Response to consultation on Regulatory Technical Standards on operational risk loss
Question 1: Do you think that the granularity of and the distinction between the different Level 2 categories is clear enough? If not, please provide a rationale.
Key findings
Members identified several challenges with the proposed event type structure.
• Changing Level 2 causes distortions at Level 1
By significantly modifying the Level 2 event types compared to Basel II, some inconsistencies have been generated at Level 1 in the proposal. For example, in Basel II, IT failures are classified under Business Disruption and System Failures (BDSF), irrespective of whether they are related to management of transactions or not. In this proposal, those related to management of transactions should be classified as Execution, Delivery & Process Management (EDPM). This means that the scope of historic events in BDSF would be different from the scope of future events in BDSF under this proposal.
• Inconsistent level of scope between Level 2 categories
The relative scope of Level 2 categories seems to be inconsistent. For example, there is a high level of detail for some Level 2 categories such as internal frauds, financial crime risk and IT failures, when compared with a very wide-ranging category such as ‘Improper market practices, product and service design or licensing’.
• Some firms think proposed Level 2 event types are too granular for regulatory reporting purposes
The proposed event taxonomy is perceived to be too granular for regulatory reporting purposes. The more granular the taxonomy, the less precise the mapping would be from a firm’s internal risk taxonomy to the proposed taxonomy. Narrow categories may give the false impression of accurate, precise data, leading to a false sense of security in the loss data. Additionally, a more granular taxonomy is less flexible, which may require more frequent updates. Potential future events may not fit easily into a more rigidly designed and more granular taxonomy. This may lead to a requirement to regularly change the taxonomy in future, leading to an increased impact on organisations and less stability in the categorisation of events and continuity of reporting. Granularity can be valuable, but for more granular taxonomies to be implemented successfully, strong guidance is needed. This can provide firms with the confidence that they are recording events in a consistent manner across the firm or between different firms.
In addition, the current proposed granularity may require firms to change their own taxonomies, creating a significant impact at a global level (as many processes are dependent on the taxonomy).
• Some proposed event types require knowledge of intentionality
Distinguishing between intentional and accidental breaches of money laundering or sanctions rules requires knowledge that risk managers likely will not have at the time of recording the event, and potentially will never be able to judge. Although the Basel II event type taxonomy does have a notion of intentionality with the ‘Intentional mismarking of positions’ Level 3 event type under Internal fraud/Unauthorised activity, the proposed taxonomy takes this concept much further than concealing unauthorised trading activity.
Additional information requirements
Granularity challenges
• The EBA's proposed taxonomy is significantly more granular at Level 2 than Basel II. For members whose internal taxonomy is mapped to BCBS up to Level 2 (but not at Level 3 activities), mapping is challenging. This difficulty is compounded by areas where BCBS and EBA Level 2 taxonomies are difficult to align.
IT failures
• Several firms specifically said that they disagreed with splitting IT failures between those related or not related to the management of transactions. This would lead to IT failures being captured across separate Level 1 event types. Some members were unclear about what ‘…related to the management of transactions…’ means, and which events would be included or excluded here.
• Two thirds of respondents said that they would classify IT failures under BDSF rather than splitting between EDPM and BDSF as outlined in this proposal.
Intentionality
• Similarly, some risk types such as financial crime compliance have been split between various Level 1 Basel categories (either Internal Fraud or Clients, Products & Business Practices (CPBP)), based on intentionality.
• For Sanctions and Money Laundering Breaches, 24% of respondents* make a distinction between ‘accidental’ and ‘intentional’ breaches. 76% do not make such a distinction in their current practices. Members have commented that they would only have information about intentionality very rarely. Some members would see an intentional sanctions breach as an internal fraud against the firm (as in the EBA proposal).
Fraud and cyber
• Cyber events are only included in the proposed taxonomy as a subset of Fraud, separate from Data Management, which means that events relating to cyber data theft may not all be easily reported. One way of addressing this may be the addition of a ‘Cyber’ attribute.
• 83% of respondents do not capture Second Party Fraud in their loss data collection. Capturing relevant second party fraud events would therefore require significant effort.
*that are wholly or partially regulated by the EBA
Question 2: Do you perceive the attribute “greenwashing risk” as an operational risk or as a reputational risk event? Please elaborate.
Key findings
The great majority of firms see ‘greenwashing risk’ as being both an operational and a reputational risk. 88% of respondents placed greenwashing in both categories. To note, the ORX Cause and Impact Taxonomy includes reputation as an impact channel, allowing firms to track both financial and non-financial impacts of an event.
