Skip to main content
  • Pillar 2

    • XI. Pillar 2 – Internal Capital Adequacy Assessment Process (ICAAP)

      • I. Introduction and Scope

        1.This Standard discusses the key principles of supervisory review, with respect to banking risks, including guidance relating to, among other things, the treatment of interest rate risk in the banking book, credit risk (stress testing, residual risk, and credit concentration risk), operational risk, enhanced cross-border communication and cooperation, and securitisation.

        2.Banks are only permitted to perform a Pillar I Plus approach. Internal models are not allowed in ICAAP for estimating capital requirements for credit, market or operational risk. For risk management purposes, banks may use internal models, but figures reported to the Central Bank should be based on the Standardised Approach.

        3.All buffers are to be in addition to existing requirements. An off-setting of certain requirements is not permitted i.e. lower Pillar 2 for Pillar 1 risks are not allowed.

        4.The type of capital which the Central Bank will require banks to provide for pillar 2 risks will be solely at the discretion of the Central Bank; this may be CET1 only, or a mix between CET1, AT1 and Tier 2.

        5.It should be noted that given a normal business model the capital risk charge for Pillar 2 should always be positive if the risk exists (in particular for the IRRBB and Concentration risk).

      • II. Definitions

        In general, terms in this Standard have the meanings defined in other regulations and standards issued by the Central Bank. In addition, for this Standard, the following terms have the meanings defined in this section.

        1. a.Concentration risk is the potential for a loss in value of an investment portfolio of a bank when an individual or group of exposures move together in an unfavorable direction.
        2. b.Cyber risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.
        3. c.Management information system, or MIS: Any process, systems or framework used by an institution to collect, store or disseminate data in the form of useful information to the relevant stakeholders for decision-making.
        4. d.Operational Risk: The risk of loss resulting from inadequate or failed internal processes, people, systems or from external events. This definition includes legal risk but excludes strategic and reputational risk.
      • III. Importance of Supervisory Review

        6.The supervisory review process, as set forth by the Central Bank, is intended not only to ensure that banks in the UAE have adequate capital to support all the risks in their business, but also to encourage banks to develop and use better risk management techniques in monitoring and managing risks.

        7.The supervisory review process recognises the responsibility of bank management in developing an internal capital assessment process and setting minimum capital requirements that are commensurate with the bank’s risk profile and control environment. Bank management continues to bear responsibility for ensuring that the bank has adequate capital to support its risks beyond the core minimum requirements in Pillar 1.

        8.The Central Bank will evaluate how well banks are assessing their capital needs relative to their risks and intervene, where appropriate. This interaction is intended to foster an active dialogue between banks, the Central Bank such that when deficiencies are identified, prompt, and decisive action can be taken to reduce risk or restore capital.

        9.The Central Bank recognises the relationship that exists between the amount of capital held by the bank against its risks and the strength and effectiveness of the bank’s risk management and internal control processes. However, increased capital must not be viewed as sufficient for addressing increased risks confronting the bank. Other, complementary, means for addressing risk, such as strengthening risk management, applying internal limits, strengthening the level of provisions and reserves, and improving internal controls, must also be considered as complimentary measures. Furthermore, capital must not be regarded as a substitute for addressing fundamentally inadequate control or risk management processes. However, the Central Bank may require banks to hold more capital to compensate for deficiencies.

        10.There are three main areas that will be particularly suited for its treatment under Pillar 2: risks considered under Pillar 1 that are not fully captured by the Pillar 1 framework (e.g. credit concentration risk); those factors not taken into account by the Pillar 1 framework (e.g. interest rate risk in the banking book, business and strategic risk); and factors external to the bank (e.g. business cycle effects). A further important aspect of Pillar 2 is the assessment of compliance with the minimum standards and disclosure requirements of the more advanced methods in Pillar 1. The Central Bank will ensure that these requirements are being met, both as qualifying criteria and on a continuing basis. The quality of risk management will also be considered and any shortcoming may warrant a capital add-on by the bank or by the Central Bank.

      • IV. Four Key Principles of Supervisory Review

        11.The Central Bank has followed the international standards23 set out by the BCBS and identified four key principles of supervisory review.

        Principle 1: Banks must have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.

        12.Banks must be able to demonstrate that the decided minimum capital levels are well founded and that these levels are consistent with their overall risk profile and current operating environment. In assessing capital adequacy, bank management needs to be mindful of the particular stage of the business cycle in which the bank is operating. Rigorous forward-looking stress testing that identifies possible events or changes in market conditions that could adversely affect the bank must be performed. Bank management clearly bears the responsibility for ensuring that the bank has adequate capital to support its risks.

        13.The seven main features of a rigorous process are as follows:

        1. i.Active board and senior management oversight;
        2. ii.Appropriate policies, methodologies for assessment of capital needs, procedures and limits;
        3. iii.Sound capital assessment;
        4. iv.Comprehensive and timely identification, measurement, mitigation, controlling, monitoring and reporting of risks;
        5. v.Appropriate management information systems (MIS) at the business and firm-wide level;
        6. vi.Comprehensive internal controls;
        7. vii.For the completion of ICAAP, regulatory requirements (Pillar I) is required as the first step of computation.

        It should also be noted that under no circumstances could Pillar I and Pillar II be netted against each other. They are both separate requirements.


        23 BCBS128 and BCBS157

        • A. Board and Senior Management Oversight

          14.It is the responsibility of the Board of Directors and senior management to define the bank’s risk appetite and to ensure that the bank’s risk management framework includes detailed policies and methodologies that set specific firm-wide prudential limits on the bank’s activities, which are consistent with its risk taking appetite and capacity. In order to determine the overall risk appetite, the board and senior management must first have an understanding of risk exposures on a firm-wide basis. To achieve this understanding, senior management must bring together the perspectives of the key business and control functions. In order to develop an integrated firm-wide perspective on risk, senior management must overcome organisational silos between business lines and share information on market developments, risks and risk mitigation techniques. Senior management must establish a risk management process that is not limited to credit, market, liquidity and operational risks, but incorporates all material risks. This includes reputational, legal, anti-money laundering, conduct risk and strategic risks, as well as risks that do not appear to be significant in isolation, but when combined with other risks could lead to material losses. The analysis of a bank’s current and future capital requirements in relation to its strategic objectives is a vital element of the strategic planning process. The strategic plan must clearly outline the bank’s capital needs, anticipated capital depletion expenditures, minimum internally assessed required capital level, and external capital sources. Senior management and the board must view capital planning as a crucial element in being able to achieve its desired strategic objectives.

          15.The board of directors and senior management must possess sufficient knowledge of all major business lines to ensure that appropriate policies, controls and risk monitoring systems are effective. They must have the necessary expertise to understand the capital markets activities in which the bank is involved – such as securitisation and off-balance sheet activities – and the associated risks. The board and senior management must remain informed on an on-going basis about these risks as financial markets, risk management practices and the bank’s activities evolve. In addition, the board and senior management must ensure that accountability and lines of authority are clearly defined.

          16.With respect to new or complex products and activities, senior management must understand the underlying assumptions regarding business models, valuation and risk management practices. In addition, senior management must evaluate the potential risk exposure if those assumptions fail.

          17.Before embarking on new activities or introducing products new to the bank, the board and senior management must identify and review the changes in firm-wide risks arising from these potential new products or activities and ensure that the infrastructure and internal controls necessary to manage the related risks are in place. In this review, a bank must also consider and address the possible difficulty in valuing the new products and how they might perform in a stressed economic environment. It is also the responsibility of the banks to assess prudential and market conduct risks when reviewing new products or activities.

          18.A bank’s risk function and its Chief Risk Officer (CRO) or equivalent position must be independent of the individual business lines and report directly to the bank’s Board of Directors. In addition, the risk function must highlight to senior management and the board risk management concerns, such as risk concentrations, violations of risk appetite limits as well as violations of minimum internally set capital requirements.

        • B. Appropriate Policies, Procedures and Limits

          19.Firm-wide risk management programmes must include detailed policies that set specific firm-wide prudential limits on the principal risks relevant to a bank’s activities. Additionally, a bank must have a clearly defined risk appetite for market conduct risk (non-prudential risks). A bank’s policies and procedures must provide specific guidance for the implementation of broad business strategies and must establish, where appropriate, internal limits for the various types of risk to which the bank may be exposed. These limits must consider the bank’s role in the financial system and be defined in relation to the bank’s capital, total assets, and earnings or, where adequate measures exist, its overall risk level.

