Response to consultation on Regulatory Technical Standards on operational risk loss


Question 1: Do you think that the granularity of and the distinction between the different Level 2 categories is clear enough? If not, please provide a rationale.

FOR GENERAL COMMENTS PLEASE REFER TO THE FIRST PART OF THE ATTACHED DOCUMENT.


We would like to underline two fundamental issues.

A) The new taxonomy is characterised not only by a greater granularity of event types but also by a more pervasive review, which sometimes leads to the migration of event types belonging to one Level 1 category to another.  

Indeed, even if the Consultation Paper reports that the event classification should not have been modified at Level 1, a few inconsistencies appear between certain Level 2 categories and the current Level 1. The main cases identified are listed below:

  • Within the Internal Fraud category, the ET 1.6 classification concerns malicious physical damage to internal parties and malicious destruction of physical assets of the institution or of public assets for which the institution is liable that banks currently include in ET5. 
  • The distinction between IT failures related and not related to the management of transactions is not adequately described, nor is the rationale underlying the decision to map the former within ET 7 and the latter within ET 6. This split of the Level 2 category between ET 6 and ET 7 is not consistent with the current Level 1 ET 6, Business disruption and system failure, which includes both cases – related and not related to the management of transactions. Consequently, it would be hard to re-allocate those events to two different Level 2 categories, even considering potential additional details requested by the EBA, without a consequent change also in the Level 1 categories ET 6 and ET 7, especially when we consider that almost all IT failures could have an impact on the management of transactions. 
  • Level 2 categories Cyber attack and Data theft and manipulation are reported only in the Level 1 category External Fraud. No specific mention is reported for Level 1 category Internal Fraud, so cyber attacks perpetrated by internal parties appear to be classified among the new Level 2 categories, therefore potential changes in the Level 1 loss distribution could occur.
  • Level 2 category 7.5 Improper distribution / marketing seems to include improper direct marketing practices, which are potentially allocated at present to Level 1 category ET 4, since it could overlap with the categories “Client mistreatment / failure to fulfill duties to customer” and “Improper market practices, product and service design or licensing”. If improper market practices were to be classified among two new Level 2 categories, potential changes to the Level 1 loss distribution could occur.
  • The distinction between Level 2 category “Model Implementation and Use” and “Model/Methodology Design Error” leads to an overlap between ET4 and ET7. If errors in models are to be classified among these two new Level 2 categories, potential changes to the Level 1 loss distribution could occur. On account of this, we propose either eliminating the "Model Implementation and Use" category from ET7 or including it in ET4.
  • The distinction between the Level 2 category “Rights/obligation failures in the preparation phase” and “Rights/obligation failures in the execution phase” has to be better detailed in order to properly understand the type of events that should be included in Level 2 category ET4. Based on our understanding, the definition of the Level 2 category "Rights/obligation failures in the preparation phase" includes all execution errors, consequently, those events mapped in this Level 2 category could cause potential changes in the Level 1 ET. On account of this, we propose eliminating the "Rights/obligation failures in the preparation phase" category from ET4 and renaming the Level 2 category in ET7 “Rights/obligation failures”, which includes failures in both the preparation and execution phases, consistently with the current taxonomy.
  • The Level 2 category "Inadequate business continuity planning/event management" reported in the ET 6 of the proposed taxonomy seems to also cover, for example, execution errors caused by a missing or poor disaster recovery plan or business continuity plan. So, additional details should be provided in order to better understand whether potential events, currently classified in other ETs (e.g. ET7), should be re-mapped in this Level 2 category, resulting in a potential change in the Level 1 category distribution.
  • The Level 2 category "Processing / execution failures" definition[1] reports, as an example, the case of change programmes: with reference to this, it should be clarified whether events due to IT changes, which are currently regarded as IT failures and allocated to the Level 1 ET6, are to be allocated to this Level 2 category. If so, a potential inconsistency could occur for the Level 1 Event Type, since those events linked to change programmes would have to be re-allocated from ET6 to ET7.
  • Regarding third-party management, as of today, events caused by third parties are regarded as if they were caused by the institution itself and, consequently, classified on the basis of what happened rather than the fact that they were caused by a third party, possibly due to poor due diligence in selecting the third party. For example, "third party violating applicable regulations or legal requirements when performing services for the institution" is currently recorded under ET4, while in the CP this case is indicated as an example to be recorded under Level 2 category "Third-party management failures" within ET7, resulting in a re-mapping of these event types also within the Level 1 ET.
  • According to the proposed taxonomy, the Level 2 category “Regulatory and Tax Authorities, including reporting (also to Tax Authorities)” represents a residual event type among which events not captured through other Level 2 categories are to be mapped. Based on this definition, it appears that certain events currently classified in other Level 1 ETs should be re-mapped to this Level 2 category; for example, potential losses due to lack of disclosure of the political role of a Board member, currently classified under ET4 as “Improper Business or Market Practices”, would be re-mapped to this residual proposed Level 2 category, resulting in a change in the Level 1 ET (from ET 4 to ET 7).  

