basel iii news, from the basel iii compliance professionals association

P a g e | 1

________________________________________ Basel iii Compliance Professionals Association (BiiiCPA)

Basel iii Compliance Professionals Association (BiiiCPA) 1200 G Street NW Suite 800 Washington, DC 20005-6705 USA

Tel: 202-449-9750 Web: www.basel-iii-association.com

Dear Member,

We have all the details of the Basel Committee’s Monitoring Report (March 2016) and the highlights of the Basel III monitoring exercise as of 30 June 2015. All large internationally active banks meet Basel III minimum and CET1 target capital requirements.

To assess the impact of the Basel III framework on banks, the Basel Committee on Banking Supervision monitors the effects and dynamics of the reforms. For this purpose, a semiannual monitoring framework has been set up on the risk-based capital ratio, the leverage ratio and the liquidity metrics using data collected by national supervisors on a representative sample of institutions in each country. This report is the ninth publication of results from the Basel III monitoring exercise and summarises the aggregate results using data as of 30 June 2015. The Committee believes that the information contained in the report will provide relevant stakeholders with a useful benchmark for analysis. Information considered for this report was obtained by voluntary and confidential data submissions from individual banks and their national supervisors.

http://www.basel-iii-association.com/

P a g e | 2


Data was provided for a total of 230 banks, including 101 large internationally active (“Group 1”) banks and 129 other (“Group 2”) banks. Members’ coverage of their banking sector is very high for Group 1 banks, reaching 100% coverage for some countries, while coverage is lower for Group 2 banks and varies by country. In general, this report does not take into account any transitional arrangements such as phase- in of deductions and grandfathering arrangements. Rather, the estimates presented generally assume full implementation of the final Basel III requirements based on data as of 30 June 2015. No assumptions have been made about banks’ profitability or behavioural responses, such as changes in bank capital or balance sheet composition, either since this date or in the future. For this reason, the results are not comparable with current industry estimates, which tend to be based on forecasts and consider management actions to mitigate the impact, and they also incorporate estimates where information is not publicly available. Furthermore, the report does not reflect any additional capital requirements under Pillar 2 of the Basel II framework, any higher loss absorbency requirements for domestic systemically important banks, nor does it reflect any countercyclical capital buffer requirements.

Risk-based capital requirements In the analysis of the risk-based capital requirements, this report focuses on the following items, assuming that the positions as of 30 June 2015 were subject to the fully phased-in Basel III standards: • Changes to bank capital ratios under the Basel III requirements, and estimates of any capital deficiencies relative to fully phased-in minimum and target capital requirements (including capital surcharges for global systemically important banks – G-SIBs); • Changes to the definition of capital that result from the full phasing-in of the Basel III capital standard, referred to as common equity Tier 1 (CET1), including a reallocation of deductions to CET1, and changes to the eligibility criteria for additional Tier 1 and Tier 2 capital; and

P a g e | 3


• Increases in risk-weighted assets resulting from phasing-in changes to the definition of capital.

Capital ratios Compared with the transitional Basel III framework, the average CET1 ratio under the fully phased-in Basel III framework would decline from 11.9% to 11.5% for Group 1 banks. The Tier 1 capital ratios of Group 1 banks would decline on average from 13.2% to 12.2% and total capital ratios would decline from 15.8% to 13.9%. For Group 2 banks, the decline in capital ratios is slightly less pronounced than for Group 1. Assuming full phasing-in of Basel III, the aggregate CET1 ratio would decline from 13.1% to 12.8% and Tier 1 capital ratios would decline on average from 13.9% to 13.2%. Total capital ratios would decline by a slightly greater amount, on average from 16.0% to 14.5% due to the phase-out of Tier 2 instruments which will no longer be eligible in 2022.

CET1 capital shortfalls Assuming full phasing-in of the Basel III requirements as of 30 June 2015, including changes to the definition of capital and risk-weighted assets, all Group 1 banks would meet the CET1 minimum capital requirement of 4.5% and the CET1 target level of 7.0% (ie including the capital conservation buffer); this target also includes the G-SIB surcharge according to the list of banks published by the Financial Stability Board in November 2015 where applicable. Group 1 banks report no shortfall at the CET1 target level for the second consecutive reporting period. Under the same assumptions, all Group 2 banks would meet the CET1 minimum capital requirement of 4.5%; however, the capital shortfall is estimated at €0.2 billion at the CET1 target level of 7.0%.

Leverage ratio The average transitional Basel III Tier 1 leverage ratios (ie reflecting all

P a g e | 4


applicable transitional arrangements to the definition of capital) would be 5.6% for Group 1 banks and for G-SIBs 5.5%, while it would amount to 5.6% for Group 2 banks. The average fully phased-in Basel III Tier 1 leverage ratios are 5.2% for both Group 1 banks and G-SIBs, while for Group 2 banks the average is 5.4%. Seven out of 106 Group 2 banks with an aggregate shortfall of €4.3 billion would not meet a fully phased-in minimum Basel III Tier 1 leverage ratio of 3%, while all Group 1 banks now meet the requirement.

Combined shortfall amounts This Basel III monitoring report also analyses the combined shortfall amounts needed to meet both risk- based capital and any applicable Tier 1 leverage ratio requirements (see Section 2.8). For Group 1 banks, the leverage ratio has no impact on the capital shortfalls at the minimum or target levels. For Group 2 banks, the inclusion of the fully phased-in Basel III Tier 1 leverage ratio shortfall raises the additional Tier 1 capital shortfall at the minimum level from zero to €4.3 billion. At the target level, the additional Tier 1 capital shortfall rises by €4.3 billion (from €2.9 billion to €7.2 billion) when the Basel III Tier 1 leverage ratio requirement is included. In turn, this inclusion of applicable Basel III Tier 1 leverage ratio shortfalls increases the total capital shortfall from €0.3 billion to €4.6 billion considering all capital ratio minimums and from €8.6 billion to €13.0 billion at the target level.

Liquidity standards Liquidity Coverage Ratio The Liquidity Coverage Ratio (LCR) was revised by the Committee in January 20137 and came into effect on 1 January 2015. This marks the first reporting period in which all banks are subject to the minimum 60% requirement that came into effect on 1 January 2015 according to the Basel III phase-in arrangements. The minimum requirement is initially set at 60% for 2015 and will then rise

P a g e | 5


in equal annual steps of 10 percentage points to reach 100% in 2019. The end-June 2015 reporting period was the sixth data collection exercise for which a comprehensive calculation of the revised LCR standard could be conducted. Key observations from a comparison of current period to previous period results include: • A total of 92 Group 1 and 68 Group 2 banks participated in the LCR monitoring exercise for the end-June 2015 reference period. • The average LCR for the Group 1 bank sample was 123.6%. For Group 2 banks, the average LCR was 140.1%. These figures compare to average LCRs of 125.3% and 144.3% for Group 1 banks and Group 2 banks, respectively, at end-December 2014. • Of the 160 banks in the LCR sample, 84% reported a ratio that met or exceeded a 100% minimum requirement, compared with 81% at end-December 2014, while all banks reported an LCR at or above a 60% minimum requirement, compared with 95% at end-December 2014. • The aggregate LCR shortfall at a minimum requirement of 100% was €57 billion, which represents approximately 0.1% of the more than €64.2 trillion in total assets of the aggregate sample. This compares to a shortfall of €147 billion (which represents approximately 0.2% of the €62.0 trillion total assets of the aggregate sample) as of end-December 2014. Since no bank reported an LCR below 60%, there was no LCR shortfall at a minimum requirement of 60%, compared to €70 billion at end-December 2014.

Net Stable Funding Ratio The Net Stable Funding Ratio (NSFR) was revised by the Committee in October 2014. The end-June 2015 reporting period was the second data collection exercise for which a comprehensive calculation of the revised NSFR standard could be conducted.

P a g e | 6


As such, comparisons to previous reporting periods are available beginning with this collection exercise. Key observations from the current period results include: • A total of 100 Group 1 and 102 Group 2 banks participated in the NSFR monitoring exercise for the end-June 2015 reference period. • The weighted average NSFR was 111.9% for Group 1 banks and 114.0% for Group 2 banks at end-June 2015 compared to 111.2% and 113.9% respectively, at end-December 2014. • 79% of Group 1 banks and 83% of Group 2 banks meet or exceed the 100% minimum NSFR requirement, with 92% of Group 1 banks and 94% of Group 2 banks at an NSFR of 90% or higher as of end-June 2015. • The aggregate NSFR shortfall – which reflects the aggregate shortfall for banks that are below the 100% NSFR requirement and does not reflect any surplus stable funding at banks above the 100% requirement – was €415 billion at end-June 2015 compared to €576 billion at end- December 2014. The shortfall was €374 billion and €41 billion at end-June 2015 for Group 1 and Group 2 banks, respectively, compared to €526 billion and €50 billion at end-December 2014. The NSFR, including any potential revisions, will become a minimum standard by 1 January 2018.

Detailed results of the Basel III monitoring exercise as of 30 June 2015 1. General remarks At its 12 September 2010 meeting, the Group of Governors and Heads of Supervision (GHOS), the oversight body of the Basel Committee on Banking Supervision, announced a substantial strengthening of existing capital requirements and fully endorsed the agreements it had reached on 26 July 2010. These capital reforms, together with the introduction of two international liquidity standards, responded to the core of the global financial reform agenda presented to the Seoul G20 Leaders summit in November 2010.

P a g e | 7


Subsequent to the initial comprehensive quantitative impact study published in December 2010, the Committee continues to monitor and evaluate the impact of these capital, leverage and liquidity requirements (collectively referred to as “Basel III”) on a semiannual basis. This report summarises the results of the latest Basel III monitoring exercise using 30 June 2015 data.