          20.A bank’s policies, procedures and limits must:

          1. i.Provide for adequate and timely identification, measurement, monitoring, control and mitigation of the risks (prudential and market conduct risks) posed by its lending, investing, trading, securitisation, off-balance sheet, fiduciary and other significant activities at the business line and firm wide levels;
          2. ii.Ensure that the economic substance of a bank’s risk exposures, including reputational risk and valuation uncertainty, are fully recognised and incorporated into the bank’s risk management processes;
          3. iii.Be consistent with the bank’s stated requirements and objectives, as well as its overall financial strength;
          4. iv.Clearly define accountability and lines of authority across the bank’s various business activities, and ensure there is a clear separation between business lines and the risk management function;
          5. v.Escalate and address breaches of internal position limits;
          6. vi.Provide for the review of new businesses and products by bringing together all relevant risk management, control and business lines to ensure that the bank is able to manage and control the activity prior to it being initiated; and
          7. vii.Include a schedule and process for reviewing the policies, procedures and limits and for updating them as appropriate.
        • C. Sound Capital Assessment

          21.Fundamental elements of sound capital assessment include:

          1. i.Policies, procedures and methodologies designed to ensure that the bank identifies, measures, and reports all material risks;
          2. ii.A process that relates capital to the level of risk;
          3. iii.A process that states capital adequacy requirements (i.e. minimum thresholds for CAR ratio) with respect to risk, taking account of the bank’s strategic focus and business plan; and
          4. iv.A process of internal controls, reviews and audits to ensure the integrity of the overall management process.
        • E. Monitoring and Reporting

          37.The bank must establish an adequate system for monitoring and reporting risk exposures and assessing how the bank’s changing risk profile affects the need for capital. The bank’s senior management or board of directors must, on a regular basis, receive reports on the bank’s risk profile and capital needs. These reports must allow senior management to:

          1. i.Evaluate the level and trend of material risks and their effect on capital levels;
          2. ii.Evaluate the sensitivity and reasonableness of key assumptions used in the capital assessment measurement system;
          3. iii.Determine whether the bank holds sufficient capital against the various risks and is in compliance with established internal capital adequacy requirements; and
          4. iv.Assess its future capital requirements based on the bank’s reported risk profile (3 to 5 years) and make necessary adjustments to the bank’s strategic plan accordingly as well as the effect of any anticipated changes to regulatory requirements.

          38.A bank’s MIS must provide the board and senior management in a clear and concise manner with timely and relevant information concerning their bank’ risk profile. This information must include all risk exposures, including those that are off-balance sheet. Management must understand the assumptions behind and limitations inherent in specific risk measures.

          39.The key elements necessary for the aggregation of risks are an appropriate infrastructure and MIS that (i) allow for the aggregation of exposures and risk measures across business lines and (ii) support customised identification of concentrations and emerging risks. MIS developed to achieve this objective must support the ability to evaluate the impact of various types of economic and financial shocks that affect the whole bank. Further, a bank’s systems must be flexible enough to incorporate hedging and other risk mitigation actions to be carried out on a firm-wide basis while taking into account the various related basis risks.

          40.To enable proactive management of risk, the board and senior management need to ensure that MIS is capable of providing regular, accurate and timely information on the bank’s aggregate risk profile, as well as the main assumptions used for risk aggregation. MIS must be adaptable and responsive to changes in the bank’s underlying risk assumptions and must incorporate multiple perspectives of risk exposure to account for uncertainties in risk measurement. In addition, it must be sufficiently flexible so that the bank can generate forward-looking bank-wide scenario analyses that capture management’s interpretation of evolving market conditions and stressed conditions. Third-party inputs or other tools used within MIS (e.g. credit ratings, risk measures, models) must be subject to initial and ongoing validation.

          41.Banks are required that their MIS must be capable of capturing limit breaches and there must be procedures in place to promptly report such breaches to senior management, as well as to ensure that appropriate follow-up actions are taken. For instance, similar exposures must be aggregated across business platforms (including the banking and trading books) to determine whether there is a concentration or a breach of an internal position limit.

          • D. Comprehensive Assessment of Risks

            22.All material risks faced by the bank must be addressed in the capital assessment process. While the Central Bank recognises that not all risks can be measured precisely, a process must be developed to estimate risks. Therefore, the following risk exposures, which by no means constitute a comprehensive list of all risks, must be considered:

            23.Credit risk: Banks must have methodologies that enable them to assess the credit risk involved in exposures to individual borrowers or counterparties as well as at the portfolio level. For banks, the credit review assessment of capital adequacy, at a minimum, must cover four areas: risk rating systems, portfolio analysis/aggregation, securitisation/complex credit derivatives, and large exposures and risk concentrations.

            24.Internal risk ratings are an important tool in monitoring credit risk. Internal risk ratings must be adequate to support the identification and measurement of risk from all credit exposures, and must be integrated into a banks’ overall analysis of credit risk and capital adequacy. The ratings system must provide detailed ratings for all assets, not only for watch list or for problem assets. Appropriateness of loan loss reserves must be included in the credit risk assessment for capital adequacy.

            25.The analysis of credit risk must adequately identify any weaknesses at the portfolio level, including any concentrations of risk. It must also adequately take into consideration the risks involved in managing credit concentrations and other portfolio issues through such mechanisms as securitisation programmes and complex credit derivatives.

            26.Operational risk: The failure to properly manage operational risk can result in a misstatement of a bank’s risk/return profile and expose the bank to significant losses.

            27.A bank must develop a framework for managing operational risk (including cyber risk) and evaluate the adequacy of capital given this framework. The framework must cover the bank’s appetite and tolerance for operational risk, as specified through the policies for managing this risk, including the extent and manner in which operational risk is transferred outside the bank. It must also include policies outlining the bank’s approach to identifying, assessing, monitoring and controlling/mitigating the risk.

            28.Market risk: Banks must have methodologies that enable them to assess and actively manage all market risks, wherever they arise, at position, desk, business line and firm-wide level. For banks, their assessment of internal capital adequacy for market risk, at a minimum, must be based on stress testing, including an assessment of concentration risk and the assessment of illiquidity under stressful market scenarios, although all firms’ assessments must include stress testing appropriate to their trading activity.

            29.A bank must demonstrate that it has enough capital to not only meet the minimum capital requirements but also to withstand a range of severe but plausible market shocks. In particular, it must factor in, where appropriate:

            1. i.Illiquidity of prices;
            2. ii.Concentrated positions (in relation to market turnover);
            3. iii.One-way markets;
            4. iv.Non-linear products/deep out-of-the money positions;
            5. v.Events and jumps-to-defaults;
            6. vi.Significant shifts in correlations;

            30.The stress tests applied by a bank for market risk and, in particular, the calibration of those tests (e.g. the parameters of the shocks or types of events considered) must be reconciled back to a clear statement setting out the premise upon which the bank’s internal capital assessment is based (e.g. ensuring there is adequate capital to manage the traded portfolios within stated limits through what may be a prolonged period of market stress and illiquidity, or that there is adequate capital to ensure that, over a given time horizon to a specified confidence level, all positions can be liquidated or the risk hedged in an orderly fashion). The market shocks applied in the tests must reflect the nature of portfolios and the time it could take to hedge out or manage risks under severe market conditions.

            31.Concentration risk must be pro-actively managed and assessed by firms and concentrated positions must be routinely reported to senior management.

            32.Banks must demonstrate how they combine their risk measurement approaches to arrive at the overall internal capital for market risk.

            33.Interest rate risk in the banking book: The measurement process must include all material interest rate positions of the bank and consider all relevant repricing and maturity data, including modelling maturity assumptions. Such information will generally include current balance and contractual rate of interest associated with the instruments and portfolios, principal payments, interest reset dates, maturities, the rate index used for repricing, and contractual interest rate ceilings or floors for adjustable-rate items. The system must also have well-documented assumptions and techniques.

            34.Regardless of the type and level of complexity of the measurement system used, bank management must ensure the adequacy and completeness of the system. Because the quality and reliability of the measurement system is largely dependent on the various assumptions used in the model which will be checked by the Central Bank for reasonability, management must give particular attention to these items.

            35.Liquidity risk: Liquidity is crucial to the ongoing viability of any banking organisation. Banks’ capital positions can have an effect on their ability to obtain liquidity, especially in a crisis. Each bank must have adequate systems for measuring, monitoring and controlling liquidity risk. Banks must evaluate the adequacy of capital given their own liquidity profile and the liquidity of the markets in which they operate. Please refer to the Regulation regarding Liquidity Risk Circular No: 33/2015

            36.Other risks: Although the Central Bank recognises that ‘other’ risks, such as reputational, strategic and anti-money laundering, are not easily measurable, it expects banks to further develop techniques for managing all aspects of these risks.

          • F. Internal Control Review

            42.The bank’s internal control structure is essential to the capital assessment process. Effective control of the capital assessment process includes an independent review and, where appropriate, the involvement of internal and external audit. The bank’s board of directors has a responsibility to ensure that management establishes a system for assessing the various risks, develops a system to relate risk to the bank’s capital level, and establishes a method for monitoring compliance with internal policies. The board must regularly verify whether its system of internal controls is adequate to ensure well-ordered and prudent conduct of business.

            43.Risk management processes must be frequently monitored and tested by independent control areas and internal, as well as external, auditors. The aim is to ensure that the information on which decisions are based is accurate so that processes fully reflect management policies and that regular reporting, including the reporting of limit breaches and other exception-based reporting, is undertaken effectively. The risk management function of banks must be independent of the business lines in order to ensure an adequate separation of duties and to avoid conflicts of interest.

