12 CFR 217.161 – Qualification requirements for incorporation of operational risk mitigants
(a) Qualification to use operational risk mitigants. A Board-regulated institution may adjust its estimate of operational risk exposure to reflect qualifying operational risk mitigants if:
(1) The Board-regulated institution’s operational risk quantification system is able to generate an estimate of the Board-regulated institution’s operational risk exposure (which does not incorporate qualifying operational risk mitigants) and an estimate of the Board-regulated institution’s operational risk exposure adjusted to incorporate qualifying operational risk mitigants; and
(2) The Board-regulated institution’s methodology for incorporating the effects of insurance, if the Board-regulated institution uses insurance as an operational risk mitigant, captures through appropriate discounts to the amount of risk mitigation:
(i) The residual term of the policy, where less than one year;
(ii) The cancellation terms of the policy, where less than one year;
(iii) The policy’s timeliness of payment;
(iv) The uncertainty of payment by the provider of the policy; and
(v) Mismatches in coverage between the policy and the hedged operational loss event.
(b) Qualifying operational risk mitigants. Qualifying operational risk mitigants are:
(1) Insurance that:
(i) Is provided by an unaffiliated company that the Board-regulated institution deems to have strong capacity to meet its claims payment obligations and the obligor rating category to which the Board-regulated institution assigns the company is assigned a PD equal to or less than 10 basis points;
(ii) Has an initial term of at least one year and a residual term of more than 90 days;
(iii) Has a minimum notice period for cancellation by the provider of 90 days;
(iv) Has no exclusions or limitations based upon regulatory action or for the receiver or liquidator of a failed depository institution; and
(v) Is explicitly mapped to a potential operational loss event;
(2) Operational risk mitigants other than insurance for which the Board has given prior written approval. In evaluating an operational risk mitigant other than insurance, the Board will consider whether the operational risk mitigant covers potential operational losses in a manner equivalent to holding total capital.