Stress tests under the internal ratings-based approaches

A bank should ensure that it has sufficient capital to meet the Pillar 1 requirements and the results (where a deficiency has been indicated) of the credit risk stress test performed as part of the Pillar 1 internal ratings-based (IRB) minimum requirements CRE36.50 to CRE36.54. Supervisors may wish to review how the stress test has been carried out. The results of the stress test will thus contribute directly to the expectation that a bank will operate above the Pillar 1 minimum regulatory capital ratios. Supervisors will consider whether a bank has sufficient capital for these purposes. To the extent that there is a shortfall, the supervisor will react appropriately. This will usually involve requiring the bank to reduce its risks and/or to hold additional capital/provisions, so that existing capital resources could cover the Pillar 1 requirements plus the result of a recalculated stress test.

Definition of default

A bank must use the reference definition of default for its internal estimations of probability of default (PD) and/or loss given default (LGD) and exposure at default (EAD). However, as detailed in CRE36.71, national supervisors will issue guidance on how the reference definition of default is to be interpreted in their jurisdictions. Supervisors will assess individual banks’ application of the reference definition of default and its impact on capital requirements. In particular, supervisors will focus on the impact of deviations from the reference definition according to CRE36.73 (use of external data or historic internal data not fully consistent with the reference definition of default).

Residual risk

The Framework allows banks to offset credit or counterparty risk with collateral, guarantees or credit derivatives, leading to reduced capital charges. While banks use credit risk mitigation (CRM) techniques to reduce their credit risk, these techniques give rise to risks that may render the overall risk reduction less effective. Accordingly these risks (eg legal risk, documentation risk, or liquidity risk) to which banks are exposed are of supervisory concern. Where such risks arise, and irrespective of fulfilling the minimum requirements set out in Pillar 1, a bank could find itself with greater credit risk exposure to the underlying counterparty than it had expected. Examples of these risks include:

Therefore, supervisors will require banks to have in place appropriate written CRM policies and procedures in order to control these residual risks. A bank may be required to submit these policies and procedures to supervisors and must regularly review their appropriateness, effectiveness and operation.

In its CRM policies and procedures, a bank must consider whether, when calculating capital requirements, it is appropriate to give the full recognition of the value of the credit risk mitigant as permitted in Pillar 1 and must demonstrate that its CRM management policies and procedures are appropriate to the level of capital benefit that it is recognising. Where supervisors are not satisfied as to the robustness, suitability or application of these policies and procedures they may direct the bank to take immediate remedial action or hold additional capital against residual risk until such time as the deficiencies in the CRM procedures are rectified to the satisfaction of the supervisor. For example, supervisors may direct a bank to:

Credit concentration risk

A risk concentration is any single exposure or group of exposures with the potential to produce losses large enough (relative to a bank’s capital, total assets, or overall risk level) to threaten a bank’s health or ability to maintain its core operations. Risk concentrations are arguably the single most important cause of major problems in banks.

Risk concentrations can arise in a bank’s assets, liabilities, or off-balance sheet items, through the execution or processing of transactions (either product or service), or through a combination of exposures across these broad categories. Because lending is the primary activity of most banks, credit risk concentrations are often the most material risk concentrations within a bank.

Credit risk concentrations, by their nature, are based on common or correlated risk factors, which, in times of stress, have an adverse effect on the creditworthiness of each of the individual counterparties making up the concentration. Concentration risk arises in both direct exposures to obligors and may also occur through exposures to protection providers. Such concentrations are not addressed in the Pillar 1 capital charge for credit risk.

Banks should have in place effective internal policies, systems and controls to identify, measure, monitor, and control their credit risk concentrations. Banks should explicitly consider the extent of their credit risk concentrations in their assessment of capital adequacy under Pillar 2. These policies should cover the different forms of credit risk concentrations to which a bank may be exposed. Such concentrations include:

A bank’s framework for managing credit risk concentrations should be clearly documented and should include a definition of the credit risk concentrations relevant to the bank and how these concentrations and their corresponding limits are calculated. Limits should be defined in relation to a bank’s capital, total assets or, where adequate measures exist, its overall risk level.

A bank’s management should conduct periodic stress tests of its major credit risk concentrations and review the results of those tests to identify and respond to potential changes in market conditions that could adversely impact the bank’s performance.

A bank should ensure that, in respect of credit risk concentrations, it complies with the Committee document Principles for the Management of Credit Risk (September 2000) and the more detailed guidance in the Appendix to that paper.