1.1 Scope of the monitoring exercise All but one of the 27 Committee member countries participated in the Basel III monitoring exercise as of 30 June 2015. The estimates presented are based on data submitted by the participating banks and their national supervisors in reporting questionnaires and in accordance with the instructions prepared by the Committee in July 2015. The questionnaire covered components of eligible capital, the calculation of risk- weighted assets (RWA), the calculation of a leverage ratio and components of the liquidity metrics. The final data were submitted to the Secretariat of the Committee by 22 January 2016. The purpose of the exercise is to provide the Committee with an ongoing assessment of the impact on participating banks of the capital and liquidity standards set out in the following documents: • Revisions to the BaselII market risk framework and Guidelines for computing capital for incremental risk in the trading book; • Enhancements to the BaselII framework which include the revised risk weights for re- securitisations held in the banking book; • Basel III: A global framework for more resilient banks and the banking system as well as the Committee’s 13 January 2011 press release on loss absorbency at the point of non-viability; • Capital requirements for bank exposures to central counterparties; • Global systemically important banks: updated assessment methodology and the additional loss absorbency requirement as well as the updated list of G-SIBs published by the Financial Stability Board in November 2015;

P a g e | 8


• Basel III: the Liquidity Coverage Ratio and liquidity risk monitoring tools; • Basel III: the net stable funding ratio; and • Basel III leverage ratio framework and disclosure requirements.

1.2 Sample of participating banks Data were provided for a total of 230 banks, including 101 Group 1 banks and 129 Group 2 banks. Group 1 banks are those that have Tier 1 capital of more than €3 billion and are internationally active. All other banks are considered Group 2 banks. Banks were asked to provide data at the consolidated level as of 30 June 2015. Subsidiaries are not included in the analyses to avoid double-counting. For Group 1 banks, members’ coverage of their banking sector was very high, reaching 100% coverage for some countries. Coverage for Group 2 banks was lower, and varied across countries. For a small number of banks data relating to some parts of the Basel III framework were unavailable. Accordingly, these banks are excluded from individual sections of the Basel III monitoring analysis due to incomplete data. In certain sections, data are based on a consistent sample of banks. This consistent sample represents only those banks that reported necessary data at the June 2011 (labelled “H1 2011”), December 2011 (“H2 2011”), June 2012 (“H1 2012”), December 2012 (“H2 2012”), June 2013 (“H12013”), December 2013 (“H22013”), June2014 (“H12014”), December2014 (“H2 2014”) and June 2015 (“H1 2015”) reporting dates, in order to make more meaningful period-to-period comparisons. Unless noted otherwise, the consistent sample includes 91 Group 1 banks, of which 30 are G-SIBs, and 71 Group 2 banks. The 30 banks in the G-SIB time series analyses are those banks which have been classified as G-SIBs as of November 2015, irrespective of whether they

P a g e | 9


have also been classified as G-SIBs previously. The Committee appreciates the significant efforts contributed by both banks and national supervisors to this ongoing data collection exercise.

1.3 Methodology Unless otherwise noted, the impact assessment was carried out by comparing banks’ capital positions under fully phased-in Basel III to the transitional Basel III framework as implemented by the national supervisor (ie with phase-in arrangements). The fully phased-in Basel III results are calculated without considering transitional arrangements pertaining to the phase-in of deductions and grandfathering arrangements set out in the Basel III framework. However, banks in some countries had difficulties providing fully phased-in Basel III capital amounts; in such cases, the capital amounts according to the fully phased-in national implementation of the Basel III framework was used instead. Consistent with previous reports, this report does not reflect any additional capital requirements under Pillar 2 of the Basel II framework, any higher loss absorbency requirements for domestic systemically important banks, nor does it reflect any countercyclical capital buffer requirements. Reported average amounts in this document have been calculated by creating a composite bank at a total sample level, which effectively means that the total sample averages are weighted. For example, the average common equity Tier 1 capital ratio is the sum of all banks’ common equity Tier 1 (CET1) capital for the total sample divided by the sum of all banks’ risk-weighted assets for the total sample. Similarly, the average fully phased-in Basel III Tier 1 leverage ratio is the sum of all banks’ fully phased-in Tier 1 capital for the total sample divided by the sum of all banks’ Basel III leverage ratio exposures for the total sample. To preserve confidentiality, many of the results shown in this report are presented using box plot charts. The median value is represented by a horizontal line, with 50% of the values

P a g e | 10


falling in the range shown by the box. The upper and lower end points of the thin vertical lines show the range of the entire sample unless noted otherwise.

1.4 Data quality For this monitoring exercise, participating banks submitted comprehensive and detailed non-public data on a voluntary and best-efforts basis. As with the previous studies, national supervisors worked extensively with banks to ensure data quality, completeness, and consistency with the published reporting instructions. Banks are included in the various analyses below only to the extent that they were able to provide data of sufficient quality to complete the analyses.

1.5 Interpretation of results The following caveats apply to the interpretation of results shown in this report: • When comparing results to prior reports, sample differences as well as minor revisions to data from previous periods need to be taken into account. Sample differences and data revisions also explain why results presented for the June 2015 reporting date may differ from the H1 2015 data point in graphs and tables showing the time series for the consistent sample of banks as described above. • The actual impact of the new requirements will almost certainly be less than shown in this report given the phased-in implementation of the standards and interim adjustments made by the banking sector to changing economic conditions and the regulatory environment. For example, the results do not consider bank profitability, changes in capital or portfolio composition, or other management responses to the policy changes since 30 June 2015 or in the future. For this reason, the results are not comparable to industry estimates, which tend to be based on forecasts and consider management actions to mitigate the impact, as well as incorporate estimates where information is not publicly available.

P a g e | 11


• The Basel III capital amounts shown in this report assume that all common equity deductions are fully phased in and all non-qualifying capital instruments are fully phased out (ie it is assumed that none of these capital instruments will be replaced by eligible instruments). As such, these amounts underestimate the amount of Tier 1 capital and Tier 2 capital held by a bank as they do not give any recognition for non-qualifying instruments that will actually be phased out over six years. • The treatment of deductions and non-qualifying capital instruments also affects figures reported in the section on the Basel III leverage ratio. The assumption that none of these capital instruments will be replaced by eligible instruments will become less of an issue as the implementation date of the Basel III leverage ratio nears.

2. Regulatory capital, capital requirements and capital shortfalls Table 1 shows the aggregate capital ratios under the transitional and fully phased-in Basel III frameworks and the capital shortfalls if Basel III were fully phased-in (“view 2022”), both for the definition of capital and the calculation of risk-weighted assets, as of June 2015. Details of capital ratios and capital shortfalls are provided in Sections 2.1 and 2.2. The Basel III framework includes the following phase-in provisions for capital ratios: • For CET1, the highest form of loss-absorbing capital, the minimum requirement was raised to 4.5% and was phased in on 1 January 2015; • For Tier 1 capital, the minimum requirement was raised to 6.0% and was phased in on 1 January 2015; • For total capital, the minimum requirement remains at 8.0%; • Regulatory adjustments (ie possibly stricter sets of deductions that apply under Basel III) will be fully phased in by 1 January 2018; • An additional 2.5% capital conservation buffer above the regulatory minimum capital ratios, which must be met with CET1, will be phased in by 1 January 2019; and

P a g e | 12


• The additional loss absorbency requirement for G-SIBs, which ranges from 1.0% to 3.5%, will be fully phased in by 1 January 2019. It will be applied as the extension of the capital conservation buffer and must be met with CET1. The Annex includes a detailed overview of the Basel Committee’s phase-in arrangements.

2.1 Capital ratios As compared with transitional CET1, the average CET1 capital ratio of Group 1 banks would have fallen from 11.9% to 11.5% (a decline of 0.4 percentage points) when Basel III deductions and risk-weighted assets are fully taken into account.

P a g e | 13


For Group 2 banks, the CET1 capital ratio declines from 13.1% under transitional rules to 12.8% as a result of the full phasing-in of Basel III (a reduction of 0.3 percentage points). Results continue to show significant variation across banks as shown in Graph 1 for the transitional Basel III rules and Graph 2 for fully phased-in Basel III. The reduction in CET1 ratios is driven by the full application of the new definition of eligible capital instruments, deductions that were not previously applied at the common equity level of Tier 1 capital in most countries (numerator), and by increases in risk-weighted assets (denominator). Since all countries in the sample have already implemented Basel III as of end-June 2015 the overall change in RWA is very limited and mainly due to different national phase- in plans. Tier 1 capital ratios of Group 1 banks would on average decline 1.0 percentage points from 13.2% to 12.2%, and total capital ratios of this same group would decline on average by 1.9 percentage points from 15.8% to 13.9%. Group 2 banks show similar declines in Tier 1 capital ratios (from 13.8% to 13.2%) and total capital ratios (from 16.0% to 14.5%). The stronger decline of total capital ratios is caused by the phase-out of Tier 2 instruments which will no longer be eligible in 2022.

P a g e | 14


Graph 3 shows that, out of the 101 banks in the Group 1 sample, all show a CET1 ratio under fully phased-in Basel III that is above both the 4.5% minimum capital requirement and the 7.0% target ratio (ie the minimum capital requirement plus the capital conservation buffer). Of 118 banks in the Group 2 sample, all report a CET1 ratio equal to or higher than 4.5%, while 97% also achieve the target of 7.0%.

P a g e | 15


Graph 4 below shows the average capital ratios under transitional Basel III rules for a consistent sample of Group 1 and Group 2 banks for the periods end-June 2011, end-December 2011, end-June 2012, end-December 2012, end-June 2013, end-December 2013, end-June 2014, end-December 2014 and end-June 2015. Transitional capital ratios have not changed greatly.

