine its risk-based capital 
requirements are representative of its own credit risk and operational 
risk exposures.
    --Text omitted--
    (h) Operational risk--(1) Operational risk management processes. A 
[bank] must:
    (i) Have an operational risk management function that:
    (A) Is independent of business line management; and
    (B) Is responsible for designing, implementing, and overseeing the 
[bank]'s operational risk data and assessment systems, operational risk 
quantification systems, and related processes;
    (ii) Have and document a process to identify, measure, monitor, and 
control operational risk in [bank] products, activities, processes, and 
systems (which process must capture business environment and internal 
control factors affecting the [bank]'s operational risk profile); and
    (iii) Report operational risk exposures, operational loss events, 
and other relevant operational risk information to business unit 
management, senior management, and the board of directors (or a 
designated committee of the board).
    (2) Operational risk data and assessment systems. A [bank] must 
have operational risk data and assessment systems that capture 
operational risks to which the [bank] is exposed. The [bank]'s 
operational risk data and assessment systems must:
    (i) Be structured in a manner consistent with the [bank]'s current 
business activities, risk profile, technological processes, and risk 
management processes; and
    (ii) Include credible, transparent, systematic, and verifiable 
processes that incorporate the following elements on an ongoing basis:
    (A) Internal operational loss event data. The [bank] must have a 
systematic process for capturing and using internal operational loss 
event data in its operational risk data and assessment systems.
    (1) The [bank]'s operational risk data and assessment systems must 
include a historical observation period of at least five years for 
internal operational loss event data (or such shorter period approved 
by [AGENCY] to address transitional situations, such as integrating a 
new business line).
    (2) The [bank] may refrain from collecting internal operational 
loss event data for individual operational losses below established 
dollar threshold amounts if the [bank] can demonstrate to the 
satisfaction of the [AGENCY] that the thresholds are reasonable, do not 
exclude important internal operational loss event data, and permit the 
[bank] to capture substantially all the dollar value of the [bank]'s 
operational losses.
    (B) External operational loss event data. The [bank] must have a 
systematic process for determining its methodologies for incorporating 
external operational loss data into its operational risk data and 
assessment systems.
    (C) Scenario analysis. The [bank] must have a systematic process 
for determining its methodologies for incorporating scenario analysis 
into its operational risk data and assessment systems.
    (D) Business environment and internal control factors. The [bank] 
must incorporate business environment and internal control factors into 
its operational risk data and assessment systems. The [bank] must also 
periodically compare the results of its prior business environment and 
internal control factor assessments against its actual operational 
losses incurred in the intervening period.
    (3) Operational risk quantification systems. (i) The [bank]'s 
operational risk quantification systems:
    (A) Must generate estimates of the [bank]'s operational risk 
exposure using its operational risk data and assessment systems; and
    (B) Must employ a unit of measure that is appropriate for the 
[bank]'s range of business activities and the variety of operational 
loss events to which it is exposed, and that does not combine business 
activities or operational loss events with different risk profiles 
within the same loss distribution.
    (C) May use internal estimates of dependence among operational 
losses within and across business lines and operational loss events if 
the [bank] can demonstrate to the satisfaction of [AGENCY] that its 
process for estimating dependence is sound, robust to a variety of 
scenarios, and implemented with integrity, and allows for the 
uncertainty surrounding the estimates. If the [bank] has not made such 
a demonstration, it must sum operational risk exposure estimates across 
units of measure to calculate its total operational risk exposure.
    (D) Must be reviewed and updated (as appropriate) whenever the 
[bank] becomes aware of information that may have a material effect on 
the [bank]'s estimate of operational risk exposure, but no less 
frequently than annually.
    (ii) With the prior written approval of [AGENCY], a [bank] may 
generate an estimate of its operational risk exposure using an 
alternative approach to that specified in paragraph (h)(3)(i) of this 
section. A [bank] proposing to use such an alternative operational risk 
quantification system must submit a proposal to [AGENCY]. In 
considering a [bank]'s proposal to use an alternative operational risk 
quantification system, [AGENCY] will consider the following principles:
    (A) Use of the alternative operational risk quantification system 
will be allowed only on an exception basis, considering the size, 
complexity, and risk profile of a [bank];
    (B) The [bank] must demonstrate that its estimate of its 
operational risk exposure generated under the alternative operational 
risk quantification system is appropriate and can be supported 
empirically; and
    (C) A [bank] must not use an allocation of operational risk capital 
requirements that includes entities other than depository institutions 
or the benefits of diversification across entities.

[[Page 9184]]

    (i) Data management and maintenance. (1) A [bank] must have data 
management and maintenance systems that adequately support all aspects 
of its advanced systems and the timely and accurate reporting of risk-
based capital requirements.
    (2) A [bank] must retain data using an electronic format that 
allows timely retrieval of data for analysis, validation, reporting, 
and disclosure purposes.
    (3) A [bank] must retain sufficient data elements related to key 
risk drivers to permit adequate monitoring, validation, and refinement 
of its advanced systems.
    (j) Control, oversight, and validation mechanisms. (1) The [bank]'s 
senior management must ensure that all components of the [bank]'s 
advanced systems function effectively and comply with the qualification 
requirements in this section.
    (2) The [bank]'s board of directors (or a designated committee of 
the board) must at least annually evaluate the effectiveness of, and 
approve, the [bank]'s advanced systems.
    (3) A [bank] must have an effective system of controls and 
oversight that:
    (i) Ensures ongoing compliance with the qualification requirements 
in this section;
    (ii) Maintains the integrity, reliability, and accuracy of the 
[bank]'s advanced systems; and
    (iii) Includes adequate governance and project management 
processes.
    (4) The [bank] must validate, on an ongoing basis, its advanced 
systems. The [bank]'s validation process must be independent of the 
advanced systems' development, implementation, and operation, or the 
validation process must be subjected to an independent review of its 
adequacy and effectiveness. Validation must include:
    (i) The evaluation of the conceptual soundness of (including 
developmental evidence supporting) the advanced systems;
    (ii) An on-going monitoring process that includes verification of 
processes and benchmarking; and
    (iii) An outcomes analysis process that includes back-testing.
    (5) The [bank] must have an internal audit function independent of 
business-line management that at least annually assesses the 
effectiveness of the controls supporting the [bank]'s advanced systems 
and reports its findings to the [bank]'s board of directors (or a 
committee thereof).
    (6) The [bank] must periodically stress test its advanced systems. 
The stress testing must include a consideration of how economic cycles, 
especially downturns, affect risk-based capital requirements (including 
migration across rating grades and segments and the credit risk 
mitigation benefits of double default treatment).
    (k) Documentation. The [bank] must adequately document all material 
aspects of its advanced systems.
    --Text omitted--

Part VII. Risk-Weighted Assets for Operational Risk

Section 61. Qualification Requirements for Incorporation of Operational 
Risk Mitigants \23\
---------------------------------------------------------------------------

    \23\ 71 FR 55946 through 55947 (Sept. 25, 2006).
---------------------------------------------------------------------------

