aba operational risk consortium - american bankers … loss... · 2016-10-13 · established in...
ABA Operational Risk Consortium
Loss Data Collection & Reporting Guidelines
2015
1‐800‐BANKERS aba.com
© 2015 by the American Bankers Association, Washington, D.C. All rights reserved.
Loss Data Collection & Reporting Guidelines Approved April 2015
Table of Contents
Introduction
Operational Risk Definition
Types of Losses/Costs and Recoveries Captured
Reporting Thresholds, Gross and Net Loss
Timing of Loss Recognition
Legal Costs
Event Aggregation
Timing Events
Outsourcing and Other Third Party Issues
Projects
Employment Practices
Tax Losses
Short Description of Events
Operational Gains
Boundary Events
Process to Ensure Completeness and Correctness of Loss Data
Business Line Allocation and Categorization
Event Type Allocation and Categorization
Product Categorization
Process Categorization
Cause Categorization
Scaling Factors
Appendix A: Frequently Asked Questions (for new members)
Appendix B: Potential Boundary Events—Charge Offs to Operational Loss vs. Credit Loss
Appendix C: Specific Data Reporting Questions and Recommendations
Introduction

Established in January 2003, the ABA Operational Risk Consortium generally follows the Basel II Framework in its loss data collection practices. Over time the Consortium members have encountered data reporting issues that are not directly addressed in the Basel II Framework. In 2006, a Reporting Group (Subcommittee) was formed to evaluate and recommend resolutions to various data reporting questions (See Appendix A). The Reporting Group’s recommendations are reviewed and approved by the full Consortium membership prior to implementation.

This Loss Data Collection & Reporting Guidelines was developed under the auspices of the ABA Consortium Reporting Group to document the recommendations approved by the Consortium membership. It is intended to supplement the Participant’s Guide and to ensure data consistency and the ability to benchmark. It is expected that each consortium member make a diligent and good faith effort to comply with the guidelines. It will be revised periodically as issues arise and resolutions to data reporting questions raised by Consortium members are agreed to.

The December 2010 Basel Committee on Banking Supervision’s Consultative Document “Operational Risk – Supervisory Guidelines for Advanced Measurement Approaches” (OR‐SGAMA), paragraphs 19–30 starting on page 5 and paragraphs 82–83 starting on page 20, are cited within the document, where appropriate, for additional reference.

The Reporting Group may decide that certain events or circumstances are not reportable to the ABA Consortium, to ensure data consistency and the ability to benchmark operational loss. However, the bank is encouraged to monitor/track those events internally for risk management purposes.

In addition to serving as a reference document for the Consortium, the guidelines are posted on ABA’s Members‐Only website for use by other member institutions. We hope the practices described in this document will help other banks prepare for operational loss data collection within their organization.

To submit data reporting questions or comments regarding this document, please email [email protected].
Operational Risk Definition
The ABA Consortium uses the Basel II definition of Operational risk: “Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” This definition includes legal risk, but excludes strategic and reputational risk. Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.
Types of Losses/Costs and Recoveries Captured

The operational losses/costs captured in the database should be non‐discretionary and have an identifiable impact on the FI’s financial statements. The ABA Consortium captures direct losses to the FI, legal costs, and other costs. Other costs include any direct costs incurred that are directly related to a loss event. (OR‐SGAMA p. 21 par. 85 (b)) If direct losses plus legal costs and other costs exceed the threshold amount of USD 10,000, it is considered a reportable event regardless of the event’s status.

A recovery is defined to occur when the FI has no control over the funds in question and must rely on a third party to either return the funds or compensate the financial institution’s loss. In general, the recovery amount comes from insurance policies, settlements, and/or repayments. Furthermore, the recovery amount should be calculated based on the cost amounts that have been realized or that are future contractual agreements. Expected or unrealized costs should not be included in the recovery amounts. Additionally, recoveries should be captured as a separate field in the database. This facilitates an accurate calculation of recovery rates for the different operational loss event categories. (OR‐SGAMA p. 6 par. 22 and p. 20 par. 84)
Specifically, the ABA Consortium suggests following the guidelines listed below for reporting losses/costs and recoveries:

Direct Loss

Included (OR‐SGAMA p. 21 par. 85, 87 (a))
- Principal amounts
- Customer losses
- Damages
- Litigation/arbitration settlement charges
- Penalties
- Amounts paid directly to clients or plaintiffs by insurance company
- Timing events spanning two or more months (e.g., overstated revenue correction, teller differences)

Excluded (OR‐SGAMA p. 21 par. 86, 87)
- Timing events, i.e., differences or errors discovered and resolved within what is considered a normal reconciliation or resolution time frame (e.g., overstated revenue correction, teller differences)
- Customer goodwill gestures not stemming from operational loss
- Overtime
- Compensation of existing employees
- Corrections
- Bank fees

Legal Costs

Included
- External attorney fees
- Court costs
- Filing fees
- Expert witness fees

Excluded
- Compensation of existing employees

Other Costs (OR‐SGAMA p. 21 par. 85 (b))

Included
- Temporary employees
- External — consultants, accountants, investigators
- Collection agency fees
- Additional rent expense
- Public relations
- Costs associated with reissuance of cards after a data breach occurs even though the bank has not experienced any fraudulent transactions on those accounts
- Costs associated with offering credit monitoring service to customers after bank’s own data breach, as required by law

Excluded
- Reputation impact
- Decreased market share
- Decreased shareholder value
- Cost of preventative/precautionary measures
- Costs associated with offering credit monitoring service to customers after a third party data breach when bank is not required by law to offer such service

Other Recovery (OR‐SGAMA p. 6 par. 22 and p. 20 par. 84)

Included
- Subrogation
- Refund or return of funds
- Court ordered restitution, repayment agreement
- Right of offset

Excluded
- Corrections
- Insurance recoveries

Insurance Recovery

Included
- Amounts paid to bank from purchased insurance
- Amounts paid directly to clients or plaintiffs from purchased insurance

Excluded
- Subrogation
- Refund or return of funds
- Court ordered restitution, repayment agreement
- Right of offset
Reporting Thresholds, Gross and Net Loss

The ABA Consortium captures gross losses and associated recoveries as discussed in the previous section. If the gross loss or gain (before recoveries) is USD 10,000 or greater, the event is reportable to the ABA Consortium.

Member banks should report loss events charged‐off during each quarter exceeding the threshold amount. If additional losses or costs associated with a previously reported loss event occurred during the quarter, the reporting bank must resubmit the original loss‐event record to include updated or final aggregate loss information. Similarly, if recoveries associated with a previously reported loss event occurred during the quarter, the reporting bank must resubmit the original loss event record to include the recovery amounts. When resubmitting a previously reported event, be sure to use the same event ID and charge‐off date.

Workers Compensation claims should be reported as soon as the cumulative loss hits the USD 10,000 threshold. The charge‐off date should be the oldest date that a payment was made. These events should be resubmitted quarterly with the updated information until the case is closed. If the FI pays into a state Workers Compensation Insurance Fund, and does not self‐fund its Workers Compensation claims, the payment is considered an insurance payment and it is not reportable as an operational loss.

If the FI experiences a loss of USD 10,000 or greater and a portion of the loss is covered by a third‐party service provider, i.e., insurance carrier or vendor, resulting in the FI posting the net amount on their books, the full gross amount of the loss should be reported to the ABA with the amount covered by the third party reported as a recovery.
Example(s): A claimant brings a lawsuit against the FI. The FI has an insurance policy covering the activity in question and the insurance carrier negotiates a settlement with the claimant for USD 5 million. The insurance carrier pays USD 1 million in coverage directly to the claimant and the FI pays the remaining USD 4 million. The event should be submitted to the ABA as a gross loss of USD 5 million with an insurance recovery of USD 1 million.
The cumulative loss in a workers compensation claim has reached the USD 10,000 threshold in the reporting quarter. It was submitted, along with other revised events, and the charge‐off date was the oldest date that a payment was made on the claim. In case the event’s first charge‐off date was prior to 01/01/2003, when the ABA Consortium was first established, 01/01/2003 would be the assigned charge‐off date for this event. The claim will be resubmitted quarterly, with the cumulative information updated, until the case is closed.
Timing of Loss Recognition

Only actual losses are to be submitted. Direct or actual losses are reported when the loss is posted to the general ledger. That date is reported as the charge‐off date. However, if specific reserves are established for an operational loss, then the date that the accrual is booked to the general ledger should be used as the charge‐off date, since this is the date of first financial impact. (OR‐SGAMA p. 6 par 27–29 and p. 28 par. 132, 133)

A legal event is reportable to the ABA Consortium when the final payout amount is booked to the general ledger. The charge‐off date for a legal case should be the final payout date. This recommendation takes into consideration bank legal department’s concerns regarding “discovery” of on‐going cases. However, if event specific legal reserves are booked to the general ledger, then the event should be reported using the accrual amount, if this information is available, then updated when the final payout occurs. The event should have ‘yes’ in the Accrual Amount column on the submission form. When the event is settled, the amount should be updated to reflect the actual loss amount, legal costs and other costs should be updated as well, and the ‘yes’ should be removed from the Accrual Column on the submission form. (OR‐SGAMA p. 27 par. 125 and p. 28 par. 133–139)

In the event the legal settlement amount is to be paid by the bank over a period of time, e.g., over a 10 year period:

- Any settlement amount that covers prior infringement or violation by the bank is an operational loss and the full amount should be reported to the ABA Consortium upon settlement even though the payment will be made over time. The charge‐off date for this event will be the date of the first payment.
- Any settlement amount designated to cover future use of the service is not an operational loss and should not be reported to the ABA Consortium.

Example: In case of a regulatory fine, once the fine amount is estimated and the accrual is booked to the general ledger, the event would be reported to the ABA Consortium with ‘yes’ in the Accrual Amount column on the reporting form. When the amount of the fine has been determined and paid, and the general ledger entries are made to adjust the accrual to the final amount, the event should be updated with the amount changed to reflect the actual fine paid, amount of legal costs and other costs should be updated, if appropriate, and the ‘yes’ in the Accrual Column should be removed.
Legal Costs

The ABA Consortium uses the Basel II definition of legal risk: Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements. The legal costs and other costs to be included and excluded from ABA reporting are as follows:

Included
- External attorney fees (OR‐SGAMA p. 21 par. 85 (b))
- Court costs (OR‐SGAMA p. 21 par. 85 (b))
- Filing fees (OR‐SGAMA p. 21 par. 85 (b))
- Expert witness fees (OR‐SGAMA p. 21 par. 85 (b))

Excluded
- Compensation of existing employees (OR‐SGAMA p. 21 par. 85 (b))
Example(s):
Consider a situation of legal settlement where the bank was not proven to be at fault, but it was less expensive to settle the case. These events should be included in the database and the Basel event type classification should be assigned based on the allegations.
In the case of a dispute where the institution was successful in defending itself and no settlement associated with the case was paid, i.e., the event has zero direct loss, the event should still be reported to the ABA Consortium with the amount in the direct loss column as zero, if this information is available.
An event specific accrual was booked to the general ledger. The date that the accrual posted to general ledger was used as the charge‐off date. Subsequently, the case was settled and the actual settlement amount (or an adjustment to the accrued amount) was booked to the general ledger. The event should be updated with the amount changed to reflect the actual fine paid. The amounts for legal costs and other costs should be updated, if appropriate. The ‘yes’ in the Accrual Column should be removed. The charge‐off date for a legal case should be the date that the accrual was booked (i.e., first financial impact). (see: Timing of Loss Recognition)
Event Aggregation

Only losses that are directly related should be aggregated. See “Reporting Thresholds, Gross and Net Loss” and “Timing of Loss Recognition” as well as other sections for additional guidance, as appropriate. (OR‐SGAMA p. 7 par. 30 and p. 31 par. 146–154)

A reportable event may only have one associated loss or it may have multiple associated losses. All losses associated with a reportable event may occur at one time, or they may occur over a period of time. In addition, losses associated with a reportable event may impact one business line or they may impact more than one business line. The ABA Consortium follows the following guidelines on aggregation of such losses.

Multiple losses related to a specific event should be aggregated.

If losses associated with a reportable event occur over time, they should be aggregated and reported as one event. The charge‐off date reported should be the oldest charge‐off date. (Also see: Reporting Thresholds, Gross and Net Loss)

Examples:
- A natural disaster (fire, earthquake, hurricanes, etc.) is a single occurrence that could result in multiple charge‐offs or costs that occur at different times. Charges related to building repairs, equipment replacement, clean‐up and other related direct costs should be aggregated.
- A customer reported a series of fraudulent transactions posting to their account as a result of stolen or counterfeit checks. Although the checks cleared on different dates, the transactions should be aggregated.

Multiple losses resulting from the same root cause should be aggregated and reported as one event.

Example:
- A third party, responsible for processing credit card transactions, has a data breach. Over the next several months, the FI is experiencing an increase in credit card fraud and suspects it may be related to the data breach. These fraud events should be aggregated and reported as one event if the FI was able to establish a link between the data breach and the fraudulent activity on the cards. The FI is encouraged to link these events if their data collection process permits.
- Card fraud claims linked to a mass data breach by a retailer should be aggregated and reported as one event.

Multiple losses related to a specific event that impacts more than one business line should be aggregated (i.e., linked). A separate event would be reported for each business line, but each would have the same Event ID.

