(a) Process and systems requirements.
(1) An FDIC-supervised institution must have a rigorous process for assessing its overall capital adequacy in relation to its risk profile and a comprehensive strategy for maintaining an appropriate level of capital.
(2) The systems and processes used by an FDIC-supervised institution for risk-based capital purposes under this subpart must be consistent with the FDIC-supervised institution's internal risk management processes and management information reporting systems.
(3) Each FDIC-supervised institution must have an appropriate infrastructure with risk measurement and management processes that meet the qualification requirements of this section and are appropriate given the FDIC-supervised institution's size and level of complexity. Regardless of whether the systems and models that generate the risk parameters necessary for calculating an FDIC-supervised institution's risk-based capital requirements are located at any affiliate of the FDIC-supervised institution, the FDIC-supervised institution itself must ensure that the risk parameters and reference data used to determine its risk-based capital requirements are representative of long run experience with respect to its own credit risk and operational risk exposures.
(b) Risk rating and segmentation systems for wholesale and retail exposures.
(1)
(i) An FDIC-supervised institution must have an internal risk rating and segmentation system that accurately, reliably, and meaningfully differentiates among degrees of credit risk for the FDIC-supervised institution's wholesale and retail exposures. When assigning an internal risk rating, an FDIC-supervised institution may consider a third-party assessment of credit risk, provided that the FDIC-supervised institution's internal risk rating assignment does not rely solely on the external assessment.
(ii) If an FDIC-supervised institution uses multiple rating or segmentation systems, the FDIC-supervised institution's rationale for assigning an obligor or exposure to a particular system must be documented and applied in a manner that best reflects the obligor or exposure's level of risk. An FDIC-supervised institution must not inappropriately allocate obligors or exposures across systems to minimize regulatory capital requirements.
(iii) In assigning ratings to wholesale obligors and exposures, including loss severity ratings grades to wholesale exposures, and assigning retail exposures to retail segments, an FDIC-supervised institution must use all relevant and material information and ensure that the information is current.
(iv) When assigning an obligor to a PD rating or retail exposure to a PD segment, an FDIC-supervised institution must assess the obligor or retail borrower's ability and willingness to contractually perform, taking a conservative view of projected information.
(2) For wholesale exposures:
(i) An FDIC-supervised institution must have an internal risk rating system that accurately and reliably assigns each obligor to a single rating grade (reflecting the obligor's likelihood of default). An FDIC-supervised institution may elect, however, not to assign to a rating grade an obligor to whom the FDIC-supervised institution extends credit based solely on the financial strength of a guarantor, provided that all of the FDIC-supervised institution's exposures to the obligor are fully covered by eligible guarantees, the FDIC-supervised institution applies the PD substitution approach in § 324.134(c)(1) to all exposures to that obligor, and the FDIC-supervised institution immediately assigns the obligor to a rating grade if a guarantee can no longer be recognized under this part. The FDIC-supervised institution's wholesale obligor rating system must have at least seven discrete rating grades for non-defaulted obligors and at least one rating grade for defaulted obligors.
(ii) Unless the FDIC-supervised institution has chosen to directly assign LGD estimates to each wholesale exposure, the FDIC-supervised institution must have an internal risk rating system that accurately and reliably assigns each wholesale exposure to a loss severity rating grade (reflecting the FDIC-supervised institution's estimate of the LGD of the exposure). An FDIC-supervised institution employing loss severity rating grades must have a sufficiently granular loss severity grading system to avoid grouping together exposures with widely ranging LGDs.
(iii) An FDIC-supervised institution must have an effective process to obtain and update in a timely manner relevant and material information on obligor and exposure characteristics that affect PD, LGD and EAD.
(3) For retail exposures:
(i) An FDIC-supervised institution must have an internal system that groups retail exposures into the appropriate retail exposure subcategory and groups the retail exposures in each retail exposure subcategory into separate segments with homogeneous risk characteristics that provide a meaningful differentiation of risk. The FDIC-supervised institution's system must identify and group in separate segments by subcategories exposures identified in § 324.131(c)(2)(ii) and (iii).
(ii) An FDIC-supervised institution must have an internal system that captures all relevant exposure risk characteristics, including borrower credit score, product and collateral types, as well as exposure delinquencies, and must consider cross-collateral provisions, where present.