    (a) Qualification to use operational risk mitigants. A [bank] may 
adjust its estimate of operational risk exposure to reflect qualifying 
operational risk mitigants if:
    (1) The [bank]'s operational risk quantification system is able to 
generate an estimate of the [bank]'s operational risk exposure (which 
does not incorporate qualifying operational risk mitigants) and an 
estimate of the [bank]'s operational risk exposure adjusted to 
incorporate qualifying operational risk mitigants; and
    (2) The [bank]'s methodology for incorporating the effects of 
insurance, if the [bank] uses insurance as an operational risk 
mitigant, captures through appropriate discounts to the amount of risk 
mitigation:
    (i) The residual term of the policy, where less than one year;
    (ii) The cancellation terms of the policy, where less than one 
year;
    (iii) The policy's timeliness of payment;
    (iv) The uncertainty of payment by the provider of the policy; and
    (v) Mismatches in coverage between the policy and the hedged 
operational loss event.
    (b) Qualifying operational risk mitigants. Qualifying operational 
risk mitigants are:
    (1) Insurance that:
    (i) Is provided by an unaffiliated company that has a claims 
payment ability that is rated in one of the three highest rating 
categories by a NRSRO;
    (ii) Has an initial term of at least one year and a residual term 
of more than 90 days;
    (iii) Has a minimum notice period for cancellation by the provider 
of 90 days;
    (iv) Has no exclusions or limitations based upon regulatory action 
or for the receiver or liquidator of a failed depository institution; 
and
    (v) Is explicitly mapped to a potential operational loss event; and
    (2) Operational risk mitigants other than insurance for which the 
[AGENCY] has given prior written approval. In evaluating an operational 
risk mitigant other than insurance, [AGENCY] will consider whether the 
operational risk mitigant covers potential operational losses in a 
manner equivalent to holding regulatory capital.

Section 62. Mechanics of Risk-Weighted Asset Calculation

    (a) If a [bank] does not qualify to use or does not have qualifying 
operational risk mitigants, the [bank]'s dollar risk-based capital 
requirement for operational risk is its operational risk exposure minus 
eligible operational risk offsets (if any).
    (b) If a [bank] qualifies to use operational risk mitigants and has 
qualifying operational risk mitigants, the [bank]'s dollar risk-based 
capital requirement for operational risk is the greater of:
    (1) The [bank]'s operational risk exposure adjusted for qualifying 
operational risk mitigants minus eligible operational risk offsets (if 
any); or
    (2) 0.8 multiplied by the difference between:
    (i) The [bank]'s operational risk exposure; and
    (ii) Eligible operational risk offsets (if any).
    (c) The [bank]'s risk-weighted asset amount for operational risk 
equals the [bank]'s dollar risk-based capital requirement for 
operational risk determined under paragraph (a) or (b) of this section 
multiplied by 12.5.

Part VIII. Disclosure

Section 71. Disclosure Requirements \24\
---------------------------------------------------------------------------

    \24\ 71 FR 55947 and 55952 (Sept. 25, 2006).
---------------------------------------------------------------------------

    (a) Each [bank] must publicly disclose each quarter its total and 
tier 1 risk-based capital ratios and their components (that is, tier 1 
capital, tier 2 capital, total qualifying capital, and total risk-
weighted assets).\25\
---------------------------------------------------------------------------

    \25\ Other public disclosure requirements continue to apply--for 
example, Federal securities law and regulatory reporting 
requirements.
---------------------------------------------------------------------------

    [Disclosure paragraph (b)]
    [Disclosure paragraph (c)]
    --Text omitted--

[[Page 9185]]



                      Table 11.9--Operational Risk
------------------------------------------------------------------------
 
------------------------------------------------------------------------
Qualitative disclosures.......  (a)..............  The general
                                                    qualitative
                                                    disclosure
                                                    requirement for
                                                    operational risk.
                                (b)..............  Description of the
                                                    AMA, including a
                                                    discussion of
                                                    relevant internal
                                                    and external factors
                                                    considered in the
                                                    bank holding
                                                    company's
                                                    measurement
                                                    approach.
                                (c)..............  A description of the
                                                    use of insurance for
                                                    the purpose of
                                                    mitigating
                                                    operational risk.
------------------------------------------------------------------------

Appendix B--Supervisory Standards

    S 1. The bank's AMA System must include an operational risk 
management function and audit function that are independent of business 
line management. The operational risk management function should 
address operational risk on a firm-wide basis.
    S 2. The bank must have and document a process that clearly 
describes its AMA System, including how the bank identifies, measures, 
monitors, and controls operational risk.
    S 3. The bank must maintain effective internal controls supporting 
its AMA System.
    S 4. The bank must ensure that an effective framework is in place 
to identify, measure, monitor, and control operational risk, and to 
accurately compute the bank's operational risk component of the bank's 
risk-based capital requirement. The board of directors must at least 
annually evaluate the effectiveness of, and approve, the bank's AMA 
System, including the strength of the bank's control infrastructure.
    S 5. The board of directors and management should ensure that the 
bank's operational risk management, data and assessment, and 
quantification processes are appropriately integrated into the bank's 
existing risk management and decision-making processes and that there 
are adequate resources to support these processes throughout the bank.
    S 6. The bank must have a firm-wide operational risk management 
function that oversees the AMA System and is independent of business 
line management. The operational risk management function is also 
responsible for the development of operational risk data and assessment 
systems, operational risk quantification systems, and related processes 
throughout the bank.
    S 7. The firm-wide operational risk management function should 
ensure adequate analysis and reporting of operational risk information. 
The function should also develop and report on the firm-wide 
operational risk profile.
    S 8. Line of business management is responsible for ensuring 
appropriate day-to-day management of the operational risks within its 
business unit.
    S 9. Line of business management should ensure that internal 
controls and practices within its business unit are consistent with 
firm-wide policies, processes, and procedures.
    S 10. The board of directors and senior management must receive 
reports on operational risk exposure, operational risk loss events, and 
other relevant operational risk information. The reports should include 
information regarding firm-wide and business line risk profiles, loss 
experience, and relevant business environment and internal control 
factor assessments. These reports should be received quarterly.
    S 11. The bank must have a systematic process for incorporating 
internal loss event data, external loss event data, scenario analyses, 
and assessments of its business environment and internal controls 
factors to support both its operational risk management and measurement 
framework, as well as its calculation of the bank's operational risk 
component of its risk-based capital requirement.
    S 12. The bank must use the regulatory definition of operational 
risk when assessing the operational risks to which the bank is exposed 
in order to calculate its risk-based capital requirement for 
operational risk. The bank should have clear standards for the 
collection and modification of all four elements in the operational 
risk data and assessment systems that support its AMA System.
    S 13. The bank must have a historical observation period of at 
least five years for internal operational loss event data. A shorter 
period may be approved by the primary Federal supervisor to address 
transitional situations, such as integrating a new business line. 
Internal data should be captured across all business lines, corporate 
functions, events, product types, and geographic locations. The bank 
must have a systematic process for capturing and using internal 
operational loss event data in its operational risk data and assessment 
systems.
    S 14. The bank should be able to map internal operational losses to 
the seven operational loss-event categories.
    S 15. The bank should have a policy that identifies when an 
operational loss is recognized and should be added to the loss event 
database. The policy should provide for consistent treatment across the 
bank.
    S 16. The bank may establish appropriate internal operational loss 
event data thresholds and, if so, must demonstrate the appropriateness 
of such thresholds.
    S 17. The bank should have a clear policy that allows for the 
consistent treatment of loss event classifications (for example, 
credit, market, or operational loss events) across the organization.
    S 18. The bank must have a systematic process for determining how 
external loss data will be incorporated into its operational risk data 
and assessment systems.
    S 19. The bank should systematically review external data to ensure 
an understanding of industry operational loss experience.
    S 20. The bank must have a systematic process for determining how 
scenario analysis will be incorporated into its operational risk data 
and assessment systems. S 21. The bank must incorporate business 
environment and internal control factors into the bank's operational 
risk data and assessment systems.
    S 22. The bank must periodically compare the results of its 
business environment and internal control factor assessments against 
the bank's actual operational risk loss experience.
    S 23. The bank must have an operational risk quantification system 
that provides an estimate of the bank's operational risk exposure.
    S 24. The bank's operational risk quantification system must use a 
combination of internal operational loss event data, relevant external 
operational loss event data, business environment and internal control 
factor assessments, and scenario analysis results. The bank should 
combine these elements in a manner that most effectively enables it to 
quantify its operational risk exposure. The bank should choose the 
analytical framework that is most appropriate to its business model.
    S 25. The bank must review and update its operational risk 
quantification system whenever it

