Publications > Consultation Papers > Consultation Papers (1 - 10) > CP03

CP03

24 May 2004

The Application of the Supervisory Review Process under Pillar 2

1. This paper sets out a general overview of the approach which has been developed by the Committee of European Banking Supervisors (CEBS) towards the implementation of Pillar 2 of the revised Basel Accord ("Basel II") and the relevant provisions of the Capital Requirements Directive (NB1) .

(NB1 For reasons of simplicity, in this paper the term "Capital Requirements Dire ctive" or "Directive" refers to the prospective EU legislation that will be proposed by the European Commission in summer 2004 to create the legal framework f or the new EU capital requirements regime.)

2. The outcome of such work, reflecting the current thinking of European banking supervisors, is expressed as High Level Principles (HLPs) which are designed to deliver an appropriate degree of convergence and to underpin the legal texts being developed in the draft Capital Requirements Directive. They should also be viewed within the overall context of risk-based prudential supervision, which includes the information generally gathered by supervisors, and supervisors' interaction with institutions during their ongoing supervisory relationship.

3. The HLPs are based on a structure which has been developed through a combination of adopting existing best practices and developing agreed new practices to take account of the new elements of Basel II and the draft Capital Requirements Directive. At the time of producing this paper the Directive text is still under development, and the HLPs and terminology may still need to be amended to reflect any subsequent changes introduced in the final Directive text.

Structure of the paper

4. The outline of this paper is as follows:

. Section 2 sets out in basic terms what is meant by the overall Supervisory Review Process (SRP), and how the two elements - the Internal Capital Adequacy Assessment Process (ICAAP) and Supervisory Review and Evaluation Process (SREP) - fit together.

. Section 3 summarises the key considerations which underpin these HLPs.

. Section 4 details what the supervisory authority will expect from institutions in their own assessment of the adequacy of their financial resources (ICAAP).

. Section 5 looks at the supervisory authority's obligations under the SREP and how this might be performed.

. Annex A sets out key ingredients of the supervisory Risk Assessment System (RAS) that constitutes an integral part of the SREP, and which is used for organising (i.e. planning, prioritising and allocating) the use of resources, and performing and managing the supervisory risk assessment; and Annex B
summarises the risk and control factors which should be evaluated as a minimum.

5. CEBS invites comments on this consultation paper by 31 August 2004 ( CP03@c-ebs.org ). The received comments (unless the respondent requests otherwise) as well as a reasoned explanation addressing all major points raised will be published on the website.

Supervisory Review Process

6. The purpose of the SRP, according to the Basel Committee on
. ensure that institutions have adequate capital to support all
. encourage institutions to develop and use better risk management
7. The four principles for supervisory review agreed by the Basel Principle 1 : Banks should have a process for assessing
Principle 2 : Supervisors should review and evaluate
Principle 3 : Supervisors should expect banks to operate
Principle 4 : Supervisors should seek to intervene at
8. Under Principle 1, the management body of an institution bears
9. The Commission Services proposed in the third Consultation
10. The SRP therefore comprises a set of relationships between
11. Supervisors assess the risk profile of an institution through
12. While expressed as two separate processes, the SREP and ICAAP
. gain deeper insights into the institution's overall control
. establish a closer understanding of how individual institutions
. assess the extent to which the ICAAP may be relied upon as an
13. These principles are expected to enhance the level playing

