Methodology

17. The ICAAP is an ongoing process. On an annual basis, every bank is required to submit a document outlining the outcome of the ICAAP to the Central Bank, usually referred to as its ICAAP document or report. The ICAAP supplements the Pillar 1 minimum regulatory capital requirements by (i) identifying risks that are not addressed or not fully addressed through Pillar 1 regulations, referred to as Pillar 2 risks, and (ii) determining a level of capital commensurate with the level of risk. The Central Bank requires each bank to adopt a Pillar 1 plus approach. According to this, the bank’s total capital requirements include the minimum Pillar 1 regulatory capital requirements, plus the capital required to cover Pillar 2 risks. As a result, the ICAAP should result in additional capital requirements specific to each bank’s business model.

18. Board and Senior Management are responsible to deliver a comprehensive, effective, and accurate assessment of capital adequacy. Each bank is consequently required to conduct an ICAAP supported by appropriate methods and procedures to ensure that adequate capital covers all material risks. Each bank should adopt progressively more sophisticated approaches in measuring risks to keep up with the business model evolvement, the risk profile, size of the bank, and appropriate market practice. The key objective is for each bank to be transparent and demonstrate the relevance of the approach taken in relation to the nature of their activities and risk profile to the Board and the Central Bank.

19. The frequency of reporting to the Board is expected to be at least quarterly, but, depending on the size, complexity, business model, risk types of the institution, and the market environment, reporting might need to be more frequent to ensure timely management actions. The quarterly reporting should comprise the internal calculation of the capital ratios (Pillar 1 and Pillar 2 under business-as-usual (BAU) and under stress scenarios), which includes determining the surplus/ shortfall of capital. Stress scenarios and internal forecasts only need to be updated on a quarterly basis, if required. Nevertheless, the ICAAP reporting to the Central Bank remains an annual exercise. However, if the quarterly results deviate significantly compared to the results of the ICAAP report as submitted to the Central Bank, then the bank should inform the Central Bank of the updated capital plan (including reasons for the deviations, capital ratios and mitigation actions).

20. The ICAAP should be supported by robust methodologies and data. All models used directly or indirectly in the ICAAP should follow the bank’s model management framework, in compliance with the Central Bank Standards and Guidance. The data employed in the ICAAP should be comprehensive, reliable, follow rigorous quality checks, and control mechanisms.

Scope

21. Each bank is expected to ensure the effectiveness and consistency of the ICAAP at each level, with a special focus on the group level for local banks. The ICAAP of these banks is expected to assess capital adequacy for the bank on a stand-alone basis, at regulatory consolidated level, and for the entities of the group. The ICAAP should primarily evaluate the capital requirement and capital adequacy of the bank at group level, following the regulatory consolidation. However, each bank should analyse whether additional risks arise from the group structure of the bank. The group structure must be analysed from different perspectives. To be able to effectively assess and maintain capital adequacy across entities, strategies, risk management processes, decision-making, methodologies, and assumptions applied should be coherent across the entire group. Identified additional risks may increase the capital requirement on group level accordingly.

22. Capital transferability within the group should be assessed conservatively and cautiously, which should be considered in the ICAAP. Each bank should have a process to ensure capital transferability that addresses any restrictions on the management's ability to transfer or allocate capital into or out of the bank's subsidiaries (for example contractual, commercial, regulatory, or statutory/legal restrictions that may apply). The capital allocation or distribution and the approval process between the bank’s holding company (group/parent) and the subsidiaries in the banking group should be well defined. The analysis should also consider risks arising from structural foreign currency positions relating to assets, liabilities, and equity.

23. A bank that has domestic or foreign subsidiaries or branches is expected to evaluate the difference between the ICAAP determined for the bank (including its subsidiaries) and the ICAAP at solo level (without subsidiaries). Therefore, the bank should identify any potential and additional risks both at consolidated group level and at solo bank level. The analysis should also address international operations that have jurisdictional capital requirements or restrictions.

24. Additional risks may also arise from entities that are not consolidated under Pillar 1, e.g. investments in commercial subsidiaries, including Special Purpose Vehicles (SPV), and insurance companies. Each bank should evaluate whether the required Pillar 1 capital adequately covers all risks arising from those entities. The evaluation should consider all risk types, including credit risk, reputational risk, and step-in risk, etc. The analysis should not be limited to branches and subsidiaries but should also consider affiliates, if material. Such analysis should not be limited to local banks only, also foreign banks operating in the UAE should identify and analyse all their dependencies on parent companies through centralised risk management/ shared services etc.

Use Test

25. The ICAAP and the bank’s business strategy form a feedback process. While the ICAAP has to reflect the bank’s business strategy, and business decisions. The bank should implement a formal process to analyse whether the outcomes of the ICAAP influence the business strategy. Banks should determine which additional capital requirements under Pillar 1 and Pillar 2 in business as usual BAU and stress scenarios on the top of the minimum regulatory requirements would be adequate and whether the bank’s risk appetite is adequate or requires to be adjusted accordingly. The formal feedback process should also include links to the banks’ business decisions, risk management process (e.g. using the ICAAP methodologies, results in the approval process, limit setting, strategic processes, such as capital planning or budgeting, and performance measurement). For that purpose, the Board and Senior Management should lead and approve the assumptions, methodology, framework, and outcome of the ICAAP. The usage of the ICAAP within the organisation and its alignment with strategic decisions is referred to as the ‘Use Test’.

26. The ICAAP should have an interactive relationship with other key processes within the bank, including but not limited to, (i) business strategies, (ii) financial budgeting, (iii) risk management, (iv) risk appetite setting, and (v) stress tests. Metrics related to capital allocation and capital consumption should be included in the banks’ risk appetite. Conversely, the metrics pertaining to business management and to risk management should take into consideration the capital plan.

27. Conceptually, this circular process should be articulated according to the following illustration and guidance. Each bank should design its own iterative process:

28. The stakeholders should regularly interact with each other during the production of the ICAAP in order to (i) obtain consistent forward-looking capital projections, and (ii) use capital projections consistently in their own decision-making. The stakeholders should include, but not be limited to, the Board, Senior Management, the business lines, the risk management function, and the finance function.

29. Each bank should demonstrate its appropriate usage of the ICAAP via the production of thorough documentation, reporting covering the process, methodology, decision-making for capital allocation, and strategy. Each bank should document the overall ICAAP design, including key elements and the mechanism by which they interact with each other. Such components should include, but not be limited to, the business strategies, risk appetite statement, risk measurement methods, stress tests programme, and reporting across the Group.

30. Regular reporting should be constructed to measure and monitor Pillar 2 risks in addition to the annual ICAAP report exercise. Adequate metrics and associated limits should be designed in relation to the bank’s size and complexity.

31. The Central Bank shall evaluate evidence that the bank has embraced the process for business rather than regulatory reasons. Evidence should be provided that the management has, through the ICAAP, made the business more efficient or less risky.