After full phasing in of Basel III (Graph 5), the CET1, Tier 1 and total capital ratios for this consistent sample of Group 1 banks improved by 0.3, 0.5 and

P a g e | 16


0.6 percentage points, respectively, over the previous six months. For Group 2 banks, the improvement in risk-based capital ratios over the reporting period was 0.9 percentage points each. The general improvement in fully phased-in Basel III capital ratios for both groups is due to Basel III-eligible capital added and, to a lesser extent, lower levels of deductions that reduce CET1, in spite of slightly higher overall risk-weighted assets.

2.2 Capital shortfalls This section shows the capital shortfalls for the Group 1 and Group 2 bank samples assuming full phasing in of the Basel III requirements based on data as of 30 June 2015 and disregarding transitional arrangements. The shortfalls presented are measured against different minimum capital ratio requirements (ie 4.5% CET1, 6.0% Tier 1 and 8.0% total capital) as well as against the target level, which includes the 2.5% capital conservation buffer and capital surcharges for 30 G-SIBs as applicable. Graph 6 and Graph 7 below as well as Table 1 above provide estimates of the amount of capital that Group 1 and Group 2 banks would need based on data as of 30 June 2015 in addition to capital already held at the reporting date, in order to meet the target CET1, Tier 1 and total capital ratios under Basel III assuming fully phased-in requirements and deductions.

P a g e | 17


Under these assumptions, there is no CET1 capital shortfall for Group 1 or Group 2 banks with respect to the 4.5% CET1 minimum requirement. For a CET1 target of 7.0% (ie the 4.5% CET1 minimum plus the 2.5% capital conservation buffer) plus any capital surcharge for Group 1 G-SIBs as applicable according to the updated list of banks published by the Financial Stability Board in November 2015, the Group 1 banks also have no shortfall, while the shortfall for Group 2 banks is €0.2 billion. As a point of reference, the aggregate sum of after-tax profits prior to distributions for the six-month period ending 30 June 2015 for Group 1 and Group 2 banks was €307.2 billion and €14.7 billion, respectively. Group 1 banks would not need additional Tier 1 or CET1 capital to meet the minimum Tier 1 capital ratio requirement of 6.0%. Assuming banks already hold 7.0% CET1 capital plus the surcharges on G-SIBs as applicable, Group 1 banks would need an additional €3.4 billion of additional Tier 1 or CET1 capital to meet the Tier 1 capital target ratio of 8.5% (ie the 6.0% Tier 1 minimum plus the 2.5% CET1 capital conservation buffer) plus the surcharges on G-SIBs as applicable, respectively. Group 2 banks need no additional Tier 1 or CET1 capital to meet the minimum Tier 1 capital requirement but require an additional €2.9 billion to meet the target ratio requirement. Group 1 banks do not need additional Tier 2 or higher-quality capital to meet the minimum total capital ratio requirement of 8.0% but require an additional €12.8 billion of Tier 2 or higher-quality capital to meet the total capital target ratio of 10.5% (ie the 8.0% Tier 1 minimum plus the 2.5% CET1 capital conservation buffer) plus the surcharges on G-SIBs as applicable. Group 2 banks would need an additional €0.3 billion of Tier 2 or higher-quality capital to meet these respective total capital minimum and an additional €5.64 billion of Tier 2 or higher-quality capital to meet the total capital target ratio requirements. As indicated above, no assumptions have been made about bank profits or behavioural responses, such as changes in balance sheet composition that would serve to reduce the impact of capital shortfalls over time.

P a g e | 18


At the CET1 target level of 7.0% plus the surcharges on G-SIBs as applicable, the aggregate CET1 shortfall remained zero over the six-month period ending 30 June 2015 (see Graph 7). Among Group 2 banks the CET1 shortfall at the 7.0% target level improved considerably, falling roughly 90% from December 2014.

P a g e | 19


2.3 Level of capital Graph 8 shows the development of the level of CET1 capital of banks in the consistent sample assuming full phasing-in of Basel III separately for Group 1 banks, Group 2 banks and G-SIBs. From end-December 2014 to end-June 2015, the level of Group 1 banks’ CET1 has increased by €173 billion or 5.0% to €3,443 billion. Around two thirds of this increase, €109 billion, can be attributed to the G-SIBs in the sample which collectively held €2,346 billion of capital at June 2015. Group 2 banks’ CET1 has increased by €17 billion or 9% to €206 billion. Since end-June 2011, a consistent sample of Group 1 banks have increased their CET1 capital by 59.9%. The overall increase for the G-SIBs included in this sample is somewhat lower at 58.6%, while the CET1 of the consistent sample of Group 2 banks has increased by 54.9%.

The CET1 capital raised by the consistent sample of Group 1 banks (see Graph 9) varied between €37.3 billion in the first half of 2011 and €21.7 billion in the first half of 2015.

P a g e | 20


Of these amounts, capital raised by the G-SIBs in the sample was 38.6% in the first half of 2011 and 53.0% in the second half of 2015. For the consistent sample of Group 2 banks, capital raised was the lowest in the first half of 2013 at slightly more than €1 billion, while the amount raised in the first half of 2015 was €2.1 billion.

In the first half of 2015 the full sample of Group 1 banks raised €22.0 billion of CET1 capital (see Table 2). More than half of this amount was raised by G-SIBs within the sample. Group 2 banks collectively raised €11.3 billion of CET1 capital during the reporting period.

2.4 Composition of capital

P a g e | 21


The graphs below show the composition of total capital for Group 1 and Group 2 banks under transitional Basel III rules (Graph 10) and after full phasing-in of Basel III (Graph 11). For Group 1 banks, the share of fully phased-in Basel III CET1 to total capital is 82.5%. Additional Tier 1 and Tier 2 capital amount to 5.4% and 12.1% of the total capital of Group 1 banks, respectively. Of the Group 1 bank sample, approximately 35% hold Basel III CET1 representing 90% or more of Basel III total capital. In the Group 2 sample, banks hold a similar share of CET1 at 87.1% with shares of additional Tier 1 capital and Tier 2 capital amounting to 2.8% and 10.1%, respectively. Under transitional Basel III rules, the share of CET1 to total capital is lower at 75.1% for Group 1 banks and at 78.8% for Group 2 banks, with correspondingly higher shares of additional Tier 1 and Tier 2 capital.

P a g e | 22


Regarding the composition of Basel III CET1 capital itself, retained earnings (55.0% for Group 1 banks and 38.3% for Group 2 banks) and paid-in capital (38.6% for Group 1 banks and 46.2% for Group 2 banks) comprise the predominant form of gross CET1 outstanding. Accumulated other comprehensive income (AOCI) makes up a substantial portion of CET1 outstanding in a few countries but contributes only 5.9% of gross CET1 on average for Group 1 banks and 11.5% for Group 2 banks. Meanwhile, total minority interest given recognition in CET1 contributes only a respective 0.8% and 4.0% to the outstanding CET1 balances of Group 1 and Group 2 banks.

2.5 Leverage ratio The results regarding the Basel III leverage ratio are provided using the two following measures of Tier 1 capital in the numerator: • Transitional Basel III Tier 1, which is Tier 1 capital eligible under the national implementation of the Basel III framework in place in member countries at the reporting date, including any phase- in arrangements; and • Fully phased-in Basel III Tier 1 capital. Following publication of the January 2014 Basel III leverage ratio framework,16 the Basel III leverage ratio exposure measure in the

P a g e | 23


denominator of the Basel III leverage ratio includes: •on-balance sheet assets, excluding securities financing transactions and derivatives; • securities financing transaction (SFT) exposures with limited recognition of netting of cash receivables and cash payables with the same counterparty under strict criteria; • derivatives exposures at replacement cost (net of cash variation margin meeting a set of strict eligibility criteria) plus an add-on for potential future exposure based on the current exposure method (CEM); • written credit derivative exposures at their effective notional amount (net of negative changes in fair value that have been incorporated into the calculation of Tier 1 capital) reduced by the effective notional amount of purchased credit derivatives that meet offsetting criteria related to reference name, level of seniority and maturity; • off-balance sheet exposures, obtained by multiplying notional amounts by the credit conversion factors in the standardised approach to credit risk, subject to a floor of 10%; and • other exposures as specified in the Basel III leverage ratio framework. Total exposures of the 101 Group 1 banks and the 108 Group 2 banks in the sample were €78.3 trillion. Graph 12 presents summary statistics related to the distribution of Basel III leverage ratios based on transitional Basel III Tier 1 and fully phased-in Basel III Tier 1 capital. The graph provides this information for Group 1 banks, G-SIBs and Group 2 banks. The weighted average transitional Basel III Tier 1 leverage ratios would be 5.6% for Group 1 banks and for G-SIBs 5.5%, while it would amount to 5.6% for Group 2 banks. The weighted average fully phased-in Basel III Tier 1 leverage ratios are 5.2% for both Group 1 banks and G-SIBs, while for Group 2 banks the weighted average is 5.4%. The analysis shows that Group 2 banks, while showing a greater dispersion

P a g e | 24


as can be seen in Graph 12, are generally less leveraged than Group 1 banks, and this difference increases when fully phased-in Basel III Tier 1 capital is used as the numerator. Under the transitional Basel III Tier 1 leverage ratio, seven banks in the sample would not meet the 3% ratio level, all of them being Group 2 banks. While this represents an increase of three banks compared to the previous report, this increase is due to changes in the sample composition. Under the fully phased-in Basel III Tier 1 leverage ratio, also seven banks in the sample would not meet the 3% ratio level, all of them still being Group 2 banks, with an aggregate shortfall of €4.3 billion.

Graph 13 shows how the fully phased-in Basel III Tier 1 leverage ratios have evolved over time for a consistent sample of 91 Group 1 and 73 Group 2 banks, as well as for 30 G-SIBs, which provided leverage ratio data for all reporting dates from June 2011 to June 2015.

