Validation and Approval of IRB Systems under the CRD Guidelines on the implementation, validation an

1
Validation and Approval of IRB Systems under the
CRD Guidelines on the implementation,
validation and review of AMA and IRB
approachesThomas Dietz, CEBS secretariat

• PRMIA Workshop 18 September 2006

2
Outline

• CEBS role and tasks
• Industry reaction and scope of the Guidelines on
  Validation (GL10)
• The approval and post-approval process
• 3.1. Application, assessment, decision (approval
  process)
• 3.2. The cooperation and coordination process
  between supervisors
• Selected items of the Assessment process
• 4.1. Partial use and Roll-out
• 4.2. Use test
• 4.3. Rating assignment and risk quantification
  (PDs, LGDs, CFs)
• 4.4. Back-testing and benchmarking (incl. Low
  default portfolios)
• 4.5. Internal governance
• Summary

3
1. CEBS role and tasks

• CEBS is not a single European regulator, but a
  coordination body comprised of high level
  representatives of the 25 EU supervisory
  authorities (observers from ROM, BG, LI, Iceland
  and NO) responsible for banking supervision
• Guidelines are one of the CEBS tools to achieve
  convergence in supervisory practices
• Convergence is one of the main tasks of CEBS
  according to the European Commission decision in
  November 2003
• Convergence means that the national supervisory
  authorities implement and apply European banking
  legislation as homogenously as possible

4
1. CEBS role and tasks (2)

• Convergence is in the interest of both the
  supervisory authorities (avoiding regulatory
  arbitrage) and the industry (level-playing field,
  especially important for cross-border groups)
• Guidelines are not legally binding, but national
  supervisors have a high interest to respect them
• Guidelines affect the industry since CEBS sets
  out expectations towards the national supervisors
  concerning what they should expect from their
  institutions

5
2. Industry reaction and scope of GL10

• During the drafting process meeting with experts
  nominated by the CEBS Consultative Panel to get
  informal input (two meetings on AMA, one on CP10
  as a whole)
• Two rounds of public consultation (mid-July to
  end October 2005 and end January until end
  February 2006)
• Positive Reactions (among others)
• Framework proposed for cooperation between home
  and host well-reasoned
• Flexibility introduced for institutions which
  have already completed preliminary applications
  (good faith clause)
• Principle of proportionality

6
2. GL10 - Industry reaction (2)

• Negative Reactions (among others)
• Instead of principles based approach too many
  details (not necessary to reach convergence)
  and too prescriptive
• indicative examples will lead to tick-box
  approach (N.B. some associations asked for more
  details/examples)
• Internal Governance rules too burdensome
• Proposals are too conservative and
  superequivalent to the CRD
• Strong disagreement with general concept of
  downturn LGDs
• CEBS reaction
• 40 of the proposed changes in the first round
  of consultation taken on board in CP10 revised,
  50 of the proposed changes in the second round
  in the final Guidelines

7
2. Scope Underlying CRD requirements

• Under the IRB Approach use of own estimates of
  risk parameters for the calculation of the
  institutions capital requirements
• -gt adequacy of the resulting capital
  requirements depends critically on the adequacy
  of the estimated risk parameters
• No use of AMA or IRB approaches for regulatory
  purposes without prior approval
• -gt explicit application necessary
• Approval only if the competent authority is
  satisfied that the institution's systems for
  managing and rating credit risk exposures are
  sound, are implemented with integrity, and meet
  the requirements listed in Article 84 and Annex
  VII, Part 4 of the CRD.
• -gt supervisory assessment necessary
• Guidelines on validation supposed to support the
  national supervisors work when dealing with the
  application, decision and especially the
  assessment process

8
3. Approval and post-approval process Structure
of GL10

• Structure of GL10 a typical approval process

Preliminarycontacts Supervisorycooperation Appli
cation
Supervisorsassessment Dialogue andjudgement
Decision and permission Monitoring of
implementation
Ongoingreview
9
3. Approval process Art. 129 (2)