[[Page 9186]]

becomes aware of information that may have a material effect on the 
bank's estimate of operational risk exposure or risk-based capital 
requirement for operational risk, but no less frequently than annually. 
A complete review and recalculation of the bank's quantification 
system, including all modeling inputs and assumptions, must be done at 
least annually.
    S 26. In calculating the risk-based capital requirement for 
operational risk, management may deduct certain eligible operational 
risk offsets from its estimate of operational risk exposure. To the 
extent that these offsets do not fully cover expected operational loss 
(EOL), the bank's risk-based capital requirement for operational risk 
must incorporate the shortfall. Eligible operational risk offsets may 
only be used to offset EOL, not UOL.
    S 27. The bank must employ a unit of measure that is appropriate 
for the bank's range of business activities and the variety of 
operational loss events to which it is exposed, and that does not 
combine business activities or operational loss events with different 
risk profiles within the same loss distribution.
    S 28. The bank may use internal estimates of dependence among 
operational losses within and across business lines and operational 
loss events if the bank can demonstrate to the satisfaction of its 
primary Federal supervisor that the bank's process for estimating 
dependence is sound, robust to a variety of scenarios, and implemented 
with integrity, and allows for uncertainty surrounding the estimates. 
If the bank has not made such a demonstration, it must sum operational 
risk exposure estimates across units of measures to calculate its total 
operational risk exposure.
    S 29. The bank may adjust its operational risk exposure results by 
no more than 20 percent to reflect the impact of operational risk 
mitigants. In order to recognize the effects of risk mitigants, 
management must estimate its operational risk exposure with and without 
their effects.
    S 30. The bank must document all material aspects of its AMA 
System. This documentation should include the rationale for the 
development, operation, and assumptions underpinning its chosen 
analytical framework, including the choice of inputs, distributional 
assumptions, and the weighting across qualitative and quantitative 
elements.
    S 31. Banks using the AMA approach for regulatory capital purposes 
must have data management and maintenance systems that adequately 
support all aspects of an AMA System.
    S 32. The bank must validate, on an ongoing basis, its AMA system. 
The bank's validation process must be independent of the AMA System's 
development, implementation, and operation, or the validation process 
must be subject to an independent review of its adequacy and 
effectiveness.

Appendix C--The NPR Qualification Process

Part III. Qualification

Section 21. Qualification Process \26\
---------------------------------------------------------------------------

    \26\ 71 FR 55921 through 55922 (Sept. 25, 2006).
---------------------------------------------------------------------------

    (a) Timing. (1) A [bank] \27\ that is described in paragraph (b)(1) 
of section 1 must adopt a written implementation plan no later than six 
months after the later of the effective date of this appendix or the 
date the [bank] meets a criterion in that section. The plan must 
incorporate an explicit first floor period start date no later than 36 
months after the later of the effective date of this appendix or the 
date the [bank] meets at least one criterion under paragraph (b)(1) of 
section 1. [AGENCY] may extend the first floor period start date.
---------------------------------------------------------------------------

    \27\ For simplicity, and unless otherwise noted, the NPR uses 
the term [bank] to include banks, savings associations, and bank 
holding companies. [AGENCY] refers to the primary Federal supervisor 
of the bank applying the rules. In addition, the text in Appendix C 
refers often to an `appendix.' Use of `appendix' within the text 
refers to where the NPR rule text will be inserted within each 
Agency's capital adequacy regulation. The `appendix' is titled 
``Capital Adequacy Guidelines for [Bank]s: Internal-Ratings-Based 
and Advanced Measurement Approaches.''
---------------------------------------------------------------------------

    (2) A [bank] that elects to be subject to this appendix under 
paragraph (b)(2) of section 1 must adopt a written implementation plan 
and notify the [AGENCY] in writing of its intent at least 12 months 
before it proposes to begin its first floor period.
    (b) Implementation plan. The [bank]'s implementation plan must 
address in detail how the [bank] complies, or plans to comply, with the 
qualification requirements in section 22. The [bank] also must maintain 
a comprehensive and sound planning and governance process to oversee 
the implementation efforts described in the plan. At a minimum, the 
plan must:
    (1) Comprehensively address the qualification requirements in 
section 22 for the [bank] and each consolidated subsidiary (U.S. and 
foreign-based) of the [bank] with respect to all portfolios and 
exposures of the [bank] and each of its consolidated subsidiaries;
    (2) Justify and support any proposed temporary or permanent 
exclusion of business lines, portfolios, or exposures from application 
of the advanced approaches in this appendix (which business lines, 
portfolios, and exposures must be, in the aggregate, immaterial to the 
[bank]);
    (3) Include the [bank]'s self-assessment of:
    (i) The [bank]'s current status in meeting the qualification 
requirements in section 22; and
    (ii) The consistency of the [bank]'s current practices with the 
[AGENCY]'s supervisory guidance on the qualification requirements;
    (4) Based on the [bank]'s self-assessment, identify and describe 
the areas in which the [bank] proposes to undertake additional work to 
comply with the qualification requirements in section 22 or to improve 
the consistency of the [bank]'s current practices with the [AGENCY]'s 
supervisory guidance on the qualification requirements (gap analysis);
    (5) Describe what specific actions the [bank] will take to address 
the areas identified in the gap analysis required by paragraph (b)(4) 
of this section;
    (6) Identify objective, measurable milestones, including delivery 
dates and a date when the [bank]'s implementation of the methodologies 
described in this appendix will be fully operational;
    (7) Describe resources that have been budgeted and are available to 
implement the plan; and
    (8) Receive board of directors approval.
    (c) Parallel run. Before determining its risk-based capital 
requirements under this appendix and following adoption of the 
implementation plan, the [bank] must conduct a satisfactory parallel 
run. A satisfactory parallel run is a period of no less than four 
consecutive calendar quarters during which the [bank] complies with all 
of the qualification requirements in section 22 to the satisfaction of 
[AGENCY]. During the parallel run, the [bank] must report to the 
[AGENCY] on a calendar quarterly basis its risk-based capital ratios 
using [the general risk-based capital rules] and the risk-based capital 
requirements described in this appendix. During this period, the [bank] 
is subject to [the general risk-based capital rules].
    (d) Approval to calculate risk-based capital requirements under 
this appendix. The [AGENCY] will notify the [bank] of the date that the 
[bank] may begin its first floor period following a determination by 
the [AGENCY] that:
    (1) The [bank] fully complies with the qualification requirements 
in section 22;