P a g e | 25


Graph 14 shows the evolution of the components of the capital ratios over time for a consistent sample of banks, ie banks that have consistently been providing the four data series for the period June 2011 to June 2015. The four components are Basel III Tier 1 capital, risk-weighted assets and the leverage ratio exposure measure, all assuming full implementation of Basel III, as well as accounting total assets. For Group 1 banks, capital steadily increased over the period, whereas leverage ratio exposures, which had followed a similar pattern until end-2012, decreased during 2013 and then has been increasing somewhat since 2014. Nevertheless, since June 2012, changes in leverage ratio exposure, accounting total assets and risk-weighted assets have been relatively modest. For Group 2 banks these three time series evolve more closely and have remained rather stable over the last four years. Group 2 banks also report significant increases in fully phased-in Basel III Tier 1 capital over the last reporting periods.

P a g e | 26


2.6 Relationship between the Basel III leverage ratio and risk-based capital requirements Table 3 below shows the migration of banks from bounded to non-bounded after Tier 1 capital rising to meet the target Tier 1 risk-based capital ratio. It shows in particular that 3.4% of the banks in the sample do not meet the minimum Basel III leverage ratio of 3%, even after Tier 1 capital rising to meet the target risk-based Tier 1 capital requirements.

Graph 15 below shows the interaction between the fully phased-in Basel III Tier 1 leverage ratios (horizontal axis) and the fully phased-in Basel III Tier 1 risk-weighted capital ratios (vertical axis).

P a g e | 27


Ratios of Group 1 banks are marked with red dots and those of Group 2 banks with blue dots. The dashed horizontal line represents a Tier 1 target capital ratio of 8.5%,18 whereas the dashed vertical line represents a Basel III Tier 1 leverage ratio of 3%. The diagonal line represents points where an 8.5% fully phased-in Basel III Tier 1 target capital ratio results in the same amount of required fully phased-in Basel III Tier 1 capital as a fully phased-in Basel III Tier 1 leverage ratio of 3%. By construction, it also represents a multiple of 8.5%/3%≈2.83 between risk-weighted assets and the Basel III leverage ratio exposure measure. Therefore, for banks plotted above the diagonal line, the Basel III Tier 1 leverage ratio requires more Tier 1 capital than the Tier 1 capital ratio (ie the Basel III Tier 1 leverage ratio becomes the constraining requirement). For banks plotted below the diagonal line, the target Tier 1 capital ratio requires more capital than the leverage ratio (ie the Tier 1 capital ratio remains the constraining requirement).

As shown in Graph 15, seven Group 2 banks do not meet the minimum fully phased-in Basel III Tier 1 leverage ratio of 3% (ie they are plotted left of the vertical dashed line).

P a g e | 28


Among those, one bank also does not meet the Basel III Tier 1 target capital ratio of 8.5% (hence they are plotted in the southwest quadrant of Graph 15). This graph also shows that the fully phased-in Basel III Tier 1 leverage ratio is constraining for 66 banks out of 207, including 34 Group 1 and 32 Group 2 banks – ie they are plotted above the diagonal line. Of these 66 banks, seven Group 2 banks also do not meet the minimum fully phased-in Basel III Tier 1 leverage ratio of 3% (hence they are plotted left of the vertical dashed line and above the diagonal line).

2.7 Pending settlement transactions Different accounting treatment of pending settlement transactions related to the purchase or sale of financial assets have been identified under IFRS and US GAAP with the potential of causing level playing field concerns across banks. IFRS gives entities the option to apply trade or settlement date accounting for regular purchases or sales of financial assets while US GAAP and Japanese GAAP require trade date accounting for banks and broker-dealers. In the latter case, for broker-dealers only, a netting option is provided to net the receivables and payables associated with pending settlement transactions. The Committee received 153 valid submissions on the specific panel associated with the treatment of pending settlement transactions. Table 4 shows the current distribution between Group 1 and Group 2 banks. According to this table, results differ across bank groups. Indeed, Group 2 banks tend to apply settlement date accounting, while the majority of Group 1 banks apply trade date accounting. Finally, banks using the trade date accounting with netting are mostly Group 1 banks.

P a g e | 29


2.8 Combined shortfall amounts Graph 16 below shows a breakdown of risk-based capital shortfalls and combined risk-based and Basel III leverage ratio capital shortfalls for Group 1 banks, Group 2 banks and G-SIBs. Each box consists of four bars. Note that the leftmost bar in each of the boxes (labelled with Minimum) shows the capital shortfall arising from a fully phased-in Basel III Tier 1 capital requirement of 6% and a fully phased-in Basel III total risk-based minimum capital requirement of 8%. In contrast, the second leftmost bar (also labelled with Minimum) shows the combined capital shortfall with respect to the fully phased-in Basel III Tier 1 capital ratio of 6%, the fully phased-in Basel III total risk-based minimum capital requirement of 8% and the fully phased-in Basel III Tier 1 leverage ratio requirement of 3%. These two bars are not applicable for Group 1 banks (and G-SIBs) as there is no shortfall at minimum level anymore. Similarly, the first bar on the right side (labelled with Target) shows the capital shortfall arising from not meeting the fully phased-in Basel III Tier 1 risk-based capital target of 8.5% and the fully phased- in Basel III total capital target of 10.5% plus, where applicable, the G-SIB surcharges, whereas the rightmost bar shows the combined shortfall arising from those target capital ratios and the fully phased-in Basel III Tier 1 leverage ratio of 3%. All Group 1 banks meet the target level for CET1 capital. For Group 2 banks, the CET1 capital shortfall required to meet the target

P a g e | 30


level is €0.2 billion (compared to €1.5 billion at end-December 2014). The CET1 shortfall amounts are driven purely by the risk-based capital requirements (the red bars do not change when introducing the Basel III Tier 1 leverage ratio requirement), since there is no minimum CET1 Basel III leverage ratio requirement examined here. However, the Basel III Tier 1 leverage ratio causes an increase in the additional Tier 1 capital shortfall of Group 2 banks, both at the minimum and target levels. At the both levels, the Basel III Tier 1 leverage ratio raises the additional Tier 1 capital shortfall by €4.3 billion (from zero to €4.3 billion and from €2.9 billion to €7.2 billion, respectively). If the Basel III Tier 1 leverage ratio is included in the calculation, Tier 2 capital shortfalls for the total capital targets are unchanged (ie the orange bars are equivalent to the yellow bars). This is explained by the fact that banks can also use the additional Tier 1 capital raised to meet the Basel III Tier 1 leverage ratio requirement in case there is a shortfall to meet the total risk-based capital ratio. Overall, the inclusion of applicable Basel III Tier 1 leverage ratio shortfalls has no impact on the capital shortfalls at the minimum or target levels for Group 1 banks. However, it increases the total capital shortfall for Group 2 banks by €4.3 billion at the minimum and target levels (from €0.3 billion to €4.6 billion and from €8.6 billion to €13.0 billion respectively).

P a g e | 31


3. Liquidity 3.1 Liquidity Coverage Ratio One of the two liquidity standards introduced by the Committee is the 30-day Liquidity Coverage Ratio (LCR), which is intended to promote short-term resilience against potential liquidity disruptions. The LCR has been designed to require global banks to have sufficient high-quality liquid assets to withstand a stressed 30-day funding scenario specified by supervisors. The LCR numerator consists of a stock of unencumbered, high-quality liquid assets that must be available to cover any net outflow, while the denominator comprises cash outflows less cash inflows (subject to a cap at 75% of outflows) that are expected to occur in a severe stress scenario. The LCR was revised by the Committee in January 2013 and came into effect on 1 January 2015. The minimum requirement is initially set at 60% in 2015 and will then rise in equal annual steps of 10 percentage points to reach 100% in 2019. Overall, 92 Group 1 and 68 Group 2 banks provided sufficient data in the

P a g e | 32


end-June 2015 Basel III monitoring exercise to calculate the LCR according to the revised standard. The average LCR was 123.6% for Group 1 banks and 140.1% for Group 2 banks, which compare to average LCRs of 125.3% and 144.3% for Group 1 banks and Group 2 banks, respectively, as of end-December 2014. The aggregate numbers under the revised LCR standard do not speak to the range of results across participating banks. Graph 17 below gives an indication of the distribution of bank results. Some 84% of all banks in the Basel III monitoring sample already meet or exceed the final LCR minimum requirement of 100%, while all have LCRs that are at or above the initial 60% minimum requirement. These results compare to 81% and 95% of all banks meeting the 100% and 60% minimum requirements, respectively, as of end-December 2014.

For the banks in the sample, Basel III monitoring results show a shortfall (ie the difference between high-quality liquid assets and net cash outflows) of €57 billion (which represents approximately 0.1% of the €64.2 trillion total assets of the aggregate sample) as of end-June 2015. This compares to a shortfall of €147 billion (which represents approximately 0.2% of the €62.0 trillion total assets of the aggregate sample) as of end-December 2014.

P a g e | 33


This number is reflective only of the aggregate shortfall for banks that are below an LCR minimum requirement of 100% and does not reflect surplus liquid assets at banks above a 100% requirement. Given that no bank reported an LCR below 60%, there was consequently no aggregate shortfall at a minimum requirement of 60% as of end-June 2015, compared with €70 billion as of end-December 2014. The key components of outflows and inflows are shown in Table 5. Group 1 banks show a notably larger percentage of total outflows, when compared with balance sheet liabilities, than Group 2 banks. This can be explained by the relatively greater contribution of wholesale funding activities and commitments within the Group 1 sample, whereas Group 2 banks, as a whole, are less reliant on these types of activities.

P a g e | 34


75% cap on total inflows As at end-June 2015, no Group 1 and 5 Group 2 banks reported inflows that exceeded the 75% cap. Of these 5 Group 2 banks, all exhibit LCR ratios well above the minimum requirement of 100%.

