[Federal Register Volume 73, Number 148 (Thursday, July 31, 2008)]
[Rules and Regulations]
[Pages 44620-44628]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-17555]



Office of the Comptroller of the Currency

12 CFR Part 3

[Docket ID OCC-2008-0009]


12 CFR Parts 208 and 225

[Docket No. OP-1322]


12 CFR Part 325


Office of Thrift Supervision

12 CFR Part 567

[Docket No. 2008-0008]

Supervisory Guidance: Supervisory Review Process of Capital 
Adequacy (Pillar 2) Related to the Implementation of the Basel II 
Advanced Capital Framework

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision, 
Treasury (OTS) (collectively, the agencies).

ACTION: Final supervisory guidance.


SUMMARY: The agencies are publishing guidance regarding the supervisory 
review process for capital adequacy (Pillar 2) provided in the Basel II 
advanced approaches final rule, which was published in the Federal 
Register on December 7, 2007 (advanced approaches final rule). The 
supervisory review process described in this guidance outlines the 
agencies' standards for satisfying the qualification requirements 
provided in the advanced approaches final rule; addressing the 
limitations of the minimum risk-based capital requirements for credit 
risk and operational risk; ensuring that each institution has a 
rigorous process for assessing its overall capital adequacy in relation 
to its risk profile and a comprehensive strategy for maintaining 
appropriate capital levels; and encouraging each institution to improve 
its risk identification and measurement techniques. This supervisory 
guidance applies to any bank, savings association, or bank holding 
company \1\ implementing the advanced approaches final rule.

    \1\ Collectively referred to in the guidance as ``banks''.

DATES: This guidance is effective September 2, 2008. Comments on the 
Paperwork Reduction Act portion of this document may be submitted on or 
before September 2, 2008.

ADDRESSES: Comments on the Paperwork Reduction Act portion of this 
document should be addressed to:
    OCC: Communications Division, Office of the Comptroller of the 
Currency, Public Information Room, Mailstop 1-5, Attention: 1557-NEW, 
250 E Street, SW., Washington, DC 20219. In addition, comments may be 
sent by fax to (202) 874-4448, or by electronic mail to 
[email protected]. You may personally inspect and photocopy 
the comments at the OCC's Public Information Room, 250 E Street, SW., 
Washington, DC 20219. For security reasons, the OCC requires that 
visitors make an appointment to inspect comments. You may do so by 
calling (202) 874-5043. Upon arrival, visitors will be required to 
present valid government-issued photo identification and submit to 
security screening in order to inspect and photocopy comments.
    Board: You may submit comments, identified by OP-1322, by any of 
the following methods:
     Agency Web Site: http://www.federalreserve.gov. Follow the 
instructions for submitting comments at http://www.federalreserve.gov/.
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Fax: (202) 452-3819 or (202) 452-3102.
     Mail: Jennifer J. Johnson, Secretary, Board of Governors 
of the Federal Reserve System, 20th Street and

[[Page 44621]]

Constitution Avenue, NW., Washington, DC 20551.

All public comments are available from the Board's Web site at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, 
unless modified for technical reasons. Accordingly, your comments will 
not be edited to remove any identifying or contact information. Public 
comments may also be viewed electronically or in paper form in Room MP-
500 of the Board's Martin Building (20th and C Streets, NW.) between 9 
a.m. and 5 p.m. on weekdays.
    FDIC: You may submit comments by any of the following methods:
     Agency Web Site: http://www.fdic.gov/regulations/laws/federal. Follow instructions for submitting comments on the Agency Web 
     E-mail: [email protected]. Include ``Basel II Supervisory 
Guidance'' in the subject line of the message.
     Mail: Robert E. Feldman, Executive Secretary, Attention: 
Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429.
     Hand Delivery/Courier: Guard station at the rear of the 
550 17th Street Building (located on F Street) on business days between 
7 a.m. and 5 p.m. (EST).
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Public Inspection: All comments received will be posted 
without change to http://www.fdic.gov/regulations/laws/federal 
including any personal information provided. Comments may be inspected 
and photocopied in the FDIC Public Information Center, 3501 North 
Fairfax Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5 
p.m. (EST) on business days. Paper copies of public comments may be 
ordered from the Public Information Center by telephone at (877) 275-
3342 or (703) 562-2200.
    OTS: Information Collection Comments, Chief Counsel's Office, 
Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552; 
send a facsimile transmission to (202) 906-6518; or send an e-mail to 
[email protected]. OTS will post comments and the 
related index on the OTS Internet site at http://www.ots.treas.gov. In 
addition, interested persons may inspect the comments at the Public 
Reading Room, 1700 G Street, NW., by appointment. To make an 
appointment, call (202) 906-5922, send an e-mail to 
public.info@ots.treas.gov">public.info@ots.treas.gov, or send a facsimile transmission to (202) 
906-7755. A copy of the comments may also be submitted to the OMB desk 
officer for the Agencies: By mail to U.S. Office of Management and 
Budget, 725 17th Street, NW., Room 10235, Washington, DC 20503 or by 
facsimile to 202-395-6974, Attention: Federal Banking Agency Desk 

    OCC: Akhtarur Siddique, Lead Expert, Risk Analysis, (202) 874-4665; 
or Ron Shimabukuro, Senior Counsel, Legislative and Regulatory 
Activities Division, (202) 874-5090; Office of the Comptroller of the 
Currency, 250 E Street, SW., Washington, DC 20219.
    Board: David Palmer, Senior Supervisory Financial Analyst, Credit 
Risk Section, (202) 452-2904 or Sabeth Siddique, Assistant Director, 
Credit Risk Section, (202) 452-3861; Board of Governors of the Federal 
Reserve System, 20th Street and Constitution Avenue, NW., Washington, 
DC 20551. For the hearing impaired only, Telecommunication Device for 
the Deaf (TDD), (202) 263-4869.
    FDIC: Gloria Ikosi, Senior Quantitative Risk Analyst, (202) 898-
3997, or Ryan Sheller, Capital Markets Specialist, (202) 898-6614; 
Capital Markets Policy Section, Division of Supervision and Consumer 
Protection; or Mark L. Handzlik, Senior Attorney, (202) 898-3990, or 
Michael B. Phillips, Counsel, (202) 898-3581, Supervision Branch, Legal 
Division, Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429.
    OTS: Sonja White, Senior Project Manager, (202) 906-7857, Capital 
Policy, or Jonathan Jones, Senior Financial Economist, (202) 906-5729, 
Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552.