(iii) The FDIC-supervised institution must review and, if appropriate, update assignments of individual retail exposures to segments and the loss characteristics and delinquency status of each identified risk segment. These reviews must occur whenever the FDIC-supervised institution receives new material information, but generally no less frequently than quarterly, and, in all cases, at least annually.
(4) The FDIC-supervised institution's internal risk rating policy for wholesale exposures must describe the FDIC-supervised institution's rating philosophy (that is, must describe how wholesale obligor rating assignments are affected by the FDIC-supervised institution's choice of the range of economic, business, and industry conditions that are considered in the obligor rating process).
(5) The FDIC-supervised institution's internal risk rating system for wholesale exposures must provide for the review and update (as appropriate) of each obligor rating and (if applicable) each loss severity rating whenever the FDIC-supervised institution obtains relevant and material information on the obligor or exposure that affects PD, LGD and EAD, but no less frequently than annually.
(c) Quantification of risk parameters for wholesale and retail exposures.
(1) The FDIC-supervised institution must have a comprehensive risk parameter quantification process that produces accurate, timely, and reliable estimates of the risk parameters on a consistent basis for the FDIC-supervised institution's wholesale and retail exposures.
(2) An FDIC-supervised institution's estimates of PD, LGD, and EAD must incorporate all relevant, material, and available data that is reflective of the FDIC-supervised institution's actual wholesale and retail exposures and of sufficient quality to support the determination of risk-based capital requirements for the exposures. In particular, the population of exposures in the data used for estimation purposes, the lending standards in use when the data were generated, and other relevant characteristics, should closely match or be comparable to the FDIC-supervised institution's exposures and standards. In addition, an FDIC-supervised institution must:
(i) Demonstrate that its estimates are representative of long run experience, including periods of economic downturn conditions, whether internal or external data are used;
(ii) Take into account any changes in lending practice or the process for pursuing recoveries over the observation period;
(iii) Promptly reflect technical advances, new data, and other information as they become available;
(iv) Demonstrate that the data used to estimate risk parameters support the accuracy and robustness of those estimates; and
(v) Demonstrate that its estimation technique performs well in out-of-sample tests whenever possible.
(3) The FDIC-supervised institution's risk parameter quantification process must produce appropriately conservative risk parameter estimates where the FDIC-supervised institution has limited relevant data, and any adjustments that are part of the quantification process must not result in a pattern of bias toward lower risk parameter estimates.
(4) The FDIC-supervised institution's risk parameter estimation process should not rely on the possibility of U.S. government financial assistance, except for the financial assistance that the U.S. government has a legally binding commitment to provide.
(5) The FDIC-supervised institution must be able to demonstrate which variables have been found to be statistically significant with regard to EAD. The FDIC-supervised institution's EAD estimates must reflect its specific policies and strategies with regard to account management, including account monitoring and payment processing, and its ability and willingness to prevent further drawdowns in circumstances short of payment default. The FDIC-supervised institution must have adequate systems and procedures in place to monitor current outstanding amounts against committed lines, and changes in outstanding amounts per obligor and obligor rating grade and per retail segment. The FDIC-supervised institution must be able to monitor outstanding amounts on a daily basis.
(6) At a minimum, PD estimates for wholesale obligors and retail segments must be based on at least five years of default data. LGD estimates for wholesale exposures must be based on at least seven years of loss severity data, and LGD estimates for retail segments must be based on at least five years of loss severity data. EAD estimates for wholesale exposures must be based on at least seven years of exposure amount data, and EAD estimates for retail segments must be based on at least five years of exposure amount data. If the FDIC-supervised institution has relevant and material reference data that span a longer period of time than the minimum time periods specified above, the FDIC-supervised institution must incorporate such data in its estimates, provided that it does not place undue weight on periods of favorable or benign economic conditions relative to periods of economic downturn conditions.
(7) Default, loss severity, and exposure amount data must include periods of economic downturn conditions, or the FDIC-supervised institution must adjust its estimates of risk parameters to compensate for the lack of data from periods of economic downturn conditions.
(8) The FDIC-supervised institution's PD, LGD, and EAD estimates must be based on the definition of default in § 324.101.
