12 CFR 217.122 – Qualification requirements
(a) Process and systems requirements. (1) A Board-regulated institution must have a rigorous process for assessing its overall capital adequacy in relation to its risk profile and a comprehensive strategy for maintaining an appropriate level of capital.
(2) The systems and processes used by a Board-regulated institution for risk-based capital purposes under this subpart must be consistent with the Board-regulated institution’s internal risk management processes and management information reporting systems.
(3) Each Board-regulated institution must have an appropriate infrastructure with risk measurement and management processes that meet the qualification requirements of this section and are appropriate given the Board-regulated institution’s size and level of complexity. Regardless of whether the systems and models that generate the risk parameters necessary for calculating a Board-regulated institution’s risk-based capital requirements are located at any affiliate of the Board-regulated institution, the Board-regulated institution itself must ensure that the risk parameters and reference data used to determine its risk-based capital requirements are representative of long run experience with respect to its own credit risk and operational risk exposures.
(b) Risk rating and segmentation systems for wholesale and retail exposures. (1)(i) A Board-regulated institution must have an internal risk rating and segmentation system that accurately, reliably, and meaningfully differentiates among degrees of credit risk for the Board-regulated institution’s wholesale and retail exposures. When assigning an internal risk rating, a Board-regulated institution may consider a third-party assessment of credit risk, provided that the Board-regulated institution’s internal risk rating assignment does not rely solely on the external assessment.
(ii) If a Board-regulated institution uses multiple rating or segmentation systems, the Board-regulated institution’s rationale for assigning an obligor or exposure to a particular system must be documented and applied in a manner that best reflects the obligor or exposure’s level of risk. A Board-regulated institution must not inappropriately allocate obligors or exposures across systems to minimize regulatory capital requirements.
(iii) In assigning ratings to wholesale obligors and exposures, including loss severity ratings grades to wholesale exposures, and assigning retail exposures to retail segments, a Board-regulated institution must use all relevant and material information and ensure that the information is current.
(iv) When assigning an obligor to a PD rating or retail exposure to a PD segment, a Board-regulated institution must assess the obligor or retail borrower’s ability and willingness to contractually perform, taking a conservative view of projected information.
(2) For wholesale exposures:
(i) A Board-regulated institution must have an internal risk rating system that accurately and reliably assigns each obligor to a single rating grade (reflecting the obligor’s likelihood of default). A Board-regulated institution may elect, however, not to assign to a rating grade an obligor to whom the Board-regulated institution extends credit based solely on the financial strength of a guarantor, provided that all of the Board-regulated institution’s exposures to the obligor are fully covered by eligible guarantees, the Board-regulated institution applies the PD substitution approach in § 217.134(c)(1) to all exposures to that obligor, and the Board-regulated institution immediately assigns the obligor to a rating grade if a guarantee can no longer be recognized under this part. The Board-regulated institution’s wholesale obligor rating system must have at least seven discrete rating grades for non-defaulted obligors and at least one rating grade for defaulted obligors.
(ii) Unless the Board-regulated institution has chosen to directly assign LGD estimates to each wholesale exposure, the Board-regulated institution must have an internal risk rating system that accurately and reliably assigns each wholesale exposure to a loss severity rating grade (reflecting the Board-regulated institution’s estimate of the LGD of the exposure). A Board-regulated institution employing loss severity rating grades must have a sufficiently granular loss severity grading system to avoid grouping together exposures with widely ranging LGDs.
(iii) A Board-regulated institution must have an effective process to obtain and update in a timely manner relevant and material information on obligor and exposure characteristics that affect PD, LGD and EAD.
(3) For retail exposures:
(i) A Board-regulated institution must have an internal system that groups retail exposures into the appropriate retail exposure subcategory and groups the retail exposures in each retail exposure subcategory into separate segments with homogeneous risk characteristics that provide a meaningful differentiation of risk. The Board-regulated institution’s system must identify and group in separate segments by subcategories exposures identified in § 217.131(c)(2)(ii) and (iii).
(ii) A Board-regulated institution must have an internal system that captures all relevant exposure risk characteristics, including borrower credit score, product and collateral types, as well as exposure delinquencies, and must consider cross-collateral provisions, where present.