In the course of their activities, supervisors should assess the extent of a bank’s credit risk concentrations, how they are managed, and the extent to which the bank considers them in its internal assessment of capital adequacy under Pillar 2. Such assessments should include reviews of the results of a bank’s stress tests. Supervisors should take appropriate actions where the risks arising from a bank’s credit risk concentrations are not adequately addressed by the bank.

Counterparty credit risk

As counterparty credit risk (CCR) represents a form of credit risk, this would include meeting this Framework’s standards regarding their approaches to stress testing, “residual risks” associated with credit risk mitigation techniques, and credit concentrations, as specified in the paragraphs above.

The bank must have counterparty credit risk management policies, processes and systems that are conceptually sound and implemented with integrity relative to the sophistication and complexity of a firm’s holdings of exposures that give rise to CCR. A sound counterparty credit risk management framework shall include the identification, measurement, management, approval and internal reporting of CCR.

The bank’s risk management policies must take account of the market, liquidity, legal and operational risks that can be associated with CCR and, to the extent practicable, interrelationships among those risks. The bank must not undertake business with a counterparty without assessing its creditworthiness and must take due account of both settlement and pre-settlement credit risk. These risks must be managed as comprehensively as practicable at the counterparty level (aggregating counterparty exposures with other credit exposures) and at the firm-wide level.

The board of directors and senior management must be actively involved in the CCR control process and must regard this as an essential aspect of the business to which significant resources need to be devoted. Where the bank is using an internal model for CCR, senior management must be aware of the limitations and assumptions of the model used and the impact these can have on the reliability of the output. They should also consider the uncertainties of the market environment (eg timing of realisation of collateral) and operational issues (eg pricing feed irregularities) and be aware of how these are reflected in the model.

In this regard, the daily reports prepared on a firm’s exposures to CCR must be reviewed by a level of management with sufficient seniority and authority to enforce both reductions of positions taken by individual credit managers or traders and reductions in the firm’s overall CCR exposure.

The bank’s CCR management system must be used in conjunction with internal credit and trading limits. In this regard, credit and trading limits must be related to the firm’s risk measurement model in a manner that is consistent over time and that is well understood by credit managers, traders and senior management.

The measurement of CCR must include monitoring daily and intra-day usage of credit lines. The bank must measure current exposure gross and net of collateral held where such measures are appropriate and meaningful (eg over-the-counter, or OTC, derivatives, margin lending). Measuring and monitoring peak exposure or potential future exposure at a confidence level chosen by the bank at both the portfolio and counterparty levels is one element of a robust limit monitoring system. Banks must take account of large or concentrated positions, including concentrations by groups of related counterparties, by industry, by market, customer investment strategies, etc.

The bank must have a routine and rigorous program of stress testing in place as a supplement to the CCR analysis based on the day-to-day output of the firm’s risk measurement model. The results of this stress testing must be reviewed periodically by senior management and must be reflected in the CCR policies and limits set by management and the board of directors. Where stress tests reveal particular vulnerability to a given set of circumstances, management should explicitly consider appropriate risk management strategies (eg by hedging against that outcome, or reducing the size of the firm’s exposures).

The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operation of the CCR management system. The firm’s CCR management system must be well documented, for example, through a risk management manual that describes the basic principles of the risk management system and that provides an explanation of the empirical techniques used to measure CCR.

The bank must conduct an independent review of the CCR management system regularly through its own internal auditing process. This review must include both the activities of the business credit and trading units and of the independent CCR control unit. A review of the overall CCR management process must take place at regular intervals (ideally not less than once a year) and must specifically address, at a minimum:

A bank that receives approval to use an internal model to estimate its exposure amount or EAD for CCR exposures must monitor the appropriate risks and have processes to adjust its estimation of expected positive exposure (EPE) when those risks become significant. This includes the following:

When assessing an internal model used to estimate EPE, and especially for banks that receive approval to estimate the value of the alpha factor, supervisors must review the characteristics of the firm’s portfolio of exposures that give rise to CCR. In particular, supervisors must consider the following characteristics, namely:

Supervisors will take appropriate action where the firm’s estimates of exposure or EAD under the internal models method (IMM) or alpha do not adequately reflect its exposure to CCR. Such action might include directing the bank to revise its estimates; directing the bank to apply a higher estimate of exposure or EAD under the IMM or alpha; or disallowing a bank from recognising internal estimates of EAD for regulatory capital purposes.