SUPPLEMENTARY INFORMATION: The agencies issued a notice of proposed 
rulemaking (NPR) on September 25, 2006,\2\ seeking comment on a new 
risk-based capital adequacy framework that requires some and permits 
other qualifying banks to use an internal ratings-based (IRB) approach 
to calculate regulatory capital requirements for credit risk and 
certain advanced measurement approaches (AMA) to calculate regulatory 
capital requirements for operational risk (together, the IRB and the 
AMA are referred to as the ``advanced approaches''). On December 7, 
2007, the agencies published the advanced approaches final rule.\3\ The 
advanced approaches final rule is based largely on a series of 
publications by the Basel Committee on Banking Supervision (BCBS) that 
culminated in a comprehensive release in June 2006, titled, 
``International Convergence of Capital Measurement and Capital 
Standards: A Revised Framework'' (New Accord). The New Accord presents 
a three-pillar framework for determining risk-based capital 
requirements for credit risk, market risk, and operational risk (Pillar 
1); supervisory review of capital adequacy (Pillar 2); and market 
discipline through enhanced public disclosure (Pillar 3).

    \2\ 71 FR 55830.
    \3\ 72 FR 69288.

    On February 28, 2007, the agencies published in the Federal 
Register three separate documents proposing supervisory guidance 
related to the implementation of the advanced approaches.\4\ Two of 
those documents provided guidance for certain aspects of Pillar 1, that 
is, for the IRB systems for determining the credit risk of retail and 
wholesale exposures, and other systems for equity and securitization 
exposures, and for the AMA for determining operational risk. The third 
document proposed guidance for Pillar 2. This final guidance document 
provides supervisory guidance only for Pillar 2, and it does not 
provide Pillar 1 guidance on the systems for determining regulatory 
capital requirements for credit risk or for determining regulatory 
capital requirements for operational risk. This document does not 
differ significantly from the proposed Pillar 2 guidance.

    \4\ 72 FR 9084.

    The agencies recognize that a number of institutions may need 
additional guidance to implement the advanced approaches final rule. 
Accordingly, consistent with the proposed guidance for Pillar 2, this 
guidance document highlights certain aspects of existing supervisory 
review that are being augmented or clarified to support the 
implementation of the supervisory assessment of overall capital 
adequacy under the advanced approaches final rule. In making this 
assessment, the agencies will consider, among other items, whether each 
institution (i) has satisfied the qualification requirements for 
implementing the advanced approaches; (ii) has a rigorous process for 
assessing its overall capital adequacy in relation to its risk profile 
and a comprehensive strategy for maintaining appropriate capital levels 
(internal capital adequacy assessment process--ICAAP); and (iii) 
maintains a satisfactory risk management and control structure, 
consistent with its capital position and overall risk profile.
    The agencies received ten public comments on the proposed guidance

[[Page 44622]]

from banking organizations, trade associations representing the banking 
or financial services industry, and other interested parties. Overall, 
the commenters supported the principles-based orientation of the 
guidance. However, some commenters recommended revisions to certain 
sections of the guidance that they viewed as overly prescriptive. One 
commenter expressed concern that the guidance appeared to suggest that 
increases in risk should result in greater capital, even if an 
institution already maintains a substantial capital buffer. To address 
this concern, the agencies have revised the guidance to clarify that an 
increase in risk may not necessarily require an increase in capital 
where the bank already holds capital at a level exceeding what its 
internal processes and supervisors regard as adequate.
    Other commenters expressed concern regarding the agencies' position 
that liquidity risk should be addressed within the ICAAP. However, the 
proposed guidance was consistent with the agencies' view of liquidity 
risk as a material risk that can affect capital adequacy. The agencies 
clarified this section of the guidance to indicate that, within the 
ICAAP, institutions should consider the capital adequacy implications 
of liquidity risk. One commenter expressed the concern that each bank's 
ICAAP measures would be compared to (and reconciled with) Pillar 1 
measures and to other institutions' ICAAP results. The agencies 
acknowledge that there may be limited comparability to Pillar 1 
measures because a bank's ICAAP under Pillar 2 should be tailored to 
its individual risk profile, while Pillar 1 measures are based on 
certain common assumptions that may not apply to each individual bank. 
Accordingly, there is likely to be some limit to the comparisons that 
can be made across institutions.
    Some commenters expressed confusion about the stress testing 
requirement in Pillar 1 and stress testing discussed in the Pillar 2 
guidance. The agencies regard stress testing as a critical component in 
the identification and measurement of material risks. Although there 
are no prescriptive stress testing requirements in Pillar 2, 
institutions should use stress testing or similar exercises in their 
ICAAP to consider the consequences of unlikely but severe events and 
outcomes as an input to the capital adequacy assessment process.
    Finally, one commenter indicated that it might not be practical to 
incorporate the ICAAP into bank management's decision-making process. 
The agencies believe that for the ICAAP to be meaningful and relevant, 
it should be consistent with the bank's other risk management 

Paperwork Reduction Act

A. Request for Comment on Proposed Information Collection

    In accordance with the requirements of the Paperwork Reduction Act 
of 1995, the Agencies may not conduct or sponsor, and the respondent is 
not required to respond to, an information collection unless it 
displays a currently valid Office of Management and Budget (OMB) 
control number. The Agencies are requesting comment on a proposed 
information collection. The Agencies are also giving notice that the 
proposed collection of information has been submitted to OMB for review 
and approval.
    Comments are invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the Agencies' functions, including whether the 
information has practical utility;
    (b) The accuracy of the estimates of the burden of the information 
collection, including the validity of the methodology and assumptions 
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) Ways to minimize the burden of the information collection on 
respondents, including through the use of automated collection 
techniques or other forms of information technology; and
    (e) Estimates of capital or start up costs and costs of operation, 
maintenance, and purchase of services to provide information.