[[Page 9187]]

    (2) The [bank] has conducted a satisfactory parallel run under 
paragraph (c) of this section; and
    (3) The [bank] has an adequate process to ensure ongoing compliance 
with the qualification requirements in section 22.
    (e) Transitional floor periods. Following a satisfactory parallel 
run, a [bank] is subject to three transitional floor periods.
    (1) Risk-based capital ratios during the transitional floor 
periods--(i) Tier 1 risk-based capital ratio. During a [bank]'s 
transitional floor periods, a [bank]'s tier 1 risk-based capital ratio 
is equal to the lower of:
    (A) The [bank]'s floor-adjusted tier 1 risk-based capital ratio; or
    (B) The [bank]'s advanced approaches tier 1 risk-based capital 
ratio.
    (ii) Total risk-based capital ratio. During a [bank]'s transitional 
floor periods, a [bank]'s total risk-based capital ratio is equal to 
the lower of:
    (A) The [bank]'s floor-adjusted total risk-based capital ratio; or
    (B) The [bank]'s advanced approaches total risk-based capital 
ratio.
    (2) Floor-adjusted risk-based capital ratios. (i) A [bank]'s floor-
adjusted tier 1 risk-based capital ratio during a transitional floor 
period is equal to the [bank]'s tier 1 capital as calculated under [the 
general risk-based capital rules], divided by the product of:
    (A) The [bank]'s total risk-weighted assets as calculated under 
[the general risk-based capital rules]; and
    (B) The appropriate transitional floor percentage in Table 1.
    (ii) A [bank]'s floor-adjusted total risk-based capital ratio 
during a transitional floor period is equal to the sum of the [bank]'s 
tier 1 and tier 2 capital as calculated under [the general risk-based 
capital rules], divided by the product of:
    (A) The [bank]'s total risk-weighted assets as calculated under 
[the general risk-based capital rules]; and
    (B) The appropriate transitional floor percentage in Table 1.
    (iii) A [bank] that meets the criteria in paragraph (b)(1) or 
(b)(2) of section 1 as of the effective date of this rule must use [the 
general risk-based capital rules] effective immediately before this 
rule became effective during the parallel run and as the basis for its 
transitional floors.

                      Table 1.--Transitional Floors
------------------------------------------------------------------------
                                                           Transitional
                Transitional floor period                      floor
                                                            percentage
------------------------------------------------------------------------
First floor period......................................              95
Second floor period.....................................              90
Third floor period......................................              85
------------------------------------------------------------------------

    (3) Advanced approaches risk-based capital ratios. (i) A [bank]'s 
advanced approaches tier 1 risk-based capital ratio equals the [bank]'s 
tier 1 risk-based capital ratio as calculated under this appendix 
(other than this section on transitional floor periods).
    (ii) A [bank]'s advanced approaches total risk-based capital ratio 
equals the [bank]'s total risk-based capital ratio as calculated under 
this appendix (other than this section on transitional floor periods).
    (4) Reporting. During the transitional floor periods, a [bank] must 
report to the [AGENCY] on a calendar quarterly basis both floor-
adjusted risk-based capital ratios and both advanced approaches risk-
based capital ratios.
    (5) Exiting a transitional floor period. A [bank] may not exit a 
transitional floor period until the [bank] has spent a minimum of four 
consecutive calendar quarters in the period and the [AGENCY] has 
determined that the [bank] may exit the floor period. The [AGENCY]'s 
determination will be based on an assessment of the [bank]'s ongoing 
compliance with the qualification requirements in section 22.

Appendix D--Basel II Operational Risk Information Collection Templates 
(Schedule V) \28\
---------------------------------------------------------------------------

    \28\ Notices of Proposed Rulemaking and Proposed Agency 
Information Collections--Requests for Comments were published in the 
Federal Register for comment on September 25, 2006 (71 FR 55981 
through 55986). The Notices contained Basel II information 
collection templates, including a template for operational risk that 
is included in this Appendix.
---------------------------------------------------------------------------

BILLING CODES 4810-33-P, 6210-01-P, 6714-01-P, 6720-01-P

[[Page 9188]]

[GRAPHIC] [TIFF OMITTED] TN28FE07.037

BILLING CODES 4810-33-C, 6210-01-C, 6714-01-C, 6720-01-C

[[Page 9189]]



                      Operational Risk--Definitions
------------------------------------------------------------------------
 
------------------------------------------------------------------------
Business environment and internal   The indicators of a bank's
 control factors.                    operational risk profile that
                                     reflect a current and forward-
                                     looking assessment of the bank's
                                     underlying business risk factors
                                     and internal control environment.
Dependence........................  A measure of the association among
                                     operational losses across and
                                     within business lines and
                                     operational loss event types.
Eligible operational risk offsets.  Amounts, not to exceed expected
                                     operational loss, that: (1) Are
                                     generated by internal business
                                     practices to absorb highly
                                     predictable and reasonably stable
                                     operational losses, including
                                     reserves calculated consistent with
                                     GAAP; and (2) are available to
                                     cover expected operational losses
                                     with a high degree of certainty
                                     over a one-year horizon.
Expected operational loss (EOL)...  The expected value of the
                                     distribution of potential aggregate
                                     operational losses, as generated by
                                     the bank's operational risk
                                     quantification system using a one-
                                     year horizon.
Frequency distribution............  Statistical distribution used to
                                     calculate the frequency of losses.
Operational loss event............  An event that results in loss and is
                                     associated with internal fraud;
                                     external fraud; employment
                                     practices and workplace safety;
                                     clients, products, and business
                                     practices; damage to physical
                                     assets; business disruption and
                                     system failures; or execution,
                                     delivery, and process management.
Operational risk..................  The risk of loss resulting from
                                     inadequate or failed internal
                                     processes, people, and systems or
                                     from external events (including
                                     legal risk but excluding strategic
                                     and reputational risk).
Operational risk exposure.........  The 99.9th percentile of the
                                     distribution of potential aggregate
                                     operational losses, as generated by
                                     the bank's operational risk
                                     quantification system over a one-
                                     year horizon (and not incorporating
                                     eligible operational risk offsets
                                     or qualifying operational risk
                                     mitigants).
Risk mitigants (e.g., insurance)..  A contractual arrangement whose
                                     primary purpose is to transfer risk
                                     to a third party.
Scenario analysis.................  A systematic process of obtaining
                                     expert opinions from business
                                     managers and risk management
                                     experts to derive reasoned
                                     assessments of the likelihood and
                                     loss impact of plausible high-
                                     severity operational losses.
Severity distribution.............  Statistical distribution used to
                                     calculate the severity of losses.
Unexpected operational loss (UOL).  The difference between the bank's
                                     operational risk exposure and the
                                     bank's expected operational loss.
Unit of measure...................  The level (for example,
                                     organizational unit or operational
                                     loss event type) at which the
                                     bank's operational risk
                                     quantification system generates a
                                     separate distribution of potential
                                     operational losses.
------------------------------------------------------------------------