For banks that make use of the standardised approach to counterparty credit risk (SA-CCR), supervisors should review the bank’s evaluation of the risks contained in the transactions that give rise to CCR and the bank’s assessment of whether the SA-CCR captures those risks appropriately and satisfactorily. If the SA-CCR does not capture the risk inherent in the bank’s relevant transactions (as could be the case with structured, more complex OTC derivatives), supervisors may require the bank to apply the SA-CCR on a transaction-by-transaction basis (ie no netting will be recognised).

Securitisation

A bank’s on- and off-balance-sheet securitisation activities should be included in its risk management disciplines, such as product approval, risk concentration limits and estimates of market, credit and operational risk (as discussed in SRP30).

In light of the wide range of risks arising from securitisation activities, which can be compounded by rapid innovation in securitisation techniques and instruments, minimum capital requirements calculated under Pillar 1 are often insufficient. All risks arising from securitisation, particularly those that are not fully captured under Pillar 1, should be addressed in a bank’s internal capital adequacy assessment process (ICAAP). These risks include:

Securitisation exposures should be included in the bank’s management information systems to help ensure that senior management understands the implications of such exposures for liquidity, earnings, risk concentration and capital. More specifically, a bank should have the necessary processes in place to capture in a timely manner updated information on securitisation transactions including market data, if available, and updated performance data from the securitisation trustee or servicer.

A bank should conduct analyses of the underlying risks when investing in the structured products and must not solely rely on the external credit ratings assigned to securitisation exposures by the credit rating agencies. A bank should be aware that external ratings are a useful starting point for credit analysis, but are no substitute for full and proper understanding of the underlying risk, especially where ratings for certain asset classes have a short history or have been shown to be volatile. Moreover, a bank also should conduct credit analysis of the securitisation exposure at acquisition and on an ongoing basis. It should also have in place the necessary quantitative tools, valuation models and stress tests of sufficient sophistication to reliably assess all relevant risks.

When assessing securitisation exposures, a bank should ensure that it fully understands the credit quality and risk characteristics of the underlying exposures in structured credit transactions, including any risk concentrations. In addition, a bank should review the maturity of the exposures underlying structured credit transactions relative to the issued liabilities in order to assess potential maturity mismatches.

A bank should track credit risk in securitisation exposures at the transaction level and across securitisations exposures within each business line and across business lines. It should produce reliable measures of aggregate risk. A bank also should track all meaningful concentrations in securitisation exposures, such as name, product or sector concentrations, and feed this information to firm-wide risk aggregation systems that track, for example, credit exposure to a particular obligor.

A bank’s own assessment of risk needs to be based on a comprehensive understanding of the structure of the securitisation transaction. It should identify the various types of triggers, credit events and other legal provisions that may affect the performance of its on- and off-balance sheet exposures and integrate these triggers and provisions into its funding/liquidity, credit and balance sheet management. The impact of the events or triggers on a bank’s liquidity and capital position should also be considered.

A bank should consider and, where appropriate, mark-to-market warehoused positions, as well as those in the pipeline, regardless of the probability of securitising the exposures. It should consider scenarios which may prevent it from securitising its assets as part of its stress testing (as discussed in SRP30) and identify the potential effect of such exposures on its liquidity, earnings and capital adequacy.

A bank should develop prudent contingency plans specifying how it would respond to funding, capital and other pressures that arise when access to securitisation markets is reduced. The contingency plans should also address how the bank would address valuation challenges for potentially illiquid positions held for sale or for trading. The risk measures, stress testing results and contingency plans should be incorporated into the bank’s risk management processes and its ICAAP, and should result in an appropriate level of capital under Pillar 2 in excess of the minimum requirements.

A bank that employs risk mitigation techniques should fully understand the risks to be mitigated, the potential effects of that mitigation and whether or not the mitigation is fully effective. This is to help ensure that the bank does not understate the true risk in its assessment of capital. In particular, it should consider whether it would provide support to the securitisation structures in stressed scenarios due to the reliance on securitisation as a funding tool.

Further to the Pillar 1 principle that banks should take account of the economic substance of transactions in their determination of capital adequacy, supervisory authorities will monitor, as appropriate, whether banks have done so adequately. As a result, regulatory capital treatments for specific securitisation exposures might differ from those specified in Pillar 1 of the Framework, particularly in instances where the general capital requirement would not adequately and sufficiently reflect the risks to which an individual banking organisation is exposed.