Composition of high-quality liquid assets The composition of high-quality liquid assets (measured after application of the LCR haircuts) currently held at banks is depicted in Graph 18. The majority of Group 1 and Group 2 banks’ holdings, in aggregate, are comprised of Level 1 assets (almost 90%); however, the sample as a whole shows diversity in their holdings of eligible liquid assets. Within Level 1 assets, 0% risk-weighted securities issued or guaranteed by sovereigns, central banks and public sector entities, and cash and central bank reserves comprise the most significant portions of the qualifying pool. By comparison, within the Level 2A asset class, the majority of holdings comprise 20% risk-weighted securities issued or guaranteed by sovereigns, central banks or public sector entities. Eligible non-financial common equity shares comprise the majority of holdings of Level 2B assets.

P a g e | 35


Caps on Level 2B and Level 2 assets Due to the 15% Level 2B cap and the 40% overall Level 2 cap, €510 million of Level 2 assets are excluded from high-quality liquid assets. In total, four banks are constrained, of which three banks are constrained only by the Level 2B cap and one bank is constrained only by the Level 2 cap. No bank is constrained by both caps. Of the four total banks that are constrained, one fails to meet an LCR minimum requirement of 100%.

Comparison of liquid assets and inflows to outflows and caps Graph 19 combines the above LCR components by comparing liquidity resources (pool of high-quality liquid assets and inflows) to outflows. Note that the €2,011 billion gross surplus shown in the graph differs from the €57 billion gross shortfall at an LCR minimum requirement of 100% that is noted above, as it is assumed here that excess assets at one bank can offset those at another. In practice the aggregate position in the industry is likely to lie somewhere between these two numbers depending on how efficiently banks redistribute liquidity around the system.

P a g e | 36


3.2 Net Stable Funding Ratio The second liquidity standard introduced by the Basel III reforms is the Net Stable Funding Ratio (NSFR), a longer-term structural ratio designed to reduce funding risk over a longer time horizon by requiring banks to fund their activities with sufficiently stable sources of funding in order to mitigate the risk of future funding stress. Overall, 100 Group 1 and 102 Group 2 banks provided sufficient data in the end-June 2015 Basel III monitoring exercise to calculate the revised NSFR according to the standard issued by the Committee in October 2014. Some 79% of Group 1 banks and 83% of Group 2 banks already meet or exceed the 100% minimum NSFR requirement, with 92% of Group 1 banks and 94% of Group 2 banks at an NSFR of 90% or higher as of end-June 2015. This compares to 75% of Group 1 banks and 85% of Group 2 banks which met or exceeded the 100% minimum standard, with 92% of Group 1 banks and 93% of Group 2 banks that had an NSFR 90% or higher in the end-December 2014 period. The weighted average NSFR was 111.9% for Group 1 banks and 114.0% for Group 2 banks at end-June 2015 compared to 111.2% and 113.8% respectively, at end-December 2014. Graph 20 shows the distribution of results for Group 1 and Group 2 banks; the red line indicates the 100% minimum requirement, the black horizontal lines inside the boxes indicate the median for the respective bank group.

P a g e | 37


Banks in the sample had a shortfall of stable funding24 of €415 billion at end-June 2015 compared to €576 billion at end-December 2014. This number is reflective only of the aggregate shortfall for banks that are below the 100% NSFR requirement and does not reflect any surplus stable funding at banks above the 100% requirement. Banks that are below the 100% required minimum have until 2018 to meet the standard. For the 100 Group 1 banks in the sample, the shortfall, as described above, is €374 billion at end-June 2015 compared to €526 billion at end-December 2014. For the 102 Group 2 banks in the sample, the shortfall, as described above, is €41 billion at end-June 2015 compared to €50 billion at end-December 2014.

Stable funding sources Deposits from retail and small business customers (ie “stable” and “less stable” deposits, as defined in the LCR) accounted for a significant portion of stable funding for banks in the sample, representing just under half of total weighted available stable funding for both Group 1 banks (46%) and Group 2 banks (48%). To a lesser degree, banks in the sample utilised funding from financial counterparties, which represented roughly 16% of total weighted available

P a g e | 38


stable funding. By comparison, funding from non-financial corporate counterparties accounted for 14% of total weighted available stable funding.

Funding requirements The NSFR assumes short-dated (ie maturing in less than one year) and higher quality assets require a smaller proportion of stable funding relative to longer term and lower quality assets. Indeed, much of the stable funding requirement across all banks in the sample was related to longer term assets such as loans. Loans with longer terms, including mortgages, represented roughly half of the stable funding requirement across all banks. By comparison, higher quality assets, such as HQLA securities, represented less than 5% of the total stable funding requirement. Assets encumbered for more than six months represented 11% of total stable funding requirement (the NSFR treats assets encumbered for less than six months as unencumbered).

P a g e | 39


Comprehensive QIS on interest rate risk in the banking book Background A Quantitative Impact Study (QIS) was conducted on end-June 2015 data in order to assess the feasibility and impact of the proposed revisions to the regulatory framework for interest rate risk in the banking book (IRRBB) outlined in the consultative document published by the Committee in June 2015. The consultative document presented two options for the capital treatment of IRRBB, namely: 1. A Pillar 1 (minimum capital requirements) approach based primarily on a standardised approach; the consultative document proposed four different options for the standardised calculation of minimum capital requirements; and 2. An enhanced Pillar 2 approach under which banks would be allowed to use their internal measurement systems (IMS) for IRRBB (and credit spread risk in the banking book) for assessing their capital adequacy subject to supervisory review and approval and which includes quantitative disclosure of IRRBB based upon banks' internal measurement systems and the fallback standardised approach. The main features of the proposed Pillar 1 standardised approach can be

P a g e | 40


summarised as follows: • The measure for calculating minimum capital requirements is mainly based on an economic value of equity (EVE) approach, but in order to mitigate incentives for banks to focus exclusively on hedging duration, the EVE measure has been complemented by a so-called simple earnings overlay (NII); • Under both the EVE and NII measures, all future notional repricing cash flows of interest-rate sensitive assets, liabilities and off-balance sheet positions are projected into a series of predefined time buckets; • However, for products in the banking book which have been identified as less or not amenable to standardisation (ie automatic interest rate options, non-maturity deposits (NMDs), fixed rate loans with prepayments, term deposits with early redemption risk and fixed-rate loan commitments or pipelines) banks may be allowed to use their internal estimates, sometimes with constraints and fallbacks for slotting positions, and subject to supervisory approval; • Regarding the interest rate shock scenarios, the baseline approach specifies six scenarios (including upward/downward parallel shifts, steepening, flattening, short rate up and down) selected based on criteria including the severity, redundancy and frequency of each scenario. For each shock scenario, the absolute shock levels are computed by multiplying the globally determined shock parameter with the local interest rate levels, in order to reflect differences in the local rate environment, subject to defined caps and floors; and • The proposal also includes an approach for calculating capital requirements for basis risk in the banking book, ie the risk of losses associated with relative changes in interest rates for financial instruments that have similar tenors but are priced of different reference rates. The objective of the IRRBB QIS has been to inform the Committee’s final policy decision and among others to: 1. assess the outcome of the four proposed options for calculating minimum capital requirements using the standardised approach as set out in the June 2015 consultative document; 2. assess the outcome of banks’ IMS to quantify their IRRBB;

P a g e | 41


3. assess the preliminary calibration of the standardised behavioural parameters in the consultative document with respect to banks’ internal estimates; and 4. assess the pertinence of the design and calibration of the predefined interest rate shock scenarios also with a view of further reducing the numbers of scenarios. This special feature summarises (i) a detailed analysis of the materiality of the components (ie EVE, NII, basis risk and net interest profit (NIP)) of the standardised approach for calculating minimum capital requirements; (ii) the overall results on the four options for the standardised approach for calculating minimum capital requirements as well as for the IMS; (iii) an analysis of the impact of the interest rate shock scenarios; and (iv) an analysis of the distribution of standardised as well as banks’ internal estimates of behavioural parameters.

Sample of banks and data quality This special feature summarises voluntary and confidential data submissions from individual banks and their national supervisors. A total of 153 banks from 20 member countries provided data for this part of the study, including 79 large internationally active (“Group 1”) banks, of which 23 G-SIBs, and 74 other (“Group 2”) banks.

P a g e | 42


In terms of the quality of the data submissions, a significant number of participating banks had difficulties reporting notional repricing cash flows for fixed rate loan commitments (pipelines), economic values of automatic interest rate options held in the banking book, basis risk exposures as well as NIP figures. Banks also experienced difficulties in specifically separating the notional repricing cash flows from retail transactional NMDs and either did not completely report those values, or chose the simplified approaches that did not require detailed reporting of the separated notional repricing cash flows. Table 2 shows the number of banks out of the 153 banks that submitted data for at least one currency in the QIS.

P a g e | 43


Key findings Overall materiality of EVE measures vs general and basis risk NII measures Total IRRBB capital requirements as per the consultative document are the result of some combination of EVE losses (including an add-on for the loss in economic value associated with explicit and embedded automatic interest rate options held in the banking book) and NII losses. The NII measure is broken down into a general NII and a basis risk NII component. The basis risk NII measure in turn is further broken down into a reference rate basis risk and a tenor basis risk component. NIP is an accounting based measure of the past net income in the banking book less overheads and other expenses. Table 3 shows that the weighted average delta NII as a percentage of CET1 capital is around 3% for both Group 1 and Group 2 banks. The impact of the reference rate and tenor rate basis is similar for Group 1 and Group 2 banks, but this is probably due to the difficulty banks had in reporting the information on basis risk. Table 3 also shows that the materiality of EVE is much higher than the materiality of NII (including basis risk).