            44.The purpose of periodic reviews of the risk management process is to ensure its integrity, accuracy, and reasonableness. Areas that the Central Bank will review include:

            1. i.Appropriateness of the bank’s capital assessment process given the nature, scope and complexity of its activities;
            2. ii.Identification of large exposures and risk concentrations;
            3. iii.Accuracy and completeness of data inputs into the bank’s assessment process;
            4. iv.Reasonableness and validity of scenarios used in the assessment process (scenarios and modelling assumptions behind banks’ response to those scenarios); and
            5. v.Stress testing and analysis of assumptions and inputs together with the resultant outputs.
            6. vi.Validation of the output (not only of the process) with proper benchmarking to peers and best practice.

            Principle 2: The Central Bank will review and evaluate banks’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital Ratios. The Central Bank will take appropriate supervisory action if it is not satisfied with the result of this process.

            45.The Central Bank will regularly review the process by which a bank assesses its capital adequacy, risk position, resulting minimum required capital levels, and quality of capital held. The Central Bank will also evaluate the degree to which a bank has in place a sound internal process to assess capital adequacy. The emphasis of the review must be on the quality of the bank’s risk management and controls with the Central Bank setting the minimum required capital. The periodic review can involve some combination of:

            1. i.On-site examinations or inspections;
            2. ii.Off-site review;
            3. iii.Discussions with bank management;
            4. iv.Review of work done by internal auditors and where appropriate external auditors;
            5. v.Periodic reporting; and

            46.The substantial impact that errors in the methodology or assumptions of formal analyses can have on resulting capital requirements requires a detailed review by the Central Bank of each bank’s internal analysis. The Central Bank will have its own methodologies to benchmark the outcomes of the ICAAP and, if necessary, impose additional capital requirements.

          • Supervisory Review Process

            • A. Review of Adequacy of Risk Assessment

              47.The Central Bank will assess the degree to which internal requirements and processes incorporate the full range of material risks faced by the bank. The Central Bank will also review the adequacy of risk measures used in assessing internal capital adequacy and the extent to which these risk measures are also used operationally in setting limits, evaluating business line performance, and evaluating and controlling risks more generally. In addition, the Central Bank will review the results of stress tests (including sensitivity analyses and scenario analyses) conducted by the banks and how these results relate to capital plans.

            • B. Assessment of Capital Adequacy

              48.The Central Bank will review the bank’s processes to determine that:

              1. i.Minimum capital requirements chosen are comprehensive and relevant to the current operating environment and the risk profile of the bank;
              2. ii.Minimum capital requirements are properly monitored and reviewed by senior management; and
              3. iii.The composition of capital is appropriate for the nature and scale of the bank’s business.

              49.The Central Bank will also consider the extent to which the bank has provided for unexpected events in setting its minimum capital requirements. This analysis must cover a wide range of external conditions and scenarios, and the sophistication of techniques and stress tests used must be commensurate with the bank’s activities.

            • C. Assessment of the Control Environment

              50.The Central Bank will consider the quality of the bank’s management information reporting and systems, the manner in which business risks and activities are aggregated, and management’s record in responding to emerging or changing risks.

              51.In all instances, the capital requirement at an individual bank must be determined according to the bank’s risk profile and adequacy of its risk management process and internal controls. External factors such as business cycle effects and the macroeconomic environment must also be considered. Another consideration is the variability in a bank’s profitability in normal circumstances.

            • D. The Central Bank’s Review of the Regulatory Framework

              52.In order for certain internal methodologies (e.g. VaR), credit risk mitigation techniques and asset securitisations to be recognised for regulatory capital purposes, banks will need to meet a number of requirements, including risk management standards and disclosures. In particular, banks will be required to disclose features of their internal methodologies used in calculating minimum capital requirements. As part of the supervisory review process, the Central Bank will ensure that these conditions are met on an ongoing basis.

              53.The Central Bank regards this review of as an integral part of the supervisory review process under Principle 2.

              54.The Central Bank will also perform a review of compliance with certain conditions and requirements set for standardised approaches.

              Principle 3: The Central Bank expects banks to operate above the minimum regulatory capital ratios and may require banks to hold capital in excess of the minimum.

              55.The Central Bank will take appropriate action if it is not satisfied with the results of the bank’s own risk assessment and capital allocation or with the minimum capital levels as determined by the bank. The Central Bank will add additional capital requirements where the Central Bank is not satisfied that all risks have been identified. Important to note is that banks shall not disclose this publicly.

              56.Pillar 1 capital requirements shall include a buffer for uncertainties surrounding the Pillar 1 regime that affect the banking population as a whole. Bank-specific uncertainties will be treated under Pillar 2. The Central Bank require banks to operate with a buffer, over and above the Pillar 1 standards. Banks must maintain this buffer for example:

              1. i.Pillar 1 minimums are anticipated to be set to achieve a level of bank creditworthiness in markets that is below the level of creditworthiness sought by many banks for their own reasons. For example, most international banks appear to prefer to have low risk profile and thus be highly rated by internationally recognised rating agencies. This is currently the case in the UAE. Thus, banks are likely to choose to operate above Pillar 1 minimums for competitive reasons.
              2. ii.In the normal course of business, the type and volume of activities will change, as will the different risk exposures, causing fluctuations in the overall capital ratio.
              3. iii.It may be costly for banks to raise additional capital, especially if this needs to be done quickly or at a time when market conditions are unfavourable.
              4. iv.For banks to fall below minimum regulatory capital requirements is a serious matter. It will place banks in breach of the relevant law and/or prompt nondiscretionary corrective action on the part of supervisors such as withdrawal of license.
              5. v.There may be risks, either specific to individual banks, or more generally to an economy at large, that are not taken into account in Pillar 1. The Central Bank uses its own internal benchmarks and may request banks at any time for additional data to calculate an add-on.

              57.There are several means available to the Central Bank for ensuring that individual banks are operating with adequate levels of capital. Among other methods, the Central Bank may set higher minimum capital requirements or define categories above minimum ratios (e.g. well capitalised and adequately capitalised) for identifying the capitalisation level of the bank.

              Principle 4: The Central Bank will intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and will require rapid remedial action if capital is not maintained or restored.

              58.The Central Bank will consider a range of options if it becomes concerned that a bank is not meeting the requirements embodied in the supervisory principles outlined above. These actions may trigger the recovery plan that includes and not limited to intensifying the monitoring of the bank, restricting the payment of dividends, requiring the bank to prepare and implement a satisfactory capital adequacy restoration plan, and requiring the bank to raise additional capital immediately. The Central Bank have the discretion to use the tools best suited to the circumstances of the bank and its operating environment.

              59.The permanent solution to banks’ difficulties is not exclusively increased capital. However, some of the required measures (such as improving systems and controls) may take some time to implement. Therefore, increased capital requirements might be used as an interim measure while permanent measures to improve the bank’s position are being put in place. Once these permanent measures have been put in place and have been seen by the Central Bank to be effective, the interim increase in capital requirements may be removed.

      • V. Specific Issues to be Addressed Under the Supervisory Review Process

        60.Below are a few important issues that the Central Bank will particularly focus on when carrying out the supervisory review process. These issues include some key risks that are not directly addressed under Pillar 1.

        • A. Interest Rate Risk in the Banking Book

          61.Interest rate risk in the banking book is a potentially significant risk that requires capital. There is considerable heterogeneity across UAE banks in terms of the nature of the underlying risk and the processes for monitoring and managing it. In light of this, the Central Bank considers it is most appropriate to treat interest rate risk in the banking book under Pillar 2 of the Framework.

          62.To facilitate the Central Bank’s monitoring of interest rate risk exposures across banks, banks would have to provide the results of their internal measurement systems, expressed in terms of both, economic value and net interest income, relative to capital, using a standardised interest rate shock as described in the accompanying guidance document.

          63.If the Central Bank determines that banks are not holding capital commensurate with the level of interest rate risk, they must require the bank to reduce its risk, to hold a specific additional amount of capital or some combination of the two.

        • B. Stress Tests

          64.A bank should ensure that it has sufficient capital to meet the Pillar 1 requirements and the results (where a deficiency has been indicated) of the credit risk stress test performed. The Central Bank will review how the stress test has been carried out.

          65.Central bank will use the reference model to challenge the stress test results Reference model is based on +/- 200 basis point shock based on NII and EVE. Central Bank assumes a higher basis point for stress testing which is described in the accompanying guidance document.

          66.The results of the stress test will thus contribute directly to the expectation that a bank will operate above the Pillar 1 minimum regulatory capital ratios. The outcome of the Central Bank stress tests will be used as a benchmark. If there is an impact of more than 200bps, the Central Bank will require setting higher minimum capital requirements so that capital resources could cover the Pillar 1 requirements plus the result of a recalculated stress test.

        • C. Residual Risk

          67.This section allows banks to offset credit or counterparty risk with collateral, guarantees or credit derivatives, leading to reduced capital charges in Pillar 1. While banks use credit risk mitigation (CRM) techniques to reduce their credit risk, these techniques give rise to risks that may render the overall risk reduction less effective. Accordingly, these risks (e.g. operational risk or liquidity risk) to which banks are exposed are of supervisory concern. Where such risks arise, and irrespective of fulfilling the minimum requirements set out in Pillar 1, a bank could find itself with greater credit risk exposure to the underlying counterparty than it had expected. Examples of these risks include:

          1. i.Inability to seize, or realise in a timely manner, collateral pledged (on default of the counterparty);
          2. ii.Refusal or delay by a guarantor to pay; and
          3. iii.Ineffectiveness of untested documentation.