B. Proposed Information Collection

    Title of Information Collection: Basel II Interagency Supervisory 
Guidance for the Supervisory Review Process (Pillar 2).
    Frequency of Response: Event-generated.
    Affected Public:
    OCC: National banks.
    Board: State member banks and bank holding companies.
    FDIC: Insured state nonmember banks and certain subsidiaries of 
these entities.
    OTS: Savings associations and certain of their subsidiaries.
    Abstract: The notice sets forth a supervisory guidance document for 
implementing the supervisory review process (Pillar 2). The guidance 
was issued for 60 days of comment on February 28, 2007 (72 FR 9084). No 
comments were received on the burden estimates provided in that notice.
    The Agencies believe that paragraphs 37, 41, 43, and 46 impose new 
information collection requirements. Section 37 states that banks 
should state clearly the definition of capital used in any aspect of 
ICAAP and document any changes in the internal definition of capital. 
Under section 41, banks should maintain thorough documentation of 
ICAAP. Section 43 specifies that boards of directors should approve the 
bank's ICAAP, review it on a regular basis, and approve any changes. 
Boards of directors are also required under Section 46 to periodically 
review the assessment of overall capital adequacy and to analyze how 
measures of internal capital adequacy compare with other capital 
measures (such as regulatory or accounting).
    The agencies burden estimates for these information collection 
requirements are summarized below. Note that the estimated number of 
respondents listed below include both institutions for which the Basel 
II risk-based capital requirements are mandatory and institutions that 
may be considering opting-in to Basel II (despite the lack of any 
formal commitment by most of these latter institutions).
    Estimated Burden:
    Number of Respondents: 52.
    Estimated Burden per Respondent: 140 hours.
    Total Estimated Annual Burden: 7,280 hours.
    Number of Respondents: 15.
    Estimated Burden per Respondent: 420 hours.
    Total Estimated Annual Burden: 6,300 hours.
    Number of Respondents: 19.
    Estimated Burden per Respondent: 420 hours.
    Total Estimated Annual Burden: 7,980 hours.
    Number of Respondents: 4.
    Estimated Burden per Respondent: 420 hours.
    Total Estimated Annual Burden: 1,680 hours.
    The full text of the guidance follows:

Supervisory Review Process of Capital Adequacy (Pillar 2) Related to 
the Implementation of the Advanced Approaches Final Rule

    1. This guidance supplements the final rule published jointly by 
the U.S.

[[Page 44623]]

Federal banking agencies\1\ in the Federal Register on December 7, 2007 
(advanced approaches rule).\2\ The advanced approaches rule implements 
a new risk-based capital framework encompassing three pillars:

    \1\ The Federal banking agencies are the Board of Governors of 
the Federal Reserve System; the Federal Deposit Insurance 
Corporation; the Office of the Comptroller of the Currency; and the 
Office of Thrift Supervision; and are collectively referred to as 
``the agencies,'' ``supervisors,'' or ``regulators'' in this 
    \2\ 72 FR 69288. The advanced approaches rule as codified at 12 
CFR part 3, Appendix C (national banks); 12 CFR part 208, Appendix F 
(state member banks); 12 CFR part 225, Appendix G (bank holding 
companies); 12 CFR part 325 Appendix D (state nonmember banks); 12 
CFR part 567, Appendix C (savings associations).

     Minimum risk-based capital requirements (Pillar 1);
     Supervisory review (Pillar 2); and
     Market discipline through enhanced public disclosures 
(Pillar 3).
    The minimum risk-based capital requirements in Pillar 1 of the 
advanced approaches rule apply to a bank's calculation of minimum risk-
based capital requirements for credit risk and operational risk.\3\ If 
the bank is also subject to the market risk rule,\4\ then the minimum 
risk-based capital requirements in that rule would apply.\5\

    \3\ The term ``bank'' as used in this guidance includes banks, 
savings associations and bank holding companies. The terms ``bank 
holding company'' and ``BHC'' refer only to bank holding companies 
regulated by the Federal Reserve Board and do not include savings 
and loan holding companies regulated by the Office of Thrift 
    \4\ 12 CFR part 3, Appendix B (national banks), 12 CFR part 208, 
Appendix E (state member banks), 12 CFR part 225, Appendix E (bank 
holding companies), 12 CFR part 325, Appendix C (state nonmember 
banks). OTS intends to codify a market risk capital rule for savings 
associations at 12 CFR part 567, Appendix D.
    \5\ If a bank is subject to both the advanced approaches rule 
and the market risk rule, then the bank is subject to this guidance. 
If a bank is subject only to the market risk rule, it is not subject 
to this guidance.

    2. This document addresses the process for supervisory review in 
the advanced approaches rule. As described in this guidance, 
supervisory review covers three main areas:
     Comprehensive supervisory review of capital adequacy;
     Compliance with regulatory capital requirements; and
     Internal capital adequacy assessment process (ICAAP).
    3. The process of supervisory review described in this guidance 
reflects a continuation of the longstanding approach employed by the 
agencies in their supervision of banks. However, because implementation 
of the advanced approaches rule affects certain aspects of supervisory 
review, this guidance highlights areas of existing supervisory review 
that are being augmented or more clearly defined to support 
implementation of the advanced approaches rule by U.S. banks.
    4. The supervisory review process described in this document is 
intended to help ensure overall capital adequacy by:
     Confirming a bank's compliance with regulatory capital 
     Addressing the limitations of minimum risk-based capital 
requirements as a measure of a bank's full risk profile--including 
risks not covered or not adequately addressed or quantified in Pillar 
     Ensuring that each bank is able to assess its own capital 
adequacy (beyond minimum risk-based capital requirements) based on its 
risk profile and business model; and
     Encouraging banks to develop and use better techniques to 
identify and measure risk.
    5. This guidance neither supersedes nor alters the functioning of 
the existing Prompt Corrective Action requirements.\6\ Similarly, this 
guidance does not affect any other requirements for compliance with 
existing regulations and supervisory standards related to risk-
management practices or other areas. The supervisory review process 
described in this guidance supports the supervisors' existing ability 

    \6\ See 12 CFR part 6 (national banks); 12 CFR part 208 (state 
member banks); 12 CFR 325.103 (state nonmember banks); 12 CFR part 
565 (savings associations). In addition, savings associations remain 
subject to the tangible capital requirement at 12 CFR 567.2(a)(3) 
and 567.9.