Appendix E--Operational Loss Event Types and Examples

------------------------------------------------------------------------
                                        Examples (not intended to be
            Event Type                           inclusive)
------------------------------------------------------------------------
Internal fraud....................  Employee theft, intentional
                                     misreporting of positions, and
                                     insider trading on an employee's
                                     own account.
 External fraud...................  Robbery, forgery, and check kiting.
Employment practices and workplace  Workers' compensation and
 safety.                             discrimination claims, violation of
                                     employee health and safety rules,
                                     and general liability.
Clients, products, and business     Fiduciary breaches, misuse of
 practices.                          confidential customer information,
                                     money laundering, and sale of
                                     unauthorized products.
Damage to physical assets.........  Terrorism, vandalism, earthquakes,
                                     fires, and floods.
Business disruption and system      Hardware and software failures,
 failures.                           telecommunication problems, and
                                     utility outages.
Execution, delivery, and process    Data entry errors, collateral
 management.                         management failures, incomplete
                                     legal documentation, and vendor
                                     disputes.
------------------------------------------------------------------------

Proposed Supervisory Guidance on the Supervisory Review Process (PILLAR 
2).

    1. This guidance supplements the notice of proposed rulemaking 
(NPR) published jointly by the U.S. Federal banking agencies \1\ in the 
Federal Register on September 25, 2006.\2\ The NPR proposes the 
implementation of a New Advanced Capital Adequacy Framework (U.S. 
Advanced Framework) encompassing three pillars:
---------------------------------------------------------------------------

    \1\ The Federal banking agencies are: The Board of Governors of 
the Federal Reserve System; the Federal Deposit Insurance 
Corporation; the Office of the Comptroller of the Currency; and the 
Office of Thrift Supervision; and will collectively be referred to 
as ``the agencies,'' ``supervisors,'' or ``regulators'' in this 
guidance.
    \2\ 71 FR 55830 (Sept. 25, 2006).
---------------------------------------------------------------------------

     Minimum risk-based regulatory capital requirements (Pillar 
1);
     Supervisory review (Pillar 2); and
     Market discipline through enhanced public disclosures 
(Pillar 3).
    The regulatory capital requirements in Pillar 1 of the U.S. 
Advanced Framework would apply to credit risk and operational risk.\3\
---------------------------------------------------------------------------

    \3\ Some banks may be subject to both the U.S. Advanced 
Framework and the revised Market Risk Capital Rule, as published in 
the Federal Register on September 25, 2006 (71 FR 55958). If so, the 
requirement for banks to conduct an internal assessment of capital 
adequacy for market risk in the revised Market Risk Capital Rule 
could be satisfied by the requirement for banks to have a 
comprehensive internal capital adequacy assessment (covering all 
risk types) under the U.S. Advanced Framework. Additionally, banks 
subject only to the revised Market Risk Capital Rule would not need 
to conduct a comprehensive internal capital adequacy assessment 
covering all risk types, but only an internal assessment for market 
risk of covered positions as defined in the revised Market Risk 
Capital Rule.
---------------------------------------------------------------------------

    2. This document addresses the process for supervisory review in 
the proposed U.S. Advanced Framework. Supervisory review as described 
in this guidance covers three main areas:
     Comprehensive supervisory assessment of capital adequacy;
     compliance with regulatory capital requirements;
     Internal capital adequacy assessment process (ICAAP).

[[Page 9190]]

    3. The process of supervisory review described in this document 
reflects a continuation of the longstanding approach employed by the 
agencies in their supervision of banking institutions. However, the new 
methods proposed for calculating regulatory capital requirements in the 
U.S. Advanced Framework affect certain aspects of supervisory review. 
Thus, this guidance highlights areas of existing supervisory review 
that are being augmented or more clearly defined to support 
implementation of the U.S. Advanced Framework. It applies only to those 
banks calculating U.S. regulatory capital requirements under that 
framework, and not to banks calculating U.S. regulatory capital 
requirements by other means.\4\
---------------------------------------------------------------------------

    \4\ The term ``bank'' as used in this guidance includes banks, 
savings associations and bank holding companies. The terms ``bank 
holding company'' and ``BHC'' refer only to bank holding companies 
regulated by the Federal Reserve Board and do not include savings 
and loan holding companies regulated by the Office of Thrift 
Supervision.
---------------------------------------------------------------------------

    4. The supervisory review process described in this document is 
intended to help ensure overall capital adequacy by:
     Confirming a bank's compliance with regulatory capital 
requirements;
     Addressing the limitations of regulatory capital 
requirements as a measure of a bank's full risk profile--including 
risks not covered or not adequately quantified;
     Encouraging banks to develop and use better techniques in 
identifying and measuring the risks they face; and
     Ensuring that each bank is able to assess its own 
individual capital adequacy (beyond regulatory capital requirements), 
based on its risk profile and business mix.
    5. This guidance does not supersede or alter the functioning of the 
existing U.S. Prompt Corrective Action requirements.\5\ This guidance 
also does not change requirements for compliance with existing 
regulations and supervisory standards related to risk management 
practices or other areas. The supervisory review process described in 
this guidance helps to support supervisors' ability to intervene when 
necessary to prevent an individual bank's capital from falling below 
the level required to support its risk profile.
---------------------------------------------------------------------------

    \5\ See section 38 of the Federal Deposit Insurance Act (12 
U.S.c. 1831o).
---------------------------------------------------------------------------