P a g e | 44


Minimum capital requirements under the IRRBB standardised approach and the banks’ internal measurement systems Table 4 shows the distribution of the hypothetical CET1 ratios under the four consulted options for the IRRBB standardised approach as well as under the banks’ IMS. From the data received in the QIS, 83 banks (49 Group 1 banks, including 16 G-SIBs, and 34 Group 2 banks) were able to report the impact under all four of the consulted options, as well as under their IMS. Compared to the current total Pillar 1 capital requirements under Basel III, the CET1 ratios using national implementation rules, adding minimum capital requirements for IRRBB calculated based on option 1 (pure EVE capital requirements measure) of the proposed standardised approach would, on a weighted average basis for a consistent sample of banks, lead to a decline of the CET1 ratios from 12.2% to 10.3% for Group 1 banks. For G-SIBs within Group 1 banks, the weighted average CET1 ratio would decline from 12.0% to 10.1%, and for Group 2 banks, the impact is even greater, with the corresponding CET1 ratios declining from 12.1% to 9.3%. A similar impact is observed under options 2 and 3. Option 2 considers the highest of the EVE and NII loss measures as the minimum capital requirement. Option 3 is similar to option 2, but allows banks to offset earnings-based gains from the same interest rate scenario against EVE-based losses.

P a g e | 45


The capital impact under option 4 is smaller as compared to the other options. Under option 4, which allows for an offset through NIP (which is based on past accounting profit and loss measures) against EVE and earnings-based losses, the CET1 ratios would decline from 12.2% to 10.9% for Group 1 banks. For G-SIBs within Group 1 banks, the weighted average CET1 ratio would decline from 12.0% to 10.6%, and for Group 2 banks the CET1 ratios would decline from 12.1% to 10.0%. However, the numbers need to be interpreted with caution as many banks used approximations and estimations to calculate their NIP values (ie option 4).

This subsection further compares banks’ IMS for IRRBB with the standardised approach options proposed in the consultative document. As the IMS numbers reported in the QIS are measured by an EVE measure only, it is best compared to the standardised approach measure under option 1, which is also a purely EVE-based measure. Graph 1 below provides scatter plots of IMS numbers and numbers based on option 1 of the standardised approach. The left panel displays for each Group 1 bank, the IMS-based measure of ∆EVE (horizontal axis) and the corresponding standardised measure of

P a g e | 46


∆EVE (vertical axis) both expressed as a percentage of CET1. The right panel of Graph 1 shows the results of the same analysis for Group 2 banks.

In general, banks with a high IMS-based impact of interest rate shocks (horizontal axis) tend to exhibit also higher standardised IRRBB measures (vertical axis). This correlation is more pronounced for Group 1 banks than for Group 2 banks. Overall, the correlation between the outcome of banks’ IMS and option 1 in the sample is relatively high at 0.827. The vast majority of Group 1 banks and around one-third of Group 2 banks have both IMS-based and standardised IRRBB measures of EVE below 10% of their CET1, indicating that the difference between their IMS and the standardised approach is relatively low.

Impact of interest rate shock scenarios on EVE The standardised methodology of the consultative document considers the change in EVE under six different interest rate shock scenarios, namely (1) a parallel upward shift;

P a g e | 47


(2) a parallel downward shift; (3) a steepening of the yield curve; (4) a flattening of the yield curve; (5) a short-end upward shift; and (6) a short-end downward shift. For each bank, the scenarios are rank ordered from 1 to 6 with respect to the generated EVE loss (ie the interest rate shock scenario generating the maximum EVE loss is ranked 1, etc). The impact of the interest rate shock scenarios is shown in Table 5 and Table 6.

Analysis of behavioural parameters

P a g e | 48


Stability rates and pass-through rates of non-maturity deposits Non-maturity deposits (NMDs) are defined as liabilities of banks in which the depositor is free to withdraw at any time since they have no contractually agreed maturity date. Despite the contractual position, part of the balances of NMDs behaves as a long term, rate-insensitive liability (insensitive even to a large interest rate shock). Such NMDs are called core deposits. Under the Time Series Approach (TIA) proposed in the consultative document banks are required to estimate so-called stability rates, ie the proportion of NMDs that is found to remain undrawn with a high degree of likelihood, and pass-through rates, ie the rate-sensitive part of the stable deposits, to determine the proportion of core deposits, subject to constraints. Three segments of NMDs are prescribed under the TIA, namely (i) retail transactional NMDs; (ii) retail non-transactional NMDs; and (iii) wholesale NMDs. Non-core deposits are assumed to reprice overnight whereas core deposits must either be slotted uniformly across time buckets up to six years or alternatively, at the bank’s discretion, up to six years provided the average maturity does not exceed three years. Table 7 below provides an overview of the proposed values for the stability caps, pass-through floors and the implied cap on core deposits for the three NMD segments.

P a g e | 49


Table 8 below shows weighted average values of the stability and pass-through rates across Group 1 and Group 2 banks applying the proposed constraints (standardised) and the unconstrained estimates in the QIS sample. The last column shows the average implied maturity of core deposits.

The results show that the imposed constraints have a significant impact on the average implied maturity of core deposits across all segments in particular for Group 2 banks.

Analysis of prepayment rates The ability of a borrower to repay a fixed rate loan is an important behavioural option on banks’ balance sheets.

P a g e | 50


Prepayments, or parts thereof, for which the economic cost is not charged to the borrower, are referred to as uncompensated prepayments. The consultative document proposed a standardised fallback and an internal estimates approach for slotting the notional repricing cash flows of loan products where the economic cost of prepayments is never charged, or only charged for prepayments above a certain threshold. Under the standardised fallback banks are required to apply a scalar multiplier under each of the six prescribed interest rate shock scenarios to the so-called conditional prepayment rate (CPR) for the baseline interest rate scenario 0 to slot their notional repricing cash flows. Under the internal estimates approach banks may use their unconstrained internally measured prepayment speeds (IMPS) under each of the six prescribed interest rate shock scenarios to slot their notional repricing cash flows. Table 9 below shows the weighted average CPR and IMPS under the baseline interest rate scenarios as well as following the six prescribed interest rate shock scenarios.

The results show that the range of the weighted average CPR values is wider than the range of banks’ IMPS values under the six prescribed interest rate shock scenarios.

Statistical Annex

P a g e | 51


P a g e | 52


P a g e | 53


P a g e | 54


P a g e | 55


P a g e | 56


P a g e | 57


P a g e | 58


P a g e | 59


P a g e | 60


P a g e | 61


2016 EU-wide stress test: Frequently Asked Questions Scope 1. Why does the EBA run an EU-widestress test? The EU-wide stress test serves as a common foundation on which national authorities can base their supervisory assessment of banks’ resilience to relevant shocks, in order to identify residual areas of uncertainties, as well as appropriate mitigation actions. Moreover, the exercise strengthens market discipline, through the publication of consistent and granular data on a bank by bank level illustrating how balance sheets are affected by common shocks.

2. Who is involved? The EU-wide stress test is initiated and coordinated by the EBA and undertaken in cooperation with the Competent Authorities (the Single Supervisory Mechanism for the euro area banks), the European Central Bank (ECB), the European Systemic Risk Board (ESRB) and the European Commission (EC). The 2016 exercise covers a sample of 51 banks representing about 70% of EU banks total assets.

3. How does it work in practice? The EBA develops a common methodology that is applied by all the banks in the sample and checked by supervisors. The EBA also acts as a data hub for the final dissemination of the outcome of the common exercise. Competent Authorities (CAs) are responsible for the quality assurance process and the supervisory reaction function. The EBA supports the CAs’ quality assurance process by providing common quality assurance guidelines and EU-wide descriptive statistics on the main risk parameters.

4. Will banks under take an asset quality review ahead of the stress test?

P a g e | 62


In 2016, the stress test will not be preceded by a coordinated EU-wise asset quality review (AQR) as it was the case in 2014. However, the assessment of asset quality is regularly undertaken by CAs as part of their supervisory work.

Process and roles 5. What is the role of the EBA? The EBA is responsible for developing and providing CAs with a common methodology to allow them to undertake a rigorous assessment of banks’ resilience under stress in a common and comparable way. The ESRB is responsible for designing a common adverse scenario on which the stress test can be run. The EC provides the baseline scenario. The EBA also provides CAs with EU descriptive statistics on risk parameters for the purposes of consistency checks. Furthermore, the EBA acts as a data hub for the final dissemination of the common exercise, thus ensuring transparent and comparable disclosure of banks’ results. Finally, the EBA plays a key role in ensuring effective communication and coordination between home and host authorities in the framework of colleges of supervisors.

6. What are the roles of national Competent Authorities (CAs) and the Single Supervisory Mechanism? CAs, including the Single Supervisory Mechanism for the euro area banks, are responsible for ensuring that banks correctly apply the common methodology developed by the EBA. In particular CAs and the SSM are responsible for assessing the reliability and robustness of banks’ assumptions, data, estimates and results. Furthermore, CAs and the SSM are responsible for the quality assurance process as well as for the resulting supervisory actions.

P a g e | 63


7. What banks will be involved in the stress test? The 2016 EU-wide stress test exercise will be carried out on a sample of banks covering about 70% of the EU banking sector, as expressed in terms of total consolidated assets as of end 2014. It will include 51 EU banks from 15 European countries.

8. Why has the sample shrunk compared to the 2014 EU-wide stress test and also to the 2015 EU-wide transparency exercise? Following a wide ranging exercise in 2014, the EBA decided to focus on a more homogeneous sample of large banks, to ensure greater comparability while ensuring a significant coverage of EU banking assets. The 2016 EU-wide stress test exercise is carried out on a sample of 51 banks covering broadly 70% of the national banking sector in the Eurozone, each non-Eurozone EU Member State and Norway, as expressed in terms of total consolidated assets as of end 2014. To be included in the sample, banks have to have a minimum of EUR 30 bn in assets. This threshold is consistent with the criterion used for inclusion in the sample of banks reporting supervisory reporting data to the EBA, as well as with the SSM definition of a significant institution. Smaller banks not included in the 2016 EU-wide stress test will be tested by their relevant competent authorities as part of the SREP Process.