     Require an individual bank to take measures to prevent its 
capital from falling below the level needed to adequately support its 
risks; or
     Otherwise intervene to ensure that the bank's capital 
levels are adequate.

Comprehensive Supervisory Review of Capital Adequacy

    6. Capital helps protect individual banks from insolvency, thereby 
promoting safety and soundness in the overall U.S. banking system. 
Minimum risk-based capital requirements establish a threshold below 
which a sound bank's risk-based capital must not fall. Risk-based 
capital ratios permit some comparative analysis of capital adequacy 
across banks because they are based on certain common assumptions. 
However, supervisors must perform a more comprehensive review of 
capital adequacy that considers the risks that are specific to each 
individual bank, including those not incorporated in risk-based capital 
requirements. In short, supervisors must ensure that a bank's overall 
capital does not fall below the level required to support its entire 
risk profile.
    7. Supervisors generally expect banks to hold capital above their 
minimum risk-based capital levels, commensurate with their individual 
risk profiles, to account for all material risks. Going forward under 
the advanced approaches rule, supervisors will continue to review the 
overall capital adequacy of any bank through a comprehensive evaluation 
that considers all relevant available information. In determining the 
extent to which banks should hold capital in excess of risk-based 
capital minimums, supervisors will consider: The combined implications 
of a bank's compliance with qualification requirements for regulatory 
capital standards; the quality and results of a bank's own process for 
determining whether capital is adequate (the ICAAP); and the bank's 
risk-management processes, control structure, and other relevant 
information relating to the bank's risk profile and capital level.\7\ 
This review is consistent with current supervisory practice, under 
which the agencies assess a bank's overall capital adequacy through a 
comprehensive evaluation of all relevant information.

    \7\ See Part III, section 22(a)(1)-(3) of the advanced 
approaches rule.

    8. The supervisory review process assesses whether a bank has a 
satisfactory process to determine that its overall capital is adequate, 
and that the bank maintains adequate capital on an ongoing basis, as 
underlying conditions change. For example, changes in a bank's risk 
profile or in relevant capital measures are areas of particular focus 
that are effectively addressed through the supervisory review process. 
Generally, a bank should hold more capital for material increases in 
risk that are not otherwise mitigated, unless the bank already holds 
capital at a level exceeding what its internal processes and 
supervisors would regard as adequate. Conversely, a bank may be able to 
reduce overall capital (to a level still above regulatory minimums) if 
the supervisory review supports the conclusion that the bank's inherent 
risk has materially declined or that it has been appropriately 
    9. As a result of its comprehensive supervisory review, a bank's 
primary Federal supervisor may take action if it is not satisfied that 
capital is adequate. The primary Federal supervisor may require the 
bank to take actions to address identified supervisory concerns, which 
may include requiring the bank to hold additional capital to bring

[[Page 44624]]

capital to levels that the supervisor deems commensurate with the 
bank's risk profile. In addition, the primary Federal supervisor may, 
under its enforcement authority, require a bank to modify or enhance 
risk-management and internal-control processes, reduce its exposure to 
risk, or take any action deemed necessary to address identified 
supervisory concerns.

Compliance With Regulatory Capital Requirements

    10. In order to use the advanced approaches rule to calculate 
minimum risk-based capital requirements, a bank must meet certain 
process and systems requirements. As part of the supervisory review 
process, the agencies will ensure that each bank meets these 
requirements. The advanced approaches rule provides an explanation of 
these qualification requirements for any systems and processes used.
    11. A bank using the advanced approaches rule must comply with the 
rule's qualification requirements for both initial and ongoing 
qualification. A bank that falls out of compliance with the 
qualification requirements would be required to establish a plan to 
return to compliance that satisfies its primary Federal supervisor.
    12. Supervisors will ensure that each bank using the advanced 
approaches rule complies with the qualification requirements both at 
the consolidated level and at any subsidiary bank that uses the 
advanced approaches rule. Thus, each bank that applies the advanced 
approaches rule must have appropriate risk-measurement and risk-
management processes and systems that meet the rule's qualification 


    13. The qualification requirements in the advanced approaches rule 
state that ``a bank must have a rigorous process for assessing its 
overall capital adequacy in relation to its risk profile and a 
comprehensive strategy for maintaining an appropriate level of 
capital.'' \8\ Because minimum risk-based capital requirements are 
based on certain assumptions and address only a subset of risks faced 
by an individual bank, each bank must conduct an internal assessment of 
whether its capital is adequate, given its risk profile. A bank must 
conduct this assessment, using the ICAAP, in addition to its 
calculation of minimum risk-based capital requirements.\9\ Accordingly, 
a bank's capital should exceed the level required by its minimum risk-
based capital requirements, and also should be adequate according to 
its own ICAAP.

    \8\ Part III, section 22(a) (1) of the advanced approaches rule.
    \9\ Should the primary Federal supervisor exempt a bank from 
application of the advanced approaches rule based upon a written 
determination that the application of the rule is not appropriate in 
light of the bank's asset size, level of complexity, risk profile, 
or scope of operations, such exemption would likewise apply to the 
advanced approaches requirement that the bank have an ICAAP, but 
would not automatically exempt the bank from other regulatory 
requirements or supervisory expectations to maintain a satisfactory 
internal process to assess capital adequacy.

