(a) Timing. (1) A [bank] that is described in paragraph (b)(1) of section 1 must adopt a written implementation plan no later than six months after the later of the effective date of this appendix or the date the [bank] meets a criterion in that section. The plan must incorporate an explicit first floor period start date no later than 36 months after the later of the effective date of this appendix or the date the [bank] meets at least one criterion under paragraph (b)(1) of section 1. [AGENCY] may extend the first floor period start date.
(2) A [bank] that elects to be subject to this appendix under paragraph (b)(2) of section 1 must adopt a written implementation plan and notify the [AGENCY] in writing of its intent at least 12 months before it proposes to begin its first floor period.
(b) Implementation plan. The [bank]�s implementation plan must address in detail how the [bank] complies, or plans to comply, with the qualification requirements in section 22. The [bank] also must maintain a comprehensive and sound planning and governance process to oversee the implementation efforts described in the plan. At a minimum, the plan must:
(1) Comprehensively address the qualification requirements in section 22 for the [bank] and each consolidated subsidiary (U.S. and foreign-based) of the [bank] with respect to all portfolios and exposures of the [bank] and each of its consolidated subsidiaries;
(2) Justify and support any proposed temporary or permanent exclusion of business lines, portfolios, or exposures from application of the advanced approaches in this appendix (which business lines, portfolios, and exposures must be, in the aggregate, immaterial to the [bank]);
(3) Include the [bank]�s self-assessment of:
(i) The [bank]�s current status in meeting the qualification requirements in section 22; and
(ii) The consistency of the [bank]�s current practices with the [AGENCY]�s supervisory guidance on the qualification requirements;
(4) Based on the [bank]�s self-assessment, identify and describe the areas in which the [bank] proposes to undertake additional work to comply with the qualification requirements in section 22 or to improve the consistency of the [bank]�s current practices with the [AGENCY]�s supervisory guidance on the qualification requirements (gap analysis);
(5) Describe what specific actions the [bank] will take to address the areas identified in the gap analysis required by paragraph (b)(4) of this section;
(6) Identify objective, measurable milestones, including delivery dates and a date when the [bank]�s implementation of the methodologies described in this appendix will be fully operational;
(7) Describe resources that have been budgeted and are available to implement the plan; and
(8) Receive board of directors approval.
(c) Parallel run. Before determining its risk-based capital requirements under this appendix and following adoption of the implementation plan, the [bank] must conduct a satisfactory parallel run. A satisfactory parallel run is a period of no less than four consecutive calendar quarters during which the [bank] complies with all of the qualification requirements in section 22 to the satisfaction of [AGENCY]. During the parallel run, the [bank] must report to the [AGENCY] on a calendar quarterly basis its risk-based capital ratios using [the general risk-based capital rules] and the risk-based capital requirements described in this appendix. During this period, the [bank] is subject to [the general risk-based capital rules].
(d) Approval to calculate risk-based capital requirements under this appendix. The [AGENCY] will notify the [bank] of the date that the [bank] may begin its first floor period following a determination by the [AGENCY] that:
(1) The [bank] fully complies with the qualification requirements in section 22;
(2) The [bank] has conducted a satisfactory parallel run under paragraph (c) of this section; and
(3) The [bank] has an adequate process to ensure ongoing compliance with the qualification requirements in section 22.
(e) Transitional floor periods. Following a satisfactory parallel run, a [bank] is subject to three transitional floor periods.
(1) Risk-based capital ratios during the transitional floor periods - (i) Tier 1 risk-based capital ratio. During a [bank]�s transitional floor periods, a [bank]�s tier 1 risk-based capital ratio is equal to the lower of:
(A) The [bank]�s floor-adjusted tier 1 risk-based capital ratio; or
(B) The [bank]�s advanced approaches tier 1 risk-based capital ratio.
(ii) Total risk-based capital ratio. During a [bank]�s transitional floor periods, a [bank]�s total risk-based capital ratio is equal to the lower of:
(A) The [bank]�s floor-adjusted total risk-based capital ratio; or
(B) The [bank]�s advanced approaches total risk-based capital ratio.
