Basel: take two
The Basel banking accords get their names from the Swiss city where the super-regulator of global banks, the Bank for International Settlements, resides.The first one, the 1988 Basel Capital Accord, or Basel I, concentrated on capital adequacy, rigidly prescribing levels of capital against different assets. This agreement tried to encapsulate a bank`s total risk based on a prescriptive credit risk measure. However, the new, improved Basel II moves away from rigid, one-size-fits-all strictures, placing more emphasis on banks` own internal risk measurement systems, the role of regulatory supervision and the disciplines of the market.Therein lies the rub. Basel II comes into effect in early 2007 – after a dry run in 2006 – and introduces new levels of complexity to banking, forcing banks to confront issues in new ways.The incentive is a lower capital charge for different kinds of assets for those banks that invest the requisite time and money in getting systems up to scratch, depending on the quality of the assets.It entails a big investment up front, but this isn`t really the issue for large banks, especially the “big four” in South Africa who, in any event, spend vast amounts on technology and risk management. The real issue is creating a robust risk measurement framework, with accurate data and the ability to assess and act on that data.Basel II notwithstanding, it`s an issue banks would have had to face anyhow – as an important business challenge in an ever more complex world.“Twenty to 30 years ago there were a number of smaller banks. Information flows were not real-time and, with most activity restricted to domestic business, the risks of cross-border losses were less,” says Ray Leonard, former CEO of Global Technologies, an IT company specialising in banking and financial services solutions. “Technology today is faster, but settlement risks are huge. The domino effects are also great.”Market risk was a major focus of the first accord, but it is in the credit and, especially, operational risk arenas that Basel II aims to make its mark.Basel II offers a number of approaches for banks to measure their credit and operational risks, with either prescribed models or internally based ones, using regulatory inputs to varying degrees. Each is complex in its own right and, particularly in the case of operational risk, covers mostly new ground.Which of the many approaches banks choose to take will vary, according to their resources and the types and validity of data they have available. Most, it seems, will choose to drive the sedan models, before upgrading to the Rolls Royce.But banks are taking Basel II to heart, as a basis for good business and risk management. Many say Basel II has simply given impetus to projects they would probably have embarked on anyway.“What Basel II has done is constrict the timelines and enlarged the scope of projects we were undertaking anyway,” says Dave Hodnett, director group risk management at Standard Bank. The new groundBanks speak of Basel II allowing for the convergence of regulatory capital and economic capital. The latter concept is growing in importance in the global banking community, as banks work to allocate capital against assets in a way that accounts for the economic realities attached to a particular asset or activity. Economic capital is thus a more dynamic measure than the formula-driven measures of the 1988 accord.“It becomes a joint effort, a risk management tool as well as a capital management tool,” says René van Wyk, group chief risk officer at Nedcor. “We need to be able to use it to calculate risk-adjusted returns on our different business units.”Tertius Mostert, senior consultant for BCS financial services, at IBM, says Basel II can be used as a springboard to go further in issues that have long been on the “to do” list, such as data cleansing, helping create a single view of the client, implementing good customer relationship management programmes and centralising data warehousing.Basel II is being taken very seriously in Europe and elsewhere. According to a survey last year by the European Financial Markets Association, 93 percent of European banks surveyed regard Basel II as a project of major or critical importance, comparable to the Y2K or euro changeover projects. The IT windfallMany see increased scope for significant IT investment, with 53 percent saying current risk management systems are not capable of meeting the new accord`s reporting.Locally, banks are taking things seriously too. A recent Ernst & Young survey of Basel II readiness shows South African banks compare favourably with banks in developed markets, with the locals lagging in pretty much the same areas as their counterparts in the European Union (EU) and the US.Good banks should have an anecdotal feel for the risks of lending – who is likely to default and who isn`t. Competitive forces have made banks acutely aware, however, of the perils of getting it wrong, of growing assets too quickly and then seeing a major blow-out down the line.Banks are increasingly realising the importance of adopting a scientific approach to credit, and Basel II pushes that process further along. But whereas the original accord set prescriptive capital charges against different kinds of asset, Basel II leaves the way open for banks to develop their own risk models, taking into account their own markets, risk profiles and reporting sophistication.Basel II offers three approaches to the measurement of credit risk. The first, the standardised approach, is a variation on the current model, which allocates capital according to very broad types of borrower. Basel II refines these, using external ratings by rating agencies (such as Moody`s, Standard & Poor or Fitch) for corporates, banks, governments, municipalities and parastatals.The second and third approaches are internal rating-based (IRB), and allow banks to adopt their own estimates, subject to rigorous assessment by regulators. Risk weightings are generally more diverse than under the standardised approach.The foundation IRB approach allows banks to calculate their own default probabilities, with other inputs supplied by the regulator. The advanced IRB approach allows banks to calculate their own default, exposure at default and loss estimates, provided the methodology meets strict regulatory standards. A tough task“Eligibility for the IRB approaches requires a bank to demonstrate to the regulator (the Reserve Bank`s bank supervision department) that it meets certain minimum requirements at the outset and on an ongoing basis,” says Andries du Toit, head of capital management at FirstRand Bank.Putting together