Understanding banking regulatory requirements for operational risk management

Introduction

Operational risk management is a critical aspect of the banking industry, aimed at identifying, assessing, and mitigating risks associated with internal processes, people, and systems. In order to promote stability and resilience within the banking sector, regulators have implemented stringent frameworks and requirements to address operational risk.

History of operational risk regulation

Regulatory expectations regarding operational risk management were set out by the Basel Committee on Banking Supervision’s (BCBS) 2003 document Sound Practices for the Management and Supervision of Operational Risk. Soon after, Basel II requirements included operational risk for the first time to accommodate a more structured approach to its management and the holding of capital to support operational risk exposures.

The financial crisis highlighted many deficiencies in the overall regulatory framework. Although Basel III introduced quite significant changes, few were related to operational risk. The main change, initially anyway, was the update of the 2003 document with the publication of Principles for the Sound Management of Operational Risk in 2011.

The other change post-crisis was greater regulatory intrusion in all aspects of risk management, including operational risk. One reason for this was the number of high-profile operational risk failures that led to regulatory fines, censure, and the need for banks to compensate customers. More recently, changes were announced in relation to calculating regulatory capital for operational risk as well as standardizing reports to enhance Pillar 3 disclosures.

Under Basel II, banks had three options for calculating regulatory capital for operational risk. These options were initially left unchanged in Basel III.

1. Basic Indicator Approach (BIA)

This approach bases the capital requirement on the average of a bank’s gross income for the previous three years (omitting years with zero or negative income). The average is then multiplied by a factor – denoted alpha (α) and set at 15% – to generate the capital charge.

2. The Standardized Approach (TSA)

This approach is similar to the BIA, but the percentages applied – denoted beta (β) in this case – vary by business unit income rather than a bank’s overall income (for example, 12% for retail banking and 18% for trading). The total capital charge is the three-year average of the sum of the charges across each of the business lines in each year.

3. Advanced Measurement Approach (AMA)

This approach allows banks to use their own model, provided capital is sufficient to cover one year’s losses at a 99.9% confidence level and other key requirements are met.

The BIA is easy to calculate, but there is no correlation with the size and nature of a bank’s operational risk exposures or the strength of its internal controls. Two banks with the same average income, for example, would have the same capital requirement even if one experienced lower losses due to better operational risk management. TSA addresses this in part as the different percentages recognize that some activities carry more operational risk than others – but it is still fairly crude. 
 
Initially, the AMA was an attractive option for larger banks, based on the anticipated benefit of lower capital requirements. But building a model, and getting regulatory approval, proved challenging. In practice, only a few banks obtained approval, and many abandoned the AMA option completely. The lack of comparability arising from a wide range of internal modeling practices was also a concern. In response, the BCBS decided to adopt a single methodology for calculating regulatory capital for operational risk, replacing the three approaches just described. Details of this “standardized approach” were finalized in December 2017 and the implementation date for banks was set for January 1, 2022.

Standardized approach for calculating regulatory capital

The standardized approach for calculating regulatory capital for operational risk is a key component of the Basel framework. It provides a standardized method for banks to estimate their capital requirements based on their operational risk profiles. The standardized approach categorizes a bank’s activities into business lines, each with its own predetermined factor, and applies these factors to calculate the capital charge for operational risk.

Categorization of business lines


The Basel framework defines seven business lines for categorizing operational risk. These business lines are:

  1. Corporate Finance
  2. Trading and Sales
  3. Retail Banking
  4. Commercial Banking
  5. Payment and Settlement
  6. Agency Services
  7. Asset Management

Determining capital charge


To calculate the capital charge for operational risk, banks assign a risk weight to each business line based on their relative operational risk exposure. The risk weights are expressed as percentages and are applied to the average gross income generated by each business line over a reference period. The resulting capital charge is then added to other capital charges for credit risk, market risk, and other components to determine the total regulatory capital requirement.

Advantages and challenges of the standardized approach

The standardized approach for calculating regulatory capital for operational risk offers several advantages. It provides a consistent and transparent method for estimating capital requirements, facilitates benchmarking across banks, and enhances comparability and consistency in reporting. However, challenges arise in capturing the full spectrum of operational risks, as well as the subjectivity in assigning risk weights to business lines, which may lead to potential underestimation or overestimation of capital requirements.

Supervisory Review and Evaluation Process (SREP)

In addition to the standardized approach, regulators require banks to undergo a Supervisory Review and Evaluation Process (SREP). SREP is a comprehensive assessment conducted by regulators to evaluate a bank’s risk management framework, internal controls, and capital adequacy. It includes qualitative and quantitative elements to ensure banks have robust risk governance structures and appropriate capital levels for operational risk.

 

Governance and risk management framework expectations


The BCBS’s principles articulate expectations in relation to a bank’s governance activities and the requirements of a bank’s risk management framework (RMF).

Board of directors

A bank’s board is expected to ensure that there is:

  • An appropriate risk management culture
  • An appropriate and effective RMF
  • A clear statement of risk appetite and tolerance

Senior management

Senior management is expected to put in place policies and processes for managing operational risk for all the bank’s material products, activities, processes, and systems that are consistent with the board’s risk appetite and tolerance.

Risk identification

There must be means to identify the operational risks inherent in material products, activities, processes, and systems.

Control & mitigation

Robust controls and risk mitigation/transfer strategies (such as business continuity plans) are expected to be in place.

Monitoring & reporting

Processes to monitor and report, up to board-level, operational risk profiles and material exposures are required.

Disclosure

Banks are required to disclose how they manage operational risk as well as details of risk exposures and capital requirements in their annual report and/or their Pillar 3 disclosure report.

Banks use these principles when developing and updating their RMFs, and regulators use them as a checklist when assessing the operational risk management and capital adequacy of individual banks. But the Review of the Principles for the Sound Management of Operational Risk published by the BCBS in 2014 concluded that “…banks have made insufficient progress in implementing the Principles.” As a result, regulators continue to be rigorous when assessing how requirements have been implemented, such as when reviewing ICAAP (internal capital adequacy assessment process) submissions.

The current banking regulatory requirements for operational risk management, as defined by the Basel Committee on Banking Supervision, emphasize the importance of effectively identifying, assessing, and managing operational risks. As the banking industry continues to evolve, regulatory requirements will likely adapt to address emerging risks and promote the stability and resilience of the financial system.