(iii) The Board-regulated institution must review and, if appropriate, update assignments of individual retail exposures to segments and the loss characteristics and delinquency status of each identified risk segment. These reviews must occur whenever the Board-regulated institution receives new material information, but generally no less frequently than quarterly, and, in all cases, at least annually.
(4) The Board-regulated institution’s internal risk rating policy for wholesale exposures must describe the Board-regulated institution’s rating philosophy (that is, must describe how wholesale obligor rating assignments are affected by the Board-regulated institution’s choice of the range of economic, business, and industry conditions that are considered in the obligor rating process).
(5) The Board-regulated institution’s internal risk rating system for wholesale exposures must provide for the review and update (as appropriate) of each obligor rating and (if applicable) each loss severity rating whenever the Board-regulated institution obtains relevant and material information on the obligor or exposure that affects PD, LGD and EAD, but no less frequently than annually.
(c) Quantification of risk parameters for wholesale and retail exposures. (1) The Board-regulated institution must have a comprehensive risk parameter quantification process that produces accurate, timely, and reliable estimates of the risk parameters on a consistent basis for the Board-regulated institution’s wholesale and retail exposures.
(2) A Board-regulated institution’s estimates of PD, LGD, and EAD must incorporate all relevant, material, and available data that is reflective of the Board-regulated institution’s actual wholesale and retail exposures and of sufficient quality to support the determination of risk-based capital requirements for the exposures. In particular, the population of exposures in the data used for estimation purposes, the lending standards in use when the data were generated, and other relevant characteristics, should closely match or be comparable to the Board-regulated institution’s exposures and standards. In addition, a Board-regulated institution must:
(i) Demonstrate that its estimates are representative of long run experience, including periods of economic downturn conditions, whether internal or external data are used;
(ii) Take into account any changes in lending practice or the process for pursuing recoveries over the observation period;
(iii) Promptly reflect technical advances, new data, and other information as they become available;
(iv) Demonstrate that the data used to estimate risk parameters support the accuracy and robustness of those estimates; and
(v) Demonstrate that its estimation technique performs well in out-of-sample tests whenever possible.
(3) The Board-regulated institution’s risk parameter quantification process must produce appropriately conservative risk parameter estimates where the Board-regulated institution has limited relevant data, and any adjustments that are part of the quantification process must not result in a pattern of bias toward lower risk parameter estimates.
(4) The Board-regulated institution’s risk parameter estimation process should not rely on the possibility of U.S. government financial assistance, except for the financial assistance that the U.S. government has a legally binding commitment to provide.
(5) The Board-regulated institution must be able to demonstrate which variables have been found to be statistically significant with regard to EAD. The Board-regulated institution’s EAD estimates must reflect its specific policies and strategies with regard to account management, including account monitoring and payment processing, and its ability and willingness to prevent further drawdowns in circumstances short of payment default. The Board-regulated institution must have adequate systems and procedures in place to monitor current outstanding amounts against committed lines, and changes in outstanding amounts per obligor and obligor rating grade and per retail segment. The Board-regulated institution must be able to monitor outstanding amounts on a daily basis.
(6) At a minimum, PD estimates for wholesale obligors and retail segments must be based on at least five years of default data. LGD estimates for wholesale exposures must be based on at least seven years of loss severity data, and LGD estimates for retail segments must be based on at least five years of loss severity data. EAD estimates for wholesale exposures must be based on at least seven years of exposure amount data, and EAD estimates for retail segments must be based on at least five years of exposure amount data. If the Board-regulated institution has relevant and material reference data that span a longer period of time than the minimum time periods specified above, the Board-regulated institution must incorporate such data in its estimates, provided that it does not place undue weight on periods of favorable or benign economic conditions relative to periods of economic downturn conditions.
(7) Default, loss severity, and exposure amount data must include periods of economic downturn conditions, or the Board-regulated institution must adjust its estimates of risk parameters to compensate for the lack of data from periods of economic downturn conditions.
(8) The Board-regulated institution’s PD, LGD, and EAD estimates must be based on the definition of default in § 217.101.