a robust credit rating system to meet the standards of the IRB approaches is no easy task, and requires inputs of all the methods, processes, controls, data collection and IT systems that support credit risk management, says Du Toit.Data can be a headache, and the Ernst & Young survey has identified this as a problem area for credit risk assessment. For the advanced IRB approach, banks will need to have new systems in place for three years, and data going back five to seven years; while the system will need to run in parallel with the existing system for a year prior to implementation.This is fine and good for retail credit. Banks have plenty of data available on their various retail books of probability to default levels, loss given default (LGD), exposures and historical recoveries, and this should allow them to adopt the advanced IRB, according to a report published by Fitch, the rating agency.But their wholesale and corporate books present a bit more of a problem. The relatively small size of the South African market has not been a problem in the past, with the big banks all generally dealing with the same names in their transactions, and all having a good anecdotal feel for the creditworthiness of each one.Basel II requires a more scientific approach, however.“For any model to work, you need a good population of data,” says Nedcor`s Van Wyk. “But how many corporate defaults have we seen in the South African market? Probably a handful. Is that sufficient to draw any statistically valid conclusions?“Compare that with the US and EU, where the markets are large enough to give a sufficient pool of default data.”Standard`s Hodnett concurs. “Default data in South Africa may be sketchy, but recovery data is worse. High profile cases like Leisurenet have still not been completed.”This transcends the issue of which applications the banks choose to purchase from the big vendors. “I can go and buy the best and most expensive tools available on the international market, but the problem remains because these are calibrated according to overseas data, not local data,” says Hodnett.Small and medium enterprises also present a problem for South African banks, with the threshold for these businesses to be classified as retail perhaps set too high for local conditions. But, according to Fitch, there is an initiative to pool banks` data to generate more accurate default statistics. This, in turn, could increase the capital requirements on bank exposures to the SME sector.At the core of Basel II is the so-called “use test”. It is not enough for banks to adopt an approach simply to meet regulatory reporting requirements; the approach has to be fundamental to the way banks manage their risks.“The regulators are saying that if you don`t use the models as a basis for running the business, they won`t approve them,” says Hodnett. “We have to prove we are pricing appropriately, and doing our provisioning off the model and so on.”If the eighties were about the refinement of market risk, and if the nineties saw the most work being done on credit risk, then this decade is likely to be the defining one for operational risk. Root of problemsOperational risk, which encompasses the risks posed by people, systems and processes, is not a new concept for banks. Indeed, behind most of the notable bank failures in the last 10 years an operational breakdown of some sort has been evident, with fraud, poor reporting or lack of sufficient controls being evident in the problems at Barings in the nineties, or even in the Sechold (1993) and Real Africa Durolink (2001) failures.Certainly, operational issues seem top of mind for most bank regulators, says Henry Mynhardt, director: financial services group at Ernst & Young. “Operational risk is the roof over the house made out of all of the other risks,” he says. “The concern is that a failure in systems, people and processes can lead to a systemic risk for the banking environment as a whole.”Local banks are not behind in tackling operational risk areas in their business though. “Although it`s a fairly new area from a regulatory point of view, it is an area where banks would have spent a great deal of time and money, in terms of building up operational resilience,” says Pieter Crafford of IBM`s BCS.Basel II offers four approaches to assessing operational risk: a basic indicator approach, two standardised approaches and an advanced measurement approach (AMA). The new frontierDeciding which of these methods of reporting and allocating capital to choose is not made easier by the fact that both banks and regulators are still building a model for best practice.“Of 600 pages in the draft accord, about 450 deal with credit,” says Hodnett, emphasising how much work needs to be done on the topic. “I think you will find that, whereas nine out of ten banks will have the same issues on credit risk, about nine out of ten will probably be doing things a little differently for operational risk.” Hodnett says operational risk is certainly becoming the new research frontier.Nedbank`s Van Wyk says local banks are probably ahead of the curve in terms of day-to-day operational risk management, but are grappling with the capital aspects.Those that use the AMA, which involves a sophisticated system of loss distribution analysis, will need to run it in parallel with their existing systems for a year before implementation at the end of 2006.Dave Allen of Accenture says the AMA is clearly the long-term goal for banks. “The AMA approach allows banks to use internal operational risk data to estimate capital requirements, whereas the other approaches impose capital charges based on fixed percentages defined by the regulators,” he says. “However, the AMA requires three years of data history.”Allen says most banks are typically looking to adopt a scorecard approach to economic capital allocation for operational risks, combining key risk indicator and self-assessment data with loss data so that capital allocation is more forward-looking – rather than being purely based on operational loss history. This scorecard approach would form the basis of an AMA for banks using this method, he says.