(2) Floor-adjusted risk-based capital ratios. (i) A [bank]�s floor-adjusted tier 1 risk-based capital ratio during a transitional floor period is equal to the [bank]�s tier 1 capital as calculated under [the general risk-based capital rules], divided by the product of:
(A) The [bank]�s total risk-weighted assets as calculated under [the general risk-based capital rules]; and
(B) The appropriate transitional floor percentage in Table 1.
(ii) A [bank]�s floor-adjusted total risk-based capital ratio during a transitional floor period is equal to the sum of the [bank]�s tier 1 and tier 2 capital as calculated under [the general risk-based capital rules], divided by the product of:
(A) The [bank]�s total risk-weighted assets as calculated under [the general risk-based capital rules]; and
(B) The appropriate transitional floor percentage in Table 1.
(iii) A [bank] that meets the criteria in paragraph (b)(1) or (b)(2) of section 1 as of the effective date of this rule must use [the general risk-based capital rules] effective immediately before this rule became effective during the parallel run and as the basis for its transitional floors.
Transitional floor period | Transitional floor percentage |
---|---|
First floor period | 95 percent |
Second floor period | 90 percent |
Third floor period | 85 percent |
(3) Advanced approaches risk-based capital ratios. (i) A [bank]�s advanced approaches tier 1 risk-based capital ratio equals the [bank]�s tier 1 risk-based capital ratio as calculated under this appendix (other than this section on transitional floor periods).
(ii) A [bank]�s advanced approaches total risk-based capital ratio equals the [bank]�s total risk-based capital ratio as calculated under this appendix (other than this section on transitional floor periods).
(4) Reporting. During the transitional floor periods, a [bank] must report to the [AGENCY] on a calendar quarterly basis both floor-adjusted risk-based capital ratios and both advanced approaches risk-based capital ratios.
(5) Exiting a transitional floor period. A [bank] may not exit a transitional floor period until the [bank] has spent a minimum of four consecutive calendar quarters in the period and the [AGENCY] has determined that the [bank] may exit the floor period. The [AGENCY]�s determination will be based on an assessment of the [bank]�s ongoing compliance with the qualification requirements in section 22.
(a) Process and systems requirements. (1) A [bank] must have a rigorous process for assessing its overall capital adequacy in relation to its risk profile and a comprehensive strategy for maintaining an appropriate level of capital.
(2) The systems and processes used by a [bank] for risk-based capital purposes under this appendix must be consistent with the [bank]�s internal risk management processes and management information reporting systems.
(3) Each [bank] must have an appropriate infrastructure with risk measurement and management processes that meet the qualification requirements of this section and are appropriate given the [bank]�s size and level of complexity. Regardless of whether the systems and models that generate the risk parameters necessary for calculating a [bank]�s risk-based capital requirements are located at any affiliate of the [bank], the [bank] itself must ensure that the risk parameters and reference data used to determine its risk-based capital requirements are representative of its own credit risk and operational risk exposures.
(b) Risk rating and segmentation systems for wholesale and retail exposures. (1) A [bank] must have an internal risk rating and segmentation system that accurately and reliably differentiates among degrees of credit risk for the [bank]�s wholesale and retail exposures.
(2) For wholesale exposures, a [bank] must have an internal risk rating system that accurately and reliably assigns each obligor to a single rating grade (reflecting the obligor�s likelihood of default). The [bank]�s wholesale obligor rating system must have at least seven discrete rating grades for non-defaulted obligors and at least one rating grade for defaulted obligors. Unless the [bank] has chosen to directly assign ELGD and LGD estimates to each wholesale exposure, the [bank] must have an internal risk rating system that accurately and reliably assigns each wholesale exposure to loss severity rating grades (reflecting the [bank]�s estimate of the ELGD and LGD of the exposure). A [bank] employing loss severity rating grades must have a sufficiently granular loss severity grading system to avoid grouping together exposures with widely ranging ELGDs or LGDs.
