LO 58.6: Describe and contrast the major elements of the three options

LO 58.6: Describe and contrast the major elements of the three options available for the calculation of operational risk capital: basic indicator approach, standardized approach, and the Advanced Measurement Approach.
Basel II requires banks to maintain capital for operational risks. Operational risks include failures of the banks procedures that result in loss (e.g., fraud, losses due to improper trading activities). External events that result in loss, such as a fire, are also considered operational risks.
Under Basel II, there are three approaches banks may use to calculate capital for operational risk: 1. Basic indicator approach.
2. Standardized approach.
3. Advanced measurement approach. Basic Indicator Approach (BIA). This is the simplest approach and is used by banks with less sophisticated risk management functions. The required capital for operational risk is equal to the banks average annual gross income (i.e., net interest income plus non-interest income) over the last three years multiplied by 0.15.
The Standardized Approach (TSA). This method is similar to the basic indicator approach. The primary difference between the two approaches is that a different multiplier is applied to the banks gross income for different lines of business.
Advanced Measurement Approach (AMA). Like the IRB approach discussed for credit risk, the capital requirement for operational risk under the advanced measurement approach is based on an operational risk loss (i.e., VaR) calculated over a one-year time horizon with a 99.9% confidence level. The approach has an advantage in that it allows banks to consider risk mitigating factors such as insurance contracts (e.g., fire insurance).
Professors Note: While Basel IIgenerally lowered credit risk capital requirements fo r most banks, requiring banks to hold capital fo r operational risks had the effect o f raising overall capital requirements back to (approximately) Basel I levels.
B a s e l II P i l
l a r s o f S o u n d B a n k M a n a g e m e n t

LO 58.8: Define in the context of Basel II and calculate the worst-case default rate