    14. The fundamental objectives of a sound ICAAP are:
     Identifying and measuring material risks;
     Setting and assessing internal capital adequacy goals that 
relate directly to risk; and
     Ensuring the integrity of internal capital adequacy 
    15. Assessing overall capital adequacy through the ICAAP requires 
thorough identification of all material risks, measurement of those 
that can be reliably quantified, and systematic assessment for the 
limitations of minimum risk-based capital requirements. The ICAAP 
should address the capital implications arising from both on- and off-
balance sheet positions, as well as from provisions of explicit or 
implicit support. Material risks include those that in isolation do not 
appear to be material at first, but when combined with other risks 
could lead to material losses. In this manner, the ICAAP should 
contribute broadly to the development of better risk management within 
the organization at both the individual entity and consolidated levels.
    16. Each bank implementing the advanced approaches rule should have 
an ICAAP that is appropriate for its unique risk characteristics and 
should not rely solely upon the assessment of capital adequacy at the 
parent company level. This does not preclude the use of a consolidated 
ICAAP as an important input to a subsidiary bank's own ICAAP, provided 
that each entity's board and senior management ensure that the ICAAP is 
appropriately modified to address the unique structural and operating 
characteristics and risks of the subsidiary bank.
    17. In general, the ICAAP will likely go beyond the assumptions 
built into minimum risk-based capital requirements. However, in certain 
instances a bank's ICAAP--when supported by proper justification and 
evidence--may build upon and utilize the methods, practices, and 
results it uses to determine minimum risk-based capital requirements. 
For example, in developing the ICAAP, a bank may choose to use data, 
ratings, or estimates from internal ratings-based approaches for credit 
risk; or a bank may choose to use the advanced measurement approaches 
as the basis for its internal assessment of operational risk. 
Furthermore, although the ICAAP should be a distinct and comprehensive 
process that produces its own capital measures, in some cases a bank 
may be able to demonstrate that minimum risk-based capital measures 
appropriately reflect certain aspects of a bank's risk profile and thus 
are appropriate for use in its ICAAP.
    18. The design and operation of any systems used to meet the ICAAP 
requirements will likely differ, depending on the complexity of each 
bank's operations and risk profile. Many banks employ ``economic 
capital'' measures for some elements of risk management, such as limit 
setting, or for evaluating performance or determining aggregate capital 
needs.\10\ In some cases, economic capital measures may relate directly 
to a bank's assessment of capital adequacy under the ICAAP; however, in 
other cases, a bank may be using economic capital measures that are not 
intended for capital adequacy assessments. In the latter case, a bank 
does not necessarily need to change its existing process or systems, 
but it may need to build upon or adjust its economic capital measures 
for use in the ICAAP and the bank would have to demonstrate clearly how 
it does so. Notably, economic capital is not the only means to meet the 
ICAAP requirement. Regardless of the specific implementation method(s) 
chosen, the bank's ICAAP should address the three ICAAP objectives 
listed in paragraph 14.

    \10\ The term ``economic capital'' generally refers to the 
capital attributed to cover the economic effects of a bank's risk 
taking activities. Within the banking industry, economic capital 
takes on a variety of definitions and is applied in a number of ways 
at the product, business-line, and consolidated institution level.

Identifying and Measuring Material Risks

    19. The first objective of the ICAAP is to identify all material 
risks. Risks that can be reliably measured and quantified should be 
treated as rigorously as data and methods allow. The appropriate means 
and methods to measure and quantify those material risks are likely to 
vary across banks. The key point is for a bank to be able to identify 
all material risks and measure those that can be reliably quantified in 
order to determine how those risks affect the bank's overall capital 
    20. Some of the risks to which a bank may be exposed include credit 

[[Page 44625]]

market risk, operational risk, interest rate risk in the banking book, 
and liquidity risk (as outlined below).\11\ Other risks, such as 
reputational risk, business or strategic risk, and country risk may 
also be material for a bank and, in such cases, should be given equal 
consideration to the more formally defined risk types.\12\ 
Additionally, if a bank employs risk mitigation techniques it should 
understand the risk to be mitigated and the potential effects of that 
mitigation (including enforceability and effectiveness).

    \11\ Examination policies and procedures from each agency 
provide extensive guidance on the major risk categories. A bank's 
risk management processes, including its ICAAP, should be consistent 
with each corresponding agency's existing body of guidance, as well 
as with relevant interagency guidance.
    \12\ For example, a bank may be engaged in businesses for which 
periodic fluctuations in activity levels, combined with relatively 
high fixed costs, have the potential to create unanticipated losses 
that must be supported by adequate capital. Additionally, a bank 
might be involved in strategic activities (such as expanding 
business lines or engaging in acquisitions) that introduce 
significant elements of risk and for which additional capital would 
be appropriate.

     Credit risk: A bank should have the ability to assess 
credit risk at the portfolio level in addition to the exposure or 
counterparty level. In making this assessment, the bank should be 
particularly attentive to identifying any credit risk concentrations 
and ensuring that their effects are adequately assessed. The bank 
should consider the various types of dependence among exposures, and 
the credit risk effects of extreme outcomes, stress events, and shocks 
to assumptions about portfolio and exposure behavior. The bank also 
should carefully assess concentrations in counterparty credit 
exposures, including those that result from trading in less liquid 
markets, and determine the effect that these exposures might have on 
capital adequacy.
     Market risk: A bank should be able to identify risks in 
trading and capital markets activities resulting from a movement in 
market prices and rates. This determination should consider factors 
such as illiquidity of instruments, leverage, concentrated positions, 
one-way markets, non-linear or deep out-of-the money option positions 
as well as embedded optionality, and the potential for significant 
shifts in correlations or other types of dependence structures. 
Assessments that incorporate extreme events, idiosyncratic variations, 
credit migrations or changes in credit spreads, defaults, and shocks 
should also be tailored to capture key portfolio vulnerabilities.
     Operational risk: A bank should be able to assess the 
potential risks resulting from inadequate or failed internal processes, 
people, and systems, as well as from events external to the bank.\13\ 
This assessment should include the effects of extreme events and shocks 
relating to operational risk. Extreme events could include a 
substantial or sudden increase in failed processes across business 
units or a significant incidence of failed internal controls.

    \13\ In many cases, a bank may capture legal risk within 
operational risk. Regardless of whether it is classified as its own 
risk type or included within another risk type, a bank should 
understand the impact of legal risk on capital adequacy.

