Turn off time travelling

The Committee has identified four key principles of supervisory review under Pillar 2. These complement other supervisory guidance published by the Committee, including the Basel Core Principles.

Effective as of: 15 Dec 2019 | Last update: 15 Dec 2019
Status: Current (View changes)

The four key principles


Principle 1: Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.


Principle 2: Supervisors should review and evaluate banks’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital ratios. Supervisors should take appropriate supervisory action if they are not satisfied with the result of this process.


Principle 3: Supervisors should expect banks to operate above the minimum regulatory capital ratios and should have the ability to require banks to hold capital in excess of the minimum.


Principle 4: Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and should require rapid remedial action if capital is not maintained or restored.

Principle 1 – banks’ process for assessing capital adequacy


Banks must be able to demonstrate that chosen internal capital targets are well founded and that these targets are consistent with their overall risk profile and current operating environment. In assessing capital adequacy, bank management needs to be mindful of the particular stage of the business cycle in which the bank is operating. Rigorous, forward-looking stress testing that identifies possible events or changes in market conditions that could adversely impact the bank should be performed. Bank management clearly bears primary responsibility for ensuring that the bank has adequate capital to support its risks.


The five main features of a rigorous process are as follows:


board and senior management oversight;1


sound capital assessment;


comprehensive assessment of risks;


monitoring and reporting; and


internal control review.

1 Footnote

Board and senior management oversight


A sound risk management process is the foundation for an effective assessment of the adequacy of a bank’s capital position. Bank management is responsible for understanding the nature and level of risk being taken by the bank and how this risk relates to adequate capital levels. It is also responsible for ensuring that the formality and sophistication of the risk management processes are appropriate in light of the risk profile and business plan.


The analysis of a bank’s current and future capital requirements in relation to its strategic objectives is a vital element of the strategic planning process. The strategic plan should clearly outline the bank’s capital needs, anticipated capital expenditures, desirable capital level, and external capital sources. Senior management and the board should view capital planning as a crucial element in being able to achieve its desired strategic objectives.


The bank’s board of directors has responsibility for setting the bank’s tolerance for risks. It should also ensure that management establishes a framework for assessing the various risks, develops a system to relate risk to the bank’s capital level, and establishes a method for monitoring compliance with internal policies. It is likewise important that the board of directors adopts and supports strong internal controls and written policies and procedures and ensures that management effectively communicates these throughout the organisation.

Sound capital assessment


Fundamental elements of sound capital assessment include:


policies and procedures designed to ensure that the bank identifies, measures, and reports all material risks;


a process that relates capital to the level of risk;


a process that states capital adequacy goals with respect to risk, taking account of the bank’s strategic focus and business plan; and


a process of internal controls, reviews and audit to ensure the integrity of the overall management process.

Comprehensive assessment of risks


All material risks faced by the bank should be addressed in the capital assessment process. While the Committee recognises that not all risks can be measured precisely, a process should be developed to estimate risks. Therefore, the following risk exposures, which by no means constitute a comprehensive list of all risks, should be considered.


Credit risk: Banks should have methodologies that enable them to assess the credit risk involved in exposures to individual borrowers or counterparties as well as at the portfolio level. Banks should assess exposures, regardless of whether they are rated or unrated, and determine whether the risk weights applied to such exposures, under the Standardised Approach, are appropriate for their inherent risk. In those instances where a bank determines that the inherent risk of such an exposure, particularly if it is unrated, is significantly higher than that implied by the risk weight to which it is assigned, the bank should consider the higher degree of credit risk in the evaluation of its overall capital adequacy. For more sophisticated banks, the credit review assessment of capital adequacy, at a minimum, should cover four areas:


risk-rating systems,


portfolio analysis / aggregation;


securitisation / complex credit derivatives; and


large exposures and risk concentrations.


Internal risk ratings are an important tool in monitoring credit risk. Internal risk ratings should be adequate to support the identification and measurement of risk from all credit exposures, and should be integrated into an institution’s overall analysis of credit risk and capital adequacy. The ratings system should provide detailed ratings for all assets, not only for criticised or problem assets. Loan loss reserves should be included in the credit risk assessment for capital adequacy.