“Most South African banks are currently in the throes of implementing group-wide operational loss management systems, but are still some way off having consistent key risk indicator and self-assessment processes rolled out across the group. Given the requirements for three years of data history, achieving AMA by end-2006 may prove a stretch for local banks.” Making sense of it allWith this in mind, South African banks are likely to adopt the standardised approach, says Fitch, calculating a capital requirement for each line of business against the gross income of each business and a factor determined by the regulator. The banks will still need to have in place adequate risk measurement systems.Les Horne, head of Financial IQ, part of the IQ Business Group, says banks will need to start focusing on risk issues in an end-to-end way, assessing how each process as a whole contributes to risk. “The key really is to identify the process and then to understand the segregation of the process. Risk resides in the entire transaction, not in just one level of it,” says Horne.IBM`s Mostert says banks need to standardise approaches throughout the group, and then identify and monitor the processes. “Banks have already started this, but the trick now is to collect the data and make sense of it,” he says.The operational landscape will remain challenging, as further consolidation in the industry and the growth of e-business presents new hurdles. Last year`s small bank crisis, which saw the fall of Saambou, Absa take a hit on microlender Unifer and a run on deposits at BOE, is still fresh in the memory. Operational issues were present in all these cases.Van Wyk says the Nedcor/BOE merger came at a fortuitous time, when Nedcor was introducing its new business model. “We would have had to re-engineer our processes anyway,” he says.Technology and e-business presents challenges, says Shaun Nel of Computer Associates. “Banks are pretty IT dependent, so almost every business process has a set of underlying technologies. A good example is online banking. If anything goes wrong, such as a failed transaction or fraud, each piece of technology can flag an event. Technology creates multiple checkpoints,” he says. The road ahead“Basel II highlights the technology issues,” says Glotec`s Ray Leonard. “We need to look at legacy systems, the accuracy of historic information, and whether it`s auditable. The mathematical understanding is just the tip of the iceberg.”The bad news for banks is that 2006 is not terribly far away; the good news is that their state of readiness compares favourably with many developed markets.According to Ernst & Young`s recent survey, 66 percent of local banks are partially prepared for the implementation. This puts South Africa ahead of Luxembourg, where a similar survey was conducted late last year.South African banks participated in the Basel Committee`s third quantitative impact study, released in May, and have been keeping tabs on events in Switzerland. The Reserve Bank has set up a number of forums with the banks, to discuss key issues.According to Jay Tikam of the Reserve Bank`s Bank Supervision department, while South Africa is not a member of the G10, it will follow best practice, so adoption of Basel II principles is inevitable. “Banks have simulated the accord, done the gap analysis and are undertaking projects to collect data,” he says. Everyone`s talkingIntegrators, software providers and other solutions providers have also been impressed by the extent to which the major banks are taking the issue seriously. “Interest is much higher than it was. All the banks have committees in place to deal with the Basel II issues,” says Lloyd Chisholm of SAP.While willingness and mindset to adopt Basel II is there, integration of data and systems is a concern for many. “Some banks still stick to the silo approach to risk,” says Kerry Evans, sales manager financial services at SAS Institute.South Africa shares many of the problems faced by the US and the EU, particularly around mergers and the introduction of new risk areas such as electronic fraud and global anti-money laundering regulations, which put new disclosure pressures and sanctions on banks.Indeed, a raft of new compliance requirements is coming into effect, including accounting corporate governance (King II) and anti-money laundering laws.In addition, there are peculiarly South African banking issues, such as the relative small size of the local market – which is creating a headache in relation to corporate default data – and the importance of micro-lending in the economy. Banks that operate in this space (and all the big four do, to some extent) will need to allocate capital against the risks involved.The small and medium enterprise market will also present difficulties. According to Andre Blaauw of Absa, an appropriate level will have to be found for setting a threshold below which a corporate account can be classified as retail. “The one million euro level may not be appropriate for South Africa,” he says.Regional risks will also have quite a different impact on South Africa. “South African banks do not have the large and diverse offshore balance sheets of the major international banks, and so rely on lines provided to them by the international banks,” says Van Wyk. Beware big brother“The international banks have a very cold, mechanistic approach. If they decide to cut lines with South Africa, for whatever reason, it can have a major impact on the local banking sector. That means we need to follow best practice wherever possible.”This also raises the problem of pro-cyclicality, says Hodnett. “If there was a downgrading to South Africa`s credit rating, banks lending to South Africa would have to account for higher capital requirements – this at the very time when the system needs more liquidity. The accord has not really dealt with this issue.”When Basel II was first discussed, many believed great rewards in terms of capital relief would come to those who invested in systems and applications to run the more sophisticated risk measurement models.But while quantitative impact studies by the Basel Committee have shown that some relief on banks` retail books is likely, this may be offset by the corporate, sovereign and SME books, says Fitch. And operational risk charges are still unknown at this stage.“I don`t see a competitive advantage arising out of Basel II. If all the banks do it properly, there is no advantage. It`s more a case of a disadvantage if one doesn`t comply,” says Hodnett.All things considered, one can expect the risk debates raised in the accord to continue long after the date of implementation, perhaps with the major risk areas morphing with one another. Basel III is already being discussed.
01 July 2003
The Basel banking accords get their names from the Swiss city where the super-regulator of global banks, the Bank for International Settlements, resides.
Therein lies the rub. Basel II comes into effect in early 2007 – after a dry run in 2006 – and introduces new levels of complexity to banking, forcing banks to confront issues in new ways.
ITWeb Premium
Get 3 months of unlimited access
No credit card. No obligation.