          68.The Central Bank will require banks to have in place appropriate written CRM policies and procedures in order to control these residual risks. A bank may be required to submit these policies and procedures to the Central Bank and must regularly review their appropriateness, effectiveness and operation.

          69.In its CRM policies and procedures, a bank must consider whether, when calculating capital requirements, it is appropriate to give the full recognition of the value of the credit risk mitigant as permitted in Pillar 1 and must demonstrate that its CRM management policies and procedures are appropriate to the level of capital benefit that it is recognising. Where the Central Bank is not satisfied as to the robustness, suitability or application of these policies and procedures they may direct the bank to take immediate remedial action or hold additional capital against residual risk until the deficiencies in the CRM procedures are rectified to the satisfaction of the Central Bank. For example, the Central Bank may direct a bank to:

          1. i.Make adjustments to the assumptions on holding periods, supervisory haircuts, or volatility (in the own haircuts approach);
          2. ii.Give less than full recognition of credit risk mitigants (on the whole credit portfolio or by specific product line); and/or
          3. iii.Hold a specific additional amount of capital.
        • D. Risk Concentration

          70.Unmanaged risk and excessive concentrations are an important cause of major problems in banks. A bank must aggregate all similar direct and indirect exposures regardless of where the exposures have been booked. A risk concentration is any single exposure or group of similar exposures (e.g. to the same borrower or counterparty, including protection providers, geographic area, industry or other risk factors) with the potential to produce (i) losses large enough (relative to a bank’s earnings, capital, total assets or overall risk level) to threaten a bank’s creditworthiness or ability to maintain its core operations or (ii) a change in a bank’s risk profile. Risk concentrations must be analysed on both a bank legal entity and consolidated basis, as an unmanaged concentration at a subsidiary bank may appear immaterial at the consolidated level, but can nonetheless threaten the viability of the subsidiary. A change in the concentration risk is identified as a significant change.

          71.Risk concentrations must be viewed in the context of a single or a set of closely related risk-drivers that may have different impacts on a bank. These concentrations must be integrated when assessing a bank’s overall risk exposure. A bank must consider concentrations that are based on common or correlated risk factors that reflect more subtle or more situation-specific factors than traditional concentrations, such as correlations between market, credit risks and liquidity risk.

          72.The growth of market-based intermediation has increased the possibility that different areas of a bank are exposed to a common set of products, risk factors or counterparties. This has created new challenges for risk aggregation and concentration management. Through its risk management processes and MIS, a bank must be able to identify and aggregate similar risk exposures across the firm, including across legal entities, asset types (e.g. loans, derivatives and structured products), risk areas (e.g. the trading book) and geographic regions. The typical situations in which risk concentrations can arise include:

          1. i.Exposures to a single counterparty, borrower or group of connected counterparties or borrowers;
          2. ii.Industry or economic sectors, including exposures to both regulated and nonregulated financial institutions such as hedge funds and private equity firms;
          3. iii.Geographical regions;
          4. iv.Exposures arising from credit risk mitigation techniques, including exposure to similar collateral types or to a single or closely related credit protection provider;
          5. v.Trading exposures;
          6. vi.Exposures to counterparties (e.g. hedge funds and hedge counterparties) through the execution or processing of transactions (either product or service);
          7. vii.Assets that are held in the banking book or trading book, such as loans, derivatives and structured products; and
          8. viii.Off-balance sheet exposures, including guarantees, liquidity lines and other commitments.

          73.Risk concentrations can also arise through a combination of exposures across these broad categories. A bank must have an understanding of its firm-wide risk concentrations resulting from similar exposures across its different business lines.

          74.While risk concentrations often arise due to direct exposures to borrowers and obligors, a bank may also incur a concentration to a particular asset type indirectly through investments backed by such assets (e.g. collateralised debt obligations – CDOs), as well as exposure to protection providers guaranteeing the performance of the specific asset type (e.g. monoline insurers). A bank must have in place adequate, systematic procedures for identifying high correlation between the creditworthiness of a protection provider and the obligors of the underlying exposures due to their performance being dependent on common factors beyond systematic risk (i.e. “wrong way risk”).

          75.Procedures must be in place to communicate risk concentrations to the board of directors and senior management in a manner that clearly indicates where in the organisation each segment of a risk concentration resides. A bank must have credible risk mitigation strategies in place that have senior management approval. This may include altering business strategies, reducing limits or increasing minimum capital requirements in line with the desired risk profile. While it implements risk mitigation strategies, the bank must be aware of possible concentrations that might arise because of employing risk mitigation techniques.

          76.Banks must employ a number of techniques, as appropriate, to measure risk concentrations. These techniques include shocks to various risk factors; use of business level and firm-wide scenarios; and the use of integrated stress testing and economic capital models. The Central Bank will use the reference model to challenge the credit concentration risk. The reference model is based on Herfindahl-Hirschman index (HHI), therefore the Central Bank requires all the banks to calculate and report the credit concentration risk using Herfindahl-Hirschman Index (HHI) methodology (single name and sector concentration) to be part of ICAAP document irrespective of the approach chosen by the bank. Identified concentrations must be measured in a number of ways, including for example, consideration of gross versus net exposures, use of notional amounts, and analysis of exposures with and without counterparty hedges. A bank must establish internal position limits for concentrations to which it may be exposed. When conducting periodic stress tests, a bank must incorporate all major risk concentrations and identify and respond to potential changes in market conditions that could adversely have an impact on their performance and capital adequacy.

          77.The assessment of such risks under a bank’s ICAAP and the supervisory review process must not be a mechanical process, but one in which each bank determines, depending on its business model, its own specific vulnerabilities. Every bank must discuss these vulnerabilities with the Central Bank. An appropriate level of capital for risk concentrations must be incorporated in a bank’s ICAAP, as well as in Pillar 2 assessments.

          78.A bank must have in place effective internal policies, systems and controls to identify, measure, monitor, manage, control and mitigate its risk concentrations in a timely manner. Not only must normal market conditions be considered, but also the potential build-up of concentrations under stressed market conditions, economic downturns and periods of general market illiquidity. In addition, the bank must assess scenarios that consider possible concentrations arising from contractual and non-contractual contingent claims. The scenarios must also combine the potential build-up of pipeline exposures together with the loss of market liquidity and a significant decline in asset values. The Central Bank will use its own benchmarking to determine if banks estimation of additional capital requirements is sufficient.

        • E. Counterparty Credit Risk

          79.Counterparty Credit Risk (CCR) represents a form of credit risk and is covered in Pillar 1.

          80.The bank must have counterparty credit risk management policies, processes and systems that are conceptually sound and implemented with integrity relative to the sophistication and complexity of a firm’s holdings of exposures that give rise to CCR. A sound counterparty credit risk management framework shall include the identification, measurement, management, approval and internal reporting of CCR.

          81.The bank’s risk management policies must take account of the market, liquidity and operational riks that can be associated with CCR and, to the extent practicable, interrelationships among those risks. The bank must not undertake business with a counterparty without assessing its creditworthiness and must take due account of both settlement and pre-settlement credit risk. These risks must be managed as comprehensively as practicable at the counterparty level (aggregating counterparty exposures with other credit exposures) and at the firm-wide level.

          82.The board of directors and senior management must be actively involved in the CCR control process and must regard this as an essential aspect of the business to which significant resources need to be devoted.

          83.The bank’s CCR management system must be used in conjunction with internal credit and trading limits. In this regard, credit and trading limits must be the outcome of the firm’s risk measurement model in a manner that is consistent over time and that is well understood by credit managers, traders and senior management.

          84.The bank must have a routine and rigorous program of stress testing in place as a supplement to the CCR analysis based on the day-to-day output of the bank’s risk measurement model. The results of this stress testing must be reviewed periodically by senior management and must be reflected in the CCR policies and limits set by management and the board of directors. Where stress tests reveal particular vulnerability to a given set of circumstances, management must explicitly consider appropriate risk management strategies (e.g. by hedging against that outcome, or reducing the size of the firm’s exposures).

          85.The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operation of the CCR management system. The firm’s CCR management system must be well documented, for example, through a risk management manual that describes the basic principles of the risk management system and that provides an explanation of the empirical techniques used to measure CCR.