Key Considerations

14. These proposals envisage that every institution to which the
15. The concept of proportionality is key to
16. It is the responsibility of the institution to define
17. The supervisor's role, within the SRP, includes the review
18. The Pillar 1 capital requirement will continue to be seen
19. The scope of application for the SRP should
The Internal Capital Adequacy Assessment Process the risks in their business; and
techniques in monitoring and measuring risks
committee are:
their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.
banks' internal capital adequacy assessments and strategies as well as their ability to monitor and ensure their compliance with regulatory capital ratios. Supervisors should take supervisory action if they are not satisfied with the result of this process.
above the minimum regulatory capital ratios and should have the ability to require banks to hold capital in excess of the minimum.
an early state to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and should require rapid remedial action if capital is not maintained or restored.
primary responsibility for ensuring that processes exist to ensure that an institution holds sufficient capital to meet both regulatory and internal capital targets. Supervisors should review and validate this process, in accordance with Principle 2. Under Principle 3, supervisors are able to require (or encourage) institutions to hold capital in excess of the minimum Pillar 1 requirement. Finally, it is the opinion of supervisors that Principles 2 - 4 imply that the supervisory authority should have strong risk assessment capabilities as part of its review and evaluation, in order to form its own well-informed judgement on what constitutes an adequate level of capital in any one institution in relation to its risk and control profile.
paper (of July 2003) a framework which reflected these four principles. The SRP prescribed in the EU Directive is intended to achieve two equally important goals. On the one hand, it seeks to ensure that institutions hold internal capital which is consistent with their risk profile and strategy. And on the other, it requires review of institutions' processes and strategies by supervisors, and the timely adoption of prudential measures if weaknesses or deficiencies are detected.
supervisors and institutions that hinge on two main elements. The first is the Internal Capital Adequacy Assessment Process which places certain obligations on the institution itself (see ICAAP below). The second is the Supervisory Review and Evaluation Process which places certain obligations on the supervisory authority (see SREP below) and in turn leads to the identification of prudential measures.
a variety of sources (e.g. statistical, desk-based analysis, on-site visits, and routine relationship management etc.) as part of risk based prudential supervision. This provides the foundation for the supervisor to undertake, inter alia , an evaluation of the institution's risk profile, key inputs to which will be the evaluation of institution's ICAAP and the supervisory dialogue this generates with the institution. It also enables the supervisor to determine appropriate prudential measures (including if necessary setting a capital requirement above the Pillar 1 minimum), apply those prudential measures over an agreed supervisory period, and to keep the risk assessment under review in the light of progress in implementing those measures and/or other events which may have a significant impact on the risk assessment.
are in practice closely intertwined and it is intended that there will be a close interaction between them, especially so for the larger, more complex and systemically important institutions. This interaction will generate an important and necessary dialogue, and feedback mechanism, through which supervisors can:
and risk management frameworks;
approach the measurement of risks and the amount of internal capital allocated to them; and
input into the supervisor's evaluation of the adequacy of capital held against all risks.
field in the EU under the new capital regime. Industry views on this would be particularly helpful for further work by banking supervisors to develop, collectively, additional principles aimed at promoting convergence on how the ICAAP is linked to the SREP and how the outcomes of that process might be determined. This future work will help to underpin convergence and greater consistency of supervisory outcomes.
Capital Requirements Directive applies must have an Internal Capital Adequacy Assessment Process and will be subject to the Supervisory Review and Evaluation Process.
both the ICAAP and SREP. As such, the ICAAP should be commensurate and proportionate to the nature, scale and complexity of the activities of an institution. Similarly, the depth, frequency and intensity of the SREP will be determined by the risks posed to the supervisor's objectives.
and develop its ICAAP . The onus is on the institution to demonstrate to the supervisor in its dialogue (through the interaction of the ICAAP and SREP) that its internal capital assessment is comprehensive and adequate to the nature of risks posed by its business activities and its operating environment. The framework under which an institution should develop its ICAAP is designed to be risk based. The new framework emphasises the importance of capital planning , but also the importance of management, and other qualitative aspects of risk management . All institutions will have to assess the impact of economic cycles and other future business variables on their capital needs. For larger and more complex institutions this may mean developing a stress and scenario testing framework through which they will have to estimate the sensitivity of the institution's capital needs to external risks and factors.
and evaluation of the institution's ICAAP , and the performance of an independent assessment of the institution's risk profile , and if necessary taking prudential measures and other supervisory actions , including setting additional regulatory capital, to reflect the individual circumstances of the institution, with a view to ensuring consistency of capital treatment across institutions. Supervisors should have arrangements in place for the collection and verification of any relevant information, and procedures to maintain the quality and consistency of risk assessments.
as a minimum for regulatory capital requirements based on uniform rules. However, no set of uniform rules for capital requirements may capture all aspects of an individual institution's overall risk profile. For institutions and supervisors alike, judgements on risk and capital adequacy are based on the overall risk profile and are therefore more than an assessment of compliance with Pillar 1 minimum capital requirements. As part of the supervisory review process, regulatory capital over and above Pillar 1 is seen as one of several regulatory tools to be potentially used by the supervisor to mitigate identified risks, having carefully considered controls and other mitigating actions. Emphasis should also be placed on the institution's risk management process.
allow the supervisory authority to fulfil its legal responsibility for supervision at the individual institution level while minimising the burden on institutions. This element of the Directive is under active discussion. It will be necessary to ensure that these HLPs fully fit with the final text.
>

Summary

20. The ICAAP is a comprehensive process including the management body and senior management oversight, monitoring, reporting and internal control reviews, that institutions must have to identify and measure their risks, allowing them to ensure that adequate provision is made for holding internal capital in relation to their risk profile.

21. The ICAAP includes:

. Policies and procedures to identify, measure and report the risks inherent in the institution's activities.