• Art 129 (2) of the CRD decisive new element in
  the relations between consolidating and host
  supervisors, strengthening the responsibility of
  the consolidating supervisor
• In the case of applications submitted by an
  EU parent credit institution and its
  subsidiaries, or jointly by the subsidiaries of
  an EU parent financial holding company, the
  competent authorities shall work together, in
  full consultation, to decide whether or not to
  grant the permission sought and to determine the
  terms and conditions, if any, to which such
  permission should be subject. The competent
  authorities shall do everything within their
  power to reach a joint decision on the
  application within six months. In the absence
  of a joint decision between the competent
  authorities within six months, the competent
  authority referred to in paragraph 1 shall make
  its own decision on the application.
• De facto non-agreement after six months is
  unlikely. Supervisors will do everything to come
  to a common decision after the six-months period
  and will establish adequate cooperation
  procedures, already in the pre-application phase

10
3.1. Approval process Application

• Required minimum documentation for an application
  is divided into five parts
• Cover letter requesting approval
• Documentation of used or planned rating systems
• Control environment of the rating systems,
  implementation procedures and IT infrastructure
• Implementation plan (including Roll-Out) and
  details on permanent partial use
• Self-assessment
• Cover letter and supporting material must enable
  the supervisor to make an initial supervisory
  assessment of the application, and to develop a
  risk-based plan for a more thorough assessment
• The six months clock is started upon receipt of a
  complete application

11
3.1. Approval process - items to be covered in
the assessment

• Assessment? -gt the supervisor has to assess
  whether or not he is satisfied that the
  institutions systems meet the standards listed
  in Article 84 in accordance with the requirements
  of Annex VII, Part 4 of the CRD.
• IRB approach must have been validated by the
  institution (self-assessment), before supervisor
  starts its own assessment.
• Issues to be assessed by supervisors
• Methodology and documentation rating system
  methodology and the quality of internal
  documentation supporting the rating system
• Data quality quality of data and databases being
  used for the development of the rating systems,
  in the rating assignment process, and in the
  estimation of risk parameters, along with any
  other databases needed to calculate minimum
  regulatory capital

12
3.1. Assessment process items to be covered (2)

• Issues to be assessed by supervisors (continued)
  
• Quantitative procedures quantitative information
  relating to performance, validation, and
  monitoring of rating systems.
• Qualitative procedures perform an overall
  assessment of the quality of the internal model
  and assess compliance with the qualitative
  minimum regulatory requirements (use test,
  internal governance, the role of senior
  management, the adequacy of internal controls).
• Technological environment reliability and
  integration of systems, the functionality of the
  model, and the quality of information provided by
  systems.

13
3.1. Approval process and documentation Decision

• End of application process decision/permission
• Decision final act in the approval process, as a
  result of the consultation between the competent
  authorities.
• Permission legal form by which the decision,
  determinative and legally binding on the
  competent authorities, comes into force in their
  respective legislation (transposition of the full
  content of the decision under the standing legal
  provisions of each country)
• Decision document may contain certain terms and
  conditions or may also cover recommendations for
  the possible improvement of any imperfections
  revealed during the assessment process.

14
3.2.Supervisory cooperation and coordination

• As much cooperation as possible between
  consolidating and host supervisors to avoid a
  duplication of work (which supervisors to be
  involved, respective roles and responsibilities,
  allocation of specific tasks)
• Basic idea Streamlining 129 (2) process by a
  common understanding with regard to an
  application, its assessment and the decision on
  it
• Developing an overall supervisory plan of action
  (including time table, communication strategy and
  escalation process -gt exchange of information
  necessary already at a very early stage)

15
3.2.Supervisory cooperation and coordination (2)

• Consolidating supervisor as central point of
  contact (also for the group) and as central
  coordinator, e.g.
• Assessing whether application is complete
• Coordinate the on-site inspection/off-site
  assessment of the groups application
• Determining the contents of the decision document
• Communication of the decision to the group
• sharing of tasks and resources (e.g. host
  supervisor reviewing locally developed models)
• Monitoring of the roll-out plan and of the terms
  and conditions in the post-approval phase as well
  as processing of possible preliminary
  applications in the transition period before the
  CRD has come into force will be conducted by the
  supervisors involved (in the spirit of Art. 129
  (2))