The analysis of credit risk should adequately identify any weaknesses at the portfolio level, including any concentrations of risk. It should also adequately take into consideration the risks involved in managing credit concentrations and other portfolio issues through such mechanisms as securitisation programmes and complex credit derivatives. Further, the analysis of counterparty credit risk should include consideration of public evaluation of the supervisor’s compliance with the Core Principles for Effective Banking Supervision (BCP).


Operational risk: the Committee believes that similar rigour should be applied to the management of operational risk, as is done for the management of other significant banking risks. The failure to properly manage operational risk can result in a misstatement of an institution’s risk/return profile and expose the institution to significant losses.


A bank should develop a framework for managing operational risk and evaluate the adequacy of capital given this framework. The framework should cover the bank’s appetite and tolerance for operational risk, as specified through the policies for managing this risk, including the extent and manner in which operational risk is transferred outside the bank. It should also include policies outlining the bank’s approach to identifying, assessing, monitoring and controlling/mitigating the risk.


Market risk: banks should have methodologies that enable them to assess and actively manage all material market risks, wherever they arise, at position, desk, business line and firm-wide level. For more sophisticated banks, their assessment of internal capital adequacy for market risk, at a minimum, should be based on both value-at-risk (VaR) modelling and stress testing, including an assessment of concentration risk and the assessment of illiquidity under stressful market scenarios, although all firms’ assessments should include stress testing appropriate to their trading activity.


VaR is an important tool in monitoring aggregate market risk exposures and provides a common metric for comparing the risk being run by different desks and business lines. A bank’s VaR model should be adequate to identify and measure risks arising from all its trading activities and should be integrated into the bank’s overall internal capital assessment as well as subject to rigorous on-going validation. A VaR model estimates should be sensitive to changes in the trading book risk profile.


Banks must supplement their VaR model with stress tests (factor shocks or integrated scenarios whether historic or hypothetical) and other appropriate risk management techniques. In the bank’s internal capital assessment it must demonstrate that it has enough capital to not only meet the minimum capital requirements but also to withstand a range of severe but plausible market shocks. In particular, it must factor in, where appropriate:


illiquidity / gapping of prices;


concentrated positions (in relation to market turnover);


one-way markets;


non-linear products / deep out-of-the-money positions;


events and jumps-to-default;


significant shifts in correlations; and


other risks that may not be appropriately captured in VaR (eg recovery rate uncertainty, implied correlations or skew risk).


The stress tests applied by a bank and, in particular, the calibration of those tests (e.g. the parameters of the shocks or types of events considered) should be reconciled back to a clear statement setting out the premise upon which the bank’s internal capital assessment is based (eg ensuring there is adequate capital to manage the traded portfolios within stated limits through what may be a prolonged period of market stress and illiquidity, or that there is adequate capital to ensure that, over a given time horizon to a specified confidence level, all positions can be liquidated or the risk hedged in an orderly fashion). The market shocks applied in the tests must reflect the nature of portfolios and the time it could take to hedge out or manage risks under severe market conditions.


Concentration risk should be pro-actively managed and assessed by firms and concentrated positions should be routinely reported to senior management.


Banks should design their risk management systems, including the VaR methodology and stress tests, to properly measure the material risks in instruments they trade as well as the trading strategies they pursue. As their instruments and trading strategies change, the VaR methodologies and stress tests should also evolve to accommodate the changes.


Banks must demonstrate how they combine their risk measurement approaches to arrive at the overall internal capital for market risk.


Interest rate risk in the banking book: the measurement process should include all material interest rate positions of the bank and consider all relevant repricing and maturity data. Such information will generally include current balance and contractual rate of interest associated with the instruments and portfolios, principal payments, interest reset dates, maturities, the rate index used for repricing, and contractual interest rate ceilings or floors for adjustable-rate items. The system should also have well-documented assumptions and techniques.