     Interest rate risk in the banking book: A bank should 
incorporate interest rate risk in the banking book into its assessment 
of capital adequacy. In making this assessment, the bank should 
identify the risks associated with changes in interest rates that 
impact both on- and off-balance sheet exposures in the banking book 
from a short- and long-term perspective. This might include the impact 
of changes due to parallel yield curve shocks, yield curve twists, 
yield curve inversions, changes in the adjustment of rates earned and 
paid on different financial instruments with otherwise similar 
repricing characteristics (basis risk), and other relevant scenarios 
including some that incorporate stress events, extreme outcomes, and 
shocks to assumptions. The bank should be able to support any 
assumptions it has made with respect to the behavioral characteristics 
of servicing rights, non-maturity deposits, positions subject to 
prepayment risk, and other assets and liabilities, especially for those 
exposures characterized by embedded optionality.
     Liquidity risk: A bank should incorporate liquidity risk 
into the assessment of its capital adequacy. A bank should evaluate 
whether capital is adequate given its own funding liquidity profile and 
given the liquidity of the markets in which it operates. This 
assessment should incorporate various types of liquidity environments 
and include an evaluation of the potential for a material disruption in 
the sources of liquidity typically relied on by the bank as a result of 
bank-specific as well as systemic events. A bank should consider the 
capital adequacy implications of lacking a well-diversified funding 
base, relying predominantly on wholesale credit markets for its 
funding, or relying heavily on volatile funding sources. A bank 
involved in securitization activities should consider the capital 
adequacy implications of relying on market liquidity to distribute 
warehoused assets, including the potential for disruptions that would 
cause a bank to bring certain items onto its balance sheet. In its 
assessment of the impact of liquidity risk on capital adequacy, the 
bank should also challenge assumptions built into its definition of 
liquid products.
    The risk factors discussed above are not an exhaustive list of 
those affecting any given bank. A well-developed ICAAP should include 
an assessment of all relevant factors that present a material source of 
risk to capital, and should account for concentrations within each risk 
    21. A bank should assess whether its capital is sufficient to 
absorb any losses that may arise from activities that expose the bank 
to multiple risks within and across business lines or create 
concentrations across risk types.\14\ A bank should recognize that 
losses could arise in several risk dimensions at the same time, 
stemming from the same event or a common set of factors. For example, a 
localized natural disaster could generate losses from credit, market, 
and operational risks. Additionally, the ICAAP should focus on any 
complex activities that give rise to multiple risks, and to their 
interaction. These activities can involve instruments that may be 
complex, illiquid, or difficult to value. For example, securitization 
activities expose a bank to a variety of risks that can affect capital 
adequacy at the same time, including credit, market, liquidity, and 
reputational risks; structured products can have multiple embedded 
risks that interact in complex ways and can present losses in multiple 
risk areas across different business lines at the same time. In 
general, the ICAAP should include an assessment of the potential 
effects of convergence of risks within and across business lines and 
their combined impact on capital adequacy.

    \14\ Concentrations may include exposures or groups of exposures 
that have the potential to produce losses large enough to threaten 
an institution's health or materially change its risk profile.

    22. The ICAAP should take into consideration the linkage between 
capital adequacy and damage or potential damage to a bank's reputation. 
A bank might incur losses affecting capital adequacy because of damage 
to its reputation, or the bank might incur losses trying to prevent or 
mitigate damage to its reputation. In assessing the linkage between 
reputational risk and capital adequacy, a bank should assess risks 
associated with both on-balance sheet and off-balance sheet exposures 
and activities, as well as risks associated with affiliates, 

[[Page 44626]]

counterparties, clients, or other third parties. The assessment should 
include activities for which the bank acts as a sponsor or advisor, and 
cases in which the bank provides explicit or implicit support. A bank 
should also assess the risk of having to assume the losses of a third 
party to prevent or mitigate damage to the bank's reputation.
    23. The bank's ICAAP should assess risks associated with new 
products, markets and activities. In making this assessment, the bank 
should account for any uncertainty in the valuation of new products, 
whether by the bank or a third party, which could be more challenging 
if the new products are particularly complex or do not have liquid 
markets. The ICAAP should take into consideration changing dynamics in 
markets for new products and uncertainty as to how new markets might 
respond to stress conditions. The ICAAP should also assess the 
challenges presented by new business lines or strategic acquisitions in 
terms of their impact on capital adequacy.
    24. All measurements of risk should incorporate both quantitative 
and qualitative elements. Generally, a quantitative approach should 
form the foundation of a bank's measurement framework. Quantitative 
approaches that focus on most likely outcomes for budgeting, 
forecasting, or performance measurement purposes may not be fully 
applicable for assessing capital adequacy, which also should take less 
likely outcomes into account.
    25. In some cases, quantitative tools can include the use of large 
historical databases. These databases are most applicable when they are 
fully reflective of all relevant risk characteristics, incorporate 
appropriate variability, and have adequate granularity and history; for 
example, they should include data based not just on benign but also 
more stressful economic periods or operating environments. When 
internal data are not available or do not reflect a bank's risk 
profile, a bank may rely on external data for risk measurements, but 
should ensure that external data have applicability to the bank's own 
activities and risk profile.
    26. The confidence a bank places in the results of its ICAAP should 
depend on the quality and robustness of the associated risk 
assessments. When measuring risks, a bank should understand that 
estimation and measurement errors are common, and in many cases are 
themselves difficult to quantify. In general, the bank's ICAAP should 
reflect an appropriate level of conservatism to account for uncertainty 
in risk identification, risk mitigation or control, and risk 
quantification. In most cases, appropriate conservatism will result in 
greater capital needs.
    27. In many cases, risk assessments may rely to a significant 
degree on models that use both qualitative and quantitative inputs. The 
use of models can enhance the ICAAP, but it can also introduce 
challenges. Specifically, models may fail to work as intended or 
expected, or they may be used inappropriately for purposes not 
considered in their initial design. These concerns apply to models 
purchased from third-party vendors, as well as to models that are 
internally developed. A bank using models as part of the ICAAP should 
recognize these possibilities and ensure that appropriate controls, 
such as rigorous initial and ongoing validation and independent review, 
are in place to mitigate and manage any risks related to model use. A 
bank should apply appropriate conservatism to compensate for any risks 
associated with models. Additional conservatism may be necessary to 
account for any uncertainties in the use of models to value on- or off-
balance sheet exposures or for imperfections and volatility in market-
based valuations. Additional conservatism may be necessary to 
compensate for increased risk, for example, when models or applications 
are more complex, or when they have a more significant influence on the 
ICAAP's results.
    28. To gain a fuller understanding of the risks beyond more typical 
quantitative measures--such as those based on certain parameter 
behavior or distributional assumptions--a bank should also rely on 
other types of quantitative exercises. For example, stress testing, 
including scenario analysis and sensitivity analysis, is an additional 
quantitative exercise that a bank should regularly apply to complement 
more typical quantitative measures. A bank may need to rely more 
heavily on such exercises when internal or demonstrably relevant 
external data are scarce. These exercises can help gauge the 
consequences of outcomes that are unlikely, but would have a 
considerable impact on safety and soundness.
    29. In addition to quantitative approaches for assessing risk, a 
bank should also employ qualitative approaches that incorporate 
management experience and judgment. Qualitative measures should be 
employed not only for those cases in which scarce data or unproven 
quantitative methods limit a full assessment of risk, but also more 
generally to complement even sophisticated quantitative estimates based 
on extensive and high-quality data.
    30. A bank should be cognizant that both quantitative and 
qualitative approaches have their own inherent biases and assumptions 
that affect risk assessment. Accordingly, a bank should recognize the 
biases and assumptions embedded in, and the limitations of, the 
approaches used.
    31. An effective ICAAP is comprehensive, assessing material risks 
across the entire bank. Each bank should have systems capable of 
aggregating across risk types. A bank should understand the challenges 
presented by risk aggregation and the inherent uncertainty in 
quantitative estimates used to aggregate risks (including the 
difficulty in estimating concentrations across risk types as noted in 
paragraph 21). For example, a bank is encouraged to consider the 
various interdependencies among risk types, the different techniques 
used to identify such interdependencies, and the channels through which 
those interdependencies might arise--across risk types, within the same 
business line, and across different business lines. Consistent with 
paragraph 26, any associated uncertainty in aggregating capital 
estimates across risk types and business lines should translate into 
greater capital needs.
    32. Management should be systematic and rigorous in considering 
possible effects of diversification. Assumptions about diversification 
should be identified at each level where diversification is recognized, 
supported by analysis and evidence, and remain robust over time and 
under different market environments, including stressed market 
conditions. For example, a bank calculating the dependence structure 
within or among risk types should consider data quality and 
consistency, such as the volatility of correlations over time and 
during periods of market stress. In general, a bank should consider a 
wide range of possible adverse outcomes that have the potential to 
affect multiple risks at the same time and to limit expected 
diversification benefits. Consistent with paragraph 26, uncertainty in 
diversification estimates should translate into greater capital needs.