Example:
- A reportable event impacted business lines BL4 and BL3. The gross loss for the event was USD100,000, with 30 percent of the loss belonging to BL4 and 70 percent of the loss belonging to BL3.
- In the reporting form, USD30,000 would be reported for BL4 with the Event ID 1234 and USD70,000 would be reported for BL3 with the Event ID 1234. The appropriate explanation would be provided in the Verification Checklist.
Timing Events

Timing events are the occurrence of an operational risk event that results in the temporary distortion of a bank’s financial accounts (e.g., revenue overstatement, accounting errors, and mark‐to‐market errors).

In general, differences or errors discovered and resolved within what is considered a normal reconciliation or resolution time frame should be treated as a near miss and should not be reported to the ABA. These timing events normally do not span over more than one accounting period and are often corrected by reversing the error or waiving fees. (OR‐SGAMA p. 21 par. 87 (b))

While timing events do not represent a true financial impact on the institution (net impact over time is zero), if the error continues across two or more accounting periods, it may represent a material misrepresentation of the institution’s financial statements. Material “timing losses” due to operational risk events that span two or more accounting periods should be reported to the ABA when they give rise to legal events. The loss amount to be reported comprises all the expenses incurred as a result of the operational risk event, including the correction of the financial statement, when it involves the direct relation with third parties (such as customers or authorities) or employees of the institution, and excluding the correction of the financial statement in all other cases. (Source: European Banking Authority guidance) [1]

[1] The U.S. regulators have not provided specific guidance on reporting for timing events.

Examples:

- Due to a procedural error or aggressive selling, for three years a customer is charged with higher than contracted fees/interests, which determine the revenue overstatement of the institution financial statement. After receiving the claim, the institution refunds the customer of the extra fees/interests; the institution also bears legal expenses and pays a fine to the competent authority. The loss amount to be included in the scope of operational risk loss are the extra fees/interests, the legal expenses, and the fine. (Source: European Banking Authority guidance)
- In a dispute with an employee for mobbing (a deliberate attempt to force a person out of their workplace by humiliation, general harassment, emotional abuse and/or terror), an institution is convicted by the court to refund the employee of the unpaid income/salary during five years. The institution also bears legal expenses and pays a fine. The loss amounts to be included in the scope of operational risk loss are the unpaid income/salary, the legal expenses and the fine. (Source: European Banking Authority guidance)
- An operational risk event, such as an accounting or a mark‐to‐market error, occurs in an institution’s portfolio determining the revenue overstatement of the institution’s financial statements for three years. After three years the institution recognizes the operational risk event and corrects the financial statement. Due to this event the institution is fined by the competent authorities, an action for collective redress is filed (e.g., as a consequence of a fallen share price) and a provision is made. As the operational risk event does not directly involve a third party or an employee, the loss amounts to be included in the scope of operational risk loss are the fines and the provisions only. The restatement is not included in the scope of operational risk loss. (Source: European Banking Authority guidance)
- A teller difference was resolved over two accounting periods with no funds actually leaving the FI during that period. The difference was resolved with a zero net financial loss to the FI and it did not lead to a legal event. This is not a reportable event. The FI is encouraged to track resolved teller differences as near misses.
- An overpayment is made to a vendor: it was discovered during the normal reconciliation period, the vendor was contacted and the vendor returned the overpayment. This is not a reportable event. The FI is encouraged to track this as a near miss.
- A financial reporting error (i.e., general ledger entry) is discovered and fixed within the same accounting period. This event should be treated as a timing event and not reported to the ABA. The FI is encouraged to track this as a near miss.
Outsourcing and Other Third Party Issues

If a direct loss to the FI occurs as a result of failure on the part of a third‐party service provider or a vendor, the event should be reported to the ABA Consortium. If the FI is able to recover all or a part of the loss, the full gross amount of the loss should be reported to the ABA with the amount covered by the third‐party service provider or vendor reported as a recovery.

If through an applicable service agreement the FI receives compensatory payment from the third‐party service provider or vendor and incurs no direct loss from the incident, the event should not be reported to the ABA Consortium.

Example(s):

- Customer filed suit against the FI alleging that the collection efforts that the collection agency used, acting on behalf of the FI, were tantamount to harassment and caused emotional distress. The customer agreed to a settlement of USD10,000 and dropped the suit.
  The USD10,000 settlement would be reported to the ABA Consortium.
- The courier service lost the branch work. The FI was able to recreate a significant portion of the work, but was left with a USD27,000 outage it had to charge‐off. The agreement with the courier service required them to compensate the FI for the amount of the outage, and they did so.
  This would not be reported to the ABA Consortium because the FI received compensatory payment from the vendor.
- A third party, responsible for processing credit card transactions, has a data breach. Many customers at the FI were compromised. Over the next several months, the FI is experiencing an increase in credit card fraud and suspects it may be related to the data breach. The FI reissues new cards to all the impacted customers and provides them with 30 days of free credit monitoring service.
  If there is a reasonably clear link between the data breach and the fraudulent activity on the cards, the losses should be aggregated and reported to the ABA Consortium. The cost of card reissue and credit monitoring should be aggregated and reported as Other Cost. (OR‐SGAMA p. 21 par. 85 (b); also see: Event Aggregation)
- A third party, responsible for processing credit card transactions, reports that there has been a data breach which may have impacted their customers. It is not clear how many customers of the FI were compromised. The FI decides to reissue new cards to all the customers that may be impacted by the data breach as a preventative measure against fraud.
  This would not be reported to the ABA Consortium. The FI may want to collect this for internal risk management reporting.
Projects

Project overruns should only be reported if they are due to an operational loss event. The FI may capture project cost write‐off and project overspending for internal purposes; however, such losses are usually considered business/strategic risk and should not be reported to the ABA Consortium.

Example(s):

- Scrapping a project half‐way through: the costs incurred so far should not be reported to the ABA Consortium.
- “Costs over the original budgeted amount” should not be reported to the ABA Consortium unless the project was undertaken without proper authorization.
- A system outage causes an operational loss to the FI. This loss results in a project going over budget. The amount reported to the ABA Consortium should be the amount lost due to the system outage, not the over‐budget portion of the project.
Employment Practices

The costs related to an Employment Practices operational risk event, such as wrongful dismissals, discrimination, compensatory payments, etc., should be reported to the ABA Consortium. If legal or administrative action is filed against the bank for an Employment Practice related operational risk event, the accrual amount should be reported and then updated with the final settlement amount when it is known. The accrual should be event specific and should follow the rules for legal cases. See: Timing of Loss Recognition.

Example: The FI terminates a broker because of poor trading practices. The broker takes the termination to arbitration, which results in a settlement of USD100,000. In addition, the FI was required to pay USD5,000 in filing and hearing fees and USD50,000 to outside counsel. A loss event totaling USD155,000 would be reported to the ABA Consortium:

- Direct Loss amount of USD100,000
- Legal Costs of USD50,000
- Other Costs of USD5,000
Tax Losses

Tax‐related issues that result in a direct loss to the FI, for example, penalties, late payment charges, etc., should be reported to the ABA Consortium. However, losses resulting from aggressive tax strategies that are not resolved in the FI’s favor in court should not be reported to the ABA Consortium.

Example(s):

- If an employee responsible for filing the FI’s taxes left the bank and fines were incurred due to non‐filing or late filing of taxes, the losses should be reported to the ABA Consortium.
- Interest and penalty payments resulting from disputes with the tax authorities on the interpretation of the tax laws should not be reported to the ABA Consortium.
Short Description of Events (Optional)

The ABA Operational Risk Consortium Reporting Guidelines encourages member institutions to provide a short description of events when the gross realized loss is USD100,000 or more. The objective of gathering the short description is to provide member institutions an additional tool for completing scenario and risk identification analyses. It is recommended that three elements be included in the short description: product or service, cause, control failure.

1. Identify the product or service that best describes where the loss was incurred.
2. In one to two sentences, explain what happened to cause the loss.
3. In one to two sentences, explain what failed to happen to prevent the loss. Include the control that failed and the failure type (Failure Type: control did not exist, control was not designed properly, & control was not implemented properly). For some loss events, this element may be not applicable.

Examples:

- Credit Card Account. An employee increased a family member’s credit card line without authorization. The account was charged‐off. The control for the monitoring of suspicious activity in employee accounts was not being performed on a consistent basis.
- Auto Loans. A customer falsified income information and financial documents on a loan application. The loan was approved and eventually charged‐off. Underwriting procedures and training did not provide sufficient guidance to employees to detect fraud.
- Mortgage Loans. Employees in the loan processing department failed to comply with loan documentation guidelines. Per loan sales agreement, the investor required the institution to make investors whole on foreclosure deficiency. Closing agent did not comply with established guidelines.
- Trust Services. The institution agreed to a settlement with customer related to a breach of fiduciary duty claim. The department failed to complete the annual account review in a timely manner.
Some examples of retail banking products and services:
Checking Accounts, Savings Accounts, Debit Cards, Certificate of Deposit, Individual Retirement Account, Internet Bill Payment, Funds Transfer Services, Foreign Exchange Services
Personal Banking Services, Vault Services, Other Deposit, Credit Card Accounts, Personal Loans, Lines of Credit, Auto Loans, Auto Leasing
Student Loans, Home Equity Loans, Construction Loans, Mortgage Loans, Small Business Loans, Other Loan, Trust Services
Operational Gains (Optional)
Operational gains are included as a part of the ABA Consortium Database and are subject to the same reporting threshold as the losses, i.e., gains are reportable when the absolute value of the gain exceeds USD10,000. Gains should be reported as a negative loss. The rationale behind collecting operational gains is that even though the event resulted in a gain, the same event could potentially result in a loss.
Example(s):
Teller overage
Trading errors
Boundary Events (Optional)
Boundary events are defined as losses that have components of operational risk and of credit and/or market risk. To avoid double counting, the datasets used for market, credit, and operational risk capital modeling should not overlap. However, FIs should capture boundary events and follow the guidelines below when reporting them to the ABA Consortium.
According to the Basel II final rule:
Banks must treat operational losses that are related to market risk as operational losses for purposes of calculating risk‐based capital requirements under this final rule. For example, losses incurred from a failure of bank personnel to properly execute a stop loss order, from trading fraud, or from a bank selling a security when a purchase was intended, must be treated as operational losses.
Banks would treat losses that are related to both operational risk and credit risk as credit losses for purposes of calculating risk‐based capital requirements. For example, where a loan defaults (credit risk) and the bank discovers that the collateral for the loan was not properly secured (operational risk), the bank’s resulting loss would be attributed to credit risk (not operational risk). This general separation between credit and operational risk is supported by current U.S. accounting standards for the treatment of credit risk.
To be consistent with prevailing practice in the credit card industry, the final rule included an exception to this standard for retail credit card fraud losses. Specifically, retail credit card losses arising from non‐contractual, third party‐initiated fraud (for example, identity theft) would be treated as external fraud operational losses under the final rule. All other third party‐initiated losses would be treated as credit losses.
Credit Risk: During the November 2, 2010 conference call with the ABA Consortium members to
discuss boundary events, the regulators identified the following criteria in determining
when a credit loss has occurred:
1. Whether the loss resulted from a borrower’s failure to pay
2. Whether the bank has the legal ability to pursue payment from a borrower
3. Whether the loss results from underwriting failures
4. Whether or not the bank retains an interest in the securitization
5. Whether the bank is exposed to recourse
6. Whether the bank has a residual credit exposure
If a loan loss is charged off to the allowance for loan loss account, but a portion of the loss can be attributed to operational error, the operational loss amount should be reported to the ABA Consortium as a loss event with the box for “credit/market risk related” in the ABA report form checked as yes. Such events should not be included in operational risk capital modeling. Consortium members are encouraged to capture and report these types of events to the ABA Consortium. See Appendix B for potential boundary event examples.
Process to Ensure Completeness and Correctness of Loss Data
To ensure that the internal loss event data set is complete and accurate, each FI should follow the steps outlined below.[2]
The FI should have established written policies and procedures dealing with the identification, tracking, and reporting of operational loss events as defined by the Basel Accord. The policies and procedures should be approved and supported by executive management.
The FI should have the ability to categorize loss events, loss causes, and lines of business consistent with the categories established by Basel (Level 2). If the bank has developed internal categories, they may map the internal categories to the Basel categories for purposes of reporting data to the ABA Consortium.
The FI should have established means of recording loss events and aggregating them into a comprehensive electronic database that reliably preserves the integrity of the loss data.
The FI must initially submit loss data for at least one business line and document with each data submission that it is reporting at least 80 percent of the total losses at the threshold limit for that line of business. The documentation may be made by validation against the general ledger or by other verifiable means approved by the bank’s senior operational risk manager.
The FI must be able to provide data for material lines of business and loss categories within two years of initial participation.
[2] Additional documentation describing the minimum requirements to participate in the ABA Consortium is available upon request.
Business Line Allocation and Categorization
The ABA Consortium uses the eight Basel business line categories (BL1–BL8) plus a ninth business line entitled Corporate Center (BL9).
Code Level 1
  Code Level 2: Activity Groups
BL1 Corporate Finance
  BL11 Corporate Finance: Mergers and acquisitions, underwriting, privatizations, securitization, research, debt (government, high yield), equity, syndications, IPO, secondary private placements*
  BL12 Municipal/Government Finance
  BL13 Merchant Banking
  BL14 Advisory Services
BL2 Trading and Sales
  BL21 Sales: Fixed income, equity, foreign exchanges, commodities, credit, funding, own position securities, lending and repos, brokerage, debt, prime brokerage*
  BL22 Market Making
  BL23 Proprietary Positions
  BL24 Treasury
BL3 Retail Banking
  BL31 Retail Banking: Retail lending and deposits, banking services, trust and estates*
  BL32 Private Banking: Private lending and deposits, banking services, trust and estates, investment advice*
  BL33 Card Services: Merchant/Commercial/Corporate cards, private labels and retail*
BL4 Commercial Banking
  BL41 Commercial Banking: Project finance, real estate, export finance, trade finance, factoring, leasing, lending, guarantees, bills of exchange*
BL5 Payment and Settlement [1]
  BL51 External Clients: Payments and collections, funds transfer, clearing and settlement*
BL6 Agency Services
  BL61 Custody: Escrow, depository receipts, securities lending (customers), corporate actions*
  BL62 Corporate Agency: Issuer and paying agents*
  BL63 Corporate Trust
BL7 Asset Management
  BL71 Discretionary Fund Management: Pooled, segregated, retail, institutional, closed, open, private equity*
  BL72 Nondiscretionary Fund Management: Pooled, segregated, retail, institutional, closed, open*
BL8 Retail Brokerage
  BL81 Retail Brokerage: Execution and full service*
BL9 Corporate Center
  BL91 Corporate Center: Finance, Human Resources, Legal, Audit, Property Management, Marketing, Corporate Insurance, Payment Operations, Risk Management, Information Technology**
[1] Payment and settlement losses related to a bank's own activities would be incorporated in the loss experience of the affected business line.
* As defined by Basel.
** As defined by ABA Consortium.
Event Type Allocation and Categorization
The ABA Consortium uses the seven Basel event type categories (EL1–EL7).
Code Level 1
  Code Level 2
    Code Level 3
EL1 Internal Fraud
  EL11 Unauthorized Activity
    EL111 Transactions not reported (intentional)
    EL112 Trans type unauthorized (w/monetary loss)
    EL113 Mismarking of position (intentional)
  EL12 Theft and Fraud
    EL1201 Fraud/credit fraud/worthless deposits
    EL1202 Theft/extortion/embezzlement/robbery
    EL1203 Misappropriation of assets
    EL1204 Malicious destruction of assets
    EL1205 Forgery
    EL1206 Check kiting
    EL1207 Smuggling
    EL1208 Account take‐over/impersonation/etc.
    EL1209 Tax non‐compliance/evasion (willful)
    EL1210 Bribes / kickbacks
    EL1211 Insider trading (not on firm's account)
EL2 External Fraud
  EL21 Theft and Fraud
    EL211 Theft/Robbery, Forgery, Check kiting
  EL22 Systems Security
    EL221 Hacking damage
    EL222 Theft of information (w/monetary loss)
EL3 Employment Practices and Workplace Safety
  EL31 Employee Relations
    EL311 Compensation, benefit, termination issues
    EL312 Organized labor activity
  EL32 Safe Environment
    EL321 General liability (slip and fall, etc.)
    EL322 Employee health & safety rules events
    EL323 Workers compensation
  EL33 Diversity and Discrimination
    EL331 All discrimination types
EL4 Clients, Products and Business Practices
  EL41 Suitability, Disclosure, and Fiduciary
    EL411 Fiduciary breaches/guideline violations
    EL412 Suitability/disclosure issues (KYC, etc.)
    EL413 Retail consumer disclosure violations
    EL414 Breach of privacy
    EL415 Aggressive sales
    EL416 Account churning
    EL417 Misuse of confidential information
    EL418 Lender liability
  EL42 Improper Business or Market Practices
    EL421 Antitrust
    EL422 Improper trade/market practices
    EL423 Market manipulation
    EL424 Insider trading (on firm's account)
    EL425 Unlicensed activity
    EL426 Money laundering
  EL43 Product Flaws
    EL431 Product defects (unauthorized, etc.)
    EL432 Model errors
  EL44 Selection, Sponsorship, and Exposure
    EL441 Failure to investigate client per guidelines
    EL442 Exceeding client exposure limits
  EL45 Advisory Activity
    EL451 Disputes over performance of advisory activities
EL5 Damage to Physical Assets
  EL51 Disasters and Other Events
    EL511 Natural disaster losses
    EL512 Human losses from external sources (terrorism, vandalism)
EL6 Business Disruption and System Failures
  EL61 Systems
    EL611 Hardware
    EL612 Software
    EL613 Telecommunications
    EL614 Utility outage/disruptions
EL7 Execution, Delivery, and Process Management
  EL71 Transaction Capture, Execution, and Maintenance
    EL711 Miscommunication
    EL712 Data entry, maintenance or loading error
    EL713 Missed deadline or responsibility
    EL714 Model/system misoperation
    EL715 Accounting error/entity attribution error
    EL716 Other task misperformance
    EL717 Delivery failure
    EL718 Collateral management failure
    EL719 Reference data maintenance
  EL72 Monitoring and Reporting
    EL721 Failed mandatory reporting obligation
    EL722 Inaccurate external report (loss incurred)
  EL73 Customer Intake and Documentation
    EL731 Client permissions/disclaimers missing
    EL732 Legal documents missing/incomplete
  EL74 Customer/Client Account Management
    EL741 Unapproved access given to accounts
    EL742 Incorrect client records (loss incurred)
    EL743 Negligent loss or damage of client assets
  EL75 Trade Counterparties
    EL751 Non‐client counterparty misperformance
    EL752 Misc. non‐client counterparty disputes
  EL76 Vendors and Suppliers
    EL761 Outsourcing
    EL762 Vendor disputes
Other* All other events except EL111‐EL762 above
* For Event Level 3 only
Product Categorization
Products, which also include services, are the sources of revenue for a bank via direct or indirect fees.
Prior to 2015, the ABA Consortium adopted the ORX Association’s product classification scheme (PD01‐PD10, PD99). In 2015, minor revisions to the ORX scheme were implemented to clarify and address event classification issues raised by the ABA Consortium members. Product information is reported for all individual events at and above the USD10,000 threshold.
Reporting at product type level 1 will be required. If a bank is adding this field in its internal data collection system, it is recommended to set data collection at the more detailed product type level 2. Over time, when all members are able to report data at level 2, the ABA Consortium may consider changing the reporting requirement from level 1 to level 2.
One product type per event: Losses will be allocated to the product type that has the largest share of the financial impact.
ORX Association’s product classification (revisions implemented by the ABA Consortium are highlighted in red)
LEVEL 1 NAME: DESCRIPTION
  LEVEL 2 NAME: DESCRIPTION
PD0100 Capital Raising: Structuring, issuance or placement of securities and similar instruments, not just for capital raising
  PD0101 Equity Issuance: The provision of services related to the initial public offering (IPO) or subsequent issuance into the market of any equity investment for any issuing company. Examples of offering instruments are common or preferred stock
  PD0102 Bond Issuance: The provision of services related to the issuance and placement of debt funding into the market for any issuing entity. Examples of debt funding instruments are corporate bonds and municipal bonds
  PD0103 Structured Product Issuance: The provision of services related to the issuance and placement of structured financial products. Examples of structured financial products are equity‐linked bonds, warrants and convertibles.
  PD0104 Securitizations: The provision of services related to the issuance and placement of securitizations. Examples of securitizations are mortgage and asset backed securities
  PD0105 Private Placements: The management of an off‐exchange placement of instruments to an investor or a group of investors. The manager can be acting on behalf of either the investors or the capital raising entity. This management includes the initial identification of the capital raising entity and the group of investors, due diligence on behalf of the investors, instrument structuring, the exchange of instruments and funds, and subsequent support for the financing.
  PD0106 Syndications: The provision of services in support of a syndicated financing. The syndication agent can act on behalf of either the investors or the borrower. Examples of these services are due diligence, the creation of the syndicate, the initial allocation of the syndicate, the coordination of principal, interest and fee cash flows and ongoing syndicate maintenance.
PD0200 Corporate Finance Services: Advisory Services regarding corporate structure and strategic decisions.
  PD0201 Mergers and Acquisitions: The provision of advisory services and/or financing in pursuit of, or in opposition to, mergers and acquisitions. Also includes disposals
  PD0202 Corporate Advisory Services: The provision of specialist advisory services and related research for corporate and other private commercial entities and government corporations. Examples of services would be advice on funding, breakups, reorganizations/restructurings, etc.
PD0300 Derivatives & Securities: Trading & Sale of all securities and derivatives either via an exchange or over‐the‐counter
  PD0301 Fixed Income: Interest rate based securities irrespective of whether they are traded on or off exchange (OTC). Examples of such products are Corporate, Government and Municipal Bonds, Notes and Bills. (Excludes Mortgage based products ‐ see Credit Derivatives). This also includes inflation linked bonds.
  PD0302 Equities: Equity based securities irrespective of whether they are traded on or off exchange on the "pink sheets" or private placements. Examples of such products are Equities, ADRs, Warrants and Convertible Bonds.
  PD0303 Commodities: Commodity‐based cash products including energy‐based cash products irrespective of whether they are traded on or off exchange (OTC). Examples of such products are Coffee, Sugar, Agricultural Products, Metals, Energy, Carbon, and Weather.
  PD0304 Foreign Exchange & Money Markets: Spot and forward foreign exchange products, money market deposits irrespective of whether they are traded on or off exchange (OTC). Examples include cash notes, coins and bullion; and short‐term paper (Certificates of Deposit, Commercial Paper, Trade Bills) and interbank loans and deposits.
  PD0305 Repos / Securities Lending: The trading and sale of repos and the lending of securities, including reverse repos and securities borrowing.