Timeline and disclosure 9. What is the timeline for the stress test? After the launch of the exercise, banks will proceed to estimate the impact of the adverse scenario on banks’ balance sheets. Banks’ results will be quality assured and challenged by the CAs. This can lead to resubmissions and possible additional iterations.

P a g e | 64


The EBA expects to publish the final results of the 2016 EU-wide stress test by early Q3 2016.

10.How will data and results be published? The most important aspect of the EBA’s common EU-wide exercise is the disclosure of comparable and consistent data and results across the EU. Results will be disclosed on a bank by bank basis and the EBA will act as a data hub for the final dissemination of the outcome of the common exercise. The level of granularity of the data disclosed will be consistent with that of the 2014 EU-wide stress test and 2015 EU-wide transparency exercise. It will include the capital position of banks, risk exposures, and sovereign holdings. The credibility of the EU-wide stress test rests on transparency. Market participants will be able to determine for themselves how supervisors and banks are dealing with remaining pockets of vulnerability.

Methodological aspects and scenario 11.Why have you moved from a ‘pass or fail’ stress test to an exercise where no specific capital hurdle is defined? The objective of the crisis stress tests was to identify possible capital shortfalls and require immediate recapitalisation actions. As banks have now moved to a more steady-state setting, the aim of the 2016 exercise is rather to assess remaining vulnerabilities and understand the impact of hypothetical adverse market dynamics on banks. Although no hurdle rates or capital thresholds are defined for the purpose of the exercise, CAs will use stress test results as an input to the Supervisory Review and Evaluation Process (SREP). In addition the publication of capital ratios will enable market participants to make their own assessment.

P a g e | 65


12. What are the key methodological changes compared to the previous exercise? The building blocks of the common methodology are rather similar to those of the 2014 exercise. Some improvements have been included for both refining the previous methodology, based on prior experience, and addressing new relevant risks. In this regard, a methodology to estimate conduct risk-related losses is now included. Additionally, a more precise treatment of FX lending risk and hedging, together with a refinement of the net interest income (NII) methodology, were also introduced.

13.How will the EBA ensure consistency between both Eurozone and non-Eurozone countries in the conduct of the exercise? The aim of an EU-wide stress test is to assess the resilience of financial institutions across the Single Market to adverse market developments. Consistency in the way the exercise is conducted across the EU is necessary to ensure a rigorous assessment as well as comparability of data. To this end, two elements are crucial: (1) a common methodology and consistently applied constraints, such as a static balance sheet, which will provide market participants and institutions with a common exercise to contrast and compare EU banks under adverse market conditions; (2) a common baseline and adverse macro-economic scenario. In addition, the EBA will provide comparative analysis at the end of the quality assurance process by CAs and bank results will be discussed in in the framework of colleges of supervisors involving home and host authorities, as well as the EBA.

14.What is the scope of consolidation? The EU-wide stress test will be conducted on the highest level of consolidation (group level).

P a g e | 66


Subsidiaries of banks in the European Economic Area are excluded given the Single Market perspective of the exercise.

15. How will the stress test results feed into the SREP process? The 2016 EU-wide stress test will be one crucial piece of information in the SREP process in 2016. The results of the stress test will allow CAs to assess banks’ ability to meet applicable minimum and additional own funds requirements under the stress conditions against the common scenarios and assumptions. Furthermore, the results of the stress tests will be a solid ground for a discussion with individual banks to better understand relevant management actions and how their capital planning may be affected by the stress and ensure that the banks will be above the applicable capital requirements. As stated in the EBA Guidelines on common procedures and methodologies for the SREP, CAs are expected to factor the results of the EU-wide Stress test, together with ICAAP and other supervisory stress tests and other assessments into the assessment of banks’ adequacy of own funds, and in particular their ability to meet the own funds requirements over the economic cycle. Supervisors have a wide range of tools available which will be applied on a case by case basis. In order to inform the SREP process, the timeline of the exercise has been brought forward compared to 2014.

16.How will the stress test results be used for cross border banks? The results of the stress test forming a vital part of information for SREP purposes will be discussed within the framework of colleges of supervisors established for cross-border banks. Any measures affecting additional own funds requirements (Pillar 2 requirements) will be jointly agreed by the members of the colleges, as required under the legislation of joint decisions on institutions-specific prudential requirements. In order to inform the SREP process and the calendar of the joint decisions

P a g e | 67


in 2016, the timeline of the exercise has been brought forward compared to 2014.

P a g e | 68


Building a sound global Islamic financial system Opening remarks by Dr Zeti Akhtar Aziz, Governor of the Central Bank of Malaysia (Bank Negara Malaysia), at the Islamic Financial Services Board (IFSB) - Meet the Members & Industry Engagement Session, Kuala Lumpur It is my pleasure to welcome you to this Industry Engagement Session organised by the IFSB. Since its introduction in 2012, these sessions have drawn encouraging response from the members and the industry. Such an interface between the regulators, industry and the IFSB has become even more important in the current environment in which greater global attention is being accorded to the reform of prudential regulations. The strengthening of such an interface provides an important platform for building greater understanding on the expectations, issues and areas of concern amongst the regulators, the industry and the IFSB. With more than a decade since the inauguration of the IFSB in November 2002, the IFSB has built a solid global reputation as a prudential standard-setting body for Islamic finance. Its achievements also include initiatives to increase international regulatory cooperation, to encourage uniformity of regulatory frameworks and the efforts to enhance the monitoring of financial risks in the Islamic financial system. The enhanced stability and resilience of the current global Islamic financial system is reinforced by its vibrant growth and its increasing internationalisation and integration into the international financial system. This is a realisation of the aspirations and vision of the IFSB Founding Members. The IFSB has also made significant advancements in taking forward the recommendations made in the Islamic Finance and Global Financial Stability Report 2010 towards achieving financial stability in the national and the international Islamic financial system.

P a g e | 69


The prudential standards including that for liquidity management issued by the IFSB takes into account the unique characteristics of Islamic finance and are also designed to not impose any regulatory burden while upholding the financial stability agenda. The effective implementation of the standards issued by the IFSB is key towards promoting the soundness and stability of Islamic financial institution. To enhance this prospect, the IFSB has strengthened its role in facilitating greater jurisdictional preparedness in the adoption of these standards through the provision of technical assistance to its members. Malaysia is one of the jurisdictions that has adopted and operationalised the prudential standards and the guiding principles that have been issued for the industry. The implementation of these standards and guiding principles support the regulatory framework that we now have in place in our Islamic financial system. As the industry is aware, it places emphasis on the enforcement of standards for capital adequacy, effective risk management practices, liquidity management, greater financial disclosure and governance, reinforced by a strong Shariah and legal framework. Among the important initiatives of the IFSB is also the establishment of the International Islamic Liquidity Management Corporation (IILM) in 2010 which has changed the landscape for liquidity management in the international Islamic financial system, particularly in strengthening the cross-border liquidity arrangements among the Islamic financial institutions. A further initiative during the same year was the introduction of the Islamic Financial Stability Forum (IFSF), set up in 2010 to further solidify the global efforts in areas that will contribute towards safeguarding financial stability. Deliberations on wide ranging issues that pertain to risks to financial stability in the Islamic financial system have taken place at this forum. Greater awareness on issues relating to regulation and supervision of Islamic finance have also been raised at international meetings, conferences, seminars, workshops and other dialogues that have been

P a g e | 70


organised by the IFSB in many countries across several continents. The initiatives and milestones achieved by the IFSB have indeed paved the way for jurisdictions across the globe to build a solid foundation for the progressive growth of Islamic finance that is underpinned with stability. Additionally, the early recognition by the IFSB of the increasing interconnectivity in a financial system, the IFSB, unlike other prudential standard setting bodies, has advanced its mission through the development of prudential standards for a broader coverage that includes the banking, capital market and insurance or takaful sectors. The prudential standards issued by the IFSB takes into account the specificities of Islamic finance and the dynamics of the various Shariah contracts used in the wide ranging products offered by Islamic financial institutions. It is within this context that Islamic financial institutions are able to perform its role more effectively as financial intermediaries that are differentiated from its conventional counterparts. With greater readiness, Islamic financial institutions can strategically position themselves to further realise the true value proposition of Islamic finance, particularly as a financial regime that places emphasis on risk-sharing and that further strengthens the link of finance to the real economy. Of importance, industry players will be better positioned to ride the evolutionary waves of financial innovation that is prevalent in Islamic finance in order to enable greater offerings of risk-sharing products to customers and businesses. In Malaysia, Islamic banks now have the potential to be better able to pursue their role as investment intermediaries through the offering of investment accounts in addition to the entrenched deposit products, in which various modes of risk-sharing contracts can be applied. This is supported by the legal recognition of investment accounts in the Islamic Financial Services Act 2013 (IFSA). It provides a differentiation between the deposit account and the investment account which offers a new investment avenue that caters for a wider range of investor risk-return preferences.