(9) If an FDIC-supervised institution uses internal data obtained prior to becoming subject to this subpart E or external data to arrive at PD, LGD, or EAD estimates, the FDIC-supervised institution must demonstrate to the FDIC that the FDIC-supervised institution has made appropriate adjustments if necessary to be consistent with the definition of default in § 324.101. Internal data obtained after the FDIC-supervised institution becomes subject to this subpart E must be consistent with the definition of default in § 324.101.
(10) The FDIC-supervised institution must review and update (as appropriate) its risk parameters and its risk parameter quantification process at least annually.
(11) The FDIC-supervised institution must, at least annually, conduct a comprehensive review and analysis of reference data to determine relevance of the reference data to the FDIC-supervised institution's exposures, quality of reference data to support PD, LGD, and EAD estimates, and consistency of reference data to the definition of default in § 324.101.
(d) Counterparty credit risk model. An FDIC-supervised institution must obtain the prior written approval of the FDIC under § 324.132 to use the internal models methodology for counterparty credit risk and the advanced CVA approach for the CVA capital requirement.
(e) Double default treatment. An FDIC-supervised institution must obtain the prior written approval of the FDIC under § 324.135 to use the double default treatment.
(f) Equity exposures model. An FDIC-supervised institution must obtain the prior written approval of the FDIC under § 324.153 to use the internal models approach for equity exposures.
(g) Operational risk.
(1) Operational risk management processes. An FDIC-supervised institution must:
(i) Have an operational risk management function that:
(A) Is independent of business line management; and
(B) Is responsible for designing, implementing, and overseeing the FDIC-supervised institution's operational risk data and assessment systems, operational risk quantification systems, and related processes;
(ii) Have and document a process (which must capture business environment and internal control factors affecting the FDIC-supervised institution's operational risk profile) to identify, measure, monitor, and control operational risk in the FDIC-supervised institution's products, activities, processes, and systems; and
(iii) Report operational risk exposures, operational loss events, and other relevant operational risk information to business unit management, senior management, and the board of directors (or a designated committee of the board).
(2) Operational risk data and assessment systems. An FDIC-supervised institution must have operational risk data and assessment systems that capture operational risks to which the FDIC-supervised institution is exposed. The FDIC-supervised institution's operational risk data and assessment systems must:
(i) Be structured in a manner consistent with the FDIC-supervised institution's current business activities, risk profile, technological processes, and risk management processes; and
(ii) Include credible, transparent, systematic, and verifiable processes that incorporate the following elements on an ongoing basis:
(A) Internal operational loss event data. The FDIC-supervised institution must have a systematic process for capturing and using internal operational loss event data in its operational risk data and assessment systems.
(1) The FDIC-supervised institution's operational risk data and assessment systems must include a historical observation period of at least five years for internal operational loss event data (or such shorter period approved by the FDIC to address transitional situations, such as integrating a new business line).
(2) The FDIC-supervised institution must be able to map its internal operational loss event data into the seven operational loss event type categories.
(3) The FDIC-supervised institution may refrain from collecting internal operational loss event data for individual operational losses below established dollar threshold amounts if the FDIC-supervised institution can demonstrate to the satisfaction of the FDIC that the thresholds are reasonable, do not exclude important internal operational loss event data, and permit the FDIC-supervised institution to capture substantially all the dollar value of the FDIC-supervised institution's operational losses.
(B) External operational loss event data. The FDIC-supervised institution must have a systematic process for determining its methodologies for incorporating external operational loss event data into its operational risk data and assessment systems.
(C) Scenario analysis. The FDIC-supervised institution must have a systematic process for determining its methodologies for incorporating scenario analysis into its operational risk data and assessment systems.
(D) Business environment and internal control factors. The FDIC-supervised institution must incorporate business environment and internal control factors into its operational risk data and assessment systems. The FDIC-supervised institution must also periodically compare the results of its prior business environment and internal control factor assessments against its actual operational losses incurred in the intervening period.
(3) Operational risk quantification systems.