  PD0306 Investment Funds: Investment funds and ETFs (exchange traded funds) defined as pools or portfolios of instruments irrespective of whether they are traded on or off exchange (OTC). The underlying instruments themselves may or may not be listed. Examples of the underlying instruments in the pools/portfolios include fixed income, equities, commodities, money market, mutual funds in some national markets among others. "Asset Back Securities" are not included. The trading and sale of both private equity funds and regulated exchange traded funds are not included.
  PD0307 Interest Rate Derivatives: Long and short‐dated interest rate‐based products irrespective of whether they are traded on or off exchange (OTC). This also includes securitization of Interest Rate Derivatives. Examples include swaps, options and options on swaps; FRAs, futures contracts, derivatives on interest rate / bond indices, warrants and structured debt products where the majority of the pay‐off is linked to interest rates.
  PD0308 Credit Derivatives: Credit‐related based products irrespective of whether they are traded on or off exchange (OTC). Includes Credit Default Swaps and Options and options on swaps, securitized Mortgages (actual or synthetic), "Asset Backed Securities", credit indices, warrants and other credit based structured debt products.
  PD0309 FX Derivatives: Foreign exchange derivative products irrespective of whether they are traded on or off exchange (OTC). Includes Futures, Swaps, Options, options on swaps or futures, warrants and structured debt products where the payoff is dominated by movements in FX rates. May be a single currency pair or a portfolio. Excludes FX forwards which are captured under FX & MM.
  PD0310 Equity Derivatives: Equity‐based derivative products irrespective of whether they are traded on or off exchange (OTC). Includes futures, swaps, options, options on futures or swaps, warrants and structured debt products, where the payoff is dominated by movements in equity prices. The underlying may be a single equity or a portfolio, such as an equity index.
  PD0311 Commodity Derivatives: Commodity‐based derivative products irrespective of whether they are traded on or off exchange (OTC). Includes futures, swaps, options, options on futures or swaps, warrants and structured debt products, where the payoff is dominated by movements in commodity prices. The underlying may be a single commodity or a portfolio, such as a commodity index. For a list of commodities see Commodities above.
  PD0312 Other Derivatives: Derivative products on other underlying asset classes and financial variables, irrespective of whether they are traded on or off exchange (OTC). Includes futures, swaps, options, options on futures or swaps, warrants, structured debt products, where the payoff is dominated by movements in the underlying risk. The underlying risk can be property, earthquake bonds (weather related products such as wind storms are Commodity Derivatives), mortality rates, pensions. This category should also be used for derivatives or structured products where the payoff is based upon the performance of multiple categories of "cash" products, for example "quantos", which may be a combination of equity and FX, or relative performance between fixed income and equity.
PD0400 Retail Credit: Financing and related services
  PD0401 Retail Cards: The provision of credit, debit and other forms of card to facilitate payment and, in the case of credit cards, to extend temporary revolving credit. Includes the servicing of both own name cards as well as the servicing of white labeled (branding) card products.
  PD0402 Vehicle Loans: The provision of loans for the purchase of cars and other vehicles for domestic use, such as boats, secured by the vehicle. These loans are often originated indirectly by a dealer as opposed to the financial institution providing the funding.
  PD0403 Vehicle Leasing: The lease of cars or other vehicles to a user, usually, but not always, with an option to buy when the lease expires. Leases are often originated indirectly by a dealer as opposed to the financial institution providing the funding.
  PD0404 Student Loans: The direct provision of unsecured loans for the financing of higher education. These are sometimes guaranteed by a third party corporation or agency.
  PD0405 Mortgages: The provision of loans for the purchase of homes and other real estate for personal use secured by the real estate. These loans are often originated indirectly by a real estate professional brokering the sale as opposed to the financial institution providing the funding.
  PD0406 Home Equity Loans and Lines of Credit: The provision of loans or revolving lines of credit for the purpose secured by the equity in a home. These lines of credit are originated through a broker or directly by the financial institution providing the funding.
  PD0407 Other Secured Consumer Loans: The provision of other retail loans and consumer credit secured by an asset other than real estate or vehicle.
  PD0408 Other Unsecured Consumer Loans: The provision of other retail loans and overdrafts not secured by an asset.
  PD0409 Other Consumer Leasing: The provision of leased finance for assets other than those of vehicles.
  PD0410 Personal standby letters of credit or guarantees: Letter of credit or similar arrangement, which represents an obligation to the beneficiary on the part of the issuer to repay money borrowed by or advanced to or for the account of the account party, or to make payment on account of any indebtedness undertaken by the account party, or to make payment on account of any default by the account party in the performance of any obligation.
PD0500 Commercial Credit: Financing and related services
  PD0501 Commercial & Industrial Loans: The provision of funding to a commercial customer, on a revolving basis for general operating purposes (including inventory and receivables financing and "floor plan financing"), and on a fixed term basis for acquisition of plant, equipment and other fixed assets (includes 'fleet financing' and asset‐based lending).
  PD0502 Commercial Real Estate Loans: The provision of funding for the acquisition or improvement of commercial property to be held for investment/income purposes.
  PD0503 Construction, Acquisition & Development Loans: The provision of interim funding to a commercial real estate customer for the development of a site or construction of a building project (residential or commercial) that is intended for resale. Also known as 'builder finance' or 'construction financing'.
  PD0504 Commercial Leases: Provision of financing to commercial clients, generally for acquisition of equipment, via an agreement which provides the lessee (the commercial client) the right, for a stated period of time, to use an asset which continues to be owned by the lessor (financer), in return for a series of payments (lease payments) by the lessee.
  PD0505 Commercial Cards: The provision of credit, debit and other forms of cards to commercial clients.
  PD0506 Card Merchant Services: The provision of operational/infrastructure support services for credit and debit cards processed by the merchant.
  PD0507 Project Finance Loans: The provision of funding for some specific capital project, where recourse is typically limited to the future cash flows of the project.
  PD0508 Trade Finance: The provision of time related financing linked to a specific commercial asset over which the financier acquires rights including Documentary Letters of Credit and Documentary Collections.
  PD0509 Standby Letters of Credit, Bank Guarantees, Bankers Acceptances: Provision of a financial guarantee by a bank with respect to its client's financial or other obligations, payable only in the event of non‐performance by the client under the terms of the obligation. Can take the form of a standby letter of credit, a bank guarantee or a bankers' acceptance (short‐term negotiable commercial paper issued by a non‐financial corporation but guaranteed by a bank).
  PD0510 Factoring: The provision of receivables financing and debt collection on a full recourse or a non recourse basis.
  PD0511 Structured Lending: The provision of 'non‐plain‐vanilla' financing to commercial clients, inclusive of 'mezzanine financing' and 'Islamic banking' products.
PD0600 Deposits: Bank account, deposit services, 'plain vanilla' investment products. Include in this category teller differences not associated with any particular product.
  PD0601 Consumer Current Accounts (DDAs): The provision of banking services related to an 'on demand' transactional account. Also known as 'checking account'.
  PD0602 Consumer Notice Accounts (CDs, etc.): The provision of banking services related to an account having access restrictions such as frequency or notice requirements. Includes time and term deposits, certificates of deposit (USA), guaranteed investment certificates (Canada) and similar instruments.
  PD0603 Commercial Bank Accounts: The provision of banking services related to 'on demand' bank accounts, including current accounts, checking accounts, call accounts and demand deposits.
  PD0604 Commercial Time and Term Deposits: The provision of fixed term deposit products to commercial clients.
  PD0605 Investment Products: The provision of retail investment products, where returns are variable, with which life assurance products can be bundled. Examples include products such as unit trusts, mutual funds, other equity‐linked products, RRSPs (Canadian tax‐sheltered retirement savings program ‐ Registered Retirement Savings Program), ISAs and PEP Schemes (UK related), and other similar jurisdictionally specific products.
  PD0606 Teller Differences not associated with any particular product: Teller Differences not associated with any particular product
PD0700 Cash Management, Payments & Settlements: Client management of cash inflows/outflows; all forms of payments, including bill pay; clearing, settlement and exchange services.
  PD0701 Retail Cash Management: The provision of electronic banking services that support a client in managing his/her cash inflows and outflows. These include services such as consolidated account balance and transaction reporting; multi‐FI balance reporting; receipt and payment of e‐bills; one‐off, recurring and deferred electronic payments; inter‐account transfers; direct debit; direct deposit; and automatic balance sweeping and surplus cash investment.
  PD0702 Commercial Cash Management: The provision of electronic and other banking services that support management of a company's cash inflows and outflows. These include receivable collection products, centralized cash control products and information services.
  PD0703 Electronic Payments: All forms of payment initiated and executed electronically
  PD0704 Manual Payments: All forms of payment initiated manually or by other non‐electronic means, irrespective of how the payment is executed. Typical examples are checks, travelers checks or faxed payment instructions.
  PD0705 Clearing: The matching, aggregating and netting of sets of transactions and the subsequent simultaneous exchange of securities against cash or transfers of securities free of payment between buyers and sellers.
  PD0706 Settlement: Settlement ‐ Execution of securities transactions by a settlement organization or a custodian for a trading institution. Settlement includes the simultaneous exchange of securities versus cash and securities transfers free of payment between a buyer and a seller. It also includes the transfer of securities as the result of netting by a clearing organization.
  PD0707 Exchange Services: The provision of services typically offered by a central exchange, by acting as a principal, taking settlement risk and all the business risks of the exchange, and by utilizing their own platform.
PD0800 Trust / Investment Management: Various services related to administration and management of estates, trusts, assets, portfolios etc.
  PD0801 Custody Services: The safe keeping of physical and non‐physical assets and other items of value on behalf of customers.
PD0802 Corporate Actions Services
The execution of notified events and decisions related to securities on behalf of the security holder.
PD0803 Corporate Trusts
The provision of registrar and agent services on behalf of an issuer.
PD0804 Prime Brokerage The provision of custody, clearance and settlement and other "back office" functions to trading entities such as hedge funds.
PD0805 Financial and Estate Planning
The provision of advisory , planning and related services with respect to wealth management and estate structure, including tax, legal, and financial advice, and trust, wills, probate and executor services.
PD0806 Discretionary Portfolio Management
The provision of portfolio management services to retail or private banking clients under a discretionary mandate, allowing the banker to make investment decision on behalf of the client.
PD0807 Execution‐only Services
The provision of execution‐only services for a client under a mandate which requires the client to direct all investment decisions for the private banker.
PD0808 Advisory Portfolio Management
The provision of private banking services to clients under the terms of a mandate which may require some input from the client or where the client may, from time to time, provide some input.
PD0809 Lombard Credits (collateralized credit facilities secured by assets)
The granting of credit by banks against pledged items, that is, collateralized credit facilities secured by assets (cash, securities, life insurance policies) that need to be monitored and marginal.
PD0900 Investment Products
Investment management, execution, administration, operational management services.
PD0901 Fund Administration
The provision of fund operational management and administration services
PD0902 Institutional Asset Management – Traditional
The provision of investment management and execution services on behalf of institutional clients holding portfolios of traditional assets such as listed securities
PD0903 Institutional Asset Management – Alternative
The provision of investment management and execution services on behalf of institutional clients holding portfolios of non‐traditional assets such as private equity, hedge funds, derivatives, real estate, etc.
PD1000 Brokerage
Investment advisory, management and execution services.
PD1001 Full Service Brokerage
The provision of full investment advisory services including the provision of research, execution and margining, offered via a licensed retail brokerage entity or Broker‐Dealer.
PD1002 Self Directed Brokerage
The provision of execution only brokerage services (includes margining), typically in an on‐line "do‐it‐yourself" environment, offered via a licensed retail brokerage entity or Broker‐Dealer.
PD9800 Non‐Banking Product
Other products/services not generally considered part of a bank or investment bank's offering, e.g. insurance, safe deposit box.
PD9801 Insurance
Insurance
PD9802 Safe Deposit Box
Safe Deposit Box
PD9900 Not Product Related
Used for situations where no specific product was involved. This category can also be used where an event was so widespread that specifying individual products would no longer be relevant or would add little or no value (Example: Tsunami).
Examples:
Damage to physical assets
Robbery
Employee claims:
‐ Workers Compensation
‐ Termination
‐ Discrimination
‐ Sexual harassment
Not product related patent infringement claims (if product related, use the product code)
Process Categorization
Prior to 2015, the ABA Consortium adopted the ORX Association’s process classification scheme (PC01‐PC13). In 2015, minor revisions to the ORX scheme were implemented to clarify and address event classification issues raised by the ABA Consortium members. Process information is reported for all individual events at and above the USD10,000 threshold.
Reporting at level 1 will be required.
ORX Association’s process classification (revisions implemented by the ABA Consortium are highlighted in red)
LEVEL 1 LEVEL 2 NAME DESCRIPTION
PC0100 Develop, Design, and Maintain Products, or Services
Identify, design, and produce new financial products, services and capabilities, including the models and methodologies upon which they are based. Products and Services is intended to encompass revenue‐generating activities from third parties. It also includes the maintenance of existing products, for example developments in models and methodologies.
PC0101 Market Analysis or Research
Research and analyze market needs and competitive offerings; Research and evaluate market segments and strategies; Generate and screen new and revised products and services; Develop preliminary product and service definitions.
PC0102 Product Development
New product development; Product maintenance; Selection of third party products; Develop contractual terms / forms; Structuring / pricing; New product roll‐out / infrastructure.
PC0103 Reference Data Management
Product static data maintenance e.g. ISIN codes.
PC0200 Market Products and Services
Promote the firm and/or its products and services, through general marketing or advertising, including the publication of standard fees, rates charges, and prices for specific products and services.
PC0201 Research ‐ Marketing
Particular market strategy ‐ for example inflation is going up, bond yields are expected to go up so sell long maturity bonds.