(9) If a Board-regulated institution uses internal data obtained prior to becoming subject to this subpart E or external data to arrive at PD, LGD, or EAD estimates, the Board-regulated institution must demonstrate to the Board that the Board-regulated institution has made appropriate adjustments if necessary to be consistent with the definition of default in § 217.101. Internal data obtained after the Board-regulated institution becomes subject to this subpart E must be consistent with the definition of default in § 217.101.
(10) The Board-regulated institution must review and update (as appropriate) its risk parameters and its risk parameter quantification process at least annually.
(11) The Board-regulated institution must, at least annually, conduct a comprehensive review and analysis of reference data to determine relevance of the reference data to the Board-regulated institution’s exposures, quality of reference data to support PD, LGD, and EAD estimates, and consistency of reference data to the definition of default in § 217.101.
(d) Counterparty credit risk model. A Board-regulated institution must obtain the prior written approval of the Board under § 217.132 to use the internal models methodology for counterparty credit risk and the advanced CVA approach for the CVA capital requirement.
(e) Double default treatment. A Board-regulated institution must obtain the prior written approval of the Board under § 217.135 to use the double default treatment.
(f) Equity exposures model. A Board-regulated institution must obtain the prior written approval of the Board under § 217.153 to use the internal models approach for equity exposures.
(g) Operational risk. (1) Operational risk management processes. A Board-regulated institution must:
(i) Have an operational risk management function that:
(A) Is independent of business line management; and
(B) Is responsible for designing, implementing, and overseeing the Board-regulated institution’s operational risk data and assessment systems, operational risk quantification systems, and related processes;
(ii) Have and document a process (which must capture business environment and internal control factors affecting the Board-regulated institution’s operational risk profile) to identify, measure, monitor, and control operational risk in the Board-regulated institution’s products, activities, processes, and systems; and
(iii) Report operational risk exposures, operational loss events, and other relevant operational risk information to business unit management, senior management, and the board of directors (or a designated committee of the board).
(2) Operational risk data and assessment systems. A Board-regulated institution must have operational risk data and assessment systems that capture operational risks to which the Board-regulated institution is exposed. The Board-regulated institution’s operational risk data and assessment systems must:
(i) Be structured in a manner consistent with the Board-regulated institution’s current business activities, risk profile, technological processes, and risk management processes; and
(ii) Include credible, transparent, systematic, and verifiable processes that incorporate the following elements on an ongoing basis:
(A) Internal operational loss event data. The Board-regulated institution must have a systematic process for capturing and using internal operational loss event data in its operational risk data and assessment systems.
(1) The Board-regulated institution’s operational risk data and assessment systems must include a historical observation period of at least five years for internal operational loss event data (or such shorter period approved by the Board to address transitional situations, such as integrating a new business line).
(2) The Board-regulated institution must be able to map its internal operational loss event data into the seven operational loss event type categories.
(3) The Board-regulated institution may refrain from collecting internal operational loss event data for individual operational losses below established dollar threshold amounts if the Board-regulated institution can demonstrate to the satisfaction of the Board that the thresholds are reasonable, do not exclude important internal operational loss event data, and permit the Board-regulated institution to capture substantially all the dollar value of the Board-regulated institution’s operational losses.
(B) External operational loss event data. The Board-regulated institution must have a systematic process for determining its methodologies for incorporating external operational loss event data into its operational risk data and assessment systems.
(C) Scenario analysis. The Board-regulated institution must have a systematic process for determining its methodologies for incorporating scenario analysis into its operational risk data and assessment systems.
(D) Business environment and internal control factors. The Board-regulated institution must incorporate business environment and internal control factors into its operational risk data and assessment systems. The Board-regulated institution must also periodically compare the results of its prior business environment and internal control factor assessments against its actual operational losses incurred in the intervening period.