Comprehensive Supervisory Assessment of Capital Adequacy

    6. Capital helps protect individual banks from insolvency, thereby 
promoting safety and soundness in the overall U.S. banking system. 
Minimum regulatory capital requirements (Pillar 1 in the U.S. Advanced 
Framework) establish a threshold below which a sound bank's regulatory 
capital must not fall. Regulatory capital ratios permit some 
comparative analysis of capital adequacy across regulated institutions 
because they are based on certain common assumptions. However, 
supervisors must perform a more comprehensive assessment of capital 
adequacy that considers risks specific to the bank, conducting analyses 
that go beyond minimum regulatory capital requirements.
    7. Supervisors generally expect banks to hold capital above their 
minimum regulatory capital levels, commensurate with their individual 
risk profiles, to account for all material risks. Going forward, 
supervisors will continue to assess the overall capital adequacy of any 
bank through a comprehensive evaluation that considers all relevant 
available information. In determining the extent to which banks should 
hold capital in excess of regulatory minimums, supervisors would 
consider the combined implications of a bank's compliance with 
qualification requirements for regulatory capital standards, the 
quality and results of a bank's ICAAP, and supervisory assessment of 
the bank's risk management processes, control structure, and other 
relevant information relating to the bank's risk profile and capital 
position. This supervisory assessment process is consistent with 
current supervisory practice, under which supervisors assess the 
overall capital adequacy of a bank through a comprehensive evaluation 
of all relevant information.
    8. On an ongoing basis, the supervisory assessment process 
determines whether a bank's overall capital remains adequate as 
underlying conditions change. Changes in a bank's risk profile or in 
relevant capital measures are areas of particular focus that are 
effectively addressed through the supervisory review process. 
Generally, material increases in risk that are not otherwise mitigated 
should be accompanied by commensurate increases in capital. Conversely, 
reductions in overall capital (to a level still above regulatory 
minimums) may be appropriate if the supervisory assessment provides 
support to conclude that risk has materially declined or that it has 
been appropriately mitigated.
    9. As a result of its comprehensive supervisory assessment, a 
bank's primary Federal supervisor may take action if it is not 
satisfied that capital is adequate. The primary supervisor may require 
the bank to take actions designed to address identified supervisory 
concerns, which may include holding an amount of capital greater than 
otherwise would be required. In addition, a primary supervisor may, 
under its enforcement authority, require a bank to modify or enhance 
risk management and internal control processes, or reduce risk 
exposures, or take any other action as deemed necessary to address 
identified supervisory concerns.

Compliance With Regulatory Capital Requirements

    10. In order to qualify under the U.S. Advanced Framework to use 
new methods for calculating regulatory capital requirements, banks must 
meet certain process and systems requirements. Supervisors must ensure 
that banks are indeed meeting these requirements. Thus, one aspect of 
supervisory review pertains to the evaluation of a bank's compliance 
with the qualification requirements for the systems and processes to be 
used in the calculation of regulatory capital under the U.S. Advanced 
Framework. The supervisory guidance regarding the U.S. Advanced 
Framework provides a detailed explanation of these qualification 
requirements for the systems and processes for the calculation of 
regulatory capital.
    11. Banks adopting the U.S. Advanced Framework must comply with the 
qualification requirements not just for initial qualification, but also 
for ongoing use. A bank that falls out of compliance with the 
qualification requirements would be required to establish a plan 
satisfactory to its primary Federal supervisor to return to compliance, 
as discussed in the U.S. Advanced Framework.
    12. Supervisors will ensure that each bank using the U.S. Advanced 
Framework complies with the qualifying requirements for calculating 
regulatory capital, both at the consolidated level and at any U.S. 
subsidiary banks also subject to the U.S. Advanced Framework. Thus, 
each bank applying the U.S. Advanced Framework must have appropriate 
risk measurement and management processes and systems that meet the 
rule's qualification requirements for calculating regulatory capital.

ICAAP

    13. The qualification requirements in the U.S. Advanced Framework 
state that ``a bank must have a rigorous process for assessing its 
overall capital adequacy in relation to its risk profile and a

[[Page 9191]]

comprehensive strategy for maintaining an appropriate level of 
capital.'' \6\ A bank's internal process for assessing its overall 
capital adequacy, the ICAAP, must be conducted by a bank in addition to 
its calculation of regulatory capital requirements.\7\
---------------------------------------------------------------------------

    \6\ Part III, section 22 (a) (1) of the U.S. Advanced Framework.
    \7\ Should the primary Federal supervisor exempt a bank from the 
application of the U.S. Advanced Framework based upon a written 
determination that the application of the rule is not appropriate in 
light of the bank's asset size, level of complexity, risk profile, 
or scope of operations, such exemption would likewise apply to the 
requirement that the bank have an ICAAP in the U.S. Advanced 
Framework.
---------------------------------------------------------------------------

    14. The fundamental objectives of a sound ICAAP are:
     Identifying and measuring material risks;
     Setting and assessing internal capital adequacy goals that 
relate directly to risk;
     Ensuring the integrity of internal capital adequacy 
assessments.
    15. Assessing overall capital adequacy through the ICAAP requires 
thorough identification of all material risks, measurement of those 
that can be reliably quantified, and systematic assessment of all risks 
and their implications for capital adequacy. In this manner, an ICAAP 
should contribute broadly to the development of better risk management 
within the organization at both the individual entity and consolidated 
levels.
    16. Each bank that uses the U.S. Advanced Framework should have an 
ICAAP appropriate for its unique risk characteristics and should not 
rely solely upon the assessment of capital adequacy at the parent 
company level. This does not preclude the use of a consolidated ICAAP 
as an important input to a subsidiary bank's own ICAAP, provided that 
each entity's board and senior management ensure that such processes 
are appropriately modified from the consolidated ICAAP to address the 
unique structural and operating characteristics and risks of their 
bank.
    17. In general, the ICAAP will likely go beyond the restrictive or 
simplifying assumptions in regulatory requirements. However, in certain 
instances the ICAAP may build on and utilize methods, practices, and 
results from a bank's work for determining regulatory capital 
requirements. For example, an ICAAP may use data, ratings, or estimates 
from internal ratings-based approaches to credit risk. Furthermore, 
while an ICAAP should generally be a distinct and comprehensive process 
that produces its own capital measures, in some cases banks may be able 
to justify that regulatory capital measures are appropriate for 
internal use and reflect the bank's risk profile.
    18. The design and operation of systems to meet the ICAAP 
requirement will necessarily differ based upon the complexity of each 
bank's operations and risk profile. Many banks currently employ 
``economic capital'' measures for some elements of risk management, 
such as, limit setting, or for evaluating performance and determining 
aggregate capital adequacy needs.\8\ In some cases, economic capital 
measures may relate directly to ICAAP requirements; in other cases, 
banks may be using economic capital measures that do not relate 
directly to ICAAP requirements. For the latter, a bank does not 
necessarily need to change its existing process or systems, but may 
build upon or reconcile its economic capital process in relation to the 
ICAAP requirement to demonstrate how the two are generally related. 
Regardless of the specific implementation method(s) chosen, a bank's 
overall ICAAP should address the three ICAAP objectives stated in 
paragraph 14.
---------------------------------------------------------------------------

    \8\ The term ``economic capital'' generally refers to the 
capital attributed to cover the economic effects of an institution's 
risk taking activities. In practice, economic capital takes on a 
variety of definitions and is applied in a number of ways at the 
product, business-line, and consolidated institution level.
---------------------------------------------------------------------------

Identifying and Measuring Material Risks in ICAAP

    19. The first objective of an ICAAP is to identify all material 
risks. Risks that can be reliably measured and quantified should be 
treated as rigorously as data and methods allow. The appropriate means 
and methods to measure and quantify those material risks are likely to 
vary across banks.
    20. Some of the risks to which banks are exposed include credit 
risk, market risk, operational risk, interest rate risk in the banking 
book, and liquidity risk (as outlined below).\9\ However, other risks, 
such as reputational risk, business or strategic risk, and country risk 
may be as important for a bank and, in such cases, should be given 
equal consideration to the more formally defined risk types.\10\ 
Additionally, if banks employ risk mitigation techniques, they should 
understand the risk to be mitigated and the potential effects of that 
mitigation (including its enforceability and effectiveness).
---------------------------------------------------------------------------