PC0202 Publish Prices Quotes
This includes, but is not limited to the publication / reporting of prices on web sites / portals and to exchanges, media (Bloomberg & Newspapers), industry groups, and commercial entities (Markit).
PC0203 Marketing ‐ Other
Advertise position and promote products and solicit customers directly and indirectly and manage cross business marketing.
PC0300 Sell or Reach Agreement to Conduct Specific Business
Sell or offer specific products and/or services of the firm in discussions with individual clients, including the quotation of firm or indicative fees, rates, charges, prices, or the like, with the intent of concluding a specific deal for specific product sales or service delivery.
PC0301 Advisory or Pitch or Pre‐Sales
In relation to a specific transaction with a specific customer or group of customers. This could range from a project finance proposal to advice to an individual retail investor.
PC0302 Pricing & Quotation
Providing a transaction price or indication that may only be applicable for a finite time period.
PC0303 Transaction or Limit Check
The process of checking limits, facilities and available balances during transaction execution, as well as the updating of utilization of such limits and facilities. It includes obtaining specific clearance or authorization to action an instruction or order received or transaction being contemplated.
PC0304 Reach Agreement or Receipt of Order
Explicit acknowledgement from the counterpart that the specific / individual transaction can proceed under the agreed terms.
PC0400 Take on and Maintain Counterparties
Onboard and maintain client or counterparty accounts, including related due diligence, data and documentation. In this context, counterparties includes clients/customers and trade relationships.
PC0401 (New) Client Account
Client due diligence (KYC); Client mandate / Authority; Client static data / SSI; Completion of General Agreements: The on‐boarding of new customer/client/counterparties relationships, including the account relationship management, the identification and documentation of customer information and related terms of business, as well as the ongoing review and relationship management. Specifically includes know‐your‐customer requirements and customer identification. It specifically excludes any form of credit assessment.
PC0402 Customer Relationship Management or Client Services
Process of managing the relationship with the counterpart, for example interview of retail clients by branch management or surveys. For larger accounts this may include a certain amount of entertainment.
PC0403 Client Due Diligence
Client related credit screening and decision; Review creditworthiness (annual)/Rating review.
PC0404 Loan Defaults
Monitions; Sanctions; Apply collateral: The closure of facilities provided the repayment of obligations due through the collection and realization of assets held, ceded or due as security and/or collateral, following an adverse credit event. Includes repossession and foreclosure.
PC0500 Capture and Document Transactions
Record transaction‐specific terms and instructions in the processing systems of the firm; also produce related transaction documents.
PC0501 Capture Transactions
Enter transaction data into internal and market systems as necessary.
PC0502 Confirm and Document Transactions
Authentication checks; Client reporting/desk confirm; Final confirmation; The process of preparing, producing, authorizing, executing and protecting all forms of transaction receipt or advice, documentation, legal contract or acknowledgement and agreement, excluding routine account/activity statements.
PC0600 Deliver Products or Services
Deliver or fulfill agreed‐upon products and services, including the set‐up and maintenance of transactions and required arrangements, and agreed‐upon non‐transaction financial services (trust administration, financial, advisory services, sale of research as a product, etc.)
PC0601 Order Routing
The receipt, documentation and actioning of instructions or orders from all parties, across all distribution channels. It includes any subsequent management and monitoring of unactioned or unexecuted instructions and orders (could include the presentation of a check or card, or the receipt execution of a market order). The completion of this business function typically initiates further processing and operational activity.
PC0602 Execution or Order Fill
Process of actually executing or filling the order, for example making funds available to a borrower via a loan account, pre‐authorizing an overall facility, completing a transaction with a counterpart (internal or on the floor of an exchange or electronic marketplace).
PC0603 Position or Portfolio Mgt. (proprietary)
Exposure management; Limits; Hedging.
PC0604 Cash, Stock & Securities Mgt
Borrowing/lending; Short covering; Cash/liquidity Projections; Nostro & Vostro Management.
PC0605 Event Management or Corporate Actions (own assets)
Dividends / Coupons; Tax Reclaims; Bonus / Rights; Conversions; Exercises/Barriers; Maturity/expiration; Fixing/price resets.
PC0606 Fees Admin., Calculation & Application
Bill clients/customers for products and services performed per contractual agreements; Charge client/customer accounts and/or collect fees; Arrange payments to trade counterparties; Arrange interim and final payments per specific transaction schedules e.g. interest rate swaps, loans, salaries.
PC0607 Calculate & Apply Interest
The calculation of interest due or payable over relevant periods on the requisite basis and the application of that interest to the loan, deposit, account, product or position to which it applies.
PC0608 Collateral Management
Acquisition of collateral; Assessment of collateral; Collateral management (other): The real‐time or periodic valuation of exposure to collateral, collateral held, and margin required and the calling for margins and collateral and collateral acceptance.
PC0609 Product Control
Realized P&L; MTM/IPV; Market conformity; Provisions/reserves; Customer spreads. Incorrect allocation of asset/liability between trading book (held for sale/purchase) and banking book (held to maturity). Incorrect (but approved) model used to value position (asset or liability).
PC0610 Portfolio Mgt. (client assets)
Segregation of client assets from those of the bank, following the client’s instructions for assets held for safekeeping.
PC0611 Event Management or Corporate Actions (client assets)
Dividends/coupons, tax reclaims; Bonus/rights; Conversions; Exercises/barriers; Maturity/expiration; Fixing/price resets.
PC0612 Safekeeping of Client Assets
Physical safekeeping of client assets; electronic safekeeping of client assets; Filing/documentation required.
PC0613 Advisory Services
The provision of any form of advisory service, as well as the general offering of advice, to external parties. This function markets products which are usually offered on a revenue generating basis.
PC0614 Customer Statements
Assessment of non‐transaction related client statements; Prepare and send customer statements.
PC0700 Perform Settlements and Closing Activities
The definitive exchange or transfer of assets, currency or other property (commonly in exchange for value), and related transactional mechanics.
PC0701 Payment or Delivery (non‐cash/non‐physical)
Clearing; Payment; Draw‐downs; Deliveries from account to account, payments via credit card terminal.
PC0702 Cash Payment or Physical Delivery
Retail foreign exchange with physical transfer of notes or coins; Physical securities or coupons. Depositing physical cash into a bank account. ATMs.
PC0703 Fails Management
The activities around monitoring that payments or deliveries (physical or account transfer) have proceeded as expected. For example funds have been transferred into an account on the due date in exchange for the delivery of securities.
PC0800 Perform Transaction Accounting
Record transaction and/or position information in the firm's accounting records/general ledger.
PC0801 Transaction Accounting
All forms of general ledger record keeping associated with transactional activity, including accounting for transaction activity, holdings, positions or provisions and the generation of account balances.
PC0900 Manage Human Resources
Manage human resources/employment issues, apart from direct business management functions.
PC0901 HR Management
Recruitment; Personnel advisory services and development; Staff departures; Training and development.
PC0902 Remuneration, Expenses and Payroll
Payment of salary/bonuses; Other payments.
PC0903 Travel Accidents
A member of staff while traveling on company business falls ill (physical or mental) or incurs an injury, including death.
PC0904 Health and Safety, Not Related to Facilities and Workplace Environment (if facilities/workplace environments related, use code PC1400)
PC0905 Other HR Issues
PC1000 Manage Information Technology
Acquire or design/develop information technology and implement security and incident response measures.
PC1001 IT Development and Maintenance (including IT Project Mgt)
The development of software applications, the implementation and subsequent maintenance and upgrading of applications as well as the project management of application projects.
PC1002 IT Implementation
The implementation/installation of software and/or hardware in accordance with the instructions. Wiring a plug for a printer, matching software applications and the operating systems ‐ this can be for software built by the Member or a purchased application.
PC1003 IT Purchasing
The specification of the IT requirements, which are filled by the counterparty. Specification of guarantees, performance standards, resilience etc.
PC1004 IT Security
Access rights; Monitoring; Architecture or strategy: The establishment and maintenance of all forms of technology security, including internal and external user definition and maintenance, as well as creating and maintaining infrastructures to preclude unauthorized access and access attempts.
PC1005 Implement and Maintain Infrastructure & Networks
The provision, installation and ongoing maintenance of all forms of technology infrastructure and networks, as well as the establishment and ongoing upgrading of technology architectures.
PC1006 IT Production
The provision of capacity for processing regular tasks in a batch or real time processing. That the applications function as expected.
PC1007 Mgt of IT Incidents or IT Support or Hotline
The establishment of technology back‐up; restoration, storage and minor technical problem resolution procedures and facilities, the training of technology staff in technology safeguard and continuity processes and the ongoing performance of back‐up, storage, restoration and maintenance activity. This business function is a routine process which differs from significant or large scale technology failures which would initiate business continuity crisis management.
PC1100 Manage Financial Reporting and Taxation
Perform financial reporting and control, based on (but not including) general ledger entries made during transaction accounting.
PC1101 Budgeting & Forecasting
The development of various cost and revenue budgets, the ongoing collection of actual cost and revenue information over time and the comparison thereof against budget, the revision of budget and forecast values and performance measurement and reporting against budget.
PC1102 Management Accounting
Management Accounting ‐ P&L, balance sheet, cash flow; Intercompany cross‐charging.
PC1103 Management Reporting
Key performance metrics for the group, location, business, or activity. Includes risk related metrics.
PC1104 Financial Accounting & Reporting
Financial accounting; External financial reporting.
PC1105 Taxation
The calculation of taxes and duties applicable on both internal and customer activity, the withholding or deduction of such taxes and dues and the payment or recovery of taxation amounts to/from the applicable fiscal authorities.
PC1200 Manage Capital, Funding & Liquidity
Manage the firm's capital account, liquidity and balance sheet.
PC1201 Capital Management & Funding
The management of the make‐up of capital, including using securitisation and buy‐back programs. This function includes asset liability management. It may also include the calculation and allocation of capital at risk. Funding includes short term refinancing and liquidity management.
PC1202 Management of Corporate Investments
Investments in physical (e.g., Buildings) and financial assets (e.g. leases) involving the firm's equity and the investments are not available for immediate sale. Management accounting; Intercompany cross‐charging.
PC1300 Manage Suppliers and Outsourcing Service Suppliers
Selection, on‐boarding, management and oversight of third party vendors and outsourcing service providers.
PC1301 Take on Suppliers & Outsourcing
Selection of suppliers including service providers in outsourcing, including selection & suitability assessment, credit reviews. Contract negotiation, payment and other instructions.
PC1302 Conclusion of Contract
Ensuring that contractual processes are completed, for example return or destruction of confidential information, on‐going liability, etc.
PC1303 Management & Monitoring
All forms of vendor management, contract management, review, service level agreement management, outsourcing management and vendor reporting. Includes accounts payable management.
PC1400 Manage Physical Assets and Facilities
Provision and management of physical facilities, equipment and safe workplace environments.
PC1401 Facility Management
The provision of all forms of facilities, the management of property and other, lifts, air conditioning ducts, lighting, electrical wiring.
PC1402 Fleet Management
Transport fleet.
PC1403 Office Equipment
Operate the asset ledgers for assets that can be moved and are not part of the physical structure of the building (lifts, air conditioning ducts) computers, printers, photocopiers, chairs, desks, filing cabinets, shredders, maintenance & replacement programs.
PC1404 Facilities and Workplace Environments Related Health & Safety Issues
Physical work environment ‐ walls, doors, lifts, air quality
PC1405 Physical Security
All physical and electronic security measures taken to safeguard staff, facilities, premises and assets. (Excluding IT Security PC1004).
PC1406 Environmental Protection
Atmospheric conditions and qualities ‐ temperature & humidity of the workplace, toxic substances ‐ solvents, asbestos, bacteria & viruses; Water quality including toxic substances.
PC1407 Other Internal Services
Other.
PC1500 Manage Compliance, Legal, Governance and Audit
Establish and maintain firm policies, standards, procedures, codes of conduct, and associated compliance controls and testing procedures.
PC1501 Policies, Governance & Monitoring
The establishment and maintenance of all policies, procedures and controls, and their documentation and review. Training in, monitoring of and reporting on conformity with policies, procedures and controls. This includes provision for whistle blowing, where required. It includes compliance with regulatory requirements and internal policies and procedures.
PC1502 Non‐Financial Regulatory Reporting
The reporting of compliance with regulatory requirements other than those concerned with financial performance. Includes reporting of compliance with security, privacy, money‐laundering, consumer protection and fair lending regulations.
PC1503 Legal Advisory Services
All aspects of legal advisory services, offered both internally and externally.
PC1504 Not in use
PC1505 Audit
All internal audit activity and the investigation of breaches in control, significant loss or suspected contravention of policies and procedures.
PC1506 Administration of mandates and directorships
Operation of Chinese walls. Register of counterparts "in play" that could be affected by insider dealing. Integrity in dealing with clients and awareness of potential bias. Register of directorships held by staff & executive. Provide advice on recusals.
PC1600 Manage Risk Systems
Establish risk management processes and methodologies (apart from standard business process and supervisory controls) to record, monitor, evaluate, control or manage risk exposures with the firm.
PC1601 Control & Oversight of Models & Methodologies
The oversight and management of the processes by which models are specified; the documentation and control of adoption for use; the validation; and the ongoing review of models and methodologies. It includes market risk, credit risk, liquidity, operational risk, capital calculation, and pricing and valuation models. It includes models and processes for setting risk appetites, thresholds and limits.
PC1602 Insurance Recoveries
The maintenance of effective insurance protection, whether internal or external, the regular review of insurance requirements, recovery against insurance cover where applicable, as well as any recovery from third parties.
PC1603 Business Continuity Management
The assessment of impact, planning and plan testing necessary to ensure continuity of the essential business functions in the event of an incident and the support of the subsequent management of incidents and crises.
PC9900 Not Process‐Related
Used for situations where no specific process was involved (e.g., branch or ATM robberies, natural disasters). Also used for legal claims that cannot be tied to a specific process.