B) In our opinion the guidelines provided for classifying events according to the new taxonomy are not sufficiently clear for various reasons, the main ones being listed below.

Additional information/details could also be useful for managing potential inconsistencies summarised in point A.

  • The proposed categories do not appear to be MECE, since some of them are mainly cause-driven (e.g. Business Disruption and System Failures, Third-party management failures) while others are more effect-driven (Data privacy breach, Third-party fraud, IT failures related to management of transactions) and it’s not clear which aspect should prevail in case of an event falling under both situations. For example, if a malpractice action is carried out by a third party to which the bank has outsourced a service, it is unclear whether the event should be classified under “Client mistreatment” or “Third-party management failures”, especially because it is difficult to distinguish between events caused by third-party errors and those resulting from inadequate due diligence by the bank towards third parties. 
  • The definition provided for the “Rights/obligation failures in the preparation phase (4.5)” and “Rights/obligation failures in the execution phase (7.3)” categories is the same, therefore the difference between them is not clear.
  • The distinction between improper market practices, product and service design or licensing and improper distribution/marketing is not adequately described, nor is the rationale underlying the decision to map the former within ET 4 and the latter within ET 7.
  • Moreover, the detail of Level 2 categories seems to be significantly inconsistent across event types, i.e. extreme detail is proposed for classifying internal frauds, events related to financial crime risk and IT failures, while other categories (e.g. improper market practices, product and service design or licensing, inadequate business continuity planning/event management) are wide in scope and include a variety of cases which can be ascribed to heterogeneous reasons/causes.
  • Regarding the term “fraud”, it should be clarified whether bank robberies and ATM thefts/burglaries should be included and in which category they should be classified.

Some examples of events, which are not immediately classifiable, include:

- Branch robbery

- ATM/safety box break-ins

- Theft in branches (branches, centres, general offices, etc.)

- Theft from security vans

- Theft/fraud with means of payment (cards, cheques, counterfeit banknotes, etc.)


  • On External fraud: 

1. The definition of Level 2 “second-party” and “third-party” frauds requires some additional clarifications. 

In addition, following the proposed text, second-party fraud occurs when the fraudster has an agreement with the colluded client and third-party fraud occurs if the fraudster does not have an agreement: it might be difficult to identify for each fraud whether the fraudster agreed with the client (second-party fraud) or not (third-party fraud). 

2. The Level 2 “Data theft and manipulation” category includes cyber attacks with data being stolen or manipulated. It is unclear what kind of operational risk events will then be mapped to the “cyber attacks” category.

  • In relation to the definition of the second-level Event Type and its attributes, a few more detailed definitions and examples of operational events should be included in those categories, since the distinction between certain second-level categories is not always clear.
  • On Clients, Products & Business Practices & Internal Fraud:

The Level 2 “Insider Trading on the institution's account” (ET4) and “Insider Trading not on the institution's account” (ET 1) categories might need a review as to their name/definition so that they can be more clearly split.



[1] “Failure to process, manage and execute transactions and/or other processes (such as change programmes) correctly and/or appropriately”

Question 2: Do you perceive the attribute “greenwashing risk” as an operational risk or as a reputational risk event? Please elaborate.


We deem that greenwashing risk lies in between operational risk and reputational risk: it falls within the scope of operational risk for the part related to the economic consequences that could impact the institution (e.g. sanctions, litigation, complaints, for example linked to misadvising) but is relevant to reputational risk as well, in light of the possible impacts in terms of damage to the corporate image (for example, due to media coverage of certain events), which are difficult to quantify. 