          86.The bank must conduct an independent review of the CCR management system regularly through its own internal auditing process. This review must include both the activities of the business credit and trading units and of the independent CCR control. A review of the overall CCR management process must take place at regular intervals (ideally not less than once a year) and must specifically address, at a minimum:

          1. i.The adequacy of the documentation of the CCR management system and process;
          2. ii.The organisation of the CCR control;
          3. iii.The integration of CCR measures into daily risk management;
          4. iv.The approval process for risk pricing models and valuation systems used by front and back-office personnel;
          5. v.The validation of any significant change in the CCR measurement process;
          6. vi.The scope of counterparty credit risks captured by the risk measurement model;
          7. vii.The integrity of the management information system;
          8. viii.The accuracy and completeness of CCR data;
          9. ix.The verification of the consistency, timeliness and reliability of data sources used to run internal models, including the independence of such data sources;
          10. x.The accuracy and appropriateness of volatility and correlation assumptions;
          11. xi.The accuracy of valuation and risk transformation calculations;
          12. xii.The verification of the model’s accuracy through frequent back testing.
        • F. Operational Risk

          87.Gross income, used in the Basic Indicator and Standardised Approaches for operational risk, is only a proxy for the scale of operational risk exposure of a bank and can in some cases underestimate the need for capital for operational risk. The Central Bank will consider whether the capital requirement generated by the Pillar 1 calculation gives a consistent picture of the individual bank’s operational risk exposure, for example in comparison with other banks of similar size and with similar operations. The use of Pillar 2 to charge capital for inadequacy in risk management may also be applied by the Central Bank.

          88.A bank offering Islamic financial services must ensure that its operational risk management framework addresses any operational risks arising from potential noncompliance with Sharī’ah provisions and Higher Shari’ah Authority resolutions.

        • G. Market Risk

          Policies and procedures for trading book eligibility

          89.Clear policies and procedures used to determine the exposures that may be included in, and those that must be excluded from, the trading book for purposes of calculating regulatory capital are critical to ensure the consistency and integrity of a bank’s trading book. The Central Bank must be satisfied that the policies and procedures clearly delineate the boundaries of the bank’s trading book and consistent with the bank’s risk management capabilities and practices. The Central Bank must also be satisfied that transfers of positions between banking and trading books can only occur in a very limited set of circumstances. The Central Bank will require a bank to modify its policies and procedures when they prove insufficient with the general principles set forth in this Standard, or not consistent with the bank’s risk management capabilities and practices.
           

          Valuation

          90.Prudent valuation policies and procedures form the foundation on which any robust assessment of market risk capital adequacy must be built. For a well-diversified portfolio consisting of highly liquid cash instruments, and without market concentration, the valuation of the portfolio, combined with the minimum quantitative standards may deliver sufficient capital to enable a bank, in adverse market conditions, to close out or hedge its positions in a quick and orderly fashion. However, for less well diversified portfolios, for portfolios containing less liquid instruments, for portfolios with concentrations in relation to market turnover, and/or for portfolios which contain large numbers of positions that are marked-to-model this is less likely to be the case. In such circumstances, the Central Bank will consider whether a bank has sufficient capital. To the extent, if there is a shortfall, the Central Bank will react appropriately. This will usually require the bank to reduce its risks and set higher minimum capital requirements.
           

        • H. Reputational Risk and Implicit Support

          91.Reputational risk of the bank can be defined as the risk arising from negative perception on the part of customers, counterparties, shareholders, investors, debt-holders, market analysts, other relevant parties or regulators that can adversely affect a bank’s ability to maintain existing, or establish new, business relationships and continued access to sources of funding (e.g. through the interbank or securitisation markets). Reputational risk is multidimensional and reflects the perception of other market participants. Furthermore, it exists throughout the organisation and exposure to reputational risk is essentially a function of the adequacy of the bank’s internal risk management processes, as well as the manner and efficiency with which management responds to external influences on bank-related transactions.

          92.Reputational risk can lead to the provision of implicit support by the bank, which may give rise to credit, liquidity, market and legal risk – all of which can have a negative impact on a bank’s earnings, liquidity and capital position. A bank must identify potential sources of reputational risk to which it is exposed. These include the bank’s business lines, liabilities, affiliated operations, off-balance sheet vehicles and the markets in which it operates. The risks that arise must be incorporated into the bank’s risk management processes and appropriately addressed in its ICAAP and liquidity contingency plans.

          93.A bank must incorporate the exposures that could give rise to reputational risk into its assessments of whether the requirements under the securitisation framework have been met and the potential adverse impact of providing implicit support.

          94.Reputational risk also may affect a bank’s liabilities, since market confidence and a bank’s ability to fund its business are closely related to its reputation. For instance, to avoid damaging its reputation, a bank may call its liabilities even though this might negatively affect its liquidity profile. This is particularly true for liabilities that are components of regulatory capital, such as hybrid/subordinated debt. In such cases, a bank’s capital position is likely to suffer.

          95.Bank management must have appropriate policies in place to identify sources of reputational risk when entering new markets, products or lines of activities. In addition, a bank’s stress testing procedures must take account of reputational risk so management has a firm understanding of the consequences and second round effects of reputational risk.

          96.Once a bank identifies potential exposures arising from reputational concerns, it must measure the amount of support it might have to provide (including implicit support of securitisations) or losses it might experience under adverse market conditions. In particular, in order to avoid reputational damages and to maintain market confidence, a bank must develop methodologies to measure as precisely as possible the effect of reputational risk in terms of other risk types (e.g. credit, liquidity, market or operational risk) to which it may be exposed. This could be accomplished by including reputational risk scenarios in regular stress tests. For instance, non-contractual off-balance sheet exposures could be included in the stress tests to determine the effect on a bank’s credit, market and liquidity risk profiles. Methodologies also could include comparing the actual amount of exposure carried on the balance sheet versus the maximum exposure amount held off-balance sheet, that is, the potential amount to which the bank could be exposed.

          97.A bank must pay particular attention to the effects of reputational risk on its overall liquidity position, taking into account both possible increases in the asset side of the balance sheet and possible restrictions on funding, as well as the loss of reputation as a result in various counterparties’ loss of confidence.

          98.In contrast to contractual credit exposures, such as guarantees, implicit support is a more subtle form of exposure. Implicit support arises when a bank provides post-sale support to a securitisation transaction in excess of any contractual obligation. Such non-contractual support exposes a bank to the risk of loss, such as loss arising from deterioration in the credit quality of the securitisation’s underlying assets.

          99.By providing implicit support, a bank signals to the market that all of the risks inherent in the securitised assets are still held by the organisation and, in effect, had not been transferred. Since the risk arising from the potential provision of implicit support is not captured ex ante under Pillar 1, it must be considered as part of the Pillar 2 process. In addition, the processes for approving new products or strategic initiatives must consider the potential provision of implicit support and must be incorporated in a bank’s ICAAP.

        • I. Market Conduct Risk

          100.This Standard will focus on regulatory supervision of market conduct by the Central Bank. Supervision will rely on the supervisory activities identified in the previous chapters and is supplemented by the follow requirements and activities.

          101.The Central Bank has taken steps to strengthen its regulatory and supervisory framework regarding market conduct of financial institutions by creating a separate Consumer Protection Department (CPD) that will have the resources and mandate to focus on monitoring market conduct, providing regulatory supervision and addressing issues of compliance / enforcement. It also has a mandate to improve consumer financial literacy through consumer education programs and outreach activities.

          Consumer Protection Framework

          102.A Consumer Protection Framework (CPF) is a regulatory and supervisory response designed to protect consumers by establishing standards of market conduct for institutional behaviour to mitigate potential risks of misconduct and protect consumers from harm.
           

          103.Market conduct is defined simply as to how a financial institution conducts itself in the marketplace in terms of the level of integrity, fairness, and competency that it demonstrates in dealing with consumers. It includes the behaviour and actions of a financial institution in the market place involving such matters as:

          1. i.product design, development
          2. ii.marketing and sales practices,
          3. iii.advertising,
          4. iv.compliance with laws,
          5. v.fulfilling its obligations to customers,
          6. vi.treatment of customer’s / dispute resolution,
          7. vii.conflicts of interest,
          8. viii.transparency and disclosure
          9. ix.Market competition, pricing, etc.

          104.The supervisory activities under the CPF are risk-based and requires a comprehensive understanding of the retail operations of the financial institutions; the risks created by the behaviour of these organisations, the risks from products and services offered, and how these risks are being managed. The risk-based approach assesses the nature of the institution’s business activities and the risks that are inherent to each type of activity undertaken. The supervisory framework requires open, transparent and frequent flow of quality data and information between the financial institutions and the Central Bank that allows CPD to effectively perform up-to-date market conduct assessments.

          Importance of Supervisory Review – Market Conduct

          105.Many of the supervisory requirements discussed in previous sections of these Standards fully apply to the supervision of market conduct. However, supervision of market conduct adds another dimension and perspective in regulatory supervision. The additional supervisory concerns are highlighted as follows.
           

          Board and Senior Management Oversight

          106.In addition to the previous chapters, it is expected that effective reporting occur quarterly regarding any compliance issues regarding retail operations, analysis of consumer complaints / trends and identification of systemic issues. Boards should be confident that its retail workers have had the training and qualification to fulfil their responsibilities and regulatory responsibilities and those effective verifications are carried out.
           

          Appropriate Policies, Procedures and Limits:

          107.More specifically, market conduct will focus on policies, procedures, practices and related training associated with product design, development, distribution, marketing, advertising and sales. The Central Bank will evaluate the same elements for third parties carrying out outsourced retail activities.
           