(3) For retail exposures, a [bank] must have a system that groups exposures into segments with homogeneous risk characteristics and assigns accurate and reliable PD, ELGD, and LGD estimates for each segment on a consistent basis. The [bank]�s system must group retail exposures into the appropriate retail exposure subcategory and must group the retail exposures in each retail exposure subcategory into separate segments. The [bank]�s system must identify all defaulted retail exposures and group them in segments by subcategories separate from non-defaulted retail exposures.
(4) The [bank]�s internal risk rating policy for wholesale exposures must describe the [bank]�s rating philosophy (that is, must describe how wholesale obligor rating assignments are affected by the [bank]�s choice of the range of economic, business, and industry conditions that are considered in the obligor rating process).
(5) The [bank]�s internal risk rating system for wholesale exposures must provide for the review and update (as appropriate) of each obligor rating and (if applicable) each loss severity rating whenever the [bank] receives new material information, but no less frequently than annually. The [bank]�s retail exposure segmentation system must provide for the review and update (as appropriate) of assignments of retail exposures to segments whenever the [bank] receives new material information, but no less frequently than quarterly.
(c) Quantification of risk parameters for wholesale and retail exposures. (1) The [bank] must have a comprehensive risk parameter quantification process that produces accurate, timely, and reliable estimates of the risk parameters for the [bank]�s wholesale and retail exposures.
(2) Data used to estimate the risk parameters must be relevant to the [bank]�s actual wholesale and retail exposures, and of sufficient quality to support the determination of risk-based capital requirements for the exposures.
(3) The [bank]�s risk parameter quantification process must produce conservative risk parameter estimates where the [bank] has limited relevant data, and any adjustments that are part of the quantification process must not result in a pattern of bias toward lower risk parameter estimates.
(4) PD estimates for wholesale and retail exposures must be based on at least 5 years of default data. ELGD and LGD estimates for wholesale exposures must be based on at least 7 years of loss severity data, and ELGD and LGD estimates for retail exposures must be based on at least 5 years of loss severity data. EAD estimates for wholesale exposures must be based on at least 7 years of exposure amount data, and EAD estimates for retail exposures must be based on at least 5 years of exposure amount data.
(5) Default, loss severity, and exposure amount data must include periods of economic downturn conditions, or the [bank] must adjust its estimates of risk parameters to compensate for the lack of data from periods of economic downturn conditions.
(6) The [bank]�s PD, ELGD, LGD, and EAD estimates must be based on the definition of default in this appendix.
(7) The [bank] must review and update (as appropriate) its risk parameters and its risk parameter quantification process at least annually.
(8) The [bank] must at least annually conduct a comprehensive review and analysis of reference data to determine relevance of reference data to [bank] exposures, quality of reference data to support PD, ELGD, LGD, and EAD estimates, and consistency of reference data to the definition of default contained in this appendix.
(d) Counterparty credit risk model. A [bank] must obtain the prior written approval of [AGENCY] under section 32 to use the internal models methodology for counterparty credit risk.
(e) Double default treatment. A [bank] must obtain the prior written approval of [AGENCY] under section 34 to use the double default treatment.
(f) Securitization exposures. A [bank] must obtain the prior written approval of [AGENCY] under section 44 to use the internal assessment approach for securitization exposures to ABCP programs.
(g) Equity exposures model. A [bank] must obtain the prior written approval of [AGENCY] under section 53 to use the internal models approach for equity exposures.
(h) Operational risk - (1) Operational risk management processes. A [bank] must:
(i) Have an operational risk management function that:
(A) Is independent of business line management; and
(B) Is responsible for designing, implementing, and overseeing the [bank]�s operational risk data and assessment systems, operational risk quantification systems, and related processes;
(ii) Have and document a process to identify, measure, monitor, and control operational risk in [bank] products, activities, processes, and systems (which process must capture business environment and internal control factors affecting the [bank]�s operational risk profile); and
(iii) Report operational risk exposures, operational loss events, and other relevant operational risk information to business unit management, senior management, and the board of directors (or a designated committee of the board).
(2) Operational risk data and assessment systems. A [bank] must have operational risk data and assessment systems that capture operational risks to which the [bank] is exposed. The [bank]�s operational risk data and assessment systems must:
(i) Be structured in a manner consistent with the [bank]�s current business activities, risk profile, technological processes, and risk management processes; and
(ii) Include credible, transparent, systematic, and verifiable processes that incorporate the following elements on an ongoing basis:
(A) Internal operational loss event data. The [bank] must have a systematic process for capturing and using internal operational loss event data in its operational risk data and assessment systems.