Additional information requirements
A common rationale for this treatment is that the impacts of greenwashing events could comprise economic impacts such as litigation, which would fall under the scope of operational risk, but also reputational risk for the firm. This could take the form of damage to corporate image due to the litigation for example.
Question 3: To which Level 1 event types and/or Level 2 categories would you map greenwashing losses? Please provide a rationale.
Key findings
ORX members would primarily map greenwashing risk to CPBP at Level 1, and into ‘Improper market practices, product and service design or licensing’ at Level 2. One member would map greenwashing losses to a ‘Climate risk’ category in their internal operational risk event taxonomy.
Question 4: Is “Environmental – transition risk” an operational risk event? If yes, to which Level 2 categories should it be mapped? Please provide a rationale.
Key findings
There is a range of views amongst ORX member firms. A majority see Environmental – transition risk as being a driver of other operational risk events, rather than an event type itself. Where transition risk is seen as a driver, it can be mapped to a number of Level 2 categories. The most frequently cited are:
• Sale Service Failure.
• Improper Market Practices, Product and Service Design or Licensing.
• Level 2 risks under Execution, Delivery and Process Management.
• Inadequate Workplace Safety.
Additional information requirements
• Some firms see ‘Environmental risks’ as a driver of other risks, rather than a risk in itself.
• Some firms have responded that Environmental – transition risk can be considered strategic risk.
• Some firms have a dedicated ‘Climate Risk’ risk type which is where they would map Environmental – transition risk.
Question 5: Which of these attributes do you think would be the most difficult to identify? Please elaborate.
Key findings
Member firms have identified Environmental, Social and Governance (ESG) risks and Legal risks as being the most difficult to identify. Half of firms said Social risk would be difficult to identify. One third of firms said that Credit risk and Pending losses would also be difficult to identify. In contrast, all firms would be able to identify Market risk events.
Additional information requirements
Rationale for difficulty in identifying
Legal risk – misconduct/Legal risk – Other than misconduct
• Possible confidentiality issues in flagging events as relating to misconduct.
• Current procedures in some firms make no distinction between the ‘Legal – Misconduct’ and ‘Legal - Other than misconduct’ categories.
• The identification would depend on the definition. For example: (1) legal costs are included in the event with the other manifestations; would all events with a legal cost or a provision be flagged as legal risk (so the whole amount of the event)? (2) Does legal risk mean (i) events related to legal disputes, or (ii) does it also include events related to, e.g., sanctions (that may also be challenged in or out of court), complaints, and events/expenses to avoid legal disputes?
• The distinction is highly dependent on how misconduct is defined.
Greenwashing risk
• Common feedback was that it is not clear what risks would be included here, with some firms seeing this as a buzzword and not adding value to risk management practices.
• One firm said that they could only imagine this applying to legal cases that specifically mention greenwashing.
Environmental, Social and Governance risks
• Social is a very broad category and needs careful definition.
• Social and Governance risks are not currently split out within the ESG risk bucket in some firms’ loss recording.
• Governance: there could be a significant delay between event occurrence and identification/reporting, and tracing back the originating cause to governance may be difficult with a large time lag.
Credit risk (where not included in RWA on credit risk)
Some banks do not understand what they would report here. For example:
• If an event is not included in Credit Risk Weighted Assets (RWA), it is considered pure OpRisk.
• Several members commented that this flag could never be used because each fraud case related to credit risk leads to a default. As each default is considered in the credit risk RWA as per definition, there should be no gap.
Pending losses
• Some firms made the point that material Pending losses are not common. If an item booked to a suspense account is confirmed to be an operational risk loss it would be treated the same as any other event.
• It would be challenging to identify all pending losses within the organisation that relate to an operational risk event.
• One firm commented that a pending loss is not a flag (it is a temporary situation), and therefore a pending loss may be reported one quarter and then removed from the loss dataset next quarter if the event is resolved (e.g. in the case of a rapid recovery over a reporting quarter-end, where the discrepancy is initially posted to a suspense account).
Question 6: Do you agree with the inclusion of the attribute “Large loss event”? If not, please elaborate.
Key findings
Members were fairly evenly split in favour (46%) or against (54%) the inclusion of this attribute. In both cases members noted that the threshold for this attribute would change as the bank’s average annual loss amount changed year-to-year.
A common piece of feedback was that firms did not see the value added by the flag, given that the attribute is effectively a filter applied to the current dataset. Therefore the ‘Large loss event’ attribution could be dynamically calculated in real time, rather than being applied at the time of loss recording.
Question 7: Do you think that the granularity of the proposed list of attributes is clear enough? Would you suggest any additional relevant attribute? Please elaborate your rationale.