LO 58.8: Define in the context of Basel II and calculate the worst-case default rate (WCDR).
Basel II specifies three approaches that banks can use to measure credit risk: 1. Standardized approach.
2. Foundation internal ratings based (IRB) approach.
3. Advanced IRB approach.
The Standardized Approach
The standardized approach is used by banks with less sophisticated risk management functions. The risk-weighting approach is similar to Basel I, although some risk weights were changed. Significant changes include: OECD status is no longer considered important under Basel II. The credit ratings of countries, banks, and corporations are relevant under Basel II.
For example, sovereign (country) risk weights range from 0% to 150%, and bank and corporate risk weights range from 20% to 150%.
Bank supervisors may apply lower risk weights when the exposure is to the country in
which the bank is incorporated.
Bank supervisors may choose to base risk weights on the credit ratings of the countries in which a bank is incorporated rather than on the banks credit rating. For example, if a sovereign rating is AAA to AA, the risk weight assigned to a bank is 20%. The risk weight increases to 150% if the country is rated below B and is 100% if the countrys bonds are unrated.
Risk weights are lower for unrated countries, banks, and companies than for poorly rated
countries, banks, and companies.
Bank supervisors who elect to use the risk weights in Figure 3 are allowed to lower the
risk weights for claims with maturities less than three months. For example, the risk weights for short-maturity assets may range from 20% if the rating is between AAA to BBBor unrated, to 150% if the rating is below B.
A 75% risk weight is applied to retail loans, compared to 100% under Basel I. A 100%
risk weight is applied to commercial real estate loans. The uninsured residential mortgage risk weights are 35% under Basel II, down from 50% under Basel I.
A sample of risk weights under the standardized approach is presented in Figure 3.
Page 274
2018 Kaplan, Inc.
Topic 58 Cross Reference to GARP Assigned Reading – Hull, Chapter 15
Figure 3: Risk Weights (as a Percent) Under Basel Us Standardized Approach
AAA to AA- 0 20 20
A+ to A – 20 50 50
BBB+ to BBB-
50 50 100
BB+ to B B – 100 100 100
B+ to B – 100 100 150
Below B Unrated
150 150 150
100 50 100
Country
Bank
Corporation
Collateral Adjustments
Banks adjust risk weights for collateral using the simple approach, similar to Basel I, or the comprehensive approach, used by most banks. Under the simple approach, the risk weight of the collateral replaces the risk weight of the counterparty. The counterpartys risk weight is used for exposure not covered by collateral. Collateral must be revalued at least every six months. A minimum risk weight of 20% is applied to collateral. Using the comprehensive approach, banks adjust the size of the exposure upward and the value of the collateral downward, depending on the volatility of the exposure and of the collateral value.
Example: Adjusting for collateral using the simple approach
Blue Star Bank has a $100 million exposure to Monarch, Inc. The exposure is secured by $80 million of collateral consisting of AAA-rated bonds. Monarch has a credit rating of B. The collateral risk weight is 20% and the counterparty risk weight is 150%. Using the simple approach, calculate the risk-weighted assets.
Answer:
(0.2 x 80) + (1.5 x 20) = $46 million risk-weighted assets
Example: Adjusting exposure and collateral using the comprehensive approach
Blue Star Bank assumes an adjustment to the exposure in the previous example of + 15% to allow for possible increases in the exposures. The bank also allows for a 20% change in the value of the collateral. Calculate the new exposure using the comprehensive approach.
Answer:
(1.15 x 100) – (0.8 x 80) = $51 million exposure
Applying a risk weight of 150% to the exposure:
1.5 x 51 = $76.5 million risk-weighted assets
2018 Kaplan, Inc.
Page 27 5
Topic 58 Cross Reference to GARP Assigned Reading Hull, Chapter 15
The Internal Ratings Based (IRB) Approach
United States regulators applied Basel II to large banks only. As such, regulatory authorities decided that the IRB approach must be used by U.S. banks. Under the IRB approach, the capital requirement is based on a VaR calculated over a one-year time horizon and a 99.9% confidence level. The model underlying this approach is shown in Figure 4.
Figure 4: Capital Requirement
VaR = loss at a very high confidence level (99.9%)
expected loss
The goal of the IRB approach is to capture unexpected losses (UL). Expected losses (EL) should be covered by the banks pricing (e.g., charging higher interest rates on riskier loans to cover EL). The capital required by the bank is thus VaR minus the banks EL. The VaR can be calculated using a Gaussian copula model of time to default. That is:
WCDR; =N
N -1(PDi) + VpN – (0.999)
f – p
In this equation, WCDRj is the worst case probability of default. The bank can be 99.9% certain that the loss from the zth counterparty will not exceed this amount in the coming year. PD is the one-year probability of default of the zth obligor given a large number of obligors, and p is the copula correlation between each pair of obligors.
Professor’s Note: WCDR is called the worst case probability o f default in the assigned reading. It is also called the worst case default rate, hence the acronym WCDR.
Assuming the bank has a large portfolio of instruments such as loans and derivatives with the same correlation, the one-year, 99.9% VaR is approximately:
VaR9 9 9 o/0 iyear ~ T^EAD; x LGDj xWCDRi
1
Page 276
2018 Kaplan, Inc.
Topic 58 Cross Reference to GARP Assigned Reading – Hull, Chapter 15
EADj is the exposure at default of the zth counterparty or the dollar amount the zth counterparty is expected to owe if it defaults. For example, if the counterparty has a loan outstanding, EAD would likely be the principal amount outstanding on the loan at the time of default. LGDj is the loss given default for the zth counterparty or the proportion of the EADi that is expected to be lost in the event of default. For example, if the bank expected to collect (i.e., recover) 40% in the event of default, the LGDj would be 60% (i.e., 1 0.4 = 0.6).
Recall from Book 2 that the expected loss (EL) from default is computed as:
EL =
1
EAD; x LGD; x PD;
The capital the bank is required to maintain is the excess of the worst-case loss over the banks expected loss defined as follows:
required capital = y^EAD; x LGD| x (WCDRj PD^)
1
Note that WCDR, PD, and LGD are expressed as decimals while EAD is expressed in dollars.
Figure 5 shows the dependence of the one-year WCDR on PD and correlation, p.
Figure 5: Dependence of One-Year, 99.9% WCDR on PD and p = 0.0= 0.4= 0.8 p = 0.0 p = 0.2 p = 0.4 p = 0.6 p = 0.8
PD = 0.1%
0.1% 2.8% 7.1% 13.5% 23.3%
PD = 0.5%
0.5% 9.1% 21.1% 38.7% 66.3%
PD = 1% 1.0% 14.6% 31.6% 54.2% 83.6%
PD = 1.5%
1.5% 18.9% 39.0% 63.8% 90.8%
PD = 2.0%
2.0% 22.6% 44.9% 70.5% 94.4%
It is clear from Figure 5 that WCDR increases as the correlation between each pair of obligors increases and as the probability of default increases. If the correlation is 0, then WCDR is equal to PD.
Basel II assumes a relationship between the PD and the correlation based on empirical research. The formula for correlation is:
p = 0.12 x (1 + e~^ x PD)
Note that there is an inverse relationship between the correlation parameter and the PD. As creditworthiness declines, the PD increases. At the same time, the PD becomes more idiosyncratic and less affected by the overall market, thus the inverse relationship.
2018 Kaplan, Inc.
Page 277
Topic 58 Cross Reference to GARP Assigned Reading – Hull, Chapter 15
The relationship between WCDR and PD, as shown in Figure 6, is obtained by combining the previous equation with the calculation of WCDR. The WCDR increases as the PD increases, but not as fast as it would if the correlation were assumed to be independent of PD.
Figure 6: Relationship Between WCDR and PD for Firm, Sovereign, and Bank Exposures
PD WCDR
2.0% 0.1% 0.5% 1.0% 3.4% 9.8% 14.0% 16.9% 19.0%
1.5%
>From a counterpartys perspective, the capital required for the counterparty incorporates a maturity adjustment as follows:
required capital = EAD x LGD x (WCDR PD) x MA
where: MA = maturity adjustment = (1 + (M 2.5) x b)l{ 1 – 1.5 x ^) M = maturity of the exposure b [0.11852-0.05478 x In (PD)]2 = [0.11852-0.05478 x In (PD)]2
The maturity adjustment, MA, allows for the possibility of declining creditworthiness and/ or the possible default of the counterparty for longer term exposures (i.e., longer than one year). If M = 1.0, then MA =1.0 and the maturity adjustment has no impact. The risk- weighted assets are calculated as 12.5 times capital required:
RWA = 12.5 x [EAD x LGD x (WCDR – PD) x MA] The capital required is 8% of RWA. The capital required should be sufficient to cover unexpected losses over a one-year period with 99.9% certainty (i.e., the bank is 99.9% certain the unexpected loss will not be exceeded). Expected losses should be covered by the banks product pricing. Theoretically, the WCDR is the probability of default that happens once every 1,000 years. If the Basel Committee finds the capital requirements too high or too low, it reserves the right to apply a scaling factor (e.g., 1.06 or 0.98) to increase or decrease the required capital.
Professors Note: On the exam, i f you begin with RWA, multiply by 0.08 to get the capital requirement. I f instead you begin with the capital requirement, multiply by 12.5 (or divide by 0.08) to get RWA. In other words, these percentages are simply reciprocals (i.e., 1/0.08 = 12.5).
Foundation IRB Approach vs. Advanced IRB Approach
The foundation IRB approach and the advanced IRB approach are similar with the exception of who provides the estimates of LGD, EAD, and M. The key differences between the two approaches are outlined by the following.
Page 278
2018 Kaplan, Inc.
Topic 58 Cross Reference to GARP Assigned Reading – Hull, Chapter 15
Foundation IRB Approach The bank supplies the PD estimate. For bank and corporate exposures, there is a 0.03%
floor set for PD.
The LGD, EAD, and M are supervisory values set by the Basel Committee. The Basel
Committee set LGD at 45% for senior claims and 75% for subordinated claims. If there is collateral, the LGD is reduced using the comprehensive approach described earlier.
The EAD is calculated similar to the credit equivalent amount required under Basel I. It
includes the impact of netting.
M is usually set to 2.5.
Advanced IRB Approach Banks supply their own estimates of PD, LGD, EAD, and M. PD can be reduced by credit mitigants such as credit triggers subject to a floor of 0.03%
for bank and corporate exposures.
LGD is primarily influenced by the collateral and the seniority of the debt. With supervisory approval, banks can use their own estimates of credit conversion factors
when calculating EAD.
Foundations IRB Approach and Advanced IRB Approach for Retail Exposures The two methods are merged for retail exposures. Banks provide their own estimates of
PD, EAD, and LGD.
There is no maturity adjustment (MA) for retail exposures. The capital requirement is EAD x LGD x (W CD R- PD). Risk-weighted assets are 12.5 x EAD x LGD x (WCDR PD). Correlations are assumed to be much lower for retail exposures than for corporate
exposures.
Example: RWA under the IRB approach
Assume Blue Star Bank has a $150 million loan to an A-rated corporation. The PD is 0.1% and the LGD is 50%. Based on Figure 6, the WCDR is 3.4%. The average maturity of the loan is 2.5 years. Calculate the RWA using the IRB approach and compare it to the RWA under Basel I.
Answer:
b = [0.11852 – 0.05478 x ln(O.OOl)]2 = 0.247
MA = 1/ (1 – (1.5 x 0.247)) = 1.59
risk-weighted assets = 12.5 x 150 x 0.5 x (0.034 0.001) x 1.59 = $49.19 million
Under Basel I, the RWA for corporate loans was 100% or $150 million in this case. Thus, the IRB approach lowers the RWA for higher rated corporate loans, in this case from $150 million to $49.19 million.
2018 Kaplan, Inc.
Page 279
Topic 58 Cross Reference to GARP Assigned Reading – Hull, Chapter 15
O p e r a t i o n a l R i s k C a p i t a l R e q u i r e m e n t s