(1) The [bank]�s operational risk data and assessment systems must include a historical observation period of at least five years for internal operational loss event data (or such shorter period approved by [AGENCY] to address transitional situations, such as integrating a new business line).
(2) The [bank] may refrain from collecting internal operational loss event data for individual operational losses below established dollar threshold amounts if the [bank] can demonstrate to the satisfaction of the [AGENCY] that the thresholds are reasonable, do not exclude important internal operational loss event data, and permit the [bank] to capture substantially all the dollar value of the [bank]�s operational losses.
(B) External operational loss event data. The [bank] must have a systematic process for determining its methodologies for incorporating external operational loss data into its operational risk data and assessment systems.
(C) Scenario analysis. The [bank] must have a systematic process for determining its methodologies for incorporating scenario analysis into its operational risk data and assessment systems.
(D) Business environment and internal control factors. The [bank] must incorporate business environment and internal control factors into its operational risk data and assessment systems. The [bank] must also periodically compare the results of its prior business environment and internal control factor assessments against its actual operational losses incurred in the intervening period.
(3) Operational risk quantification systems. (i) The [bank]�s operational risk quantification systems:
(A) Must generate estimates of the [bank]�s operational risk exposure using its operational risk data and assessment systems; and
(B) Must employ a unit of measure that is appropriate for the [bank]�s range of business activities and the variety of operational loss events to which it is exposed, and that does not combine business activities or operational loss events with different risk profiles within the same loss distribution.
(C) May use internal estimates of dependence among operational losses within and across business lines and operational loss events if the [bank] can demonstrate to the satisfaction of [AGENCY] that its process for estimating dependence is sound, robust to a variety of scenarios, and implemented with integrity, and allows for the uncertainty surrounding the estimates. If the [bank] has not made such a demonstration, it must sum operational risk exposure estimates across units of measure to calculate its total operational risk exposure.
(D) Must be reviewed and updated (as appropriate) whenever the [bank] becomes aware of information that may have a material effect on the [bank]�s estimate of operational risk exposure, but no less frequently than annually.
(ii) With the prior written approval of [AGENCY], a [bank] may generate an estimate of its operational risk exposure using an alternative approach to that specified in paragraph (h)(3)(i) of this section. A [bank] proposing to use such an alternative operational risk quantification system must submit a proposal to [AGENCY]. In considering a [bank]�s proposal to use an alternative operational risk quantification system, [AGENCY] will consider the following principles:
(A) Use of the alternative operational risk quantification system will be allowed only on an exception basis, considering the size, complexity, and risk profile of a [bank];
(B) The [bank] must demonstrate that its estimate of its operational risk exposure generated under the alternative operational risk quantification system is appropriate and can be supported empirically; and
(C) A [bank] must not use an allocation of operational risk capital requirements that includes entities other than depository institutions or the benefits of diversification across entities.
(i) Data management and maintenance. (1) A [bank] must have data management and maintenance systems that adequately support all aspects of its advanced systems and the timely and accurate reporting of risk-based capital requirements.
(2) A [bank] must retain data using an electronic format that allows timely retrieval of data for analysis, validation, reporting, and disclosure purposes.
(3) A [bank] must retain sufficient data elements related to key risk drivers to permit adequate monitoring, validation, and refinement of its advanced systems.
(j) Control, oversight, and validation mechanisms. (1) The [bank]�s senior management must ensure that all components of the [bank]�s advanced systems function effectively and comply with the qualification requirements in this section.
(2) The [bank]�s board of directors (or a designated committee of the board) must at least annually evaluate the effectiveness of, and approve, the [bank]�s advanced systems.
(3) A [bank] must have an effective system of controls and oversight that:
(i) Ensures ongoing compliance with the qualification requirements in this section;
(ii) Maintains the integrity, reliability, and accuracy of the [bank]�s advanced systems; and
(iii) Includes adequate governance and project management processes.