Setting and Assessing Capital Adequacy Goals That Relate to Risk

    33. The second objective of the ICAAP is to set and assess capital 
adequacy goals in relation to all material risks. Under this objective, 
a bank should have a well-defined process to translate estimates of 
risk into an assessment of capital adequacy. In practice, capital

[[Page 44627]]

adequacy goals may be reflected in various ways. A bank may choose to 
hold capital in excess of the level internal processes would regard as 
adequate for any number of business or strategic reasons. Excess 
capital may fluctuate over time. Each bank should recognize that 
minimum risk-based capital requirements represent a floor below which 
the bank's overall capital level must not fall, even if bank management 
believes that there is justification to maintain less capital.
    34. A bank may establish its risk-tolerance level to reflect a 
desired level of risk coverage and/or a certain degree of 
creditworthiness, such as an explicit solvency standard. Accordingly, 
assessments of risk and capital adequacy should reflect the chosen risk 
tolerance of the bank. Because risk profiles and choices of risk 
tolerance may differ across banks, capital targets may also differ. 
However, if for internal capital adequacy purposes a bank were to 
choose to apply a level of risk coverage or a solvency standard that is 
less than that implied by minimum risk-based capital requirements, the 
bank would have to be able to: Identify and support the rationale for a 
lower solvency standard; demonstrate clearly that its ICAAP adequately 
addresses low-probability, high-severity events; and ensure that there 
is sufficient capital to absorb losses associated with such extreme 
events. Regardless of the solvency standard used, supervisors expect 
banks to hold capital at a level above that established by minimum 
risk-based capital requirements.
    35. A bank should consider external conditions and other factors 
that influence its overall capital adequacy, including the potential 
impact of contingent exposures and changing economic and financial 
environments. The ICAAP should address the potential impact of broader 
market or systemic events, which could cause risk to increase beyond 
the bank's chosen risk-tolerance level, and have appropriate 
contingency plans for such outcomes. Such exercises may include stress 
testing, such as scenario and sensitivity analysis; however, in all 
cases they should incorporate both quantitative and qualitative 

    \15\ The use of stress testing in identifying and measuring risk 
exposures and assessing capital adequacy in the ICAAP is not the 
same as the Pillar 1 stress testing requirement related to minimum 
risk-based capital requirements and qualification requirements (as 
described in the advanced approaches rule). The stress testing 
encouraged in the ICAAP guidance is intended to focus on overall 
capital needs and their possible fluctuations, not just fluctuations 
in minimum risk-based capital requirements. However, work conducted 
to meet the stress testing requirement under Pillar 1 may have 
application to or may provide a starting point for any stress 
testing banks decide to conduct as part of the ICAAP.

    36. Through the ICAAP, a bank should ensure that adequate capital 
is held against all material risks, and that capital remains adequate 
not just at a point in time, but over time, to account for changes in a 
bank's strategic direction, evolving economic conditions, and 
volatility in the financial environment. A bank should be cognizant of 
the impact of market-driven valuations on the volatility of capital. 
Moreover, recognizing the sensitivity of capital to economic and 
financial cycles should be a critical component of a bank's planning 
for current and future capital needs. For example, a bank should 
consider the potential effects of a sudden, sustained economic 
downturn. The level of capital deemed adequate by a bank given its 
ICAAP might also be influenced by the bank's intention to hold 
additional capital to mitigate the impact of volatility in capital 
requirements, its need to support acquisition plans, or its decision to 
accommodate market perceptions of capital adequacy and their impact on 
funding costs.
    37. In analyzing capital adequacy, a bank should evaluate the 
capacity of its capital to absorb losses. Because various definitions 
of capital are used within the banking industry, each bank should state 
clearly the definition of capital used in any aspect of its ICAAP. 
Since components of capital are not necessarily alike and have varying 
capacities to absorb losses, a bank should be able to demonstrate the 
relationship between its internal capital definition and its assessment 
of capital adequacy. If a bank's definition of capital differs from the 
regulatory definition, the bank should reconcile such differences and 
provide an analysis to support the inclusion of any capital instruments 
that are not recognized under the regulatory definition. Although 
common equity is generally the predominant component of a bank's 
capital structure, a bank may be able to support the inclusion of other 
capital instruments in its internal definition of capital if it can 
demonstrate a similar capacity to absorb losses. The bank should 
document any changes in its internal definition of capital, and the 
reason for those changes.
    38. An effective capital plan recognizes a bank's short- and long-
term capital needs and objectives. Accordingly, a bank should evaluate 
whether long-run capital targets are consistent with short-run goals, 
based on current and planned changes in risk profiles. In developing 
its capital plan, the bank also should recognize that accommodating 
additional capital needs can require significant lead time, can be 
costly, or can be quite difficult, especially during downturns or other 
times of stress. A bank should have contingency plans to address 
unexpected capital needs.