Regardless of the type and level of complexity of the measurement system used, bank management should ensure the adequacy and completeness of the system. Because the quality and reliability of the measurement system is largely dependent on the quality of the data and various assumptions used in the model, management should give particular attention to these items.


Liquidity risk: liquidity is crucial to the ongoing viability of any banking organisation. Banks’ capital positions can have an effect on their ability to obtain liquidity, especially in a crisis. Each bank must have adequate systems for measuring, monitoring and controlling liquidity risk. Banks should evaluate the adequacy of capital given their own liquidity profile and the liquidity of the markets in which they operate.


Other risks: although the Committee recognises that “other” risks, such as reputational and strategic risk, are not easily measurable, it expects industry to further develop techniques for managing all aspects of these risks.

Monitoring and reporting


The bank should establish an adequate system for monitoring and reporting risk exposures and assessing how the bank’s changing risk profile affects the need for capital. The bank’s senior management or board of directors should, on a regular basis, receive reports on the bank’s risk profile and capital needs. These reports should allow senior management to:


evaluate the level and trend of material risks and their effect on capital levels;


evaluate the sensitivity and reasonableness of key assumptions used in the capital assessment measurement system;


determine that the bank holds sufficient capital against the various risks and is in compliance with established capital adequacy goals; and


assess its future capital requirements based on the bank’s reported risk profile and make necessary adjustments to the bank’s strategic plan accordingly.

Internal control review


The bank’s internal control structure is essential to the capital assessment process. Effective control of the capital assessment process includes an independent review and, where appropriate, the involvement of internal or external audits. The bank’s board of directors has a responsibility to ensure that management establishes a system for assessing the various risks, develops a system to relate risk to the bank’s capital level, and establishes a method for monitoring compliance with internal policies. The board should regularly verify whether its system of internal controls is adequate to ensure well-ordered and prudent conduct of business.


The bank should conduct periodic reviews of its risk management process to ensure its integrity, accuracy, and reasonableness. Areas that should be reviewed include:


appropriateness of the bank’s capital assessment process given the nature, scope and complexity of its activities;


identification of large exposures and risk concentrations;


accuracy and completeness of data inputs into the bank’s assessment process;


reasonableness and validity of scenarios used in the assessment process; and


stress testing and analysis of assumptions and inputs.

Principle 2 – supervisory review of banks’ internal capital adequacy assessments


The supervisory authorities should regularly review the process by which a bank assesses its capital adequacy, risk position, resulting capital levels, and quality of capital held. Supervisors should also evaluate the degree to which a bank has in place a sound internal process to assess capital adequacy. The emphasis of the review should be on the quality of the bank’s risk management and controls and should not result in supervisors functioning as bank management. The periodic review can involve some combination of:


on-site examinations or inspections;


off-site review;


discussions with bank management;


review of work done by external auditors (provided it is adequately focused on the necessary capital issues); and


periodic reporting.


The substantial impact that errors in the methodology or assumptions of formal analyses can have on resulting capital requirements requires a detailed review by supervisors of each bank’s internal analysis.


Supervisors should assess the degree to which internal targets and processes incorporate the full range of material risks faced by the bank. Supervisors should also review the adequacy of risk measures used in assessing internal capital adequacy and the extent to which these risk measures are also used operationally in setting limits, evaluating business line performance, and evaluating and controlling risks more generally. Supervisors should consider the results of sensitivity analyses and stress tests conducted by the institution and how these results relate to capital plans.


Supervisors should review the bank’s processes to determine that:


target levels of capital chosen are comprehensive and relevant to the current operating environment;


these levels are properly monitored and reviewed by senior management; and


the composition of capital is appropriate for the nature and scale of the bank’s business.


Supervisors should also consider the extent to which the bank has provided for unexpected events in setting its capital levels. This analysis should cover a wide range of external conditions and scenarios, and the sophistication of techniques and stress tests used should be commensurate with the bank’s activities.


Supervisors should consider the quality of the bank’s management information reporting and systems, the manner in which business risks and activities are aggregated, and management’s record in responding to emerging or changing risks.