As for other OR events, the OR effects represent only a sub-set of the broader category relating to reputational and/or strategic risk. 

Question 3: To which Level 1 event types and/or Level 2 categories would you map greenwashing losses? Please provide a rationale.

See Q4.

Question 4: Is “Environmental – transition risk” an operational risk event? If yes, to which Level 2 categories should it be mapped? Please provide a rationale.

  • We agree that transition risk generates OR losses (but, as mentioned above, it might also be linked to strategic risk), therefore we agree with the proposed flag (please bear in mind that in the Annex there is no break-down into transition risk and physical risk as in the diagram in §20). 
  • Despite this specific phenomenon being in its early stages, in future fines, claims and client complaints could be linked to the EU sustainable finance legislative and regulatory framework (encompassing greenwashing). For these reasons, we could consider the possibility of flagging an event in ET 4 as linked to the bank’s own transition risk. ET1 and ET7 could also be considered, depending on the specific nature of the transition risk event.

Question 5: Which of these attributes do you think would be the most difficult to identify? Please elaborate.

We believe that the most difficult attributes to identify are:

  • Environmental risk – physical risk, due to the impossibility of distinguishing whether a natural disaster (such as heavy rain, hailstorm, flood, etc.) is due to climate change or if its occurrence is not attributable to climate change.
  • Governance risk, on account of the fact that similar events could produce their effects after a significant time and it could be complicated to ascribe the root cause to poor governance at the time of their occurrence.
  • Greenwashing.


Moreover, we feel there has been poor guidance with regard to other flags:

  • Pending loss: are banks expected to flag this field if at least one of the effects associated with an event still constitutes a pending loss (even if it represents the less relevant part of the total amount)? How should banks manage the fact that, sooner or later, pending loss effects will terminate (thanks to their recovery/discharge, or because an actual loss will be recorded should recovery be impossible)? 
  • Credit Risk: its definition seems to differ significantly from the meaning of “Credit Risk boundary” under the regulation in force so far. The latter in fact requires flagging as credit risk boundary those losses caused by an operational event whose economic consequences are included in the credit risk RWA calculation. On the contrary, the new definition requires flagging as credit risk boundary those losses which are in a sense related to credit granting/monitoring, but which are not considered in the credit risk RWA calculation. The reasons behind the change are not clear and the examples provided are deemed not exhaustive for clarifying when banks are required to fill it in (e.g. are cases such as salary-backed loans, loan processing fees and bankruptcy repeals to be flagged as credit risk-related according to the new definition?).


Legal risk should require an additional definition: 

1. Legal costs are included in the event along with the other manifestations. Must all events with a legal cost or a provision be flagged as legal risk (and therefore the entire amount relating to the event)?

2. Does “legal risk” mean: (i) events related to legal disputes and also, for example, (ii) events related to penalties (that may also be challenged in/out of court), complaints and events/expenses for avoiding legal disputes?


Third-party risk: the “Third Party” attribute would need more detailed information: will the “third-party risk” attribute be automatically applied to all Level 2 “third-party frauds”, even if, from the description, this Level 2 category includes frauds enacted by people outside the organisation (not just providers)? This could lead to a misunderstanding with regard to “Third Party” assessments, with the risk being taken as relating to outsourcers/service providers. 

Question 6: Do you agree with the inclusion of the attribute “Large loss event”? If not, please elaborate.

We believe that such an attribute could be useful in theory but very difficult to implement and, above all, to maintain and update, taking into account that:

  • the amount of an event evolves over time until its conclusion and, therefore, it could end up having an average annual loss over the last ten years for a certain period of time and drop below such a threshold as a consequence of the rolling of the reference time frame or thanks to the release of the related provision;


It is unclear at which moment banks are supposed to flag this field and update it.


The same comments also apply to the field “Ten largest loss events”, whose population suffers from the same problems highlighted with reference to the “Large loss event”.


After having better defined the criteria for “Large losses” and “Top ten”, these could be the result of a reporting calculation rather than an event attribute.