LO 58.4: Calculate VaR and the capital charge using the internal models approach,

LO 58.4: Calculate VaR and the capital charge using the internal models approach, and explain the guidelines for backtesting VaR.
According to the 1996 .Amendment, the market risk VaR is calculated with a 10-trading day time horizon and a 99% confidence level. The market risk capital requirement is calculated as:
max(VaRt l, mc x VaRavg) + SRC multiplicative factor where: VaRt l = previous days VaR VaRavg = the average VaR over the past 60 trading days mc = multiplicative factor SRC = specific risk charge
The multiplicative factor must be at least three, but may be set higher by bank supervisors if they believe a banks VaR model has deficiencies. This means the capital charge will be the higher of either the previous days VaR or three times the average of the daily VaR plus a charge for company specific risks (i.e., the SRC).
Banks calculate a 10-day, 99% VaR for SRC. Regulators then apply a multiplicative factor (which must be at least four) similar to mc to determine the capital requirement. The total capital requirement for banks using the internal model-based approach must be at least 50% of the capital required using the standardized approach.
Page 272
2018 Kaplan, Inc.
Topic 58 Cross Reference to GARP Assigned Reading – Hull, Chapter 15
The banks total capital charge, according to the 1996 Amendment, is the sum of the capital required according to Basel I, described in LO 58.2, and the capital required based on the 1996 Amendment, described in this LO. For simplicity, the RWAs for market risk capital was defined as 12.5 times the value given in the previous equation. The total capital a bank has to keep under the 1996 Amendment is:
total capital = 0.08 x (credit risk RWA + market risk RWA)
where: market RWA = 12.5 x (max(VaRt_1, mc x VaRavg) + SRC) credit RWA = E(RWA on-balance sheet) + E(RWA off-balance sheet)
Example: Market risk capital charge
A bank calculates the previous days market risk VaR as $ 10 million. The average VaR over the preceding 60 trading days is $8 million. The specific risk charge is $5 million. Assuming a multiplicative factor of three, calculate the market risk capital charge.
Answer: $29 million market risk capital charge = 0.08 x {12.5 x [(3 x $8 million) + $5 million]} = $29 million
Backtesting
The 1996 Amendment requires banks to backtest the one-day, 99% VaR over the previous 250 days. A bank calculates the VaR using its current method for each of the 250 trading days and then compares the calculated VaR to the actual loss. If the actual loss is greater than the estimated loss, an exception is recorded. The multiplicative factor (mc) is set based on the number of exceptions. If, over the previous 250 days, the number of exceptions is: Less than 5, mc is usually set equal to 3.
Greater than 10, mc is set equal to 4. The bank supervisor has discretion regarding the multiplier. If the exception is due to changes in the banks positions during that day, the higher multiplier may or may not be used. If the exception is due to deficiencies in the banks VaR model, higher multipliers are likely to be applied. There is no guidance to supervisors in terms of higher multipliers if an exception is simply the result of bad luck.
5, 6, 7, 8, or 9, mc is set equal to 3.4, 3.5, 3.65, 3.75, and 3.85, respectively.
2018 Kaplan, Inc.
Page 273
Topic 58 Cross Reference to GARP Assigned Reading – Hull, Chapter 15
C r e d i t R i s k C a p i t a l R e q u i r e m e n t s