Amongst other things, supervisory authorities may review where relevant a bank’s own assessment of its capital needs and how that has been reflected in the capital calculation as well as the documentation of certain transactions to determine whether the capital requirements accord with the risk profile (eg substitution clauses). Supervisors will also review the manner in which banks have addressed the issue of maturity mismatch in relation to retained positions in their economic capital calculations. In particular, they will be vigilant in monitoring for the structuring of maturity mismatches in transactions to artificially reduce capital requirements. Additionally, supervisors may review the bank’s economic capital assessment of actual correlation between assets in the pool and how they have reflected that in the calculation. Where supervisors consider that a bank’s approach is not adequate, they will take appropriate action. Such action might include denying or reducing capital relief in the case of originated assets, or increasing the capital required against securitisation exposures acquired.

Securitisation transactions may be carried out for purposes other than credit risk transfer (eg funding). Where this is the case, there might still be a limited transfer of credit risk. However, for an originating bank to achieve reductions in capital requirements, the risk transfer arising from a securitisation has to be deemed significant by the national supervisory authority. If the risk transfer is considered to be insufficient or non-existent, the supervisory authority can require the application of a higher capital requirement than prescribed under Pillar 1 or, alternatively, may deny a bank from obtaining any capital relief from the securitisations. Therefore, the capital relief that can be achieved will correspond to the amount of credit risk that is effectively transferred. The following includes a set of examples where supervisors may have concerns about the degree of risk transfer, such as retaining or repurchasing significant amounts of risk or “cherry picking” the exposures to be transferred via a securitisation.

Retaining or repurchasing significant securitisation exposures, depending on the proportion of risk held by the originator, might undermine the intent of a securitisation to transfer credit risk. Specifically, supervisory authorities might expect that a significant portion of the credit risk and of the nominal value of the pool be transferred to at least one independent third party at inception and on an ongoing basis. Where banks repurchase risk for market-making purposes, supervisors could find it appropriate for an originator to buy part of a transaction but not, for example, to repurchase a whole tranche. Supervisors would expect that where positions have been bought for market making purposes, these positions should be resold within an appropriate period, thereby remaining true to the initial intention to transfer risk.

Another implication of realising only a non-significant risk transfer, especially if related to good quality unrated exposures, is that both the poorer quality unrated assets and most of the credit risk embedded in the exposures underlying the securitised transaction are likely to remain with the originator. Accordingly, and depending on the outcome of the supervisory review process, the supervisory authority may increase the capital requirement for particular exposures or even increase the overall level of capital the bank is required to hold.

As the minimum capital requirements for securitisation may not be able to address all potential issues, supervisory authorities are expected to consider new features of securitisation transactions as they arise. Such assessments would include reviewing the impact new features may have on credit risk transfer and, where appropriate, supervisors will be expected to take appropriate action under Pillar 2. A Pillar 1 response may be formulated to take account of market innovations. Such a response may take the form of a set of operational requirements and/or a specific capital treatment.

Support to a transaction, whether contractual (ie credit enhancements provided at the inception of a securitised transaction) or non-contractual (implicit support) can take numerous forms. For instance, contractual support can include over collateralisation, credit derivatives, spread accounts, contractual recourse obligations, subordinated notes, credit risk mitigants provided to a specific tranche, the subordination of fee or interest income or the deferral of margin income, and clean-up calls that exceed 10 percent of the initial issuance. In contrast to contractual credit exposures, such as guarantees, implicit support is a more subtle form of exposure. Implicit support arises when a bank provides post-sale support to a securitisation transaction in excess of any contractual obligation. Such non-contractual support exposes a bank to the risk of loss, such as loss arising from deterioration in the credit quality of the securitisation’s underlying assets. Examples of implicit support include the purchase of deteriorating credit risk exposures from the underlying pool, the sale of discounted credit risk exposures into the pool of securitised credit risk exposures, the purchase of underlying exposures at above market price or an increase in the first loss position according to the deterioration of the underlying exposures.

The provision of implicit (or non-contractual) support, as opposed to contractual credit support (ie credit enhancements), raises significant supervisory concerns. By providing implicit support, a bank signals to the market that all of the risks inherent in the securitised assets are still held by the organisation and, in effect, had not been transferred. For traditional securitisation structures the provision of implicit support undermines the clean break criteria, which when satisfied would allow banks to exclude the securitised assets from regulatory capital calculations. For synthetic securitisation structures, it negates the significance of risk transference. By providing implicit support, banks signal to the market that the risk is still with the bank and has not in effect been transferred. The institution’s capital calculation therefore understates the true risk. Accordingly, national supervisors are expected to take appropriate action when a banking organisation provides implicit support.