    \9\ Examination policies and procedures from each agency provide 
extensive guidance on the major risk categories. A bank's risk 
management processes, including its ICAAP, should be consistent with 
this existing body of guidance, as well as with relevant interagency 
guidance.
    \10\ For example, a bank may be engaged in businesses for which 
periodic fluctuations in activity levels, combined with relatively 
high fixed costs, have the potential to create unanticipated losses 
that must be supported by adequate capital. Additionally, a bank 
might be involved in strategic activities (such as expanding 
business lines or engaging in acquisitions) that introduce 
significant elements of risk and for which additional capital would 
be appropriate.
---------------------------------------------------------------------------

     Credit risk: A bank should have the ability to assess 
credit risk at the portfolio level as well as at the exposure or 
counterparty level. Banks should be particularly attentive to 
identifying credit risk concentrations and ensuring that their effects 
are adequately assessed. This should include consideration of various 
types of dependence among exposures, incorporating the credit risk 
effects of extreme outcomes, stress events, and shocks to assumptions 
about portfolio and exposure behavior. Banks should also carefully 
assess concentrations in counterparty credit exposures, including 
counterparty credit risk exposures emanating from trading in less 
liquid markets, and determine the effect that these might have on 
capital adequacy.
     Market risk: A bank should be able to identify risks in 
trading activities resulting from a movement in market prices. This 
determination should consider factors such as illiquidity of 
instruments, concentrated positions, one-way markets, non-linear/deep 
out-of-the money positions, and the potential for significant shifts in 
correlations. Exercises that incorporate extreme events and shocks 
should also be tailored to capture key portfolio vulnerabilities.
     Operational risk: A bank should be able to assess the 
potential risks resulting from inadequate or failed internal processes, 
people, and systems, as well as from events external to the bank. This 
assessment should include the effects of extreme events and shocks 
relating to operational risk. Events could include a sudden increase in 
failed processes across business units or a significant incidence of 
failed internal controls.
     Interest rate risk in the banking book: A bank should 
identify the risks associated with changing interest rates on balance 
sheet and off-balance sheet exposures in the banking book from both a 
short-term and long-term perspective. This might include the impact of 
changes due to parallel shocks, yield curve twists, yield curve 
inversions, changes in the relationships of rates (basis risk), and 
other relevant scenarios. The bank should be able to support its 
assumptions about the behavioral characteristics of servicing rights, 
non-maturity deposits and other

[[Page 9192]]

assets and liabilities, especially those exposures characterized by 
embedded optionality. Given uncertainty in such assumptions, stress 
testing and scenario analysis should be used in the analysis of 
interest rate risks.
     Liquidity risk: A bank should understand risks resulting 
from its inability to meet its obligations as they come due, because of 
difficulty in liquidating assets or in obtaining adequate funding. This 
assessment should include analysis of sources and uses of funds, an 
understanding of the funding markets in which the bank operates, and an 
assessment of the efficacy of a contingency funding plan for events 
that could arise.
    The risk factors discussed above should not be considered an 
exhaustive list of those affecting any given bank. All relevant factors 
that present a material source of risk to capital should be 
incorporated in a well-developed ICAAP. Furthermore, banks should be 
mindful of the capital adequacy effects of concentrations that may 
arise within each risk type.
    21. All measurements of risk incorporate both quantitative and 
qualitative elements, but generally a quantitative approach should form 
the foundation of a bank's measurement framework. In some cases, 
quantitative tools can include the use of large historical databases; 
when data are more scarce, a bank may choose to rely more heavily on 
the use of stress testing and scenario analyses. Banks should 
understand when measuring risks that measurement error always exists, 
and in many cases is, itself, difficult to quantify. In general, an 
increase in uncertainty related to modeling and business complexity 
should result in a larger capital cushion.
    22. Quantitative approaches that focus on most likely outcomes for 
budgeting, forecasting, or performance measurement purposes may not be 
fully applicable for capital adequacy because the ICAAP should also 
take less likely events into account. Stress testing and scenario 
analysis can be effective in gauging the consequences of outcomes that 
are unlikely but would have a considerable impact on safety and 
soundness.
    23. To the extent that risks cannot be reliably measured with 
quantitative tools--for example, where measurements of risk are based 
on scarce data or unproven quantitative methods--qualitative tools, 
including experience and judgment, may be more heavily utilized. Banks 
should be cognizant that qualitative approaches have their own inherent 
biases and assumptions that affect risk assessment; accordingly, banks 
should recognize the biases and assumptions embedded in, and the 
limitations of, the qualitative approaches used.
    24. An effective ICAAP should assess risks across the entire bank. 
A bank choosing to conduct risk aggregation among various risk types or 
business lines should understand the challenges in such aggregation. In 
addition, when aggregating risks, banks should be sure to address any 
potential concentrations across more than one risk dimension, 
recognizing that losses could arise in several risk dimensions at the 
same time, stemming from the same event or a common set of factors. For 
example, a localized natural disaster could generate losses from 
credit, market, and operational risks at the same time.
    25. In considering possible effects of diversification, management 
should be systematic and rigorous in documenting decisions, and in 
identifying assumptions used in each level of risk aggregation. 
Assumptions about diversification should be supported by analysis and 
evidence. The bank should have systems capable of aggregating risks 
based on the bank's selected framework. For example, a bank calculating 
correlations within or among risk types should consider data quality 
and consistency, and the volatility of correlations over time and under 
stressed market conditions.

Setting and Assessing Capital Adequacy Goals That Relate to Risk

    26. The second objective of an ICAAP is to set and assess capital 
adequacy goals in relation to all material risks. Importantly, banks 
should recognize that regulatory capital requirements represent a floor 
below which a bank's overall capital level must not fall, even if bank 
management believes that there is justification for a lower overall 
level.
    27. Assessments of risk and capital adequacy should reflect the 
risk appetite of the bank. This appetite may be expressed through an 
established risk tolerance that generally reflects a desired level of 
risk coverage and/or a certain degree of creditworthiness, such as an 
explicit solvency standard. Because risk profiles and choices of risk 
tolerance may differ across banks, chosen capital targets may also 
differ.
    28. Actual capital held should reflect not only the measured amount 
of risk, but also potential uncertainties related to the measurement of 
risk. In addressing concerns about how limitations of risk measurement 
affect capital adequacy, banks should pay particular attention to the 
relative importance to the bank of the activities producing the risk. 
In their assessment of capital adequacy, banks should challenge 
fundamental assumptions embedded in the measurement of risks; in 
certain cases, assumptions that were accurate during one historical 
time period may no longer be valid and may lead to mismeasurement or 
misunderstanding of risks and/or the capital needed to support them. 
Banks should be explicitly aware of how sensitive their risk 
measurements are to various input assumptions.
    29. A bank should consider external conditions and other factors 
that influence overall capital adequacy. The potential impact of 
contingent exposures and changing economic and financial environments 
should be addressed; such analysis can include stress testing or 
scenario analysis, but in all cases should incorporate both 
quantitative and qualitative methods.\11\
---------------------------------------------------------------------------