LO 58.3: Describe and contrast the major elements—including a description of

LO 58.3: Describe and contrast the major elementsincluding a description of the risks coveredof the two options available for the calculation of market risk capital: Standardized Measurement Method
Internal Models Approach
The goal of the 1996 Amendment to the 1988 Basel Accord was to require banks to measure market risks associated with trading activities and maintain capital to back those risks. Banks must mark-to-market (i.e., fa ir value accounting) bonds, marketable equity securities, commodities, foreign currencies, and most derivatives that are held by the bank for the purpose of trading (referred to as the trading book). Banks do not have to use fair value accounting on assets they intend to hold for investment purposes (referred to as the banking book). This includes loans and some debt securities. The 1996 Amendment proposed two methods for calculating market risk: 1. Standardized Measurement Method.
2.
Internal Model-Based Approach.
2018 Kaplan, Inc.
Page 271
Topic 58 Cross Reference to GARP Assigned Reading – Hull, Chapter 15
Standardized Measurement Method. This method assigns a capital charge separately to each of the items in the trading book. It ignores correlations between the instruments. Banks with less sophisticated risk management processes are more likely to use this approach.
Internal Model-Based Approach. This method involves using a formula specified in the amendment to calculate a value at risk (VaR) measure and then convert the VaR into a capital requirement. Capital charges are generally lower using this method because it better reflects the benefits of diversification (i.e., correlations between the instruments). As such, banks with more advanced risk management functions prefer the internal models approach.
Risks covered by the VaR model include movements in broad market variables such as interest rates, exchange rates, stock market indices, and commodity prices.
The VaR model does not incorporate company-specific risks such as changes in a firms credit spread or changes in a companys stock price. The specific risk charge (SRC) captures company-specific risks. For example, a corporate bond has interest rate risk, captured by VaR, and credit risk, captured by the SRC. Tier 3 capital consisting of short-term subordinated, unsecured debt with an original maturity of at least two years could be used to meet the market risk capital requirement at the time of the amendment. Tier 3 capital has subsequently been eliminated under Basel III.