16
4. Selected items of the Assessment process

• 2. Cooperation procedures, approval and
  post-approval process
• 2.1.Co-operation between supervisory authorities
  under Art. 129 (2)
• Cross-reference to CP09 (Home/host)
• 2.2.Approval and post-approval process
• Application
• Supervisors assessment
• Decision and permission
• Post approval process
• Transition period

• 4. Supervisors assessment for Operational Risk
• 4.1. Partial Use combinations
• 4.2. Simpler Approaches (TSA, ASA, BIA)
• 4.3. AMA
• 4.3.1.Roll-out
• 4.3.2. Use test
• 4.3.3. Data
• 4.3.4. Guidelines for AMA Quantitative issues,
  internal validation, risk transfer mechanisms and
  allocation
• AMA four elements
• Consistency of risk measurement system
• Expected loss, correlation, Insurance and other
  risk transfer mechanisms
• Internal validation of risk measurement and
  management processes
• Allocation methodology
• 4.3.5. Internal governance

• 3. Supervisors assessment for Credit Risk
• 3.1. Partial use/Roll-out
• 3.2. Use test
• 3.3. Methodology and documentation
• Assignment to Exposure classes
• Definition of loss and default
• Rating systems and quantification
• Quality of internal documentation
• External vendor models
• 3.4. Data
• 3.5. Quantitative and qualitative validation and
  its assessment
• 3.6. Internal Governance
• Role of management body
• Credit Risk Control Unit
• Internal Audit

17
4.1 Partial use and Roll-out permanent partial
use

• Permanent partial use allowed for the
  institutions and/or central governments and
  central banks exposure classes (if number of
  material counterparties is limited and if unduly
  burdensome to implement a rating system for these
  counterparties).
• No further guidance on this given in GL10 -gt onus
  of the bank to justify its choice
• Other possibility for permanent partial use
  exposures in non-significant business units and
  exposure classes that are immaterial in terms of
  size and perceived risk profile
• In CP10 no quantitative thresholds set for
  significance and immateriality, but both should
  be measured by either Exposure value (indicator
  of size) or risk-weighted exposure amounts (risk
  profile), measuring of significance and
  immateriality at least at the aggregated level
• Institution needs to have systems and procedures
  for monitoring materiality issues in a timely and
  appropriate manner

18
4.1. Partial use and Roll out - Roll out

• General approach in the CRD (Art. 85 (1)) once
  an institution decides to apply the IRB approach,
  all exposures should be covered by this approach.
  Temporary or permanent partial use is possible,
  however (e.g. because extension of rating systems
  to some parts of their business may be unduly
  burdensome)
• Article 85 of the CRD gives institutions the
  possibility of implementing the IRB Approach
  sequentially across different exposure classes
  (Roll-out).
• Nevertheless, institutions should already be
  using the IRB approach for at least a portion of
  their business when they apply for approval
  (assessed by supervisors by either qualitative or
  quantitative rules Risk Weighted Exposure
  Amounts or Exposure values)
• Article 85(2) requires that IRB implementation
  shall be carried out within a reasonable period
  of time.
• Application already contains a complete roll-out
  plan, so no further Article 129 application will
  be needed as each portfolio is rolled out, with
  the possible exception of a merger or
  acquisition. New decisions may be necessary,
  however.

19
4.2. Use test

• Use test (Art.84(2)) refers to the time after the
  initial approval information used in or produced
  by its rating system to determine regulatory
  capital requirements has also to be used in the
  course of conducting its regular business,
  particularly in risk management
• Experience test (Art.84(3) and (4)) sets out
  minimum requirements for rating systems in the
  time period prior to the institutions
  qualification to use the IRB approach (one up to
  three years) Rating systems have to be broadly
  in line/broadly consistent with the minimum
  requirements for internal risk measurement and
  management purposes and the systems for risk
  parameter estimation
• -gt institutions need to show that they are
  familiar enough with the systems (The rating
  systems used prior to approval do not need to
  have been fully identical to the ones used
  before)
• -gt rating systems, ratings, and default and loss
  estimates designed and set up with the exclusive
  aim of qualifying for the IRB, and used only to
  produce the data necessary for the IRB approach,
  are not allowed.
• Data inputs and systems outputs (ratings and
  risk parameter estimates used in calculating
  capital requirements) must have a substantial
  influence on the institutions decision-making
  and actions, but in order not to hamper
  industry development do not have to be
  completely identical for internal purposes such
  as pricing.