(i) The FDIC-supervised institution's operational risk quantification systems:
(A) Must generate estimates of the FDIC-supervised institution's operational risk exposure using its operational risk data and assessment systems;
(B) Must employ a unit of measure that is appropriate for the FDIC-supervised institution's range of business activities and the variety of operational loss events to which it is exposed, and that does not combine business activities or operational loss events with demonstrably different risk profiles within the same loss distribution;
(C) Must include a credible, transparent, systematic, and verifiable approach for weighting each of the four elements, described in paragraph (g)(2)(ii) of this section, that an FDIC-supervised institution is required to incorporate into its operational risk data and assessment systems;
(D) May use internal estimates of dependence among operational losses across and within units of measure if the FDIC-supervised institution can demonstrate to the satisfaction of the FDIC that its process for estimating dependence is sound, robust to a variety of scenarios, and implemented with integrity, and allows for uncertainty surrounding the estimates. If the FDIC-supervised institution has not made such a demonstration, it must sum operational risk exposure estimates across units of measure to calculate its total operational risk exposure; and
(E) Must be reviewed and updated (as appropriate) whenever the FDIC-supervised institution becomes aware of information that may have a material effect on the FDIC-supervised institution's estimate of operational risk exposure, but the review and update must occur no less frequently than annually.
(ii) With the prior written approval of the FDIC, an FDIC-supervised institution may generate an estimate of its operational risk exposure using an alternative approach to that specified in paragraph (g)(3)(i) of this section. An FDIC-supervised institution proposing to use such an alternative operational risk quantification system must submit a proposal to the FDIC. In determining whether to approve an FDIC-supervised institution's proposal to use an alternative operational risk quantification system, the FDIC will consider the following principles:
(A) Use of the alternative operational risk quantification system will be allowed only on an exception basis, considering the size, complexity, and risk profile of the FDIC-supervised institution;
(B) The FDIC-supervised institution must demonstrate that its estimate of its operational risk exposure generated under the alternative operational risk quantification system is appropriate and can be supported empirically; and
(C) An FDIC-supervised institution must not use an allocation of operational risk capital requirements that includes entities other than depository institutions or the benefits of diversification across entities.
(h) Data management and maintenance.
(1) An FDIC-supervised institution must have data management and maintenance systems that adequately support all aspects of its advanced systems and the timely and accurate reporting of risk-based capital requirements.
(2) An FDIC-supervised institution must retain data using an electronic format that allows timely retrieval of data for analysis, validation, reporting, and disclosure purposes.
(3) An FDIC-supervised institution must retain sufficient data elements related to key risk drivers to permit adequate monitoring, validation, and refinement of its advanced systems.
(i) Control, oversight, and validation mechanisms.
(1) The FDIC-supervised institution's senior management must ensure that all components of the FDIC-supervised institution's advanced systems function effectively and comply with the qualification requirements in this section.
(2) The FDIC-supervised institution's board of directors (or a designated committee of the board) must at least annually review the effectiveness of, and approve, the FDIC-supervised institution's advanced systems.
(3) An FDIC-supervised institution must have an effective system of controls and oversight that:
(i) Ensures ongoing compliance with the qualification requirements in this section;
(ii) Maintains the integrity, reliability, and accuracy of the FDIC-supervised institution's advanced systems; and
(iii) Includes adequate governance and project management processes.
(4) The FDIC-supervised institution must validate, on an ongoing basis, its advanced systems. The FDIC-supervised institution's validation process must be independent of the advanced systems' development, implementation, and operation, or the validation process must be subjected to an independent review of its adequacy and effectiveness. Validation must include:
(i) An evaluation of the conceptual soundness of (including developmental evidence supporting) the advanced systems;
(ii) An ongoing monitoring process that includes verification of processes and benchmarking; and
(iii) An outcomes analysis process that includes backtesting.
(5) The FDIC-supervised institution must have an internal audit function or equivalent function that is independent of business-line management that at least annually:
(i) Reviews the FDIC-supervised institution's advanced systems and associated operations, including the operations of its credit function and estimations of PD, LGD, and EAD;
(ii) Assesses the effectiveness of the controls supporting the FDIC-supervised institution's advanced systems; and
(iii) Documents and reports its findings to the FDIC-supervised institution's board of directors (or a committee thereof).
(6) The FDIC-supervised institution must periodically stress test its advanced systems. The stress testing must include a consideration of how economic cycles, especially downturns, affect risk-based capital requirements (including migration across rating grades and segments and the credit risk mitigation benefits of double default treatment).
(j) Documentation. The FDIC-supervised institution must adequately document all material aspects of its advanced systems.
[78 FR 55471, Sept. 10, 2013, as amended at 80 FR 41423, July 15, 2015]