Since the risk arising from the potential provision of implicit support is not captured ex ante under Pillar 1, it must be considered as part of the Pillar 2 process. In addition, the processes for approving new products or strategic initiatives should consider the potential provision of implicit support and should be incorporated in a bank’s ICAAP. When a bank has been found to provide implicit support to a securitisation, it will be required to hold capital against all of the underlying exposures associated with the structure as if they had not been securitised. It will also be required to disclose publicly that it was found to have provided non-contractual support, as well as the resulting increase in the capital charge (as noted above). The aim is to require banks to hold capital against exposures for which they assume the credit risk, and to discourage them from providing non-contractual support.

If a bank is found to have provided implicit support on more than one occasion, the bank is required to disclose its transgression publicly and national supervisors will take appropriate action that may include, but is not limited to, one or more of the following:

Supervisors will be vigilant in determining implicit support and will take appropriate supervisory action to mitigate the effects. Pending any investigation, the bank may be prohibited from any capital relief for planned securitisation transactions (moratorium). National supervisory response will be aimed at changing the bank’s behaviour with regard to the provision of implicit support, and to correct market perception as to the willingness of the bank to provide future recourse beyond contractual obligations.

As with credit risk mitigation techniques more generally, supervisors will review the appropriateness of banks’ approaches to the recognition of credit protection. In particular, with regard to securitisations, supervisors will review the appropriateness of protection recognised against first loss credit enhancements. On these positions, expected loss is less likely to be a significant element of the risk and is likely to be retained by the protection buyer through the pricing. Therefore, supervisors will expect banks’ policies to take account of this in determining their economic capital. Where supervisors do not consider the approach to protection recognised is adequate, they will take appropriate action. Such action may include increasing the capital requirement against a particular transaction or class of transactions.

Supervisors expect a bank not to make use of clauses that entitles it to call the securitisation transaction or the coverage of credit protection prematurely if this would increase the bank’s exposure to losses or deterioration in the credit quality of the underlying exposures.

Besides the general principle stated above, supervisors expect banks to only execute clean-up calls for economic business purposes, such as when the cost of servicing the outstanding credit exposures exceeds the benefits of servicing the underlying credit exposures.

Subject to national discretion, supervisory authorities may require a review prior to the bank exercising a call which can be expected to include consideration of:

The supervisory authority may also require the bank to enter into a follow-up transaction, if necessary, depending on the bank’s overall risk profile, and existing market conditions.

Date-related calls should be set at a date no earlier than the duration or the weighted average life of the underlying securitisation exposures. Accordingly, supervisory authorities may require a minimum period to elapse before the first possible call date can be set, given, for instance, the existence of up-front sunk costs of a capital market securitisation transaction.

Supervisors should review how banks internally measure, monitor and manage risks associated with securitisations of revolving credit facilities, including an assessment of the risk and likelihood of early amortisation of such transactions. At a minimum, supervisors should ensure that banks have implemented reasonable methods for allocating economic capital against the economic substance of the credit risk arising from revolving securitisations and should expect banks to have adequate capital and liquidity contingency plans that evaluate the probability of an early amortisation occurring and address the implications of both scheduled and early amortisation.

Because most early amortisation triggers are tied to excess spread levels, the factors affecting these levels should be well understood, monitored and managed to the extent possible (see SRP32.44 to SRP32.48 on implicit support) by the originating bank. For example, the following factors affecting excess spread should generally be considered:

Banks should consider the effects that changes in portfolio management or business strategies may have on the levels of excess spread and on the likelihood of an early amortisation event. For example, marketing strategies or underwriting changes that result in lower finance charges or higher charge-offs might also lower excess spread levels and increase the likelihood of an early amortisation event.

Banks should use techniques such as static pool cash collection analyses and stress tests to better understand pool performance. These techniques can highlight adverse trends or potential adverse impacts. Banks should have policies in place to respond promptly to adverse or unanticipated changes. Supervisors will take appropriate action where they do not consider these policies adequate. Such action may include, but is not limited to, directing a bank to obtain a dedicated liquidity line or increasing the bank’s capital requirements.

Supervisors expect that the sophistication of a bank’s system in monitoring the likelihood and risks of an early amortisation event will be commensurate with the size and complexity of the bank’s securitisation activities that involve early amortisation provisions.