20
4.3. Rating assignment and Risk quantification
PD

• In practice a variety of different methodologies
  in use to assign obligor grades (statistical
  models, heuristic models, causal models, or other
  mechanical methods). Institutions can combine
  various methodologies for assigning obligor
  grades. (For example, they can combine
  statistical models with expert judgement
  systems.)
• Similarly, institutions may use different
  estimation methods (and different data sources)
  to estimate PDs for obligor rating grades or
  pools, including
• mapping internal rating grades to the scale used
  by an ECAI
• statistical default prediction models
• or other estimation methods or combinations of
  methods.

21
4.3. Risk quantification - LGD

• Realised LGDs are ex-post values that can be
  applied to a facility grade or pool. Estimated
  LGDs are based on realised LGDs predicting a
  long-run forward-looking recovery rate for the
  facility grade or pool, taking both current and
  future economic circumstances into account
• Realised LGD might be zero or even positive (e.g.
  technical default or selling of a collateral to a
  price higher than the outstanding amount). Even
  if positive outcomes in the recovery processes
  have been observed and can be explained, the
  estimated LGD used to calculate capital
  requirements must not be less than zero.
• In principle, supervisors do not require any
  specific technique for LGD estimation (or for
  estimating other IRB parameters). However,
  institutions will have to demonstrate that the
  methods they choose are appropriate to the
  institutions activities and the portfolios to
  which they apply.

22
4.3. Risk quantification Downturn LGDs

• Institutions should produce an LGD estimate
  appropriate for an economic downturn (Downturn
  LGD) if this is more conservative than the
  long-run average.
• Three-stage process
• Identify appropriate downturn conditions for each
  supervisory exposure class in each jurisdiction
• Identify adverse dependencies, if any, between
  default rates and recovery rates
• Generate LGDs being consistent with identified
  downturn conditions
• Supervisors recognise Data problems! Therefore
  While institutions are building better data sets
  and developing more experience in estimating
  downturn LGDs, supervisors may choose to direct
  them to focus their efforts on types of exposures
  for which they believe the downturn effect is of
  special concern.

23
4.3. Risk quantification Conversion factors

• Conversion factors are part of the Exposure at
  Default calculation
• Definition conversion factor means the ratio
  of the currently undrawn amount of a commitment
  that will be drawn and outstanding at default to
  the currently undrawn amount of the commitment
• Not much guidance, since industry practice in
  this area is still at an early stage. However,
  four indicative examples are given how to
  estimate CFs. One of them (momentum approach) can
  only be accepted for a transitional period of
  time
• Controversial discussion For what instruments is
  the estimation of own CFs allowed/obligatory? (No
  estimation for 100 risk factors as listed in
  Basel framework)

24
4.4. Backtesting and benchmarking High level
principles of validation

• High Level Principles of the Basel Accord
  Implementation Group (AIG)
• Validation encompasses a range of processes and
  activities that contribute to an assessment of
  whether ratings adequately differentiate risk and
  whether estimates of risk components (such as PD,
  LGD, or CF) appropriately characterise the
  relevant aspects of risk.
• The credit institution has primary responsibility
  for validation
• Validation is an iterative process and there is
  no single validation method Validation should be
  subject to independent review
• Validation should encompass both qualitative and
  quantitative elements (A validation process needs
  to contain a mix of developmental evidence
  (assessing the logic of the approach, its
  conceptual soundness, statistical testing
  performed prior to use), benchmarking and process
  verification (comparisons to relevant
  alternatives, verification that the process is
  being applied as intended), and outcomes analysis
  (backtesting)

25
4.4. Backtesting and benchmarking

• The CRD explicitly requires institutions to use
  both Backtesting and Benchmarking tools in their
  validation process (Annex VII, Part 4, Paragraphs
  110 and 111).
• Backtesting checking the performance of the risk
  rating systems estimates by comparing realised
  risk parameters with estimated risk parameters.
  When backtesting is hindered by lack of data or
  insufficient quantitative information,
  institutions will need to rely more heavily on
  additional qualitative elements such as quality
  control tests (qualitative validation)
• Benchmarking comparing the outputs of the
  reviewed risk rating systems with the outputs of
  other risk rating systems with external
  information (other institutions or ECAIs).
• In cases where a lack of internal or external
  data prevents the proper use of these techniques,
  institutions should apply a higher margin of
  conservatism in their estimations.