(4) The [bank] must validate, on an ongoing basis, its advanced systems. The [bank]�s validation process must be independent of the advanced systems� development, implementation, and operation, or the validation process must be subjected to an independent review of its adequacy and effectiveness. Validation must include:
(i) The evaluation of the conceptual soundness of (including developmental evidence supporting) the advanced systems;
(ii) An on-going monitoring process that includes verification of processes and benchmarking; and
(iii) An outcomes analysis process that includes back-testing.
(5) The [bank] must have an internal audit function independent of business-line management that at least annually assesses the effectiveness of the controls supporting the [bank]�s advanced systems and reports its findings to the [bank]�s board of directors (or a committee thereof).
(6) The [bank] must periodically stress test its advanced systems. The stress testing must include a consideration of how economic cycles, especially downturns, affect risk-based capital requirements (including migration across rating grades and segments and the credit risk mitigation benefits of double default treatment).
(k) Documentation. The [bank] must adequately document all material aspects of its advanced systems.
(a) Changes to advanced systems. A [bank] must meet all the qualification requirements in section 22 on an ongoing basis. A [bank] must notify the [AGENCY] when the [bank] makes any change to an advanced system that would result in a material change in the [bank]�s risk-weighted asset amount for an exposure type, or when the [bank] makes any significant change to its modeling assumptions.
(b) Mergers and acquisitions - (1) Mergers and acquisitions of companies without advanced systems. If a [bank] merges with or acquires a company that does not calculate its risk-based capital requirements using advanced systems, the [bank] may use [the general risk-based capital rules] to determine the risk-weighted asset amounts for, and deductions from capital associated with, the merged or acquired company�s exposures for up to 24 months after the calendar quarter during which the merger or acquisition consummates. [AGENCY] may extend this transition period for up to an additional 12 months. Within 30 days of consummating the merger or acquisition, the [bank] must submit to [AGENCY] an implementation plan for using its advanced systems for the acquired company. During the period when [the general risk-based capital rules] apply to the merged or acquired company, any ALLL, net of allocated transfer risk reserves established pursuant to 12 U.S.C. 3904, associated with the merged or acquired company�s exposures may be included in the [bank]�s tier 2 capital up to 1.25 percent of the acquired company�s risk-weighted assets. All general reserves of the merged or acquired company must be excluded from the [bank]�s eligible credit reserves. In addition, the risk-weighted assets of the merged or acquired company are not included in the [bank]�s credit-risk-weighted assets but are included in total risk-weighted assets. If a [bank] relies on this paragraph, the [bank] must disclose publicly the amounts of risk-weighted assets and qualifying capital calculated under this appendix for the acquiring [bank] and under [the general risk-based capital rules] for the acquired company.
(2) Mergers and acquisitions of companies with advanced systems. If a [bank] merges with or acquires a company that calculates its risk-based capital requirements using advanced systems, the acquiring [bank] may use the acquired company�s advanced systems to determine the risk-weighted asset amounts for, and deductions from capital associated with, the merged or acquired company�s exposures for up to 24 months after the calendar quarter during which the acquisition or merger consummates. [AGENCY] may extend this transition period for up to an additional 12 months. Within 30 days of consummating the merger or acquisition, the [bank] must submit to [AGENCY] an implementation plan for using its advanced systems for the merged or acquired company.
(c) Failure to comply with qualification requirements. If [AGENCY] determines that a [bank] that is subject to this appendix and has conducted a satisfactory parallel run fails to comply with the qualification requirements in section 22, [AGENCY] will notify the [bank] in writing of the [bank]�s failure to comply. The [bank] must establish a plan satisfactory to the [AGENCY] to return to compliance with the qualification requirements and must disclose to the public its failure to comply with the qualification requirements promptly after receiving notice from the [AGENCY]. In addition, if the [AGENCY] determines that the [bank]�s risk-based capital requirements are not commensurate with the [bank]�s credit, market, operational, or other risks, the [AGENCY] may require such a [bank] to calculate its risk-based capital requirements:
(1) Under [the general risk-based capital rules]; or
(2) Under this appendix with any modifications provided by the [AGENCY].