LO 58.2: Explain the calculation of risk-weighted assets and the capital

LO 58.2: Explain the calculation of risk-weighted assets and the capital requirement per the original Basel I guidelines.
Basel I put forth two capital requirements: 1. The banks total assets to capital ratio had to be less than 20 (i.e., capital to total
assets had to be greater than 1/20 or 5%). This capital requirement was similar to the requirements in many countries prior to 1988.
2. The banks on- and off-balance sheet items had to be used to calculate risk-weighted
assets (RWA). RWA is intended to measure a banks total credit exposure. The ratio of capital to risk-adj usted assets is called the Cooke ratio, after Peter Cooke from the Bank of England. Basel I stipulated that the Cooke ratio must exceed 8%.
Most banks met the first requirement. However, the risk-based capital requirement (i.e., the second requirement) was the key change to capital regulation. The process for calculating risk-weighted assets includes assigning a risk weight that reflects the banks credit risk exposure, to each of the on- and off-balance sheet items. A sample of some of the risk weights assigned to various asset categories is shown in Figure 1.
Figure 1: Risk Weights for On-Balance Sheet Items
Risk Weight (%)
Asset Category
0%
20%
50% 100%
Cash, gold, claims on Organisation of Economic Co-operation and Development (OECD) countries such as U.S. Treasury bonds and insured residential mortgages Claims on OECD banks and government agencies like U.S. agency securities or municipal bonds Uninsured residential mortgages Loans to corporations, corporate bonds, claims on non-OECD banks
Example: Risk-weighted assets
The assets of Blue Star Bank consist of $20 million in U.S. Treasury bills, $20 million in insured mortgages, $50 million in uninsured mortgages, and $150 million in corporate loans. Using the risk weights from Figure 1, calculate the banks risk-weighted assets.
Answer:
(0.0 x $20) + (0.0 x $20) + (0.5 x $50) + (1.0 x $150) = $175 million
Page 268
2018 Kaplan, Inc.
Topic 58 Cross Reference to GARP Assigned Reading – Hull, Chapter 15
Off-balance sheet items are expressed as a credit equivalent amount. The credit equivalent amount is, in essence, the loan principal that is considered to have the same credit risk. This means the bank converts off-balance sheet items into on-balance sheet equivalents for the purpose of calculating risk-based capital. The weight is then multiplied by the principal amount (i.e., the credit equivalent amount) of the item to arrive at a risk-weighted value. A conversion factor is applied to the principal amount of the instrument for non-derivatives. Off-balance sheet items that are similar, from a credit perspective, to loans (e.g., bankers acceptances), have a conversion factor of 100%. Other off-balance sheet items, such as note issuance facilities, have lower conversion factors.
For interest rates swaps and other over-the-counter (OTC) derivatives, the credit equivalent amount is calculated as:
max(V, 0) + a x L
where: V = current value of the derivative to the bank a = add-on factor L = principal amount
The first term in the equation [max(V, 0)] reflects the banks current exposure. If the counterparty defaults and V, the current value of the derivative, is positive, the bank will lose V If the counterparty defaults and Vis negative, the exposure is 0 (i.e., no gain or loss to the bank). The add-on amount (a x L) allows for the possibility that the banks exposure may increase in the future. Add-on factors are higher for higher risk derivatives (e.g., longer maturities, riskier underlying assets). A sample of add-on factors is shown in Figure 2.
Figure 2: Add-on Factors as a Percent of Principal for Derivatives
Remaining Maturity
in Years
Interest Rate
Exchange Rate
and Gold year 15 years < 1 year 1 to 5 years > 5 years
0.0 0.5 1.5
1.0 5.0 7.5
Equity
6.0 8.0 10.0
Other
Commodities
10.0 12.0 15.0
Flxample: Credit equivalent amounts for off-balance sheet items
Blue Star Bank has entered a $175 million interest rate swap with a remaining maturity of three years. The current value of the swap is $2.5 million. Using the add-on factors in Figure 2, calculate the swaps credit equivalent amount.
Answer:
The add-on factor is 0.5% of the interest rate swap principal.
credit equivalent amount = $2.5 + (0.005 x $175) = $3,375 million
2018 Kaplan, Inc.
Page 269
Topic 58 Cross Reference to GARP Assigned Reading – Hull, Chapter 15
The credit equivalent amount is multiplied by the risk weight for the counterparty to calculate risk-weighted assets. Risk weights are similar to those shown in Figure 1 with the exception of corporate counterparties. If the counterparty is a corporation, the risk weight is 50%. If the counterparty is an OECD bank, the risk weight is 20%.
Example: Calculating risk-weighted assets for an off-balance sheet item
In the previous example, Blue Star Bank entered an interest rate swap that had a credit equivalent amount of $3,375,000. Calculate the risk-weighted assets assuming (1) the counterparty is an OECD bank and (2) the counterparty is a corporation.
Answer:
RWA assuming counterparty is an OECD bank: $3,375,000 x 0.2 = $675,000
RWA assuming counterparty is a corporation: $3,375,000 x 0.5 = $1,687,500
The total RWAs of the bank are calculated by summing the on- and off-balance sheet risk- weighted items as follows:
M N E wiLi + E wic i i=i
j= i
where: w- = the risk weight of the counterparty of the zth on-balance sheet item Lj = principal of the zth on-balance sheet item w. = the risk weight of the counterparty of theyth off-balance sheet item C. = credit equivalent amount of theyth off-balance sheet item The bank must maintain at least 8% capital to risk-weighted assets.
Example: Calculating risk-based capital
Using the information from the previous three examples, calculate Blue Star Banks required capital, assuming the swap counterparty is a corporation.
Answer:
($175 million + $1.6875 million) x 0.08 = $14,135 million
Page 270
2018 Kaplan, Inc.
Topic 58 Cross Reference to GARP Assigned Reading – Hull, Chapter 15
According to Basel I, capital has two components, Tier 1 capital and Tier 2 capital.
Tier 1 capital (or core capital) consists of items such as: Equity (subtract goodwill from equity). Non-cumulative perpetual preferred stock. Tier 2 capital (or supplementary capital) consists of items such as: Cumulative perpetual preferred stock. Certain types of 99-year debentures.
Subordinated debt with an original maturity greater than five years (where the subordination is to depositors).
Equity capital (i.e., Tier 1) absorbs losses. Supplementary capital (i.e., Tier 2) is subordinate to depositors and thus protects depositors in the event of a bank failure. At least 50% of capital must be Tier 1. This means there is a 4% Tier 1 capital to risk-weighted assets requirement (i.e., 8% x 0.5). Half of the Tier 1 requirement has to be met with common equity. Under Basel I, some countries required banks to have more capital than required by The Accord.
Professors Note: Basel I had a number o f shortcomings that were rem edied over the com ing years with new capital accords. For example, Basel I treats all corporate loans the same in terms o f capital requirements. The creditworthiness o f the borrower is ignored. Also, Basel 1 did not include a m odel o f default correlation.
M a r k e t R i s k C a p i t a l R e q u i r e m e n t s

LO 58.1: Explain the motivations for introducing the Basel regulations, including

LO 58.1: Explain the motivations for introducing the Basel regulations, including key risk exposures addressed, and explain the reasons for revisions to Basel regulations over time.
Prior to 1988, bank capital regulations were inconsistent across countries and ignored the riskiness of individual banks. Requirements were stated as minimum ratios of capital to total assets or as maximum ratios of total assets to capital. Some countries and/or regulatory authorities were more diligent in their enforcement of capital regulations than others. As banks became increasingly global, banks operating in countries with more lax standards were perceived to have a competitive advantage over banks operating in countries with strict enforcement of capital regulations.
There were additional problems with the existing regime. First, high risk loans from international banks to lesser developed countries such as Mexico and Brazil raised questions about the adequacy of existing capital to cover potential losses. Second, banks used accounting games to record some of these transactions, masking risk. Third, bank transactions were becoming more complex. Off-balance sheet transactions in over-the- counter (OTC) derivatives like interest rate swaps, currency swaps, and options were growing. These off-balance sheet deals did not affect total assets, and thus did not affect the amount of capital a bank was required to keep, providing fuel to the growing belief that total assets did not reflect a banks total risk. In 1988, the Basel Committee put forth its first guidance to set international risk-based capital adequacy standards, called the 1988 BIS Accord, now commonly known as Basel I.
2018 Kaplan, Inc.
Page 267
Topic 58 Cross Reference to GARP Assigned Reading – Hull, Chapter 15
Ba s e l I