26
4.4. Backtesting and Benchmarking Low default
portfolios

• Low-default portfolios are portfolios with few or
  no defaults observed. Low-default portfolios can
  arise under different circumstances (high-quality
  borrowers or small number of borrowers)
• In the case of systemic Low default portfolios
  ((data unavailable for all institutions)
  Exposures in low-default Portfolios should not
  necessarily be excluded from the IRB approach
  simply because of the absence of sufficient data
  to validate PD, LGD and CF estimates on a
  statistical basis.
• Such exposures may be included if institutions
  can demonstrate that the methods and techniques
  applied to estimate and validate PD, LGD and CF
  constitute a sound and effective risk-management
  process and are employed in a consistent way.
• Institutions will be required to use appropriate
  conservatism in risk parameter estimation

27
4.5. Internal Governance some definitions

• Management body as defined in the CRD. The use
  of the term management body does not advocate
  any particular board structure represents the
  top management level of an institution
• Senior management should be understood to
  represent the level of management below the
  management body
• GL10 National authority can define which
  function of the management body is responsible
  for the tasks and responsibilities listed in the
  internal governance section
• Proportionality principle Assessment of an
  institutions organisational structure, internal
  governance, and internal control systems should
  take into account their size and the complexity
  and nature of their business (could include a
  comply or explain approach)

28
4.5. Internal governance CRCU

• CRCU shall be responsible for the design or
  selection, implementation, oversight and
  performance of the rating systems (Annex VII,
  Part 4, Paragraph 127)
• Credit Risk Control function (CRCF) should be
  independent from the business lines it monitors
  and controls.
• in most cases organisational CRCU and CRC
  identical (consequently CRCU would encompass
  only people responsible for fulfilling the Credit
  Risk Control function), but CRCU could encompass
  both people responsible for the design of the
  model and for its independent review
• Counterbalance in this case any potential for
  lack of objectivity to be offset with rigorous
  controls, administered by Internal Audit
• Basic idea of Internal audit control of the
  control function. It must not be directly
  involved in model design/selection and not in
  day-to-day operations (e.g. reviewing each
  individual rating assignment)

29
4.5 Internal governance Role of management body
and senior management

• Management body may where appropriate -
  delegate tasks to senior management and/or risk
  committees
• However, no relief for both bodies from general
  awareness of the IRB framework used by the
  institution
• management body ultimate responsibility for the
  IRB framework
• senior management ultimate responsibility for
  developing and implementing it
• both management body and senior management should
  be responsible for approving all material aspects
  of the rating and estimation processes
• Mangement body and senior management to have a
  general understanding of the institutions rating
  systems and detailed comprehension of its
  associated management reports

30
5. Summary and Outlook

• GL 10 was heavily critizised by the industry (too
  much rules- and not enough principles-based).
  However, managing an IRB application is a new
  field for supervisors rather detailed guidelines
  were therefore deemed helpful at this stage
• Probably most helpful for the industry common
  application and decision process, part on Low
  Default Portfolios
• Evolving industry practices and the practical
  application of these guidelines will enlarge
  supervisors experience. It could turn out that
  certain elements of the guidelines may not stand
  the test of time (e.g. unexpected side effects).
  Supervisors may reflect such additional
  information for the interpretation of these
  guidelines.
• GL10 will be subject to review following
  implementation of the CRD, when and where
  necessary ('maintenance').
• Implementation seminars on (e.g.) Article 129(2)
  applications, Downturn LGD and CF estimations,
  etc. are scheduled/envisaged.