          Comprehensive Risk Assessment:

          Operational Risk:

          108.The financial institution must have a framework for monitoring, identifying and mitigating market conduct risks association with business lines and the products and services offered at the retail level. This includes identifying risks associated with institutional errors or misconduct. Risk analysis must consider such activities including product design, development, marketing, pricing, distribution, sales, advertising, disclosure, suitability, affordability, product assumptions and accuracy / method of calculations, fraud, technology downtime, etc. Institutions must also evaluate the risks related to third party distributors, suppliers / contractors.

          109.An important differentiation from prudent supervision is the matter of materiality. It is not the basis for mitigating conduct risks in the retail market place. The regulatory concerns are on proactive mitigation of risks with the objectives of promoting consumer confident in the integrity of the market place, preventing harm done to the consumer and ensuring proper dispute resolution and redress where there is harm.

          Reputational Risks:

          110.The institution must also evaluate the impact that a risk event in the retail operations may have on its reputation in the market place, (a) whether it is an event of significant misselling or improper disclosure or calculation errors, these may be systemic issues that will attract regulatory actions, may attract public awareness and media attention and (b) what measures will the institution have in place to mitigate this risk and associated response by consumers.

          Monitoring and Reporting:

          111.Institutions are expected to have an adequate system for monitoring and reporting on their retails operations. The bank’s senior management or board of directors must, ensure proper monitoring and reporting including risk analysis and trends in consumer inquires and complaints. Reporting to the board should evaluate the quality and frequency of training of front line staff; the proper qualifications of staff to sell or market products, the meeting of performance indicators, the identification and frequency of bank errors, compliance with regulatory requirements and other matters of conduct risk.

          112.Financial institutions will provide timely and accurate information as requested by the Central Bank including complaint information as required by the Central Bank as per Notice 383/2017 regarding setting up a Complaint Unit.

          113.Financial institutions will provide notice to the Central Bank of any material changes and/or important issues that may affect consumers or the retail operations of the financial institution.

        • J. Liquidity Risk Management and Supervision

          114.The financial market crisis underscores the importance of assessing the potential impact of liquidity risk on capital adequacy in a bank’s ICAAP. Senior management must consider the relationship between liquidity and capital since liquidity risk can affect capital adequacy, which, in turn, can aggravate a bank’s liquidity profile.

          115.Another facet of liquidity risk management is that a bank must appropriately price the costs, benefits and risks of liquidity into the internal pricing, performance measurement, and new product approval process of all significant business activities.

          116.A bank is expected to be able to thoroughly identify, measure and control liquidity risks, especially with regard to complex products and contingent commitments (both contractual and non-contractual). This process must involve the ability to project cash flows arising from assets, liabilities and off-balance sheet items over various time horizons, and must ensure diversification in both the tenor and source of funding. A bank must utilise early warning indicators to identify the emergence of increased risk or vulnerabilities in its liquidity position or funding needs. It must have the ability to control liquidity risk exposure and funding needs, regardless of its organisation structure, within and across legal entities, business lines, and currencies, taking into account any legal, regulatory and operational limitations to the transferability of liquidity.

          117.A bank’s failure to effectively manage intraday liquidity could leave it unable to meet its payment obligations at the time expected, which could lead to liquidity dislocations that cascade quickly across many systems and institutions. As such, the bank’s management of intraday liquidity risks must be considered as a crucial part of liquidity risk management. It must also actively manage its collateral positions and have the ability to calculate all of its collateral positions.

          118.While banks typically manage liquidity under “normal” circumstances, they must also be prepared to manage liquidity under stressed conditions. A bank must perform stress tests or scenario analyses on a regular basis in order to identify and quantify their exposures to possible future liquidity stresses, analysing possible impacts on the bank’s cash flows, liquidity positions, profitability, and solvency. The results of these stress tests must be discussed thoroughly by management, and based on this discussion, must form the basis for taking remedial or mitigating actions to limit the bank’s exposures, build up a liquidity cushion, and adjust its liquidity profile to fit its risk tolerance. The results of stress tests must also play a key role in shaping the bank’s contingency funding planning, which must outline policies for managing a range of stress events and clearly sets out strategies for addressing liquidity shortfalls in emergencies.

          119.The Central Bank’s reserves the right to set higher liquidity requirements in Pillar 2.

        • K. Valuation Practices

          120.In order to enhance the supervisory assessment of banks’ valuation practices, the Basel Committee published Supervisory guidance for assessing banks’ financial instrument fair value practices in April 2009. This guidance applies to all positions that are measured at fair value and at all times, not only during times of stress.

          121.The characteristics of complex structured products as well as simple but illiquid products, including securitisation transactions, make their valuation inherently difficult due, in part, to the absence of active and liquid markets, the complexity and uniqueness of the cash waterfalls, and the links between valuations and underlying risk factors. The absence of a transparent price from a liquid market means that the valuation must rely on models or proxy-pricing methodologies, as well as on expert judgment. The outputs of such models and processes are highly sensitive to the inputs and parameter assumptions adopted, which may themselves be subject to estimation error and uncertainty. Moreover, calibration of the valuation methodologies is often complicated by the lack of readily available benchmarks.

          122.Therefore, a bank is expected to have adequate governance structures and control processes for fair valuing exposures for risk management and financial reporting purposes. The valuation governance structures and related processes must be embedded in the overall governance structure of the bank, and consistent for both risk management and reporting purposes. The governance structures and processes are expected to explicitly cover the role of the board and senior management. In addition, the board must receive reports from senior management on the valuation oversight and valuation model performance issues that are brought to senior management for resolution, as well as all significant changes to valuation policies.

          123.A bank must also have clear and robust governance structures for the production, assignment and verification of financial instrument valuations. Policies must ensure that the approvals of all valuation methodologies are well documented. In addition, policies and procedures must set forth the range of acceptable practices for the initial pricing, marking-to-market/model, valuation adjustments and periodic independent revaluation. New product approval processes (which has to be established in the first place) must include all internal stakeholders relevant to risk measurement, risk management, and the assignment and verification of valuations of financial instruments.

          124.A bank’s control processes for testing and reporting valuations must be consistently applied across the firm and integrated with risk measurement and management processes. In particular, valuation controls must be applied consistently across similar instruments (risks) and consistent across business lines (books). These controls must be subject to internal audit. Regardless of the booking location of a new product, reviews and approval of valuation methodologies must be guided by a minimum set of considerations. Furthermore, the valuation/new product approval process must be supported by a transparent, well-documented inventory of acceptable valuation methodologies that are specific to products and businesses. The Board must be familiar with and approve the basic assumptions behind these methodologies.

          125.In order to establish and verify valuations for instruments and transactions in which it engages, a bank must have adequate capacity, including during periods of stress. This capacity must be commensurate with the importance, riskiness and size of these exposures in the context of the business profile of the bank. In addition, for those exposures that represent material risk, a bank is expected to have the capacity to produce valuations using alternative methods that cannot just solely rely on the valuations provided by its counterparts in the event that primary inputs and approaches become unreliable, unavailable or not relevant due to market discontinuities or illiquidity. A bank must test and review the performance of its models under stress conditions so that it understands the limitations of the models under stress conditions.

          126.The relevance and reliability of valuations is directly related to the quality and reliability of the inputs. Where values are determined to be in an active market, a bank must maximise the use of relevant observable inputs and minimise the use of unobservable inputs when estimating fair value using a valuation technique. However, where a market is deemed inactive, observable inputs or transactions may not be relevant, such as in a forced liquidation or distress sale, or transactions may not be observable, such as when markets are inactive. In such cases, accounting fair value guidance provides assistance on what must be considered, but may not be determinative. In assessing whether a source is reliable and relevant, a bank must consider, among other things:

          1. i.The frequency and availability of the prices/quotes;
          2. ii.Whether those prices represent actual regularly occurring transactions on an arm's length basis;
          3. iii.The breadth of the distribution of the data and whether it is generally available to the relevant participants in the market;
          4. iv.The timeliness of the information relative to the frequency of valuations;
          5. v.The number of independent sources that produce the quotes/prices;
          6. vi.The maturity of the market; and
          7. vii.The similarity between the financial instrument sold in a transaction and the instrument held by the bank.
        • L. Sound Stress Testing Practices

          127.In order to strengthen banks’ stress testing practices, as well as improve supervision of those practices, in October 2018 the Basel Committee published Principles for sound stress testing practices and supervision. Improvements in stress testing alone cannot address all risk management weaknesses, but as part of a comprehensive approach, stress testing has a leading role to play in strengthening bank corporate governance and the resilience of individual banks and the financial system.

          128.Stress testing is an important tool that is used by banks as part of their internal risk management that alerts bank management to adverse unexpected outcomes related to a broad variety of risks, and provides an indication to banks of how much capital might be needed to absorb losses if large shocks occur. Moreover, stress testing supplements other risk management approaches and measures. It plays a particularly important role in:

          1. i.Providing forward looking assessments of risk,
          2. ii.Overcoming limitations of models and historical data,
          3. iii.Supporting internal and external communication,
          4. iv.Feeding into capital and liquidity planning procedures,
          5. v.Informing the setting of a banks’ risk tolerance,
          6. vi.Addressing existing or potential, firm-wide risk concentrations, and
          7. vii.Facilitating the development of risk mitigation or contingency plans across a range of stressed conditions.