LO 57.3: Describe topics and provisions that should be addressed in a contract

LO 57.3: Describe topics and provisions that should be addressed in a contract with a third-party service provider.
Considerations and contract provisions for third-party service providers should include the following elements:
Scope. A contract will state the rights and responsibilities of each party. Examples include (1) contract duration, (2) support, maintenance, and customer service, (3) training of financial institution employees, (4) policies regarding subcontracting, (5) insurance coverage, and (6) policies regarding the use of the financial institutions assets and employees.
Cost and compensation. A contract should indicate the party (or parties) responsible for the payment of any equipment purchases, legal fees, and audit fees pertaining to the service providers activities. In addition, there should be a listing of all forms of compensation (i.e., fixed, variable, special charges).
Incentive compensation. A contract should include a provision to allow the financial institution to review the appropriateness of incentive compensation (if applicable). Specifically, the service provider may be involved in sales on behalf of the financial institution. Therefore, the incentives should be structured to ensure that the service provider places the interests of the customers (i.e., suitable financial products) over their own interests (i.e., earning higher fees) and to ensure that the service provider does not expose the financial institution to excessive risks.
Right to audit. A contract could optionally contain a provision to allow the financial institution to audit the service provider. It may also require the receipt of various audit reports [e.g., American Institute of Certified Public Accountants (AICPA) Service Organization Control 2 report, Federal Financial Institutions Examination Council (FFIEC) Technology Service Provider examination report] relating to the service provider at stipulated intervals.
2018 Kaplan, Inc.
Page 261
Topic 57 Cross Reference to GARP Assigned Reading – Board o f Governors o f the Federal Reserve System
Establishment and monitoring o f performance standards. A contract should state specific and measurable performance standards (i.e., metrics) with regard to the service providers work.
Oversight and monitoring. A contract should include a provision requiring the service provider to provide annual financial statements (and the annual report, if applicable) to the financial institution to allow the financial institution to monitor the service providers ability to continue as a going concern. In addition, a provision should be included to allow the financial institution to increase monitoring and oversight activities when performance deficiencies, control weaknesses, and viability concerns are noted. With regard to higher- risk service providers, a contract could stipulate extra reporting by the service provider or additional monitoring by the financial institution.
Confidentiality and security o f information. A contract must contain extensive provisions concerning the confidentiality and security of information pertaining to both the financial institution and its customers. The service provider should only be given such information that is necessary to perform its tasks. Specifically, in the United States, the FFIEC guidance and section 501(b) of the Gramm-Leach-Bliley Act must be followed and should be noted in the contract.
With regard to nonpublic personal information (NPPI) pertaining to the financial institutions customers, a contract should address access, security, and retention of NPPI data by the service provider (if applicable) to comply with privacy laws and regulations. A contract should also require the service provider to give notice to the financial institution of any breaches of data. In that regard, a contract needs to clarify the parties roles and responsibilities pertaining to NPPI data.
Ownership and license. A contract should state when service providers are permitted to use the financial institutions property (i.e., data and equipment). In addition, clarification is needed regarding the ownership and control of data produced by a service provider. In the event of software purchased from a service provider, it could be necessary to have escrow agreements in place so that the financial institution could access the source code and programs under certain conditions, such as discontinued product support or insolvency of a service provider.
Indemnification. A contract should require the service provider to indemnify (i.e., hold harmless) the financial institution in the event of any legal proceedings arising from the service providers negligence.
Default and termination. A contract should clarify the types of actions that would constitute a default together with any reasonable remedies that could be undertaken by the financial institution and methods to overcome default by the service provider. In terms of termination, common reasons, such as change in control, poor performance, and nonperformance of duties, should be explained and measured. There should be a provision that requires the service provider to give sufficient notice of termination to the financial institution in the event of a termination by the service provider. Finally, it is important to include provisions detailing the service providers requirement to return the financial institutions data, records, and any other property.
Page 262
2018 Kaplan, Inc.
Topic 57 Cross Reference to GARP Assigned Reading – Board o f Governors o f the Federal Reserve System
Dispute resolution. A contract should lay out an agreed-upon dispute resolution plan to resolve disputes quickly and minimize disruption during a dispute.
Limits on liability. A contract may allow for service providers to limit their liability subject to approval by the financial institutions board of directors and management team.
Insurance. A contract should stipulate the requirement of service providers to carry sufficient insurance and provide evidence of coverage. In addition, any significant changes in coverage should be communicated to the financial institution.
Customer complaints. A contract should state which party will deal with customer complaints. If it is the service provider, then they should be required to prepare reports to the financial institution listing the complaints and their status.
Business resumption and contingency plan o f the service provider. A contract should detail how the service provider will continue to provide services should a major disaster occur. The focus should be on critical services and any necessary alternative arrangements. Other items, such as backups, disaster recovery and business continuity plans, responsibility for maintaining and testing of such plans, and frequency of testing of such plans, should be included.
Foreign-based service providers. A contract could attempt to provide for the law and regulations of only one jurisdiction (i.e., the financial institutions) to apply for the purposes of contract enforcement and resolution of disputes. This would avoid potentially confusing situations where the foreign laws differ substantially from local laws.
Subcontracting. The subcontractor should be held to the same contract terms in the event that subcontracting is permitted. The contract should explicitly state that the primary service provider is ultimately responsible for all the work performed by the service provider and its subcontractors. The contract should provide a list of acceptable tasks that may be subcontracted and how the primary service provider will supervise and review the subcontractors work. Finally, the primary service providers method of performing financial due diligence on the subcontractor should be documented in the contract.
2018 Kaplan, Inc.
Page 263
Topic 57 Cross Reference to GARP Assigned Reading – Board o f Governors o f the Federal Reserve System
Ke y C o n c e pt s
LO 57.1 The following risks could arise when a financial institution outsources its operational functions to third-party service providers: (1) compliance risk, (2) concentration risk, (3) reputation risk, (4) country risk, (5) operational risk, and (6) legal risk.
An effective program to manage outsourcing risk should include (1) risk assessments, (2) due diligence in selecting service providers, (3) contract provisions, (4) incentive compensation review, (5) oversight and monitoring of service providers, and (6) business continuity and contingency plans.