Question 7: Do you think that the granularity of the proposed list of attributes is clear enough? Would you suggest any additional relevant attribute? Please elaborate your rationale.


The granularity of the attributes is excessive and, in some cases, difficult to apply for loss detection. This could result in a failure to populate certain attributes.

Should all the attributes remain, as described also in the answers provided to questions 5 and 6, we suggest providing additional information for all attributes, in order to: 

  • better distinguish the attributes for level 2 ETs; 
  • completely clarify each flag;
  • know how to fill the flags out and whether they should be tracked with “yes” or “no”; 
  • know whether the flags should be filled out only for reported events starting from 01/01/2025, given that it’s almost impossible to attribute those flags to past events.


Question 8: Would it be disproportionate to also map the three years preceding the entry into force of these Draft RTS to Level 2 categories? If yes, what would be the main challenges?

The proposed modification to the event type taxonomy is perceived as disruptive at both Level 1 and Level 2 given the different rationale underlying the current and proposed classification (please refer to the answer to Question 1). 

In light of this, in several cases the requested re-mapping to Level 1 of losses related to the previous ten years will imply a huge effort and costs for banks which, in re-evaluating each loss event case by case, could re-map even to Level 2.

Moreover, we deem that it is not clear how banks are required to identify the events relating to the previous ten/three years in order to define the perimeter of events to be re-mapped (namely, an event registered more than ten/three years ago could still be open if it refers to a legal case not yet closed and, therefore, would have to be re-mapped to the new taxonomy even if it dates back more than ten/three years). We request that in the final RTS the first accounting date be the one considered for identifying events relating to the previous ten/three years. In addition, the request to apply this new regulation to losses above the €20k threshold doesn’t seem to be applicable, because an event could remain under such a threshold for a certain period of time and then increase above €20k, in which case it would have to be re-classified according to the new taxonomy.

Given the above, we believe that banks need a longer period of time in order to fulfil the new obligations related to the event type classification, especially as far as the re-mapping of past events is concerned, and further clarifications are deemed crucial to ensure a consistent application of new categories across the whole banking sector.

Question 11: Which of the provisions of Article 317(7), as developed by the draft RTS on the development of the risk taxonomy, and Article 318 of the CRR would be most difficult to implement after a merger or acquisition for the reporting entity? Please elaborate.

It depends on whether the acquired entity already has in place a loss data collection process aligned with the new event type and risk taxonomies. If the entity was not required to fulfil such new obligations, the collection of ALL the requested attributes could require a huge effort to implement on a retroactive basis.

In addition, the CP requires that, if the merged or acquired entity uses a currency different from that used by the acquiring institution, the exchange rate at the end of the relevant year for each of the ten-year windows should be applied to losses stemming from merged or acquired entities and included in the loss data set.

The application of this requirement could cause a potential misalignment in the management of operational losses of the acquired/merged entity and an inconsistency with the rules already applied by the acquiring institution for managing events collected in that currency. For example, a completely different exchange rate could be applied to potential impacts occurring in different years, resulting in a potential inconsistency with the event amounts. Our proposal is to leave the institutions the choice of defining the right exchange rate that could be applied to losses originally collected in different currencies. 


Question 12: In your experience, would the provisions of this article apply to most mergers and acquisitions, or would data usually be promptly implemented in the loss data set of the reporting institution?

Yes, and also see the answer provided to Question 11.

Question 13: Are there other adjustments that should be considered in these draft RTS? If yes, please elaborate.

We’ve noticed an inconsistency in the proposed matrix between event types and risks. The mandatory value “Yes” imposed in the cell referred to Third-party fraud and Third-party risk is not correct because third-party fraud does not necessarily imply that the event occurred with the involvement of a service provider/sub-contractor. Therefore, this cell should be left blank and filled in with “Yes” or “No” depending on the single case.


A single taxonomy that goes beyond event types and focuses on non-financial risks would allow a common representation of phenomena / risks across different activities, such as reporting, monitoring and assessment. For example, the Level 1 and 2 Basel event types proposed in the paper both differ from (i) the EBA taxonomy defined for IT risk and (ii) the risk taxonomies developed / reviewed according to regulator requests for ICAAP purposes. 



Name of the organization

ABI - ITALIAN BANKING ASSOCIATION