          129.Stress testing is especially important after long periods of benign risk, when the fading memory of negative economic conditions can lead to complacency and the underpricing of risk, and when innovation leads to the rapid growth of new products for which there is limited or no loss data.

          130.Stress testing must form an integral part of the overall governance and risk management culture of the bank. Board and senior management involvement in setting stress testing objectives, defining scenarios, discussing the results of stress tests, assessing potential actions and decision making is critical in ensuring the appropriate use of stress testing in banks’ risk governance and capital planning. Senior management must take an active interest in the development and operation of stress testing. The results of stress tests must contribute to strategic decision making and foster internal debate regarding assumptions, such as the cost, risk and speed with which new capital could be raised or that positions could be hedged or sold. Board and senior management involvement in the stress-testing program is essential for its effective operation.

          131.Therefore, a bank’s capital planning process must incorporate rigorous, forward-looking stress testing that identifies possible events or changes in market conditions that could adversely have an impact on the bank. Banks, in their ICAAPs must examine future capital resources and capital requirements under adverse scenarios. In particular, the results of forward-looking stress testing must be considered when evaluating the adequacy of a bank’s capital buffer. Capital adequacy must be assessed under stressed conditions against a variety of capital ratios, including regulatory ratios. In addition, the possibility that a crisis impairs the ability of even very healthy banks to raise funds at reasonable cost must be considered.

          132.In addition, a bank must develop methodologies to measure the effect of reputational risk arising from other risk types, namely credit, liquidity, market and other risks that they may be exposed to in order to avoid reputational damages and in order to maintain market confidence. This could be done by including reputational risk scenarios in regular stress tests. For instance, AML sanctions.

          133.A bank must carefully assess the risks with respect to commitments to off-balance sheet vehicles and third-party firms related to structured credit securities and the possibility that assets will need to be taken on-balance sheet for reputational reasons. Therefore, in its stress-testing programme, a bank must include scenarios assessing the size and soundness of such vehicles and firms relative to its own financial, liquidity and regulatory capital positions. This analysis must include structural, solvency, liquidity and other risk issues, including the effects of covenants and triggers.

          134.The Central Bank will assess the effectiveness of banks’ stress testing programme in identifying relevant vulnerabilities. The Central Bank will review the key assumptions driving stress-testing results and challenge their continuing relevance in view of existing and potentially changing market conditions. The Central Bank will challenge the banks on how stress testing is used and the way it affects decision-making. Where this assessment reveals material shortcomings, the Central Bank will require a bank to detail a plan of corrective action

      • VI. Other Aspects of the Supervisory Review Process

        • Supervisory Transparency and Accountability

          135.The supervision of banks is not an exact science, and therefore, discretionary elements within the supervisory review process are inevitable. The Central Bank will carry out its obligations in a transparent and accountable manner. The Central Bank will make publicly available the criteria (defined in the accompanying Guidance) to be used in the review of banks’ internal capital assessments. If the Central Bank chooses to set higher minimum capital requirements or to set categories of capital in excess of the regulatory minimum, factors that may be considered in doing so will be publicly available. Where the capital requirements are set above the minimum for an individual bank, the Central Bank will explain to the bank the risk characteristics specific to the bank, which resulted in the requirement and any remedial action necessary.

        • Supervisory Review Process for Securitisation

          136.Further to the Pillar 1 principle that banks must take account of the economic substance of transactions in their determination of capital adequacy, the Central Bank will monitor, as appropriate, whether banks have done so adequately. As a result, regulatory capital treatments for specific securitisation exposures might differ from those specified in Pillar 1 of the Framework, particularly in instances where the general capital requirement would not adequately and sufficiently reflect the risks to which an individual banking organisation is exposed.

          137.Amongst other things, the Central Bank will review where relevant a bank’s own assessment of its capital needs and how that has been reflected in the capital calculation as well as the documentation of certain transactions to determine whether the capital requirements accord with the risk profile (e.g. substitution clauses). The Central Bank will also review the manner in which banks have addressed the issue of maturity mismatch in relation to retained positions in their economic capital calculations. In particular, they will be vigilant in monitoring for the structuring of maturity mismatches in transactions to artificially reduce capital requirements. Additionally, the Central Bank will review the bank’s economic capital assessment of actual correlation between assets in the pool and how they have reflected that in the calculation. Where the Central Bank considers that a bank’s approach is not adequate, they will take appropriate action. Such action might include denying or reducing capital relief in the case of originated assets, or increasing the capital required against securitisation exposures acquired.

        • Significance of Risk Transfer

          138.Securitisation transactions may be carried out for purposes other than credit risk transfer (e.g. funding). Where this is the case, there might still be a limited transfer of credit risk. However, for an originating bank to achieve reductions in capital requirements, the risk transfer arising from a securitisation has to be deemed significant by the Central Bank. If the risk transfer is considered insufficient or non-existent, the Central Bank will require the application of a higher capital requirement than prescribed under Pillar 1 or, alternatively, may deny a bank from obtaining any capital relief from the securitisations. Therefore, the capital relief that can be achieved will correspond to the amount of credit risk that is effectively transferred. The following includes a set of examples where the Central Bank will have concerns about the degree of risk transfer, such as retaining or repurchasing significant amounts of risk or “cherry picking” the exposures to be transferred via a securitisation.

          139.Retaining or repurchasing significant securitisation exposures, depending on the proportion of risk held by the originator, might undermine the intent of a securitisation to transfer credit risk. Specifically, the Central Bank might expect that a significant portion of the credit risk and of the nominal value of the pool be transferred to at least one independent third party at inception and on an ongoing basis. Where banks repurchase risk for market making purposes, the Central Bank could find it appropriate for an originator to buy part of a transaction but not, for example, to repurchase a whole tranche. The Central Bank will expect that where positions have been bought for market making purposes, these positions must be resold within an appropriate period, thereby remaining true to the initial intention to transfer risk.

          140.Another implication of realising only a non-significant risk transfer, especially if related to good quality unrated exposures, is that both the poorer quality unrated assets and most of the credit risk embedded in the exposures underlying the securitised transaction are likely to remain with the originator. Accordingly, and depending on the outcome of the supervisory review process, the Central Bank will increase the capital requirement for particular exposures or even increase the overall level of capital the bank is required to hold.

        • Market Innovations

          141.As the minimum capital requirements for securitisation may not be able to address all potential issues, the Central Bank will consider new features of securitisation transactions as they arise. Such assessments would include reviewing the impact new features may have on credit risk transfer and, where appropriate, the Central Bank will be expected to take appropriate action under Pillar 2. A Pillar 1 response may be formulated to take account of market innovations. Such a response may take the form of a set of operational requirements and/or a specific capital treatment.

        • Risk Evaluation and Management

          142.A bank must conduct analyses of the underlying risks when investing in the structured products and must not solely rely on the external credit ratings assigned to securitisation exposures by the credit rating agencies. A bank must be aware that external ratings are a useful starting point for credit analysis, but are no substitute for full and proper understanding of the underlying risk, especially where ratings for certain asset classes have a short history or have been shown to be volatile. Moreover, a bank also must conduct credit analysis of the securitisation exposure at acquisition and on an ongoing basis. It must also have in place the necessary quantitative tools, valuation models and stress tests of sufficient sophistication to reliably assess all relevant risks.

          143.When assessing securitisation exposures, a bank must ensure that it fully understands the credit quality and risk characteristics of the underlying exposures in structured credit transactions, including any risk concentrations. In addition, a bank must review the maturity of the exposures underlying structured credit transactions relative to the issued liabilities in order to assess potential maturity mismatches.

          144.A bank must track credit risk in securitisation exposures at the transaction level and across securitisations exposures within each business line and across business lines. It must produce reliable measures of aggregate risk. A bank also must track all meaningful concentrations in securitisation exposures, such as name, product or sector concentrations, and feed this information to firm-wide risk aggregation systems that track, for example, credit exposure to a particular obligor.

          145.A bank’s own assessment of risk needs to be based on a comprehensive understanding of the structure of the securitisation transaction. It must identify the various types of triggers, credit events and other legal provisions that may affect the performance of its on- and off-balance sheet exposures and integrate these triggers and provisions into its funding/liquidity, credit and balance sheet management. The impact of the events or triggers on a bank’s liquidity and capital position must also be considered.

          146.Banks either underestimated or did not anticipate that a market-wide disruption could prevent them from securitising warehoused or pipeline exposures and did not anticipate the effect this could have on liquidity, earnings and capital adequacy. As part of its risk management processes, a bank must consider and, where appropriate, mark-to-market warehoused positions, as well as those in the pipeline, regardless of the probability of securitising the exposures. It must consider scenarios that may prevent it from securitising its assets as part of its stress testing and identify the potential effect of such exposures on its liquidity, earnings and capital adequacy.

          147.A bank must develop prudent contingency plans specifying how it would respond to funding, capital and other pressures that arise when access to securitisation markets is reduced. The contingency plans must also address how the bank would address valuation challenges for potentially illiquid positions held for sale or for trading. The risk measures, stress testing results and contingency plans must be incorporated into the bank’s risk management processes and its ICAAP, and must result in an appropriate level of capital under Pillar 2 in excess of the minimum requirements.