LO 57.2 In performing due diligence on a third-party service provider, a financial institution should involve any relevant technical specialists and/or important stakeholders. The three key areas of review include (1) business background, reputation, and strategy; (2) financial performance and condition; and (3) operations and internal controls.
LO 57.3 Considerations and provisions that should be addressed in a contract with a third-party service provider include the following: (1) scope, (2) cost and compensation, (3) incentive compensation, (4) right to audit, (5) establishment and monitoring of performance standards, (6) oversight and monitoring, (7) confidentiality and security of information, (8) ownership and license, (9) indemnification, (10) default and termination, (11) dispute resolution, (12) limits on liability, (13) insurance, (14) customer complaints, (15) business resumption and contingency plan of the service provider, (16) foreign-based service providers, and (17) subcontracting.
Page 264
2018 Kaplan, Inc.
Topic 57 Cross Reference to GARP Assigned Reading – Board o f Governors o f the Federal Reserve System
C o n c e pt C h e c k e r s
1.
2.
3.
4.
5.
Bank Inc., (Bank) operates in the United States and has a service contract in place with Service Co. (Service), which operates in France. Service manages a significant amount of confidential customer data for Bank, and recently a computer glitch at Service resulted in the accidental public disclosure of confidential customer data. As a result of the data breach, which of the following risks is Bank least likely to face? A. Compliance risk. B. Country risk. C. Legal risk. D. Operational risk.
Which of the following statements regarding risk management programs with service providers to manage outsourcing risk is correct? A. The program should focus on business continuity and contingency plans. B. The program should contain more detail if there are only a few outsourced
activities to established service providers.
C. The program should contain adequate oversight and controls over all activities
that impact the financial institution.
D. The program should require risk assessments to be updated as a result of
updated risk mitigation techniques on a sufficiently regular basis.
When performing due diligence on a service provider, ascertaining the sufficiency of its insurance coverage would most appropriately be covered under which of the following categories? A. Business background, reputation, and strategy. B. Financial performance and condition. C. Operations and internal controls. D. Oversight and monitoring.
The use of performance metrics to assist in determining an acceptable level of performance by a service provider would most appropriately be included in which of the following provisions of a contract with a financial institution? A. Customer complaints. B. Default and termination. C. Indemnification. D. Right to audit.
Which of the following provisions would a financial institution least likely include in a contract with a third-party service provider? A. Establishment and monitoring of performance standards. B. Indemnification. C. Ownership and license. D. Right to audit.
2018 Kaplan, Inc.
Page 265
Topic 57 Cross Reference to GARP Assigned Reading – Board o f Governors o f the Federal Reserve System
C o n c e pt Ch e c k e r A n s w e r s
1. B Country risk refers to using a service provider based in a foreign country and subjecting the
financial institution to potential economic and political risks in that country. Clearly, it is not a relevant risk arising from the breach of confidential customer data.
Compliance risk is a possibility given the apparent lack of security controls of the service provider that resulted in the data breach. Operational risk is clearly a relevant risk to the financial institution here given the data breach caused by the service provider. Legal risk is clearly a relevant risk given that the customers affected by the data breach may sue the financial institution as a result of the breach.
2. A Unexpected events could result in the inability of the service provider to provide its services
to the financial institution. Depending on the nature and importance of the services provided, the financial institution may be exposed to substantial losses as a result of the inability of the service provider to provide its services. Therefore, business continuity and contingency plans should be a key focus in any risk management program with service providers.
The program should contain less detail if there are only a few outsourced activities to established service providers given that the risk to the financial institution would be reduced substantially as a result of the service provider being established. The program should not deal with all activities that impact the financial institution but instead focus only on those that have a material impact. The program should require risk mitigation techniques to be updated on a sufficiently regular basis as a result of updated risk assessments.
3. B A review of a potential service providers financial performance and condition would include
queries regarding its level of insurance coverage.
The area of business background, reputation, and strategy takes a more global view of the service provider and would be far less concerned with financial matters such as insurance. Operations and internal controls deal with compliance with relevant laws and regulations, for example, and would be less concerned with financial matters such as insurance. Oversight and monitoring is not an element within the due diligence process, but it is one of the elements (together with due diligence) of an effective risk management program with service providers.
4. B With regard to the default and termination provision, common reasons include poor
performance and nonperformance of duties, which would be detected through the use of performance metrics. The customer complaints provision deals with which party will deal with customer complaints. The indemnification provision deals with the service provider to indemnify the financial institution in the event of any legal proceedings arising from the service providers negligence. The right to audit provision deals with allowing the financial institution to audit the service provider.
5. D The right to audit provision is optional and is the least important provision of the four listed.
The use of performance standards is essential for monitoring and oversight purposes that may result in the determination of default by the service provider and possible termination of the contract. The indemnification provision is important because it deals with the service provider indemnifying (i.e., holding harmless) the financial institution in the event of any legal proceedings arising from the service providers negligence. The ownership and license provision is crucial because it would state when service providers are permitted to use the financial institutions property (i.e., data and equipment) as well as clarify the ownership and control of data produced by a service provider.
Page 266
2018 Kaplan, Inc.
The following is a review of the Operational and Integrated Risk Management principles designed to address the learning objectives set forth by GARP. This topic is also covered in:
Ba s e l I, Ba s e l II, a n d So l v e n c y II
Topic 58
E x a m F o c u s
This topic provides an overview of the international capital standards put in place by the Basel Committee on Banking Supervision. Basel I (1988) contained the first steps toward risk-weighting bank activities on- and off-balance sheet to relate required capital to risk. Basel I was the first to set a capital to risk-weighted assets requirement, but it only considered credit risk, not market or operational risk. Basel II took a more sophisticated approach to measuring bank credit risk, market risk, and operational risk. For the exam, understand the contribution Basel II makes to risk measurement, and know the differences between the methods used to calculate various risks. Also, know the difference between Basel II and Solvency II, a similar international standard for insurance companies, and the likely repercussions a firm will face if it breaches the standards. In addition, be able to calculate a banks required capital under the various regimes. One of the recurring themes in this topic is the difference between a standardized approach for measuring risk, used by less sophisticated banks (and insurance companies), and an internal approach that is firm specific and more complex but often lowers required capital because it allows banks to use their own model inputs and considers the correlations between assets.