(3) Operational risk quantification systems. (i) The Board-regulated institution’s operational risk quantification systems:
(A) Must generate estimates of the Board-regulated institution’s operational risk exposure using its operational risk data and assessment systems;
(B) Must employ a unit of measure that is appropriate for the Board-regulated institution’s range of business activities and the variety of operational loss events to which it is exposed, and that does not combine business activities or operational loss events with demonstrably different risk profiles within the same loss distribution;
(C) Must include a credible, transparent, systematic, and verifiable approach for weighting each of the four elements, described in paragraph (g)(2)(ii) of this section, that a Board-regulated institution is required to incorporate into its operational risk data and assessment systems;
(D) May use internal estimates of dependence among operational losses across and within units of measure if the Board-regulated institution can demonstrate to the satisfaction of the Board that its process for estimating dependence is sound, robust to a variety of scenarios, and implemented with integrity, and allows for uncertainty surrounding the estimates. If the Board-regulated institution has not made such a demonstration, it must sum operational risk exposure estimates across units of measure to calculate its total operational risk exposure; and
(E) Must be reviewed and updated (as appropriate) whenever the Board-regulated institution becomes aware of information that may have a material effect on the Board-regulated institution’s estimate of operational risk exposure, but the review and update must occur no less frequently than annually.
(ii) With the prior written approval of the Board, a state member bank may generate an estimate of its operational risk exposure using an alternative approach to that specified in paragraph (g)(3)(i) of this section. A state member bank proposing to use such an alternative operational risk quantification system must submit a proposal to the Board. In determining whether to approve a state member bank’s proposal to use an alternative operational risk quantification system, the Board will consider the following principles:
(A) Use of the alternative operational risk quantification system will be allowed only on an exception basis, considering the size, complexity, and risk profile of the state member bank;
(B) The state member bank must demonstrate that its estimate of its operational risk exposure generated under the alternative operational risk quantification system is appropriate and can be supported empirically; and
(C) A state member bank must not use an allocation of operational risk capital requirements that includes entities other than depository institutions or the benefits of diversification across entities.
(h) Data management and maintenance. (1) A Board-regulated institution must have data management and maintenance systems that adequately support all aspects of its advanced systems and the timely and accurate reporting of risk-based capital requirements.
(2) A Board-regulated institution must retain data using an electronic format that allows timely retrieval of data for analysis, validation, reporting, and disclosure purposes.
(3) A Board-regulated institution must retain sufficient data elements related to key risk drivers to permit adequate monitoring, validation, and refinement of its advanced systems.
(i) Control, oversight, and validation mechanisms. (1) The Board-regulated institution’s senior management must ensure that all components of the Board-regulated institution’s advanced systems function effectively and comply with the qualification requirements in this section.
(2) The Board-regulated institution’s board of directors (or a designated committee of the board) must at least annually review the effectiveness of, and approve, the Board-regulated institution’s advanced systems.
(3) A Board-regulated institution must have an effective system of controls and oversight that:
(i) Ensures ongoing compliance with the qualification requirements in this section;
(ii) Maintains the integrity, reliability, and accuracy of the Board-regulated institution’s advanced systems; and
(iii) Includes adequate governance and project management processes.
(4) The Board-regulated institution must validate, on an ongoing basis, its advanced systems. The Board-regulated institution’s validation process must be independent of the advanced systems’ development, implementation, and operation, or the validation process must be subjected to an independent review of its adequacy and effectiveness. Validation must include:
(i) An evaluation of the conceptual soundness of (including developmental evidence supporting) the advanced systems;
(ii) An ongoing monitoring process that includes verification of processes and benchmarking; and
(iii) An outcomes analysis process that includes backtesting.
(5) The Board-regulated institution must have an internal audit function or equivalent function that is independent of business-line management that at least annually:
(i) Reviews the Board-regulated institution’s advanced systems and associated operations, including the operations of its credit function and estimations of PD, LGD, and EAD;
(ii) Assesses the effectiveness of the controls supporting the Board-regulated institution’s advanced systems; and
(iii) Documents and reports its findings to the Board-regulated institution’s board of directors (or a committee thereof).
(6) The Board-regulated institution must periodically stress test its advanced systems. The stress testing must include a consideration of how economic cycles, especially downturns, affect risk-based capital requirements (including migration across rating grades and segments and the credit risk mitigation benefits of double default treatment).
(j) Documentation. The Board-regulated institution must adequately document all material aspects of its advanced systems.