While the widely publicized Basel II Accord is not expected to take effect until late 2006 at the earliest, some of the world's largest financial institutions and vendors are already in full swing with a combination of technological and business preparations to comply with the prescribed changes to the way credit and operational risk is measured to set aside sufficient regulatory capital.
Concerns about the Basel II Accord's methodology - or even whether firms can make the implementation date, aside the new proposal has now become one of the top - if not the top priority at many financial institutions particularly since firms are required to keep three years of historical data on operational losses.
The comment period for the latest version of the Basel Accord, first unveiled in 1998, ends July 31. It remains to be seen whether it will reach beyond banks and how widely it will be implemented within the more than 100 countries, which have signed the accord. While the draft Basel II Accord only mentions banks, the European Commission may interpret it as applying to all financial institutions, including brokerages and insurance companies.
Even if a bank does not fall under the Basel II Accord's jurisdiction - the U.S' Federal Reserve insists it will affect only ten U.S. banks - to some, compliance appears to be a defacto business requirement. "It is irrelevant whether a bank doesn't have to technically follow the accord. Its guidelines will be used as a best practices measure by institutional clients," said Peter Rossiter, executive vice president of corporate risk management at Chicago's Northern Trust, which evenly splits its revenues between securities processing and private banking.
By year-end Northern Trust will install a combination of its own software and that of Toronto-based risk measurement house Algorithmics - OpData - to measure operational risk. The bank has been using Algorithmics' AlgoLimits to measure credit risk since 1998, when the first version of the Basel Accord, known as Basel I was floated.
Algorithmics' rival SunGard Data Systems, is also jumping on the operational risk management bandwagon. Dean Jovic, SunGard's group managing director for risk management and Basel II, said that the firm will either partner with another firm or acquire an operational risk management house - a strategy in line with SunGard's corporate philosophy of taking a best-of-breed approach. Through its subsidiary Trading and Risk Systems, SunGard Data Systems already offers Credience and BancWare for credit risk analysis.
Measuring credit risk is nothing new, particularly to large banks which have hefty risk management departments to keep tabs on their customers, trading practices, and post-trade processing activities. But Basel II requires that for the first time banks set aside capital against operational risk, which the regulation defines as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems or from external events. Business contingency preparations are therefore taken into account because they impact data continuity.
The pricetag for meeting the Basel II recommendations is hefty: according to financial services consultancy Oliver, Wyman & Company, large internationally active banks will each spend around $100 million to become compliant and the process entails stringent data requirements: not only ensuring that information is correct but consistent across geographic locations and multiple business lines; JP Morgan Chase, for one contends that Basel II will impact 7,000 business units.
The Basel II Accord has also prompted a new profession: Basel II project management experts. Most Basel II programs will be led by senior managers in the risk areas but IT directors will also play a key role.
Over the past decade, the largest internationally active banks have developed sophisticated risk rating systems, particularly on the credit side, but the information doesn't reside in a single unit. It is spread out over disparate systems – particularly in the case of merged banks - and must be aggregated. Credit risk analysis, for instance, consists of data on counterparty defaults, asset recovery, and collateral which might be stored in hundreds of applications.
In the case of operational risk, firms must track transaction flows from the front office all the way to the back office, which includes reconciliation with counterparties, said Barry Patel, who heads up the London based software house ePulse, which offers a Basel II compliance package known as SentinelPlus. The key, he believes, is knowing in real-time whether transactions have been completed and whether they have followed correct internal processes (such as credit limits).
"Banks must establish a common risk management methodology, data collection, IT systems and disclosure processes, all of which are underpinned by the overall integration of risk into core business processes," said Steven Burkhardt, director of business development at Pinnacle Systems, a Piscataway, N.J. based technology consultancy.
Moreover, the data is often incomplete and inconsistent - in part because clean and timely data is not considered a high enough priority. "Any yahoo can download a position but is the information actionable," said Mark Rodrigues, managing director for the information technology practice at Oliver, Wyman. Credit risk analysis, for instance requires accurate reference data – information on counterparties and the financial instruments traded.