Cause Categorization
Prior to 2015, the ABA Consortium adopted the ORX Association’s attributes “Alleged Causes” (CS0100‐CS0599). In 2015, minor revisions to the ORX scheme were implemented to clarify and address event classification issues raised by the ABA Consortium members.
Reporting at the more detailed level 2 is required.
To reduce the burden on banks that will be adding the Cause information manually, the ABA Consortium requires reporting Causes at the USD100,000 threshold. However, if a bank is adding this field in its internal data collection system, it is recommended to set the threshold at USD10,000.
For each event, banks will report for the primary, secondary, and tertiary Causes.
For each event, the loss amount will be reported in total and will not be allocated to individual Causes.
ORX Association’s “Alleged Causes” classification (revisions implemented by the ABA Consortium are highlighted in red)
LEVEL 1 LEVEL 2 NAME DESCRIPTION
CS0100 External
Actions by agents external to the firm or the result of changes to the external environment.
CS0101 Not in use
CS0102 Assault by Criminals/ Terrorists / Vandalism
Act of aggression, attack and/or undercurrent crime from an external party against a teammate or the bank’s asset, including bank robbery, hacking, malware attack, phishing attack, denial of service. Includes also damaged physical assets from criminal activities such as vandalism.
CS0103 Natural Disasters
Conditions caused by natural disaster events and/or weather conditions that have impacts on business continuity such as floods, wind/storm/tornado/hurricane, blizzard, wild fire, storm surge, earthquake, volcanic eruption, etc.
CS0104 Man‐Made Disasters
Conditions caused by non‐natural disaster events such as utility outage, strike, pollution, etc.
CS0105 Political / Social / Cultural Environment
Failure to comply with external requirements such as one or more federal, state, and/or local regulations or laws, could include changes in rules and regulations or regulatory environment: seizure of assets; change in acceptable "norms;" civil strife/riot/war/protest; special interest groups.
CS0106 Actions of External Parties
The intentional or unintentional actions of a third party, including fraudulent or criminal (e.g., robbery), deliberate or undeliberate actions. The third party could be a supplier, a service bureau, a vendor or other external parties, but does not include outsourced staff.
CS0199 Decline
Legal Counsel has advised against providing the information.
CS0200 People / Staff
Factors related to actions by teammates or management of teammates of the firm (internal staff), outside contractors hired by the firm who could be considered employees (contract staff or temporary employees), as well as staff/employees of companies to which the firm has outsourced functions that could be performed by the firm (outsourced staff).
CS0201 Inadequate Resources
Operating errors due to inadequate resources to manage the process or lack of training that resulted in the teammate being ill prepared to execute his/her functions. This also includes missing personnel that results in compromise of integrity of strategic processes and controls.
CS0202 Not in use
CS0203 Criminal Activity by Internal or External Staff
Criminal activities committed by a teammate, including theft, check kiting, forgery, fake check/cash/certificate of deposits/treasury bonds, etc.
CS0204 Management / Control of Staff
Management supervision insufficient or lacking; management miscommunication of risk tolerance, etc.
CS0205 Human Error
Non‐deliberate mis‐understanding, mis‐interpretation, mis‐decision, mis‐action made by a teammate. An unintentional error or oversight by an employee during a routine task; the failure to exercise prudent care to complete a task appropriately.
CS0206 Unauthorized Activity
Actions as a result of intentional and deliberate mis‐understanding, mis‐interpretation, mis‐decision, mis‐action or over‐extension of authority by a teammate.
CS0207 Workplace Environment
Failure to provide safe environment for the teammates to operate within.
CS0299 Decline
Legal Counsel has advised against providing the information.
CS0300 Governance & Structure
Factors related to the governance and oversight practices of the bank.
CS0301 Remote Business Unit
A business site outside of the bank's primary business regions.
CS0302 Subsidiaries ‐ Control & Consolidation
No clear delineation between activities conducted by different business units through the same legal entity or by the same business units through multiple legal entities. This may be associated with a restructuring and/or reorganization event.
CS0303 Financial Reporting
Failures in financial reports, failure to reconcile p/l accounts or daily cash flow, SOX (Sarbanes‐Oxley) failures.
CS0304 Organizational Controls
Losses due to inadequate organizational structure: no proper escalation process, not adequately or timely responding to reported problems.
CS0399 Decline
Legal Counsel has advised against providing the information.
CS0400 Processes
Factors related to the way that the firm is organized and certain broad management processes.
CS0401 Not in use
CS0402 Process Design
Losses due to inadequacies or flaws of process design such as complexity, transparency, documentation, ‘Fit for Purpose.’
CS0403 Inadequate Policy / Procedure
Policies / procedures that are not Used, Missing/Unavailable, Incomprehensible, Incomplete, Outdated.
CS0404 Inadequate Segregation of Duties
Lack of or inadequate segregation of duties within a process.
CS0405 Data Quality
An error caused by incomplete/incorrect/wrong format and/or poor data quality.
CS0499 Decline
Legal Counsel has advised against providing the information.
CS0500 Internal Systems Failures
Factors related to inadequacies or failures in internal technology, physical and communication systems.
CS0501 Hardware ‐ Inadequate Maintenance
Cleaning of hardware equipment and periodic diagnostics not done.
CS0502 Hardware ‐ Performance Degradation
Losses resulting from poor hardware performance (i.e., capacity, functionality) due to inadequate planning and/or decision making such as inadequate equipment purchases.
CS0503 Software ‐ Inadequate Maintenance
Losses resulting from certain upgrade, patches, enhancements not done.
CS0504 Software ‐ Performance Degradation
Losses resulting from poor software performance (i.e., capacity, functionality) due to inadequate planning and/or decision making such as inadequate software purchases.
CS0505 Infrastructure ‐ Inadequate Maintenance
Losses resulting from failure to perform adequate maintenance for security access systems, lighting, telephone, building air quality, building lifts, and other workplace infrastructure.
CS0506 Infrastructure ‐ Performance Degradation
Losses resulting from building infrastructure not operating as expected due to inadequate planning and/or decision making related to infrastructure purchases.
CS0599 Decline
Legal Counsel has advised against providing the information.
Scaling Factors
The ABA Consortium captures six scaling factors:
1. Gross Domestic Income (Quarterly)
2. Domestic Assets (Quarter‐end)
3. Number of Full Time Equivalent Employees (Quarter‐end)
4. Total Domestic Compensation (Quarterly)
5. Current Depreciated Book Value of Domestic Physical Assets (Quarter‐end)
6. Domestic Deposits (Quarter‐end)
Listed below are the definitions of the scaling factors:
1. Gross Domestic Income (Quarterly)
According to Consolidated Financial Statements for Bank Holding Companies—FR Y‐9C, Schedule HI, gross domestic income includes net interest income, non‐interest income, and net trading income.3
Net Interest Income:
1. Net interest income (which is total interest income minus total interest expense)
Non‐Interest Income:
a) Income from fiduciary activities
b) Service charges on deposit accounts in domestic offices
d) Investment banking, advisory, brokerage, and underwriting fees & commissions
e) Venture capital revenue
f) Net servicing fees
g) Net securitization income
i) Net gains (losses) on sales of loans and leases
j) Net gains (losses) on sales of OREO
k) Net gains (losses) on sales of other assets (excluding securities)
l) Other non‐interest income
Net Trading Income:
c) Trading revenue
3 It is recommended to use either the FR Y‐9C or the 10 Q definitions of the scaling factors as the reporting guidelines. However, the numbers should be consistently reported from the same source for all quarters.
Reporting by Business Line
The scaling factors are captured and reported by the nine business line categories discussed in the “Business Line Allocation and Categorization” section—Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency Services, Asset Management, Retail Brokerage, and Corporate Center. The sum of the gross domestic income by business lines should equal the total gross domestic income for the quarter.
2. Domestic Assets (Quarter‐end)
According to Consolidated Financial Statements for Bank Holding Companies—FR Y‐9C, Schedule HC, domestic assets include cash and balances due from depository institutions, securities, federal funds sold and securities purchased under agreements to resell, loans and lease financing receivables, trading assets, premises and fixed assets, other real estate owned, investments in unconsolidated subsidiaries and associated companies, intangible assets, and other assets.*
1. Cash and balances due from depository institutions:
a) Noninterest‐bearing balances and currency and coin
b) Interest‐bearing balances:
(1) In U.S. offices
(2) In foreign offices, Edge and Agreement subsidiaries, and IBFs
2. Securities:
a) Held‐to‐maturity securities (from Schedule HC‐B, column A)
b) Available‐for‐sale securities (from Schedule HC‐B, column D)
3. Federal funds sold and securities purchased under agreements to resell:
a) Federal funds sold in domestic offices.
b) Securities purchased under agreements to resell
4. Loans and lease financing receivables:
a) Loans and leases held for sale
b) Loans and leases, net of unearned income
c) LESS: Allowance for loan and lease losses
d) Loans and leases, net of unearned income and allowance for loan and lease losses (item 4.b minus 4.c)
5. Trading assets (from Schedule HC‐D)
6. Premises and fixed assets (including capitalized leases)
7. Other real estate owned (from Schedule HC‐M)
8. Investments in unconsolidated subsidiaries and associated companies
9. Not applicable
10. Intangible assets:
a) Goodwill
b) Other intangible assets (from Schedule HC‐M)
11. Other assets (from Schedule HC‐F)
Exclude off‐balance sheet assets.
Reporting by Business Line
The scaling factors are captured and reported by the nine business line categories discussed in the “Business Line Allocation and Categorization” section—Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency Services, Asset Management, Retail Brokerage, and Corporate Center. The sum of the domestic assets by business lines should equal the total domestic assets for the quarter.
3. Number of Full‐Time Equivalent Employees (Quarter‐end)
According to Consolidated Financial Statements for Bank Holding Companies—FR Y‐9C, Schedule HI (Memoranda, Line Item 5), report the number of full‐time equivalent employees on the payroll of the bank holding company and its consolidated subsidiaries as of the report date. To convert the number of part‐time employees to full‐time equivalent employees, add the total number of hours all part‐time and temporary employees worked during the quarter ending on the report date and divide this amount by the number of hours a full‐time employee would have been expected to work during the quarter. Round the result to the nearest whole number and add it to the number of full‐time employees. (A full‐time employee may be expected to work more or less than 40 hours each week, depending on the policies of the reporting bank holding company.)
Reporting by Business Line
The scaling factors are captured and reported by the nine business line categories discussed in the “Business Line Allocation and Categorization” section—Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency Services, Asset Management, Retail Brokerage, and Corporate Center. The sum of the number of FTE employees by business lines should equal the total FTE employees for the quarter.
4. Total Domestic Compensation (Quarterly)
According to Consolidated Financial Statements for Bank Holding Companies—FR Y‐9C, Schedule HI (Line Item 7), report salaries and benefits of all officers and employees of the bank holding company and its consolidated subsidiaries including guards and contracted guards, temporary office help, dining room and cafeteria employees, and building department officers and employees (including maintenance personnel).*
Include as salaries and employee benefits:
1. Gross salaries, wages, overtime, bonuses, incentive compensation, and extra compensation
2. Social security taxes and state and federal unemployment taxes paid by the consolidated bank holding company
3. Contributions to the consolidated bank holding company’s retirement plan, pension fund, profit sharing plan, employee stock ownership plan, employee stock purchase plan, and employee savings plan
4. Premiums (net of dividends received) on health and accident, hospitalization, dental, disability, and life insurance policies for which the consolidated bank holding company is not the beneficiary
5. Cost of office temporaries whether hired directly by the bank holding company or its consolidated subsidiaries or through an outside agency
6. Workmen’s compensation insurance premiums
7. The net cost to the bank holding company or its consolidated subsidiaries for employee dining rooms, restaurants, and cafeterias
8. Accrued vacation pay earned by employees during the calendar year‐to‐date
9. The cost of medical or health services, relocation programs and reimbursements of moving expenses, tuition reimbursement programs, and other so called fringe benefits for officers and employees
10. Compensation expense (service component and interest component) related to deferred compensation agreements
Exclude from salaries and employee benefits (report in item 7(d), ‘‘Other noninterest expense’’):
1. Amounts paid to attorneys, accountants, management consultants, investment counselors, and other professionals who are not salaried officers or employees of the bank holding company or its consolidated subsidiaries
2. The cost of bank holding company or consolidated subsidiary newspapers and magazines prepared for distribution to bank holding company or its consolidated subsidiaries’ officers and employees.
3. Premiums on life insurance policies for which the bank holding company or its consolidated subsidiaries are the beneficiary
4. Dues, fees, and other expenses associated with memberships in country clubs, social or private clubs, civic organizations, and similar clubs and organizations
Reporting by Business Line
The scaling factors are captured and reported by the nine business line categories discussed in the “Business Line Allocation and Categorization” section—Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency Services, Asset Management, Retail Brokerage, and Corporate Center. The sum of the domestic compensation by business lines should equal the total domestic compensation for the quarter.
5. Current Depreciated Book Value of Domestic Physical Assets (Quarter‐end)
Report quarter‐end depreciated book value of physical assets including property, land, furniture, software and equipment less accumulated depreciation. Cash is not part of physical assets.
Reporting by Business Line
The scaling factors are captured and reported by the nine business line categories discussed in the “Business Line Allocation and Categorization” section—Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency Services, Asset Management, Retail Brokerage, and Corporate Center. The sum of the current depreciated book value of domestic physical assets by business lines should equal the total current depreciated book value of domestic physical assets for the quarter.
Domestic Deposits (Quarter‐end)
According to Consolidated Financial Statements for Bank Holding Companies—FR Y‐9C, Schedule HC‐E, include the following in domestic deposits:
1. Deposits held in domestic offices of commercial bank subsidiaries of the reporting bank holding company:
a) Demand deposits
b) NOW, ATS, and other transaction accounts
c) Money market deposit accounts and other savings accounts
d) Time deposits of less than USD100,000
e) Time deposits of USD100,000 or more
2. Deposits held in the domestic offices of other depository institutions that are subsidiaries of the reporting bank holding company:
a) Noninterest–bearing balances
b) NOW, ATS, and other transaction accounts
c) Money market deposit accounts and other savings accounts
d) Time deposits of less than USD100,000
e) Time deposits of USD100,000 or more
Reporting by Business Line
The scaling factors are captured and reported by the nine business line categories discussed in the “Business Line Allocation and Categorization” section—Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency Services, Asset Management, Retail Brokerage, and Corporate Center. The sum of the domestic deposits by business lines should equal the total domestic deposits for the quarter.
Appendix A: Frequently Asked Questions (for new members)