LO 57.2: Explain how financial institutions should perform due diligence on third-

LO 57.2: Explain how financial institutions should perform due diligence on third- party service providers.
In performing due diligence on a third-party service provider, a financial institution should involve any relevant technical specialists and/or important stakeholders. The three key areas of review include (1) business background, reputation, and strategy; (2) financial performance and condition; and (3) operations and internal controls. Ultimately, the financial institution must ensure that the service provider follows all relevant laws and regulations in performing services on the institutions behalf.
Business Background, Reputation, and Strategy
There should be a review of the potential service providers past business history and of its key management personnel. The service provider should provide evidence of an adequate background check system for its new employees.
A review of the service providers experience, strategy and mission statement, service philosophy, methods of maintaining and improving quality, and company policies is needed. The flexibility and feasibility of the service providers business model should be evaluated to determine the likelihood of providing services to the financial institution for the long term.
References should be contacted and confirmed, and any licenses and certifications necessary to perform the services should be confirmed. A search for any past or present legal and compliance problems should also be undertaken.
Financial Performance and Condition
The service providers most recent financial statements (and annual report, if applicable) should be obtained to analyze its assets, liabilities, liquidity, and operating performance for sufficiency. Financial information of any subcontractors should be obtained and analyzed for the same reason. The expected financial impact of the potential contract on the service provider should be determined.
Page 260
2018 Kaplan, Inc.
Topic 57 Cross Reference to GARP Assigned Reading – Board o f Governors o f the Federal Reserve System
The service providers long-term survival prospects should be analyzed by considering how long it has been operating as well as its market share growth. Furthermore, its ability to provide the service for the length of the contract in terms of capital and personnel needs to be ascertained. Finally, the amount of insurance coverage and any other issues that may impact the service providers finances should be considered.
Operations and Internal Controls
The service providers internal controls, IT systems development and support, IT security systems, and methods of securing confidential information should be evaluated. Additionally, there should be a review of the service providers staff training, analysis of the service support provided, and confirmation that employee background checks are being performed. Finally, queries should be made about the process involved in maintaining records and any disaster recovery processes in place.
C o n t r a c t P r o v i s i o n s

LO 57.1: Explain how risks can arise through outsourcing activities to third-

LO 57.1: Explain how risks can arise through outsourcing activities to third- party service providers, and describe elements of an efFective program to manage outsourcing risk.
R i s k s o f O u t s o u r c i n g A c t
i v i t
i e s t o T h i r d -P a r t y S e r v i c e P r o v i d e r s
The following risks could arise when a financial institution outsources its operational functions to third-party service providers: Compliance risk refers to a service provider not operating in compliance with the
relevant local laws and regulations.
Concentration risk refers to having very few service providers to choose from or that the
service providers are clustered in only a few geographic areas.
Reputational risk refers to a service provider executing its tasks in a substandard manner,
resulting in a negative public perception of the financial institution.
Country risk refers to using a service provider based in a foreign country and subjecting
the financial institution to potential economic and political risks in that country.
Operational risk refers to potential losses sustained by a financial institution as a result of
internal control breaches and human error caused by a service provider.
Legal risk refers to subjecting the financial institution to lawsuits and other costs due to
potentially negligent activities of a service provider.
E f f e c t i v e P r o g r a m t o M a n a g e O u t s o u r c i n g R i s k
The risk management program with service providers needs to contain adequate oversight and controls over activities that have a material impact on the institutions finances and operations. In addition, importance must be placed on activities relating to sensitive customer information and new products and services. The depth and complexity of the program may be relatively low if there are few outsourced activities, and the service providers are established and reliable. Conversely, the depth and complexity may be relatively high if there are many service providers involved in outsourced activities.
2018 Kaplan, Inc.
Page 259
Topic 57 Cross Reference to GARP Assigned Reading – Board o f Governors o f the Federal Reserve System
Risk management programs should include (1) risk assessments, (2) due diligence in selecting service providers, (3) contract provisions, (4) incentive compensation review, (5) oversight and monitoring of service providers, and (6) business continuity and contingency plans.
The last five elements will be discussed in subsequent sections. The crucial first step is to perform risk assessments of the applicable business activities to determine whether these activities are best executed in-house or by a third party. Assuming the outsourcing option is consistent with the financial institutions business objectives, then a cost-benefit analysis and a risk analysis of the service provider should be performed. Two key questions to be answered include the following: (1) Do qualified and experienced service providers exist? (2) Is the financial institution sufficiently qualified to perform oversight duties and manage the relationship with the service provider? Risk mitigation techniques should be updated on a sufficiently regular basis as a result of updated risk assessments.
D u e D i l
i g e n c e o n S e r v i c e P r o v i d e r s