. A process to relate the institution's internal capital to its risks

. A process to state the institution's goals in terms of adequate internal capital

. A process of internal controls, review and audit

Background

22. The latest texts from the Basel Committee (CP3) and the European Commission include some key requirements in relation to the ICAAP as a process for assessing capital adequacy :

- Basel Committee - Principle 1 states that "banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels"

- CP3 then elaborates the five main features of a rigorous process, of which two relate specifically to the process for assessing how much capital the institution needs:

. "sound capital assessment" (policies and procedures to ensure capture of all material risks, a process to relate capital to risk; a process to state capital adequacy goals to risk (which should take account of the institution's strategic focus and business plan); internal controls to ensure integrity); and

. "comprehensive assessment of risks" (all material risks to be included, with consideration at least of credit risk, operational risk, market risk, interest rate risk in the banking book, liquidity risk and other risks, such as reputation and strategic risk).

23. The remaining three features set out some essential elements of the overall environment within which the ICAAP should operate:

. management body and senior management oversight;

. monitoring and reporting; and

. internal control.

24. EU draft directive (Third Consultation paper of July 2003 incorporates the basic requirements concerning the assessment process to be implemented by institutions to ensure that their internal capital is adequate to cover the risks inherent in their activities.

25. Therefore, even if the Directive is not final, there will be a requirement for institutions to have a process/arrangements to ensure that they have adequate internal capital to support all material risks to which they are exposed and to encourage the development and use of better risk management techniques. For the purposes of simplification, the process defined above is referred to as the internal capital adequacy assessment process.

26. The proposed High Level Principles set out how an institution can comply with both the qualitative (corporate governance and risk management) and the quantitative elements (internal capital assessment) that ICAAP should include (i.e. comprising all five features mentioned in relation to Basel CP3 in paragraph 21 above). It is important to note however, that these high level principles deal mainly with those issues related to the calculation of the adequate internal capital to ensure that all material risks are supported.

27. Adequate risk management arrangements and other important elements of corporate governance are a necessary condition for an adequate ICAAP and are the foundation of the capital adequacy process. Notwithstanding this, those more qualitative elements have further-reaching implications for an institution that go well beyond the ICAAP. This paper does not intend to elaborate on that risk management process or on other elements of corporate governance.

ICAAP High Level Principles

I. Every institution must have a process for assessing its capital adequacy in relation to its risk profile (an ICAAP).

a. The scope of application of this principle to institutions which are part of a group subject to consolidated supervision (i.e. consolidated, sub-consolidated and/or solo) will depend on the final decision taken in the Directive in relation to this issue.

II. The ICAAP is the responsibility of the institution.

a. Institutions bear the responsibility for setting targets of adequate internal capital in a way which is consistent with their risk profile and operating environment.

b. Therefore the ICAAP should be the responsibility of each institution itself to fit its circumstances and needs, and using its own inputs and definitions.

c. At the same time, the institution must be able to explain and demonstrate how the ICAAP meets supervisory requirements.

III. The ICAAP should be proportionate to the nature, size, risk profile and complexity of the institution.

a. Deciding on how to categorise institutions in order to apply the principle of proportionality cannot be defined in a principles paper; it is more of a case-by-case issue, which will probably take account of factors such as size, significance to financial stability or to other objectives of the

supervisory authority, risk profile, complexity, sophistication, history of compliance, legal form of the institution etc.

b. It can be expected that proportionality considerations will have a particular influence on the structure, comprehensiveness and complexity of less sophisticated institutions' ICAAPs.

c. For less sophisticated institutions, and without prejudice to Principe V, the outsourcing of parts of the ICAAP and/or its review is also an issue. Conditions for accepting such outsourcing could be established nationally or at European level. It must be clear that each institution is considered according to its specific situation and individual risk profile.

IV. The ICAAP should be formal, the capital policy fully documented and the management body's responsibility.

a. Responsibility rests with the management body of the institution to initiate and design the ICAAP. It should approve the "conceptual design" (at the very least the scope, general methodology and objectives) of the ICAAP. The detailed "design" (being the technical concept) is a task for the senior management. The management body is also responsible for integrating capital planning and management into the overall risk management culture and approach. It must ensure that capital planning and management policies and procedures are communicated and implemented institution-wide and supported by sufficient authority and resources.

b. The institution's ICAAP (methodologies, assumptions and procedures) and capital policy should be formally documented and approved and reviewed at the top level (management body) of the institution.

c. The outcome of the ICAAP should be reported to senior management and the top level management body.

d. Even though outsourcing of parts of the ICAAP - bearing in mind CEBS' high level principles on outsourcing - could be permissible for less sophisticated institutions, it must be clear that the ICAAP remains at all times the responsibility of the institution's management body. ( NB2)

(NB2 The management body is responsible for defining general policy and for oversight or supervision.)

V. The ICAAP should form an integral part of the management process and decision-making culture of the institution.

a. For the more sophisticated institutions, a complete integration of the ICAAP into the day-to-day management is expected.

b. For less sophisticated institutions, the ICAAP should be constructed in a way which allows the management body to assess, on an ongoing basis, the risks inherent in their activities and which are material to the institution.

c. As an integral part of the management process, this could range