Data Maintenance at TSA & AMA Institutions


Implementation Note

Subject: Data Maintenance at TSA & AMA Institutions
Category: Capital
No. A & A-1
Date: May 2006

I. Introduction

This implementation note provides key data maintenance principles for operational risk data. These principles are based on OSFI's Capital Adequacy Requirements (CAR) Guideline A, Chapter 6 and CAR Guideline A-1, Chapter 7.

This implementation note is relevant for an institution [1] applying for The Standardized Approach (TSA) [2] or the Advanced Measurement Approach (AMA) for operational risk. An institution implementing the Basic Indicator Approach (BIA) is not required to collect operational loss data. However, should a BIA institution collect operational risk data, OSFI encourages the institution to adopt the key principles set out in this implementation note as appropriate.

The term data maintenance incorporates the key components of the data management process, including data collection, data processing, data access/retrieval and data storage/retention. This note provides principles for specific operational risk data categories including gross income, operational loss data and other data elements of operational risk measurement [3]. Operational loss data includes internal data, external data and scenario analysis data.

[1] Banks and bank holding companies to which the Bank Act applies and federally regulated trust companies and loan companies to which the Trust and Loan Companies Act applies are collectively referred to as institutions.

[2] As per the CAR Guideline, all TSA institutions must be able to track and report relevant operational risk data including material operational risk losses by significant business line. OSFI recognizes that the sophistication of an institution's tracking and reporting mechanism should be appropriate for the size of the institution, taking into account its reporting structure as well as the operational risk exposure of the institution.

[3] This implementation note does not provide principles for using the data elements in the quantification of operational risk capital.

255 Albert Street Ottawa, Canada K1A 0H2 www.osfi-bsif.gc.ca

Table of Contents

I. Introduction
II. Data Maintenance Principles
   1. Senior Management and Oversight
   2. Data Collection
   3. Data Processing
   4. Data Access/Retrieval
   5. Data Storage/Retention
III. Operational Risk Data Categories
   1. Gross Income Data
   2. Operational Loss Data
      (i) Internal Loss Data
      (ii) External Loss Data
   3. Other Operational Risk Data
IV. Conclusion

May 2006 Page 2 of 8

II. Data Maintenance Principles

1. Senior Management and Oversight

An institution applying for TSA or AMA should establish information technology and data management processes appropriate to the nature, scope and complexity of its data maintenance requirements. Senior Management should assess the scope, plans and risks associated with timely execution of data maintenance projects, if any. In this context, the accountabilities of Senior Management include, but are not limited to:

- Reviewing and approving organizational structure and functions to facilitate development of appropriate data architecture to support implementation of TSA or AMA,
- Establishing an enterprise-wide data management framework defining, where appropriate, the institution's policies, governance, technology, standards and processes to support the data collection, data maintenance, data controls and distribution of processed data, i.e., information,
- Ensuring data maintenance processes provide security, integrity and auditability of the data from its inception through to its archival and/or logical destruction,
- Instituting internal audit testing, as appropriate, to provide for periodic independent assessment of the effectiveness of controls over data maintenance processes and functions, and
- Ensuring that appropriate policies, procedures and accountabilities are in place to monitor the enterprise-wide observance of the data management framework, including ongoing updates to procedures and documentation, as necessary.

2. Data Collection

The data collection for operational risk typically involves identifying the appropriate data elements pertinent to the management of operational risk.

An institution's data collection processes should:

- Establish clear and comprehensive documentation for data definition, collection and aggregation, including data mapping to CAR business lines, data schematics where necessary, and other identifiers, if any,
- Establish standards for data accuracy, completeness, timeliness and reliability,
- Identify and document gaps and, where applicable, document the manual or automated workarounds used to close data gaps and meet data requirements,
- Establish standards, policies and procedures around the cleansing of data through reconciliation, field validation, reformatting, decomposing or use of consistent standards, as appropriate, and
- Establish procedures for identifying and reporting on data errors and data linkage breaks to source, downstream and/or external systems.

