Response to consultation on Regulatory Technical Standards on operational risk loss
Question 1: Do you think that the granularity of and the distinction between the different Level 2 categories is clear enough? If not, please provide a rationale.
The EBA is to be commended in addressing the complex topic of risk classification. However, given the complexity of the topic, a two-level structure is insufficiently granular to provide clear insight into the full range of operational risk (taken here to incorporate the full spectrum of the so-called "non-financial risks" and inclusive of the risk of non-compliance).
There is a fundamental issue in retaining the 7 level 1 categories originally introduced under Basel II: for example, while "pure" Internal Fraud and "pure" External Fraud are obviously different things, they fail to address collusive fraudulent acts - while an argument may be made that of the insider is dominant, use internal fraud or conversely, if the outsider is dominant, use external fraud, this remains a very grey area. Similarly when looking at Damage to Physical Assets and at Business Disruption and Systems Failure - a natural disaster inevitably results in business disruption, an accident has both business disruption and employee relations issues.
Explicitly, there are two fundamental inaccuracies with the proposed level 2s: under Clients, Products and Business Practices, a level 2 of Model/Methodology Error introduces errors into what has always been considered the conduct or practice pillar of the taxonomy, while under Execution, Delivery and Process Management, a level 2 of Improper Distribution/Marketing introduces conduct/practice into what has always been considered errors and mistakes. It is also of concern that there is no explicit recognition of non-compliance risks under Clients, Products and Business Practices at level 2.
Overall, the EBA might be better served starting with an alternate level 1 structure, such as Errors and Omissions, Business Disruption, Fraud and Theft, and Conduct and Business Practices, then build outwards from this starting point.
Question 2: Do you perceive the attribute “greenwashing risk” as an operational risk or as a reputational risk event? Please elaborate.
Firstly, there is no such thing as "reputational risk". There is only reputational consequences arising from other risk types. Reputation takes a long time and significant effort to create, mould and maintain, but can be destroyed in an instant by any risk event, a significant credit loss, a market loss or any of the operational risk categories.
With regard to greenwashing risk (and more recently, "AI washing"), there are two aspects to consider - the first is a deliberate act to create perceptions that are not reality, such as in the composition of an investment portfolio, a firm's strategy and actions, the nature of a product, etc., while the second has the same outcome, but is not deliberate, being accidental or an error. In both cases, these are classic operational risks and should be included as such.
Question 3: To which Level 1 event types and/or Level 2 categories would you map greenwashing losses? Please provide a rationale.
Building off what is stated above, where greenwashing is intentional, it should be included under Clients, Products and Business Practices (or alternately, under Conduct and Business Practices per our response to Question 1) and where accidental, it should be included under Execution, Delivery and Process Management (or alternately, under Errors and Omissions per our response to Question 1).
Question 4: Is “Environmental – transition risk” an operational risk event? If yes, to which Level 2 categories should it be mapped? Please provide a rationale.
We suggest that transition risk is an operational risk and should be included under Clients, Products and Business Practices (or alternately, under Conduct and Business Practices per our response to Question 1). The rationale is based on a firm either failing (non-compliance) to adopt appropriate practices or adopting unsuitable practices in regard to environmental risk.
Question 5: Which of these attributes do you think would be the most difficult to identify? Please elaborate.
In terms of the "attributes", we see these as a disparate mix of attributes which do not have an explicit structure and which would in many cases, replicate lower levels (level 3, level 4 or level 5) risk categories under the proposed level 2's. We would advocate revising the proposed suite and having three (3) explicit groups: the first group should address size, frequency of occurrence, bulked events (the practice of grouping very large numbers of very small losses) and impact, covering the first three attributes provided, but extended to cover additional aspects as listed previously; the second group should be used to identify events which have strong correlation to other primary risk types, so credit risk, market risk, liquidity risk, business risk, strategic risk and insurance (peril) risk - note that environmental risk may also be included here if there is no appetite for including it under the operational risk category; the third grouping of attributes could address an alternate view on the risks, either using a causal structure or a thematic structure.
The inclusion of the so-called "business lines" as attributes will further obscure reality for several reasons: the Basel II business line structure is widely accepted as being incomplete, not catering for aspects such as financial exchanges, private banking, financial infrastructure provision, etc.; it is not mutually exclusive - how do you classify an event which equally affects retail banking and commercial banking or which affects trading and sales, asset management and retail brokerage, etc.; different entities will divide their business differently, with significant differences in the way firms look at their business between those with US head-offices to those primarily based in Europe. We would strongly suggest that events should include information on the business line and process/activity/function type where the event originated and was detected, rather than simply addressing a complex aspect through a few flags.
Question 6: Do you agree with the inclusion of the attribute “Large loss event”? If not, please elaborate.
Is this attribute actually necessary and will it actually provide beneficial information? The concept of "large" is also highly subjective, both across firms and within firms. For example, what is considered "large" in retail banking terms is usually considered insignificant in asset management or trading and sales terms. A small or medium firm will view "large" differently to a large, internationally active firm. The use of amount-based filters allows a data set to be filtered accordingly to how the user views "large".
In a similar vein, the "ten largest loss events" filter is redundant, as industry experience shows how these categories change over time. This attribute could be dropped and replaced by a filter at a specific point in time or for a selected time period.
Question 7: Do you think that the granularity the proposed list of attributes is clear enough? Would you suggest any additional relevant attribute? Please elaborate your rationale.
As per our response to question 5, we would strongly advocate the inclusion of explicit causal and thematic classification structure to augment the risk classification structure. These would provide additional granular capability which would facilitate far greater insight into the event set under consideration.
Question 8: Would it be disproportionate to also map the three years preceding the entry into force of these Draft RTS to Level 2 categories? If yes, what would be the main challenges?
No, it should not be. Most firms already use a more granular structure for event risk classification and should be able to map their classification structure to the proposed structure. Certainly firms that participate in loss data consortia such as GOLD and ORX already do so on a quarterly basis anyway.
Question 9: Is the length of the waivers (three years and one year) for institutions that, post merger or acquisition fall into the EUR 750 million – EUR 1 billion band for the business indicator, sufficient to set up the calculation of the operational risk loss following a merger or acquisition? If not, please provide a rationale.
No opinion.
Question 10: Are there other cases where it should be considered to be unduly burdensome for institutions to calculate the annual operational risk loss?
No opinion.
Question 11: Which of the provisions of Article 317(7), as developed by the draft RTS on the development of the risk taxonomy, and Article 318 of the CRR would be most difficult to implement after a merger or acquisition for the reporting entity? Please elaborate.
No opinion.
Question 12: In your experience, would the provisions of this article apply to most mergers and acquisitions, or would data usually be promptly implemented in the loss data set of the reporting institution?
No opinion.
Question 13: Are there other adjustments that should be considered in these draft RTS? If yes, please elaborate.
No opinion.