Exotic derivatives, in particular, will pose the greatest challenge in complying with Basel II - hence may require the greatest capital requirements - because they are not exchange-traded. "The process of recording the trading in profit and loss statements remains largely manually based and data needs to be posted in multiple systems depending on the nature of the contract: the equity, swaps and credit trading departments," said Andrew Cheriman, European product manager for J.P. Morgan Chase’s Horizon, a global operational risk management platform.
J.P Morgan is widely touted as being the most advanced among U.S. banks in complying with Basel II having installed a corporate operational risk management team of about a dozen in early 2001 to create an integrated consistent approach to operational risk mangement. The bank installed Horizon on a global basis at the end of that year.
"We had already begun capturing operational losses before 1999 but the process was paper-intensive and difficult to maintain consistent results across all the business lines," said Cherriman. Making the process particularly cumbersome was the diversity of practices within JP Morgan and Chase which merged in 2000.
Within the next month, the bank will be incorporating the measurement of operational errors - typically mistakes in booking transactions – now done through a separate proprietary system in Horizon. "The move will allow the bank to compare its self assessment of operational risk with operational errors," said Cheriman.
Citigroup installed the prototype of an "Events Data Capture" platform in 2001 with full implementation at the end of March, thereby allowing the bank to have three years of historical operational loss data as required by Basel II. The system collects operational loss information across several hundred business units and reports it to the management information systems department which in turn relays the information to regional risk management committees.
Citigroup is now developing a modeling system that will feed into the EDC platform. "The modeling system will look at the probability of events occurring that would result in operational loss," said Sue Kingman, vice president of European fund operations for Citigroup Global Transaction Services in London.
Another obstacle to complying with the Basel II Accord is clearly its legal standing. Created by the Basel Committee on Banking Supervision, formed by central bank directors and financial regulators, the Basel Accord does not carry the weight of a formal supranational supervisory authority. It merely formulates broad-based supervisory principles and strategies with each of the countries signing the accord free to implement it in a way that suits its market best. In doing so, the Basel Committee can only encourage common approaches and standards.
Basel II evolved out of the framework of the 1988 Basel Accord but is more than an update. Rather than applying a one-size fits all approach to credit and operational risk, banks will be able to choose among three regulatory frameworks to calculate capital requirements: standard, internal ratings based (IRB) and advanced IRB, with the later two expected to be used among large financial firms.
Calculating capital requirements, however, just one of the first of the three pillars of the Basel II Accord. The second focuses on how supervisors view a bank's risk management systems while the third aims to improve market discipline through expanded disclosure.
To U.S. bank regulators and many European industry players, the Basel II Accord has sparked a hornet's nest of criticism. Federal Reserve Vice Chairman Roger Ferguson has touted the strengths of the new agreement while John Hawke, Controller of the Currency has said that more study is needed. Some banks, which have made substantial investments in risk mangement techniques would prefer to have their operational capital requirements set by regulatory supervisors rather than being constrained by the Basel II Accord's formal predefined capculations.
Speaking at a London software conference last Friday, Angela Knight chief executive of APCIMS, the U.K. trade group for retail brokerages and transfer agents said that although the European Commission's latest draft of its new Capital Adequacy Directive is an improvement for companies defined as "simple" investment firms, its complicated formula still leaves many non-banks caught in a regime designed for the banking industry.
The result will be completely disproportionate increases in costs for many investment firms, she told delegates to the Security Industry Software Association conference in London.
The Directive seeks to apply the Basel rules to all of Europe's financial industry. Although its stated aim is to devise a system, which is more closely related to risk, its basic assumption is that all firms are banks or bank-lookalikes. "It's like putting a six-year-old girl in a size 18 party frock. It fits nowhere, it covers everything several times over and it keeps tripping her up every time she tries to move. Additional costs, not justified by additional risks, simply mean that the customer will pay more for no extra benefit," said Knight.
A similar argument was made recently by the U.S broker-dealer trade group Securities Industry Association, which called for U.S. regulators to have discretion in the application of the rules to securities firms.
"Investment firms have to have their own tailored regime. It cannot be right to burden them with the same capital requirements as internationally active banks," said Knight.