In all instances, the capital level at an individual bank should be determined according to the bank’s risk profile and adequacy of its risk management process and internal controls. External factors such as business cycle effects and the macroeconomic environment should also be considered.


In order for certain internal methodologies, credit risk mitigation techniques and asset securitisations to be recognised for regulatory capital purposes, banks will need to meet a number of requirements, including risk management standards and disclosures. In particular, banks will be required to disclose features of their internal methodologies used in calculating minimum capital requirements. As part of the supervisory review process, supervisors must ensure that these conditions are being met on an ongoing basis.


The Committee regards this review of minimum standards and qualifying criteria as an integral part of the supervisory review process under Principle 2. In setting the minimum criteria the Committee has considered current industry practice and so anticipates that these minimum standards will provide supervisors with a useful set of benchmarks that are aligned with bank management expectations for effective risk management and capital allocation.


There is also an important role for supervisory review of compliance with certain conditions and requirements set for standardised approaches. In this context, there will be a particular need to ensure that use of various instruments that can reduce Pillar 1 capital requirements are utilised and understood as part of a sound, tested, and properly documented risk management process.


Having carried out the review process described above, supervisors should take appropriate action if they are not satisfied with the results of the bank’s own risk assessment and capital allocation. Supervisors should consider a range of actions, such as those set out under Principles 3 and 4 below.

Principle 3 – banks should operate above minimum regulatory capital ratios


Pillar 1 capital requirements will include a buffer for uncertainties surrounding the Pillar 1 regime that affect the banking population as a whole. Bank-specific uncertainties will be treated under Pillar 2. It is anticipated that such buffers under Pillar 1 will be set to provide reasonable assurance that a bank with good internal systems and controls, a well-diversified risk profile and a business profile well covered by the Pillar 1 regime, and which operates with capital equal to Pillar 1 requirements, will meet the minimum goals for soundness embodied in Pillar 1. However, supervisors will need to consider whether the particular features of the markets for which they are responsible are adequately covered. Supervisors will typically require (or encourage) banks to operate with a buffer, over and above the Pillar 1 standard. Banks should maintain this buffer for a combination of the following:


Pillar 1 minimums are anticipated to be set to achieve a level of bank creditworthiness in markets that is below the level of creditworthiness sought by many banks for their own reasons. For example, most international banks appear to prefer to be highly rated by internationally recognised rating agencies. Thus, banks are likely to choose to operate above Pillar 1 minimums for competitive reasons.


In the normal course of business, the type and volume of activities will change, as will the different risk exposures, causing fluctuations in the overall capital ratio.


It may be costly for banks to raise additional capital, especially if this needs to be done quickly or at a time when market conditions are unfavourable.


For banks to fall below minimum regulatory capital requirements is a serious matter. It may place banks in breach of the relevant law and/or prompt non-discretionary corrective action on the part of supervisors.


There may be risks, either specific to individual banks, or more generally to an economy at large, that are not taken into account in Pillar 1.


There are several means available to supervisors for ensuring that individual banks are operating with adequate levels of capital. Among other methods, the supervisor may set trigger and target capital ratios or define categories above minimum ratios (eg well capitalised and adequately capitalised) for identifying the capitalisation level of the bank.

Principle 4 – early supervisory intervention


Supervisors should consider a range of options if they become concerned that a bank is not meeting the requirements embodied in the supervisory principles outlined above. These actions may include intensifying the monitoring of the bank, restricting the payment of dividends, requiring the bank to prepare and implement a satisfactory capital adequacy restoration plan, and requiring the bank to raise additional capital immediately. Supervisors should have the discretion to use the tools best suited to the circumstances of the bank and its operating environment.


The permanent solution to banks’ difficulties is not always increased capital. However, some of the required measures (such as improving systems and controls) may take a period of time to implement. Therefore, increased capital might be used as an interim measure while permanent measures to improve the bank’s position are being put in place. Once these permanent measures have been put in place and have been seen by supervisors to be effective, the interim increase in capital requirements can be removed.