1. Scaling Factors – Number of Full‐time Employees and Total Compensation – should this include third party service providers? Our bank utilizes third‐party call centers.
If the third party service provider’s employees are paid by the service provider, and your institution is simply billed by the third party service provider for its services, then you should not report the number of FTEs and Total Compensation (TC) of this third party vendor to the ABA.
However, if your third party call center’s employees are compensated by your institution’s HR and the losses incurred by the call center are the responsibility of your institution, then the call center’s FTEs and TC will be included in the scaling factors you report to ABA.
The number of FTEs and Total Compensation (TC) should include the numbers and amounts that HR reports. These include salaries, bonus, benefits, and payroll tax as HR‐related by business line. Corporate HR would be included in Corporate Center – BL9.
2. Can you please elaborate on how we should report corporate support losses? At our bank, any loss event booked in the General Ledger to a support area has its Basel Business Line assigned to the line of business that the support area was supporting related to that loss. If that is not possible, then it remains in a Corporate Center Basel Business Line. For example, a retail check fraud support area loss would get a Retail Banking Basel Business Line, but a Workers’ Comp loss in Enterprise Risk Management would go to Corporate Center. Does this match how the ABA would like the data reported?
Your example is consistent with how ABA Consortium members report for Corporate Center vs. other business lines. The activities groups included in Corporate Center are: Finance, HR, Legal, Audit, Property Management, Marketing, Corporate Insurance, Payment Operations, Risk Management, and IT.
3. On the reporting form, how should we report events that were submitted in prior quarter, but are later deleted (e.g., it is later determined to not meet requirements for submission)?
You simply submit the event IDs that need to be deleted to ABA as part of your revisions with the indication “To be deleted” in the cell next to the events’ ID numbers – with no other data. ABA will delete these events from the database and all subsequent reports will reflect these deletions.
4. In the Participant’s Guide sections 2.4.16 & 17 it explains that the scaling factors are used based on when the event was first reported to ABA. I understand a future recovery would use the old scaling factors, but what about future new losses for that event? Also, how will we initially report our historical data? Will we have to provide scaling factors retroactively for every historical loss quarter that we provide?
There are several parts in answering this question.
1. Whether there is a recovery or new loss, an event will always use the scaling factors based on the quarter when the event was initially charged off. In other words, if there are new/additional losses in the current quarter for an event reported previously, the cumulative loss amount‐to‐date for that event will be scaled by the old scaling factors, unless there are revisions to the previously reported scaling factors.
2. For purposes of ABA data reporting, if a loss event occurred with a loss amount less than USD10,000, it should not be reported to ABA. The same event will be reportable, if at a future date, an additional loss was booked that made the total gross loss for this event greater than or equal to USD10,000. For example, a loss Event A occurred and had a direct gross loss amount of USD9,000 associated with it which was charged‐off on 01/01/09. This event will not be reported to ABA. However, suppose an additional USD3,000 of legal cost was charged‐off for the same event on 10/09/09, bringing the total gross loss for this event to USD12,000. Event A should now be reported to ABA with a USD12,000 gross loss (USD9,000 in field 6 of the ABA Loss Event Report Form, USD3,000 in field 7, and the total USD12,000 in field 9) as part of your 3rd quarter 2009 submission of events. The charge‐off date for Event A will be 01/01/09 (the date on which the first loss was charged‐off), and it would remain the same even if further losses were booked for Event A at later times (see example 3 in Appendix A of the “ABA Loss Data Collection and Reporting Guidelines”). Any further losses or recoveries will be reported to ABA as revisions for event A. The scaling factor for this event will be those reported for Q1 2009, consistent with the charge‐off date.
3. To report historical data, you will need to provide scaling factors retroactively for every historical loss quarter that you provide.
5. How do we report an event that had more than one loss or recovery within the reporting quarter? For example, event 1000 has a loss on 1/31/09 and another loss on 3/15/09. Would this event be reported on two separate rows so that both charge‐off dates could be provided?
You would combine the two charge‐off amounts and report event 1000 as a single event on one single row. In your example:
Suppose the amount of loss charged‐off on 01/31/09 was USD10,500, and then an additional USD3,500 charged‐off on 03/15/09. This event would be reported as one single event with an aggregated gross loss of USD14,000, and the charge‐off date should be 01/31/09 – the first charge‐off date for this event. This event 1000 would be submitted as part of your regular 1st quarter 2009 data submission to ABA. If additional losses or recoveries for event 1000 occur after this submission, then you would submit the revised amounts as part of your revisions in a future submission – the charge‐off date of 01/31/09 remains the same.
6. How do we report an event that had more than one loss or recovery across the reporting quarters? For example, event 2000 has a loss on 1/31/09 and another loss on 5/15/09. Would this event be reported on two separate rows so that both charge‐off dates could be provided?
1. Suppose the amount of loss charged‐off on 01/31/09 was USD8,500, and then an additional USD3,500 charged‐off on 05/15/09. This event would be reported as one single event with an aggregated gross loss of USD12,000, and the charge‐off date should be 01/31/09 – the first charge‐off date for this event. This event 2000 would be reported to ABA in the 2nd quarter 2009. If additional losses or recoveries for event 2000 occur after this submission, then you would submit the revised amounts as part of your revisions in a future submission – the charge‐off date of 01/31/09 remains the same.
2. Suppose the amount of loss charged‐off on 01/31/09 was USD10,500, and then an additional USD3,500 charged‐off on 05/15/09. This event would be reported in the 1st quarter of 2009 with a gross loss of USD10,500, and the charge‐off date would be 01/31/09 – the first charge‐off date for this event. On 05/15/09 an additional loss of USD3,500 occurred. Therefore in the 2nd quarter of 2009, you should resubmit event 2000 with a revised gross loss of USD14,000 – the charge‐off date of 01/31/09 remains the same.
7. What date to use when we have a recovery for an event that occurred before a loss was charged off?
It depends on whether or not the recovery occurred pre‐charge‐off.
Example 1 – internal fraud:
02/01/07 USD15,000 loss occurred, but did not hit the GL yet.
02/25/07 USD3,000 was paid back by the employee.
02/26/07 This loss event was recorded in the GL.
Usually, the amount charged‐off as gross loss for this event would be the net amount of USD12,000, the amount the bank was out. In this case, the charge‐off date would be 02/26/07, the event date would be 02/01/07, and there would be no recovery amount or recovery date.
Example 2 – internal fraud:
02/01/07 USD15,000 loss occurred, discovered and was recorded in the GL.
02/25/07 USD3,000 was paid back by the employee and this amount was recorded as a recovery in the GL.
In this case, the gross loss would be USD15,000, the charge‐off date would be 02/01/07, the event date and discovery date would be the same 02/01/07; the recovery amount would be USD3,000, and the recovery date would be 02/25/07.
Example 3 – Workers’ Compensation:
03/31/07 USD2,000 loss charged‐off to the GL.
09/30/07 USD1,000 recovery recorded in GL.
12/31/07 USD1,000 loss charged‐off.
3/31/08 USD25,000 loss charged‐off.
The standard way this event is reported is as follows: This event became reportable to ABA on 3/31/08, not earlier. It should be submitted to ABA in the 1st quarter of 2008 as a revision. The gross loss amount would be USD28,000, the charge‐off date 03/31/07, recovery amount USD1,000, recovery date 09/30/07.
However, since your institution will report data from 01/01/08 on, you would use 01/01/08 as charge‐off and recovery dates. This is consistent with example 3 in Appendix A of the “ABA Loss Data Collection and Reporting Guidelines.” This event reached the USD10,000 threshold in the 1st Q of 2008, a quarter for which you are reporting to ABA, therefore, this event is reportable to ABA.
8. For the Event ID field on the reporting form, what date should be used for the month and year part of the ID? Is this the first month and year that the event had a loss, the discovery date, event date, etc.? For example, if event 1000 gets reported in Q1 2009, then reports additional losses in Q2 2009, then does the Q1 form have 0309‐1000 and Q2 have 0609‐1000? What if the loss amount from Q1 2009 is updated, does it need to be 0309‐1000?
In the Event ID field, you would report your internal unique ID for a particular event. You may design the Event ID to meet your internal requirements. The key is that the event ID, once established, remains constant and does not change. It is this ID that we use to identify the event across different revisions, if any.
If your internal unique ID assigned for event 1000 is 0109‐1000, as in your example, then this ID would be 0109‐1000 and does not change in subsequent revisions.
Appendix B: Potential Boundary Events—Charge Offs to Operational Loss vs. Credit Loss
Risk Type under AMA (ops, credit, or market) Preliminary4
1 A bank customer signed a letter of intent to take out a loan. In connection with the loan the customer wanted to lock in a fixed rate so they executed an Interest Rate Swap, effective as of the closing day of the loan. The bank following its normal processes was unable to deliver the funds in time to meet the customer's needs, so the customer went to another bank and got the loan along with executing a connected Interest Rate Swap. The first bank ended up having to unwind the Interest Rate Swap they had established for their client, which netted a loss amount. The bank had a long standing relationship with the customer so they decided not to hold the customer liable in any way for monies lost in connection with the Interest Rate Swap. How should the loss be treated? Ops or Market?
Neither credit nor operational. Customer accommodation.
2 A client was credit downgraded, but the loan system was not properly updated. The client used their entire line of credit and then the client defaulted resulting in a multi‐million dollar loss to the bank. Ops or Credit?
Credit
Transaction released or loan granted by somebody exceeding the authority:
3.1 - ACH suspended file released and client defaults: The customer does not have a credit line with the bank and there were insufficient funds in the customer's account. Officer releasing the file exceeded his authority limits. Ops or Credit?
Credit
3.2 - A loan was granted by bank staff exceeding the authority. The loan defaulted and bank experienced a loss. Ops or Credit?
Credit
4 Credit line bust out fraud: Counterfeit checks were used to pay down a line of credit. Line was then drawn down and not repaid. Payment checks were returned two days later as counterfeit checks. Ops or Credit?
Credit
5 Both credit card fraud and DDA fraud related to the same event: A customer's identity is stolen and as a consequence both his checking and credit card accounts have been compromised. Both the credit card and the DDA fraud losses have been aggregated to a single unique event ID. Should the entire event be considered a
• credit boundary event or
• operational event or
• should the event reflect both the operational and credit loss components of the event separately?
Credit
6 Loan repurchases: A Loan portfolio sold to an investor contains errors and inconsistencies in the loan data and in the loan files, resulting in a loan repurchase. Should any portion of the repurchase (unpaid principal balance, accrued interest, or any premium paid by the investor at time of purchase) be considered an operational loss? Also, if there is collateral associated with the loans, such as property, which is subsequently sold below market value, should this also be considered an operational loss?
Pending
4 Based on preliminary response from one individual supervisor. A formal, inter‐agency consensual response is pending.
Mortgage Loan Fraud: Fraud for Profit vs. Fraud for Property
7.1 Fraud for Profit – Ops Loss or Credit Loss?
Fraud for Profit losses should be infrequent and exhibit fraud for profit characteristics such as:
• Motivation is typically immediate or short‐term financial gains, or undue enrichment, and most likely will result in eventual default.
• Fraud for profit may result in little to no collateral value relative to the loan amount, resulting in a loss as a percentage of the loan amount that is significant relative to other loss rates.
• The motivated party to the fraud can be any person(s) or business(es) related to the transaction, not just the borrower.
• Where any party in a transaction committed fraud for profit (e.g., the seller, appraiser, settlement agent, buyer), the entire loss will be characterized as fraud for profit.
Examples of Fraud for Profit:
1.a Account takeover: Defined as an unauthorized address change followed by a line increase, check order, card order or balance transfer. This category also includes counterfeit checks and stolen checks or credit cards.
1.b Air loan: Essentially unsecured, typically due to falsified collateral ownership or transfer information, or security interest in collateral that does not exist. The settlement agent, or a shell company acting as an agent, may either be complicit or negligent.
1.c Auto dealer fraud: Defined as a dealer attempting to mislead the lender for financial gain, and typical examples include the dealer not owning the vehicle, falsifying VIN, not paying the wholesaler or floor plan lender, payoff does not occur or the previous lien is not satisfied as expected.
1.d Borrower Identity:
• Borrower may use a fictitious identity also known as false name fraud. An example of this is a person who applies for a loan using a fake name and social security number to create a false identity.
• Another form of borrower identity fraud occurs with Identity Theft, also called true name fraud and fictitious company representative fraud.
  • True name identity theft is when the identity of a consumer was assumed by a perpetrator to finance real property, usually resulting in the payment of excessive fees or disbursements to unrelated parties.
  • Fictitious company representative fraud is a person who fraudulently claims to be an authorized party or officer to borrow funds on behalf of a business entity.
1.e Multiple lien fraud: When a borrower simultaneously secures multiple loans with the same property from multiple lenders and none of the lenders is aware of the other liens. The lenders are typically overexposed on the property with their liens exceeding the collateral value.
1.f Property flipping: Property flipping in itself may not be illegal or fraudulent. However, when the borrower makes severe misrepresentations to the lender in the financing of a flipped property, fraud for profit may exist. These misrepresentations may include, but are not limited to, overstated property values, excessive fee disbursement, disbursements to unrelated parties, the seller is not the vested owner of the property, or a straw buyer.
1.g Settlement agent theft: When the settlement agent retains the lender’s closing funds and fails to disburse the disclosed fund distributions required to satisfy the interest of existing lien holders and vested parties.
Credit
7.2 Fraud for Property – Ops Loss or Credit Loss?
A loss exhibits Fraud for Property characteristics if:
• The transaction is driven by the desire to own, purchase or refinance real property, and/or
• Although the loan may not perform subsequent to the loan’s inception, the borrower usually exhibits an intent or expectation of repayment.
Examples of Fraud for Property:
2.a Application Misrepresentation: The borrower misstates intentions to occupy the subject property, fails to disclose liabilities, overstates income or assets, but may exhibit the ability and intent for repayment.
2.b Straw Buyer: The borrower purchased the property on behalf of another party, such as a relative, but may exhibit intent for repayment either through direct or indirect payment delivery. However, if there is evidence of the borrower’s intent to disassociate himself/herself from the transaction after closing, as exhibited with property flipping and excessive fees, the nature of the fraud would typically not be fraud for property.
2.c Social Security Number Theft: The borrower utilizes his true name in a transaction, but another party’s social security number. The borrower typically does not have his own social security number, but the borrower may exhibit ability and intent for repayment.