3. Data Processing

The data processing component covers a wide range of data management tasks, including its conversion through multiple systems (or manual) processes, transmissions, source/network authentication, validation, reconciliation, etc. An institution's data processing should:

- Limit reliance on workarounds and manual data manipulation in order to mitigate the operational risk related to human error and dilution of data integrity,
- Ensure appropriate levels of validation, data cleansing and reconciliation for each process, as applicable,
- Establish adequate controls to ensure processing by authorized staff acting within designated roles and established authorities,
- Institute appropriate change control procedures for changes to the processing environment, including, where applicable, change initiation, authorization, program modifications, testing, parallel processing, sign-offs, release, library controls, and
- Provide appropriate levels of disaster back-up, process resumption and recovery capabilities to mitigate loss of data and/or data integrity.

4. Data Access/Retrieval

From OSFI's supervisory perspective, a key component of data maintenance is the continued availability of an institution's data and information. More importantly for an AMA institution, the monitoring of adherence to CAR minimum requirements will include back-testing, historical or other trend analyses.
An institution should ensure that:

- Data repositories and underlying extract, query and retrieval routines are designed and built to support the institution's own data requirements as well as ongoing needs for supervisory assessments of various data as appropriate,
- Access controls and data/information distribution are based on user roles/responsibilities and industry sound practices in the context of effective segregation of duties, and are in conformance with the need to know principle, which is assessed by the institution's internal compliance and audit functions for overall effectiveness of the internal controls designed to ensure this conformance and compliance, and
- Access to data/information is not restricted in any arrangements where data maintenance is outsourced [4] to external service provider(s). Notwithstanding these arrangements, an institution should be able to provide data/information at no additional cost.

5. Data Storage/Retention

The data storage/retention component of data maintenance addresses the dual expectations of electronic data retention and archival to meet the minimum historical retention criteria established under CAR, as well as the requirements of an institution.

CAR requires an AMA institution to use internal losses as one of its data elements to measure the regulatory capital for operational risk. The measurement must be based on a minimum five-year observation period [5] of internal loss data. In addition, TSA and AMA institutions should:

- Establish documented policies and procedures addressing storage, retention and archiving, including, where applicable, the procedures for logical/physical deletion of data and destruction of data storage media and peripherals,
- Maintain back-ups of relevant data files/stores and databases in a manner that can facilitate readily available data/information to meet information calls on TSA and AMA compliance and ongoing supervisory assessments, and
- Ensure that availability of electronic versions for all relevant and material data/information is in a machine-readable format and can be made accessible.

III. Operational Risk Data Categories

Operational risk capital measurement, whether TSA or AMA, is highly dependent on an institution's ability to maintain a reliable operational risk dataset(s) for various operational risk data categories. The operational risk data categories include gross income data, operational loss data and other qualitative data representing business environment and internal control factors.

As per paragraph 653 of CAR, a TSA institution is required to calculate its capital based on three years of gross income.
In addition, for effective operational risk management, a TSA institution is required to track and report its material losses.

Comprehensive data are important for the successful implementation of AMA, especially in the measurement of operational risk capital and the management of an institution's operational risk exposures. An AMA institution is required to incorporate four data elements in its capital measurement methodology. These include internal losses, external losses, scenario analysis and business environment and internal control factors.

In addition to the key data maintenance principles outlined earlier in this implementation note, specific principles for TSA and AMA operational risk data categories have been set out below.

[4] For guidance on outsourcing, refer to OSFI's Guideline B-10: Outsourcing of Business Activities, Functions and Processes.

[5] As per CAR, when the bank first moves to the AMA, a three-year historical data window is acceptable (including parallel calculations).

1. Gross Income Data

As per paragraph 653 of CAR, a TSA institution is required to use gross income to determine the operational risk capital charge. To maintain reliable gross income data for the calculation of capital, and in alignment with the implementation of CAR requirements relating to gross income, an institution should consider the following:

- Documenting the mapping process to provide for the consistent mapping of gross income data,
- Establishing a system or process that facilitates the reconciliation of gross income reported in CAR reporting forms to the firm's reported financial results, and
- Ensuring that the robustness is commensurate with the complexity of the gross income mapping process.