          148.A bank that employs risk mitigation techniques must fully understand the risks to be mitigated, the potential effects of that mitigation and whether or not the mitigation is fully effective. This is to help ensure that the bank does not understate the true risk in its assessment of capital. In particular, it must consider whether it would provide support to the securitisation structures in stressed scenarios due to the reliance on securitisation as a funding tool.

        • Provision of Implicit Support

          149.Support to a transaction, whether contractual (i.e. credit enhancements provided at the inception of a securitised transaction) or non-contractual (implicit support) can take numerous forms. For instance, contractual support can include over collateralisation, credit derivatives, spread accounts, contractual recourse obligations, subordinated notes, credit risk mitigants provided to a specific tranche, the subordination of fee or interest income or the deferral of margin income, and clean-up calls that exceed 10 percent of the initial issuance. Examples of implicit support include the purchase of deteriorating credit risk exposures from the underlying pool, the sale of discounted credit risk exposures into the pool of securitized credit risk exposures, the purchase of underlying exposures at above market price or an increase in the first loss position according to the deterioration of the underlying exposures.

          150.The provision of implicit (or non-contractual) support, as opposed to contractual credit support (i.e. credit enhancements), raises significant supervisory concerns. For traditional securitisation structures the provision of implicit support undermines the clean break criteria, which when satisfied would allow banks to exclude the securitised assets from regulatory capital calculations. For synthetic securitisation structures, it negates the significance of risk transference. By providing implicit support, banks signal to the market that the risk is still with the bank and has not in effect been transferred. The bank’s capital calculation therefore understates the true risk. Accordingly, the Central Bank will take appropriate action when a banking organisation provides implicit support.

          151.When a bank has been found to provide implicit support to a securitisation, it will be required to hold capital against all of the underlying exposures associated with the structure as if they had not been securitised. It will also be required to disclose publicly that it was found to have provided non-contractual support, as well as the resulting increase in the capital charge (as noted above). The aim is to require banks to hold capital against exposures for which they assume the credit risk, and to discourage them from providing non-contractual support.

          152.If a bank is found to have provided implicit support on more than one occasion, the bank is required to disclose its transgression publicly and the Central Bank will take appropriate action that may include, but is not limited to, one or more of the following:

          1. i.The bank may be prevented from gaining favourable capital treatment on securitised assets for a period of time to be determined by the Central Bank;
          2. ii.The bank may be required to hold capital against all securitised assets as though the bank had created a commitment to them, by applying a conversion factor to the risk weight of the underlying assets;
          3. iii.For purposes of capital calculations, the bank may be required to treat all securitised assets as if they remained on the balance sheet;
          4. iv.The bank must be required by the Central Bank to hold regulatory capital in excess of the minimum risk-based capital ratios.

          153.The Central Bank will be vigilant in determining implicit support and will take appropriate supervisory action to mitigate the effects. Pending any investigation, the bank may be prohibited from any capital relief for planned securitisation transactions (moratorium). The Central Bank’s response will be aimed at changing the bank’s behaviour with regard to the provision of implicit support, and to correct market perception as to the willingness of the bank to provide future recourse beyond contractual obligations.

        • Residual Rrisks

          154.As with credit risk mitigation techniques more generally, the Central Bank will review the appropriateness of banks’ approaches to the recognition of credit protection. In particular, with regard to securitisations, the Central Bank will review the appropriateness of protection recognised against first loss credit enhancements. On these positions, expected loss is less likely to be a significant element of the risk and is likely to be retained by the protection buyer through the pricing. Therefore, the Central Bank will expect banks’ policies to take account of this in determining their economic capital. If the Central Bank does not consider the approach to protection recognised as adequate, action will be taken. Such action may include increasing the capital requirement against a particular transaction or class of transactions.

        • Call Provisions

          155.The Central Bank expects a bank not to make use of clauses that entitles it to call the securitisation transaction or the coverage of credit protection prematurely if this would increase the bank’s exposure to losses or deterioration in the credit quality of the underlying exposures.

          156.Besides the general principle stated above, the Central Bank expects banks to only execute clean-up calls for economic business purposes, such as when the cost of servicing the outstanding credit exposures exceeds the benefits of servicing the underlying credit exposures.

          157.Subject to national discretion, the Central Bank will require a review prior to the bank exercising a call which can be expected to include consideration of:

          1. i.The rationale for the bank’s decision to exercise the call; and
          2. ii.The impact of the exercise of the call on the bank’s regulatory capital ratio.

          158.The Central Bank will also require the bank to enter into a follow-up transaction, if necessary, depending on the bank’s overall risk profile, and existing market conditions.

          159.Date related calls must be set at a date no earlier than the duration or the weighted average life of the underlying securitisation exposures. Accordingly, supervisory authorities may require a minimum period to elapse before the first possible call date can be set, given, for instance, the existence of up-front sunk costs of a capital market securitisation transaction.

        • Early Amortisation

          160.The Central Bank will review how banks internally measure, monitor, and manage risks associated with securitisations of revolving credit facilities, including an assessment of the risk and likelihood of early amortisation of such transactions. At a minimum, the Central Bank will ensure that banks have implemented reasonable methods for allocating economic capital against the economic substance of the credit risk arising from revolving securitisations and must expect banks to have adequate capital and liquidity contingency plans that evaluate the probability of an early amortisation occurring and address the implications of both scheduled and early amortisation. In addition, the capital contingency plan must address the possibility that the bank will face higher levels of required capital under the early amortisation Pillar 1 capital requirement.

          161.Because most early amortisation triggers are tied to excess spread levels, the factors affecting these levels must be well understood, monitored, and managed, to the extent possible by the originating bank. For example, the following factors affecting excess spread must generally be considered:

          1. i.Interest payments made by borrowers on the underlying receivable balances;
          2. ii.Other fees and charges to be paid by the underlying obligors (e.g. late-payment fees, cash advance fees, over-limit fees);
          3. iii.Gross charge-offs;
          4. iv.Principal payments;
          5. v.Recoveries on charged-off loans;
          6. vi.Interchange income;
          7. vii.Interest paid on investors’ certificates;
          8. viii.Macroeconomic factors such as bankruptcy rates, interest rate movements, unemployment rates; etc.

          162.Banks must consider the effects that changes in portfolio management or business strategies may have on the levels of excess spread and on the likelihood of an early amortisation event. For example, marketing strategies or underwriting changes that result in lower finance charges or higher charge-offs, might also lower excess spread levels and increase the likelihood of an early amortisation event.

          163.Banks must use techniques such as static pool cash collections analyses and stress tests to better understand pool performance. These techniques can highlight adverse trends or potential adverse impacts. Banks must have policies in place to respond promptly to adverse or unanticipated changes. The Central Bank will take appropriate action where they do not consider these policies adequate. Such action may include, but is not limited to, directing a bank to obtain a dedicated liquidity line or raising the early amortisation credit conversion factor, thus, increasing the bank’s capital requirements.

          164.While the early amortisation capital charge described in Pillar 1 is meant to address potential supervisory concerns associated with an early amortisation event, such as the inability of excess spread to cover potential losses, the policies and monitoring described in this section recognise that a given level of excess spread is not, by itself, a perfect proxy for credit performance of the underlying pool of exposures. In some circumstances, for example, excess spread levels may decline so rapidly as to not provide a timely indicator of underlying credit deterioration. Further, excess spread levels may reside far above trigger levels, but still exhibit a high degree of volatility, which could warrant supervisory attention. In addition, excess spread levels can fluctuate for reasons unrelated to underlying credit risk, such as a mismatch in the rate at which finance charges reprice relative to investor certificate rates. Routine fluctuations of excess spread might not generate supervisory concerns, even when they result in different capital requirements. This is particularly the case as a bank moves in or out of the first step of the early amortisation credit conversion factors. On the other hand, existing excess spread levels may be maintained by adding (or designating) an increasing number of new accounts to the master trust, an action that would tend to mask potential deterioration in a portfolio. For all of these reasons, supervisors will place particular emphasis on internal management, controls, and risk monitoring activities with respect to securitisations with early amortisation features.

          165.The Central Bank expects that the sophistication of a bank’s system in monitoring the likelihood and risks of an early amortisation event will be commensurate with the size and complexity of the bank’s securitisation activities that involve early amortisation provisions.

          166.For controlled amortisations specifically, the Central Bank will also review the process by which a bank determines the minimum amortisation period required to pay down 90% of the outstanding balance at the point of early amortisation. Where the Central Bank does not consider this adequate, it will take appropriate action, such as increasing the conversion factor associated with a particular transaction or class of transactions.

      • VIII. Shari’ah Implementation

        Banks providing Islamic financial services must comply with the requirements and provisions of this standard for their Shari’ah compliant transactions that are alternative to transactions referred to in this Standard, provided it is acceptable by Islamic Shari’ah. This is applicable until relevant standards and/or guidance are issued specifically for transactions of banks offering Islamic financial services