2.d Appraisal Misrepresentation: The value of the subject property or equipment is overstated to obtain improved loan pricing, or a reduced down payment for purchase transactions.
Credit
7.3 Other Mortgage Loan Fraud Types – Operational Loss or Credit Loss?
There are many other types of loan fraud that include losses in addition to those listed above, including, but not limited to the following:
• Borrower misuse of the credit facility to kite checks
• Settlement misrepresentation
• Occupancy fraud (Occupancy fraud occurs when a borrower says he or she plans to live in a home, all the while knowing the property will be rented out. Lenders offer higher interest rates and less favorable terms to non‐owner occupants because the lender's risk is higher.)
• Inflated appraisals
• Misdirected payments
• Short sale collusion
• Account inflation
Credit
Appendix C: Specific Data Reporting Questions and Recommendations
Following is a list of specific questions raised by the Consortium members and the recommended resolution approved by the full Consortium membership on the month specified below. The appendix will be reviewed annually to discuss any updates on the recommendations.
Question Recommendation
1 Situation: A legal settlement where the bank was not at fault but it was cheaper to settle the case.
1. Do you include such events in the operational loss database?
If yes, how do you classify such events? Do you assign the Basel event type based on the alleged issue?
These events should be included in the database and the Basel event type classification should be assigned based on the alleged issue. Those banks that have not been able to report this information in the past should go back to the extent they can to capture and report such events. However, going forward it will be mandatory to report these types of events. (Approved February 2, 2007)
2 Negative Assets—How to treat them in data processing, specifically in calculating the Business Mix?
Any negative assets reported for BL1‐BL8 will be converted to zero value. To offset this conversion, we will add the negative value(s) reported to BL9 assets. This step is necessary to maintain the total assets reported for the quarter consistent with the 9C or 10Q report. (Approved February 2, 2007)
3 An event started in 2003 and has multiple transactions dated as below along with multiple charge‐off dates:
01/01/2003=USD2,000
03/20/2004=USD3,000
01/31/2006=USD6,000
02/20/2006=USD6,000
The total dollar amount for the event is USD17,000. However, for ABA reporting purposes (1Q2006), will they submit this event with a total dollar amount of only USD12,000 (partial loss amount for 1Q)?
This type of situation is often associated with Workers’ Compensation. The event should be reported as soon as the cumulative losses hit the USD10,000 threshold. In the example above, the event will be reportable in the first quarter 2006. For 1Q2006, the total loss of USD17,000 would be reported. The charge‐off date would be the event’s first charge‐off date of 01/01/2003. In case the event’s first charge‐off date was prior to 01/01/2003, when the ABA Consortium was first established, 01/01/2003 would be the assigned charge‐off date for this event.
(Approved January 17, 2008)
4 If a bank lost confidential customer information, how are related losses classified?
The classification depends on the details of each individual event. For example, if an ID theft occurs, it may be classified as External Fraud. However, if customer account information was lost on bank system due to a process management error, it may be classified as Execution, Delivery and Process Management. (Approved February 2, 2007)
5 How do the reporting banks collect data for scaling factors?
It is recommended to use either the FR Y‐9C or the 10 Q definitions of the scaling factors as the reporting guidelines. However, the numbers should be consistently reported from the same source for all quarters. (Approved February 2, 2007)
6 Are you tracking Net Losses vs. Net Income? One Consortium member has recently started using this figure in some of their monthly reports and was wondering what other banks were doing for benchmarking purposes and how they ranked against the other members.
The reporting members are not tracking Net losses vs. Net Income. The comparison does not appear to be very meaningful. (Approved February 2, 2007)
7 Consider this: A client ends a relationship with the institution. Since fees are billed in arrears, a final invoice for fees due is prepared and sent to the client. The invoice is correct, prepared timely and the client does not dispute the charges on the invoice. The client has paid all previous invoices. The client refuses to pay the final invoice. All collection attempts have failed and the amount of the invoice is charged off. Should this be considered an operational loss event? If so, how should it be categorized? Our interpretation is that it is not an operational loss event since there was no failure or inadequacy in internal processes, people or systems.
This is not an operational loss event. (Approved February 2, 2007)
8 What threshold is being considered by banks for capturing operational event data related to Credit Risk?
If a loan‐related operational loss is charged off to an operational‐loss expense account, it is still considered a credit loss. When reporting such events to the ABA Consortium, the box for “credit/market risk related” in the ABA report form should be checked as yes. (Revised November, 2010)
If a loan‐related operational loss is charged off to the allowance for loan loss account, the loss event should be reported to the ABA Consortium with the box for “credit/market risk related” in the ABA report form checked as yes. Such events should not be included in operational risk capital modeling. (Approved February 2, 2007)
9 What type of information/events are banks capturing regarding operational events related to Market Risk?
Only operational risk related losses should be reported to the ABA Consortium. For the credit, market and operational risk capital to make sense, the dataset used for capital modeling should not overlap. (Approved February 2, 2007)
10 How is loan fraud treated? Are these already being captured as part of the operational loss database by the participants?
Loan fraud losses are considered credit losses. If they are reported to the ABA Consortium, the box for “credit/market risk related” in the ABA report form should be checked as yes. Such events should not be included in operational risk capital modeling. (Revised November, 2010)
11 How should multiple retail mortgage losses be reported? Should they be aggregated by month (regardless of specific documentation problem) or should one documentation issue be considered as one event? (Waiting for Response from Regulators RE Boundary Events)
Multiple losses specifically related to an event should be aggregated.
Example:
Consider a case where documentation errors have been made on several loans in a pool of loans sold to an investor. The FI is required to buy back the loans if they go into default and the documentation is not in order as specified in the sales agreement. The FI is required to buy back 4 loans, at USD25,000 each, returned by the investor. These loans have gone into default and the documentation did not meet the requirements.
This will be reported to the ABA Consortium as one event with a total of USD100,000 because it was the same error within the same pool of loans sold to the same investor.
Similar losses not directly related to each other should not be aggregated.
Example:
Consider a case where several underwriting errors have been made in a pool of loans and one investor asks to be indemnified for USD100,000 for the loans that have gone into default. The same underwriting error occurs on loans from a different pool sold to another investor who also asks to be indemnified for USD100,000 for the same reason.
These will be reported to the ABA Consortium as two separate events since there are different investors and different loan pools involved. (Approved February 2, 2007)
12 Timing of inclusion of workers compensation/auto liability/general liability type of payments/claims in the database—Are these items included after cases are closed or are they included once they hit the USD10,000 threshold and then keep updating the records on a quarterly basis, where cases are still open?
Include these events in the database once they hit the USD10,000 threshold and update the records going forward on a quarterly basis until the event is closed. (Approved February 2, 2007)
13 What are the guidelines for determining the charge‐off date for the following scenarios?
Scenario #1: The bank makes an overpayment to a vendor on January 1, uncovers the error on February 1, and recovers the amount on March 1. For this event, is the charge‐off date January 1, when the vendor was overpaid?
Scenario #2: An event specific accrual was booked to the general ledger. Is the charge‐off date for this event the date the accrual was booked to the GL or the final payout date?
Scenario #1 is not considered a reportable event because the overpayment was never charged off to the general ledger as operational losses. This event should not be reported to the ABA Consortium.
Scenario #2: If event specific legal reserves are booked to the general ledger, then the event should be reported using the accrual amount, if this information is available, then updated when the final payout occurs. The charge‐off date for a legal case should be the date that the accrual was booked (i.e., first financial impact).
14 Are the 2007/2008 Visa and MasterCard settlements considered an operational loss event for banks to report to the ABA Consortium?
Visa and MasterCard settled antitrust lawsuits with Amex and Discover Financial Services.
The lawsuits began after a U.S. Supreme Court ruling forced Visa and MasterCard to abandon their exclusionary rules and allow their member banks to issue payment cards on rival networks. Discover and Amex claimed that Visa's and MasterCard's exclusionary rules hurt their potential for success.
If each lawsuit settlement exceeded a set amount, then Visa and MasterCard would assess the member banks to pay their share based on the bank's card volume.
To add confusion, while the cases were being tried, Visa and MasterCard switched from being owned by the member banks to being publicly traded companies. Stock was issued to member banks to buy them out when Visa and MasterCard went public. However, restrictions were placed on this stock pending the lawsuit settlement. As a result of the lawsuit settlements, the stock shares banks received were converted to the publicly traded class of stock at a lower conversion rate. This devalued the stock the member banks held by an amount equivalent to what the members would have been assessed if Visa and MasterCard remained member owned.
We can break the question into parts for discussion. If Visa and MasterCard remained member owned (didn't go public), then would the member assessments be a loss? Since they went public does the reduced value of the stock not count as an operational loss (it doesn't seem like a market risk either)?
Visa and MasterCard may have other “covered litigation” that could have a similar impact on shares given to member banks. The Notes to Consolidated Financial Statements – Legal Matters for Visa and MasterCard provide more details.
We have at least one event in the consortium database that may be related to this lawsuit (assumed based on Visa in the description and the dates). If we all agree this should be a loss, then we should see more events since many of the consortium members sell Visa or MasterCard cards and the amounts likely exceed the USD100,000 amount requiring a description.
Because the anti‐trust lawsuits were settled with proceeds from other sources such as Visa IPOs, most banks have reversed the accruals set aside for the settlement. These events are not considered operational loss events and they should not be reported to the ABA Consortium.
15 What should banks do with events from a line of business that goes away? For example if the line of business is sold or closed down? Should these events be reported to the ABA as deleted?
Those events should be mapped to related, existing business lines. Those events should remain in the ABA Consortium dataset.
16 Introduction: The Bank’s business objective is to originate Mortgage loans and sell them to investor groups (secondary market). Loan “A” was originated by Bank and sold to Investor Group. Loan “A” was randomly selected for audit by the Investor Group. Audit findings indicate there is a defect with the loan (underwriting execution and operational errors) and the Investor Group requests the loan to be repurchased by the originating Bank.
Scenario: The status of the loan at the time of repurchase is non‐performing/delinquent. A LOCOM adjustment is booked to the Bank’s general ledger at the time of repurchase. Subsequently, the property was foreclosed and Bank took possession of the property. The property was eventually sold. The Bank incurred foreclosure‐related costs and a loss on sale of REO was recognized.
Should the LOCOM adjustment, foreclosure‐related costs or loss on sale be classified as an operational loss? Reminder: the loan did have an underwriting execution error.
The Bank may also be responsible for paying the Investor Group past due interest, service release premium (SRP) and miscellaneous fees. Should these fees also be recognized as operational losses? Reminder: the loan did have an underwriting execution error.
This is a credit boundary event. The event is reportable to the ABA Consortium when the LOCOM adjustment was booked to the Bank’s General Ledger and if the LOCOM adjustment amount was at or greater than USD10,000.
Any subsequent foreclosure‐related costs, recognized loss on sale of REO, and other fees paid to the investor should be reported under the same event ID and be added to the original loss amount as revisions to the original event.
The charge‐off date of this event would be the date when the LOCOM adjustment was first booked to the General Ledger.
17 How to classify mortgage related losses that involved multiple loans but resulted from the same Consent Order, Investor Fines on foreclosure activities, or FIN45?
Mortgage loan losses resulting from the same root cause (e.g., consent order or fines) should be aggregated and reported as one event.
18 I am finding that on many litigation records, the start and detection dates are the same. Both are the date that the bank was served notice of litigation. I can also see an argument for making the “start” date the date in which the alleged wrongdoing began (i.e., months or years before the bank was sued). In many cases, my bank does not feel that there is a true “start” to the underlying allegations because we refute that any wrongdoing occurred (which is why we decided to use the lawsuit date as the “start” date). Thoughts?
The event date would be the alleged failure start date. If unsure, use the date the notice of litigation was served as the event date.
19 The Secondary Market in our Residential Mortgages group will either sell mortgages to an investor, or maintain the mortgages with the bank. The mortgage will apply risk‐based overlays which are captured as fees on the loan. The fee is to be passed onto the customer. In the event there is a processing error and the fee is not added to the loan, the following are the two results.
If the loan was sold to an investor, the bank would be responsible to make the payment for the additional fee and would report as an operational loss.
If the loan is not sold to an investor (i.e. not eligible for resale), the error is not due or payable to another party. The bank cannot go back to the customer to collect the fee. The result is less revenue for the bank.
Would this be considered a loss, near miss or a business risk? Our thought is that it would be considered a near miss, as this was due to a failure in the process. There was no “real” loss other than to revenue.
Both would be operational losses because the root cause was a processing error, even if the loss is offset by revenue.
20 Bank ABC charges USD500,000 in fees to customers due to a coding error (unearned income). The bank realizes its error and reverses the fees.
Would you record these as a:
- Non‐operational timing impact?
- Operational loss, even though there was no actual loss to the bank or to the customers.
This is a timing event. Follow the guidance for reporting timing events.
21 Bank CDF is assessed fees each month due to missing certain GSE timelines. The bank determines it is more cost effective to pay the monthly fines than to add additional staff to ensure timelines are met. Additionally, capturing and using the customer number for aggregation is too costly. How would you aggregate losses in this situation?
Would you aggregate these fees
- Place them all in one large event. This would eventually result in a very large event containing tens of millions of dollars of monthly fee write‐offs.
- Aggregate to a new event each month
- Other?
To retain more granular information for this type of event for future research and analysis, it is recommended to aggregate the losses by customer account number.