2. Operational Loss Data

(i) Internal Loss Data

All TSA institutions must be able to track their material internal losses and related data elements by business line. OSFI recognizes that the industry practices for collecting internal operational losses are emerging. It is expected that tracking systems will vary across TSA institutions. As outlined in CAR, the sophistication of an institution's tracking system should appropriately reflect the size, reporting structure and the operational risk exposure of the institution. Accordingly, an institution's tracking system will be assessed against its ability to comprehensively capture its material operational losses.
Accountabilities assigned to the data maintenance of internal loss data (and its related data elements) should consider:

- Ensuring that the maintenance of internal loss data aligns with the established enterprise-wide data management framework [6],
- Determining and documenting the scope of internal loss data to be collected according to its operational risk management needs,
- Establishing and documenting processes for mapping internal loss data to business lines,
- Developing and documenting standards to ensure a consistent process for the collection of internal loss data,
- Incorporating internal loss data as part of its operational risk reporting to effectively support the ongoing management of operational risk,
- Ensuring periodic independent reviews of the processes involved in the collection of loss data.

[6] As outlined under the accountabilities of Senior Management on page 3 of this document.

An AMA institution is also expected to adhere to certain CAR requirements (paragraphs 670 to 673) as relevant to the data maintenance of its internal losses. In order to facilitate the implementation of these minimum requirements, an AMA institution should consider:

- Identifying and documenting the scope of loss data collected for the purposes of calculating capital,
- Establishing and documenting standards for the use of internal loss data in the measurement of operational risk capital. This may include the use of internal loss data in a quantification model as well as any use of internal loss data in scenario analysis,
- Ensuring that the organizational structure and processes (e.g. centralized functions, decentralized functions) support the data collection process, including timeliness and integrity,
- Documenting data field definitions to ensure consistency and completeness in the data collection,
- Separately flagging loss events (e.g., opportunity costs, credit losses relating to operational risk losses) that are collected in the dataset but are not used for the purposes of regulatory reporting, and
- Incorporating the internal loss data, in a complete and timely manner, into the operational risk reporting for both operational risk management purposes and capital impact analysis.

(ii) External Loss Data

As per paragraph 674 of CAR, an AMA institution is required to incorporate relevant external data, whether it is in the form of public data and/or pooled industry data. External data can be useful additional information especially when an institution has limited internal loss data.
In order to facilitate the implementation of these minimum requirements, AMA institutions should consider:

- Identifying and documenting a consistent process for determining the scope of external data used, ensuring that the data is appropriate for assessing infrequent, yet potentially severe losses,
- Establishing and documenting standards for a systematic process that incorporates external data into measurement methodologies,
- Ensuring that external data is used to measure operational risk appropriately, reflecting its operational risk exposure, and is used to represent tail-end losses,
- Incorporating external data as part of its operational risk reporting to effectively support the ongoing management of operational risk exposures, and
- Conducting periodic independent reviews of the processes involved in the use of external loss data.

3. Other Operational Risk Data

Other operational risk data (quantitative or qualitative elements) may include scenario analysis, risk assessments of business environment and internal control factors that underscore an operational risk profile (e.g. risk and control self-assessment results, key risk indicators), and audit scores. For AMA institutions, minimum requirements related to scenario analysis and business environment and internal control factors have been set out in paragraphs 675 and 676 of CAR. An institution should consider the following for the maintenance of other operational risk data:

- Establishing standards and processes for determining the scope and criteria for these data,
- Documenting the use of these data in its operational risk methodology,
- Incorporating these data, in a complete and timely manner, into operational risk reporting, as appropriate, and
- Ensuring that the processes of collecting these data are subject to periodic independent review.

IV. Conclusion

This implementation note has focused on principles to guide an institution in the maintenance of operational risk data. Accordingly, the focus is on the TSA and AMA institutions to ensure that the operational risk data is consistent and provides a sound, reliable and representative basis for the management of the institution's operational risk exposure. OSFI has specifically not prescribed requirements for deploying the operational risk data in the measurement of operational risk capital charges for an AMA institution.
OSFI recognizes that the scope of operational risk data, and the methodologies of collecting and incorporating such data in the quantification process, will evolve, and that with this development the range of acceptable practices will emerge within the industry. OSFI expects that further guidance on the use of operational risk data in the capital measurement process will follow, as appropriate.