    \11\ The use of stress testing and scenario analysis in 
identifying and measuring risk exposures and assessing capital 
adequacy in an ICAAP is not the same as the stress testing 
requirement related to minimum regulatory capital requirements (as 
described in the U.S. Advanced Framework and supervisory guidance 
relating to qualification requirements). The stress testing and 
scenario analysis encouraged in the ICAAP guidance is intended to 
focus on overall capital needs and their possible fluctuations--not 
just fluctuations in minimum regulatory capital requirements.
---------------------------------------------------------------------------

    30. A bank's ICAAP should ensure adequate capital is held against 
all material risks not just at a point in time, but over time, in order 
to account for inevitable changes in a bank's strategic direction, 
evolving economic conditions, and volatility in the financial 
environment. Indeed, sensitivity of capital to economic and financial 
cycles is an important feature to be included in a bank's planning for 
current and future capital needs. For example, a bank's ICAAP should 
consider the potential effects of a sudden, sustained downturn. The 
level of capital deemed adequate by an ICAAP might also be influenced 
by a bank's intention to hold additional capital to mitigate the impact 
of volatility in capital requirements, the need to accommodate 
acquisition plans, or the decision to accommodate market perceptions of 
capital adequacy and their impact on funding costs.
    31. Various definitions of bank capital are used within banking. A 
bank should state clearly the definition of capital used in any aspect 
of its ICAAP. For example, the definition used in models to measure 
capital adequacy relative to risk may not correspond to capital 
actually held (available capital resources), and the bank should 
understand such differences. For internal purposes, some banks may 
choose a narrow capital definition, such

[[Page 9193]]

as only common equity, while others may define capital more broadly. 
Banks should also state explicitly the impact that retained earnings 
have on capital positions. Since components of capital are not 
necessarily alike and have varying ability to absorb losses, a bank 
should thoroughly understand the relationship between its internal 
capital definition and its assessment of capital adequacy. The bank 
should document any changes in its internal definition of capital, and 
the reason for those changes.
    32. For effective capital planning, banks should identify the time 
horizon over which they are assessing capital adequacy. Banks should 
evaluate whether long-run capital targets are consistent with short-run 
goals, based on current and planned changes in risk profiles and the 
recognition that accommodating additional capital needs can require 
significant lead time. Capital planning should factor in the potential 
difficulties of raising additional capital during downturns or other 
times of stress. Banks should have contingency plans to address 
unexpected capital needs or liquidity/funding issues.

Ensuring Integrity of Internal Capital Adequacy Assessments

    33. A satisfactory ICAAP comprises a complete process with proper 
oversight and controls, not just an ability to carry out certain 
capital calculations. The various elements of a bank's ICAAP should 
supplement and reinforce one another to achieve the overall objective 
of assessing the adequacy of the bank's actual capital resources, 
taking into account the full risk profile.
    34. Adequate internal controls and documentation should be in place 
to ensure transparency, objectivity, and consistency in an ICAAP. 
Decisions regarding the design and operation of the ICAAP should 
reflect sound risk management objectives, and should not be unduly 
influenced by competing business objectives. Principles underlying a 
bank's ICAAP should be incorporated in policies that are reviewed and 
approved at appropriate levels within the organization.
    35. Banks should have complete documentation covering the ICAAP. At 
a minimum, such documentation should include a description of the 
overall process, including committees and individuals responsible for 
the ICAAP, the frequency of ICAAP-related reporting, and procedures for 
the periodic evaluation of the appropriateness and adequacy of ICAAP. 
In addition, where applicable, documentation should cover all aspects 
ordinarily expected for sound use of quantitative methods, including 
model selection, limitations, data selection and maintenance, controls, 
and validation.
    36. An ICAAP should be enhanced and refined over time, with 
learning and experience (both quantitative and qualitative) 
contributing to its improvement. It should evolve with changes in the 
risk profile and activities of the bank as well as advances in risk 
measurement and management practices. Special attention may be 
necessary for areas where the operational or business environment has 
changed, such as the introduction of new products and activities.
    37. The board of directors and senior management have certain 
responsibilities in developing, implementing, and overseeing an ICAAP. 
The board or its appropriately delegated agent should approve the ICAAP 
and its components, review them on a regular basis, and approve any 
revisions. That review should encompass the effectiveness of the ICAAP, 
the appropriateness of risk tolerance levels and capital planning, and 
the strength of control infrastructures. Senior management should 
continually ensure that the ICAAP is functioning effectively and as 
intended; considerations by senior management should be explicit, 
formal, and documented. Additionally, internal audit should play a key 
role in the controls and governance surrounding an ICAAP on an ongoing 
basis.
    38. Each bank should ensure that the components of its ICAAP, 
including any models and their inputs, are subject to validation 
policies and procedures. Validation is generally defined as an ongoing 
process that encompasses, but is not limited to, the collection and 
review of developmental evidence, process verification, benchmarking, 
outcomes analysis, and monitoring activities used to confirm that 
processes are operating as designed. The sophistication of validation 
policies and procedures should be appropriate to the bank's business, 
structure, and sophistication, as well as the relative importance of 
each component of ICAAP. In conducting validation, banks should adhere 
to the existing body of supervisory guidance on the subject.
    39. The primary use of an ICAAP is to provide an assessment of 
internal capital adequacy. Beyond that, management should be able to 
demonstrate that the ICAAP influences business decisions and overall 
risk management, and is not simply a compliance exercise. An ICAAP 
should influence decision-making at both the consolidated and 
individual business-line levels.
    40. An ICAAP should, to the extent possible, be integrated with 
other management processes related to risk assessment, business 
planning and forecasting, pricing strategies and performance 
measurement. Additionally, the components of an ICAAP, including models 
and their inputs, should be used in (or at the very least be consistent 
with elements used in) regular business and risk management decisions.
    41. As part of the ICAAP, the board or its delegated agent, as well 
as appropriate senior management, should periodically review the 
resulting assessment of overall capital adequacy and determine that 
actual capital held is consistent with the risk appetite of the bank, 
taking into account all material risks. This review should include an 
analysis of how measures of internal capital adequacy compare with 
other capital measures (such as regulatory, accounting-based or market-
determined). The review should also result in formal procedures to 
correct any deficiencies uncovered in the assessment process, 
especially if capital is not consistent with the risk profile or risk 
appetite of the bank.

    Dated: February 12, 2007.
John C. Dugan,
Comptroller of the Currency.
    By order of the Board of Governors of the Federal Reserve 
System.

    Dated: February 13, 2007.
Jennifer J. Johnson,
Secretary of the Board.
    Dated at Washington, DC, the 15th day of February, 2007.

    By order of the Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
    Dated: February 15, 2007.

    By the Office of Thrift Supervision,
John M. Reich,
Director.
[FR Doc. 07-811 Filed 2-27-07; 8:45 am]
BILLING CODES 4810-33-P, 6210-01-P, 6714-01-P, 6720-01-P