Ensuring Integrity of Internal Capital Adequacy Assessments

    39. A satisfactory ICAAP comprises a complete process with proper 
oversight and controls, and not just an ability to carry out certain 
capital calculations. The various elements of a bank's ICAAP should 
complement and reinforce one another to achieve the overall objective 
of assessing capital adequacy, taking into account the bank's risk 
    40. A bank should maintain adequate internal controls to ensure the 
integrity, objectivity, and consistent application of the ICAAP. 
Decisions regarding the design and operation of the ICAAP should 
reflect sound risk management, and should not be unduly influenced by 
competing business objectives. A bank should identify any deficiencies 
in its ICAAP and plan and take remedial actions to address the 
deficiencies in a timely manner. The principles underlying a bank's 
ICAAP should be incorporated into policies that are reviewed and 
approved at appropriate levels within the organization.
    41. A bank should maintain thorough documentation of its ICAAP to 
ensure transparency. At a minimum, this should include a description of 
the bank's overall capital-management process, including the committees 
and individuals responsible for the ICAAP; the frequency and 
distribution of ICAAP-related reporting; and the procedures for the 
periodic evaluation of the appropriateness and adequacy of the ICAAP. 
In addition, where applicable, ICAAP documentation should demonstrate 
the bank's sound use of quantitative methods (including model selection 
and limitations) and data-selection techniques, as well as appropriate 
maintenance, controls, and validation. A bank should document and 
explain the role of third-party and vendor products, services and 
information--including methodologies, model inputs, systems, data, and 
ratings--and the extent to which they are used within the ICAAP. A bank 
should have a process to regularly evaluate the performance of third-
party and vendor products, services and information. As part of the 
ICAAP documentation, a bank should document the assumptions, methods,

[[Page 44628]]

data, information, and judgment used in its quantitative and 
qualitative approaches.
    42. The ICAAP should be enhanced and refined over time, with 
learning and experience (both quantitative and qualitative) 
contributing to its improvement. The ICAAP should evolve with changes 
in the risk profile and activities of the bank, as well as with 
advances in risk measurement and management practices. For example, a 
bank should incorporate in its ICAAP the introduction of new products 
and business lines and activities to ensure that the bank's capital 
plan is responsive to changes in the operational and/or business 
    43. The board of directors and senior management have certain 
responsibilities in developing, implementing, and overseeing the ICAAP. 
The board should approve the ICAAP and its components. The board or its 
appropriately delegated agent should review the ICAAP and its 
components on a regular basis, and approve any revisions. That review 
should encompass the effectiveness of the ICAAP, the appropriateness of 
risk tolerance levels and capital planning, and the strength of control 
infrastructures. Senior management should continually ensure that the 
ICAAP is functioning effectively and as intended, under a formal review 
policy that is explicit and well documented. Additionally, a bank's 
internal audit function should play a key role in reviewing the 
controls and governance surrounding the ICAAP on an ongoing basis.
    44. Each bank should ensure that the components of its ICAAP, 
including any models and their inputs, are subject to the bank's 
validation policies and procedures. Validation should be independent of 
the development, implementation, and operation of the ICAAP components, 
or the validation process should be subject to an independent review of 
its adequacy and effectiveness. Validation is generally defined as an 
ongoing process that includes, but is not limited to, the collection 
and review of developmental evidence, process verification, 
benchmarking, outcomes analysis, and monitoring activities used to 
confirm that processes are operating as designed. Validation policies 
and procedures should reflect the bank's business, structure, and 
sophistication, as well as the relative importance of each component of 
the ICAAP. Accordingly, a bank is encouraged to consult the agencies' 
existing guidance on validation.
    45. A bank's ICAAP should be aligned with and be a part of the 
bank's wider internal governance structure and overall risk-management 
processes. The ICAAP should not be viewed as simply a compliance 
exercise. Rather, it is a dynamic and evolving process that is used by 
a bank to provide internal assurance that capital is adequate given the 
bank's risk profile. Management is responsible for ensuring that the 
ICAAP is fully consistent with the overall risk management framework of 
the bank. Information derived through the ICAAP process should 
influence decision making at both the consolidated and individual 
business-line levels, and be used to inform other management processes 
related to risk assessment, business planning and forecasting, pricing 
strategies, and performance measurement.
    46. As part of the ICAAP, the board or its delegated agent, as well 
as appropriate senior management, should periodically review the 
resulting assessment of overall capital adequacy. This review, which 
should occur at least annually, should include an analysis of how 
measures of internal capital adequacy compare with other capital 
measures (such as regulatory, accounting-based or market-determined). 
Upon completion of this review, the board or its delegated agent should 
determine that, consistent with safety and soundness, the bank's 
capital takes into account all material risks and is appropriate for 
its risk profile. However, in the event a capital deficiency is 
uncovered (that is, if capital is not consistent with the bank's risk 
profile or risk tolerance) management should consult and adhere to 
formal procedures to correct the capital deficiency.

    Dated: July 14, 2008.
John C. Dugan,
Comptroller of the Currency.
    By order of the Board of Governors of the Federal Reserve 
System, July 15, 2008.
Jennifer J. Johnson,
Secretary of the Board.
    Dated at Washington, DC, the 15th day of July, 2008.

    By order of the Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
    Dated: July 14, 2008.

    By the Office of Thrift Supervision.
John M. Reich,
[FR Doc. E8-17555 Filed 7-30-08; 8:45 am]
BILLING CODE 4810-33-P, 6210-01-P, 6714-01-P, 6720-01-P