Key findings
The proposed granularity of attributes is detailed, and those responsible for event reporting would need training to be able to identify the attributes consistently. Many ORX member firms have commented that they do not understand the supervisory purpose for collecting this detailed attribute information.
A slight majority of EBA-regulated members (55% in favour) would support the inclusion of an additional Cyber attribute. There was much less support for the inclusion of a Resilience attribute (30% in favour).
Question 8: Would it be disproportionate to also map the three years preceding the entry into force of these Draft RTS to Level 2 categories? If yes, what would be the main challenges?
Key findings
A majority of members (70%) see mapping three years of loss history to the proposed Level 2 categories as being a disproportionate effort for unclear benefits.
Additional information requirements
For members that see the mapping of loss history as disproportionate, key reasons given include:
• There would be significant manual mapping required where there is not a simple one-to-one translation available from the firm’s own internal taxonomy. This would require a manual review of historic incident data. In addition, there would be system changes required.
• The accuracy of historically mapped events would be questionable.
• Some members do not see the value in the exercise for their internal risk management. There is also a lack of clarity about how the EBA would use this data.
• There is also some confusion over the time requirement for historic mappings, with some members seeing the requirement as mapping back 3 years, whilst others see the requirement as 10 + 3 years.
Question 9: Is the length of the waivers (three years and one year) for institutions that, post merger or acquisition fall into the EUR 750 million – EUR 1 billion band for the business indicator, sufficient to set up the calculation of the operational risk loss following a merger or acquisition? If not, please provide a rationale.
Key findings
For most ORX members, this question is not applicable as their Business Indicator will be above the EUR 750 million – EUR 1 billion band.
One member commented that a calculation of the operational risk loss may be achievable after a three-year waiver, whereas a one-year waiver would not give sufficient time.
Question 10: Are there other cases where it should be considered to be unduly burdensome for institutions to calculate the annual operational risk loss?
Key findings
For over 90% of respondents, there are no other cases where it is unduly burdensome to calculate the annual operational risk loss.
Additional information requirements
One case where it might be burdensome is when an institution acquires a loan portfolio (asset purchase). It would be impossible to obtain the historical Business Indicator (BI) for the acquired part, and thus the adjustment methodology cannot be used. This type of activity should be included in the BI and loss dataset on a prospective basis (post-acquisition completion date), and no adjustment should be made to account for the pre-acquisition period.
Question 11: Which of the provisions of Article 317(7), as developed by the draft RTS on the development of the risk taxonomy, and Article 318 of the CRR would be most difficult to implement after a merger or acquisition for the reporting entity? Please elaborate.
Key findings
For members that saw this question as applicable to their firms, any combined reporting after a merger would be most difficult to implement if the entity being merged with does not have good quality loss data for the required time period.
Additional information requirements
Specific additional challenges reported include:
• Data migration challenges.
• Adjusting the loss data set due to differences in currency between the acquired and acquiring institution.
• Adjusting the loss data set due to differences in event taxonomy pre-merger.
• Pre-merger loss threshold differences.
• Article 318 requirements on the calculation of net and gross loss are exceedingly detailed and specific, making it difficult to implement them and to comply with confidence for the risk event dataset of a merged or acquired entity.
• Combining common events across the two data sets, such as pandemic, widespread conduct events etc.
Question 12: In your experience, would the provisions of this article apply to most mergers and acquisitions, or would data usually be promptly implemented in the loss data set of the reporting institution?
Key findings
All members provided very similar feedback here. The ability of a firm to implement the provisions of the article depends on the acquired entity already having in place a loss data collection process aligned with the new proposed EBA event type and risk taxonomies. If the acquired entity did not have this data, the collection of ALL the requested attributes could require material effort to be put in place on a retroactive basis.
Question 13: Are there other adjustments that should be considered in these draft RTS? If yes, please elaborate.
Key findings
Whereas members are supportive of the move to update the Basel Event Types, we received strong feedback from member firms that they would like regulators to look to harmonise and standardise regulatory taxonomies. Although this wider perspective is outside the scope of the draft Regulatory Technical Standard (RTS), it is valuable. A harmonised taxonomy prescribed by regulators, as per the Basel Event Types, drives efficiency and also accuracy and comparability between different legal entities in the same company or group.
Additional information requirements
Strong appetite for international regulatory harmonisation
• 88% of responses either agree or strongly agree that there should be a broader conversation amongst regulators around the world to drive consistency in operational risk event taxonomies.
Other points noted by members
• The RTS should consider activities where a bank acquires an entity which did not maintain an operational risk loss dataset (e.g. a non-deposit-taking institution) and provide guidance on how the annual average loss should be adjusted.