P a g e | 71


In contrast to the deposit account, these funds are being channelled directly to finance entrepreneurship in productive activities. In promoting entrepreneurship and value-creating activities, it also contributes towards generating growth and enhances the prospects for job creation. Additionally, the Investment Account Platform (IAP) that is currently being developed will provide a centralised multi-bank platform as a new financing option for entrepreneurs with viable projects as well as an opportunity for the investing public to finance these projects. It is encouraging that to date, eight Islamic banks are offering investment accounts to their customers. More are expected to follow when the value proposition of such investment accounts, with its unique features and the different target market become better understood. The industry-led communication by the Association of Islamic Banking Institutions Malaysia will contribute towards increasing the awareness of customers on the concept and on the key features of investment account. The latest establishment of a consortium developed by four Islamic banks to develop and operate the IAP which is to be launched next month is also another initiative to advance this new offering. In the development of the investment account, it will be essential for Islamic banks, investors and entrepreneurs to embrace the different approaches in the management of the risk and return relationships that are embedded in the variations of the Shariah contracts used in such investment accounts. These relationships need to be well understood by the parties involved and which are aligned with clear contractual and operational requirements. The IFSB has an important role in not only providing guidance but also in initiating the convergence of the different practices between IFSB members with regard to the treatment of the investment account - also referred to as profit sharing investment account (PSIA) - in the IFSB standards. More in-depth work can also be explored by the IFSB on the prudential requirements for the investment account to further ensure a conducive

P a g e | 72


environment for such risk-sharing offerings. The global Islamic financial system is now operating at a time when the international economic and financial environment has become immensely more challenging. New risks that are more complex, with more profound systemic implications are emanating with the increasing forces of financial liberalisation, globalisation, technological advancement, intensified competition, financial innovation and the internationalisation of Islamic finance. Cumulatively, these developments necessitate greater prudential regulation and supervisory oversight to ensure a resilient and sustainable financial system. The role of the IFSB remains instrumental and paramount as we face a time of increasing uncertainties. Continuous and stronger support for the IFSB, particularly from its members including in actively providing feedback on its Consultative Papers and in the participation in IFSB related events, supported by the existing collaboration and cooperation among the regulators would collectively strengthen the potential for the IFSB to manage its journey ahead. Greater concerted efforts by members to consistently adopt and implement the prudential standards issued by the IFSB will not only contribute towards preserving financial stability but it will also enhance regulatory harmonisation across jurisdictions. These efforts will indeed place us on a path to realising our quest and shared aspirations for a more resilient and sound global Islamic financial system. It is also timely for the IFSB to elevate its level of engagement and connectivity with other international standard setting bodies. This would enable the framework for financial stability in the context of Islamic finance to interface with the arrangements that exists for the conventional financial system, therefore avoiding any fragmentation in the global regulatory framework.

P a g e | 73


Malaysia, as the host of the IFSB will continue to be committed to support its development and its potential as a prudential standard-setting body in the international financial system. On that note, I wish you a productive session today and look forward to the constructive outcomes of this engagement.

P a g e | 74


Banks and the German economy - will they continue to work hand in hand? Speech by Dr Andreas Dombret, Member of the Executive Board of the Deutsche Bundesbank, at the 4th Regensburger Wirtschaftsgespräch, Industrie- und Handelskammer (IHK) Regensburg, Regensburg.

1. Introductory remarks Mr Witzany President Olschok Ladies and gentlemen I am delighted to be here in Regensburg to speak to you today. Over the next hour, I would like to discuss with you whether banks and savings banks and enterprises will be able to continue working hand in hand in future to tackle the challenges of business life. I have learned that the forum provided by your first Wirtschaftsgespräch already discussed to what extent the sometimes complex rules of the Basel III framework might affect the supply of credit to small and medium-sized enterprises (SMEs) in particular. I would now like to revisit that debate and continue it in my speech.

2. Banks and enterprises: for or against each other? Mark Twain once said, "A banker is a fellow who lends you his umbrella when the sun is shining, but wants it back the minute it begins to rain." I probably don't have to point out that bankers aren't, of course, like that - well, at least most of them aren't. On the contrary, banks often play a very important role for enterprises and for the economy as a whole. They act as mediators between those who invest capital and those who need it. They finance investments, they take on and manage risks, they settle payments and they play a supporting role for enterprises in IPOs.

P a g e | 75


That means that businesses need banks, but that banks also need businesses. As at the end of last year, German banks and savings banks had lent a total of far over €900 billion to domestic enterprises alone - that corresponds to just under 12% of their consolidated balance sheet total. Their lending business, in particular with corporate clients, is therefore a key pillar of our domestic credit institutions' business activity. I am certainly not exaggerating when I say that this kind of cooperation between banks and savings banks and enterprises works well in Germany in the vast majority of cases. The traditional concept of the "house bank", or relationship banking, has major importance in particular for the German Mittelstand. Many enterprises work together with just a single credit institution, and, in a lot of cases, have done so for many years. Nevertheless, the recent financial crisis has not left the relationship between credit institutions and enterprises unaffected. The banks' standing was severely damaged, a lot of trust was forfeited, and quips like that by Mark Twain started making the rounds again. The loss of trust went so far that some enterprises made enquiries at the Bundesbank during the crisis about whether they could open an account with us, because they said that they no longer had any confidence in the commercial banks. At the same time, massive government financial rescue packages were being put together - without them it is likely that there would have been a complete collapse of the financial system with even more serious consequences for the real economy.

3. Banking regulation: we'll soon be there The financial crisis and the ensuing global financial crisis have made it abundantly clear to us how closely interlinked the financial system and the real economy are. We have learned that institutions can be so large that they can't really be

P a g e | 76


removed from the market - this is known in the debate as the "too big to fail" problem. We are also aware that credit institutions' bonus systems can get out of hand and generate destabilising effects if they are geared excessively to short-term profits and ignore long-term risks. And we now know that the banks' high degree of interconnectedness and phenomena such as herding behaviour can indeed give rise to risks for the financial system, even though each individual bank is stable when viewed in isolation. Comprehensive reforms were and are therefore still necessary in order to create a secure financial system that reliably fulfils its actual purpose for the real economy. And that is why we have seen many new regulatory initiatives over the past few years. Today, seven and a half years after the collapse of Lehman Brothers - which for many was the beginning of the financial crisis - we are significantly closer to our goal than ever before. In response to the financial crisis, the G20 countries have worked on improving the resilience of the individual banks. Strengthening the individual banks as the smallest component part of the financial system strengthens the system itself. With this goal in mind, in 2010 the Basel Committee on Banking Supervision adopted a regulatory framework, called Basel III for short. The first step set out in this framework was to overhaul the capital requirements in place for credit institutions. Equity capital is key to the stability of the banks as it constitutes their main buffer for absorbing losses. Under the new rules, banks have to satisfy higher capital requirements in terms of both quantity and quality. Since last year, these institutions have been required to hold CET1 capital equal to 4.5% of their risk-weighted assets.

P a g e | 77


This was followed on 1 January by an additional 0.625% for the capital conservation buffer, which is set to rise to a total of 2.5% by 2019. From 2019, when it is possible for all instruments to be deployed in full, banks and savings banks will have to hold CET1 capital equal to at least 7% of risk-weighted assets. This is a significant increase compared with the 2% minimum ratio that applied until the end of 2013. What is more, the other new capital instruments, which include the countercyclical capital buffer and the additional buffers for the most significant institutions, also need to be backed by CET1 capital. The new rules will help make the banking system more stable as a whole. At the same time, however, it goes without saying that the new rules also place a cost burden on the banks. This is by no means unintentional in the case of buffers for the most significant institutions: as their systemic importance puts them at an advantage in terms of funding costs, this burden levels the playing field at least in part. However, some observers fear that this is also detrimental to the real economy. They argue that the new rules are making it more expensive for banks to lend and are therefore concerned that the institutions will be forced to reduce their lending activities in the future. The Basel Committee was well aware of the impact that the new rules would have. It was for this reason that the Committee also established transitional periods with the aim of rendering it easier for banks and savings banks to make the necessary adjustments. These apply to both the qualitative and the quantitative aspects of the new capital requirements. For example, the capital instruments that are no longer eligible for inclusion in CET1 capital will not be excluded in one fell swoop; instead, they will be phased out over a period of several years.

P a g e | 78


Furthermore, increasing requirements regarding the level of capital to be held will be introduced only gradually. But the Basel Committee has also come in for criticism in response to these transitional periods - in the eyes of some government representatives and market observers, they appeared to constitute too great a concession to the banks. Personally, however, I believe that the Committee has served the interests of the real economy, in particular, without having to compromise on in its efforts to increase the resilience of the banking system. Of course, the development of Basel III has and will continue to be accompanied by impact studies that assess the effects of the new rules on financial institutions and the real economy. These studies have thus far come to the conclusion that the short-term economic impact is rather low and are therefore consistent with numerous earlier findings that were able to demonstrate, for instance, that credit institutions' borrowing costs would only rise marginally if additional capital requirements were imposed. According to these findings, increasing capital requirements by 100 basis points would, on average, cause institutions' overall capital costs to rise by less than ten basis points. Turning our attention to the future, tighter regulation actually promotes prosperity because it lessens the likelihood of financial crises. This is a very important point! When talking about the implications of regulation, we cannot focus solely on the short-term costs that the banks are facing - we must also pay attention to the long-term benefits. Just think of the many billions of euros of public money that had to be spent in Germany alone over recent years to stabilise the banks. In some countries, taking this measure has even plunged governments themselves into significant financial difficulties. Viewed from this perspective, I think the price we are paying for stricter

P a g e | 79


regulation is entirely appropriate. Of course, the impact that reforms have on the real economy must, nevertheless, always be taken into account. Our objective, not just within the Basel Committee, is to make banks safer and thus minimise the likelihood of financial crises. At the same time, we want to ensure two things in the event of an institution running into trouble: that the taxpayer will not immediately be called upon once again to foot the bill for failings on the part of the bank's management, and that the institution can be resolved without causing any major disruptions. Aside from this, the regulation seeks to accommodate those enterprises that rely on bank loans. Take, for instance, the Basel framework's "SME package", which was introduced under Basel II and updated under Basel III. As part of this package, the capital that has to be held against loans to small and medium-sized enterprises is cut by as much as half depending on probability of default and collateral. As a result, capital costs for loans to small and medium-sized enterprises are significantly cheaper than those for loans to larger enterprises. It will come as no surprise to you that it was the Bundesbank that campaigned so hard for this SME-friendly regulation. Notably, the Basel framework's SME package creates significant incentives for lending to small and medium-sized enterprises. Thanks to this regulation, I believe that we have been able to sensibly exert a positive influence on the relationship between banks and enterprises.

4. Regulation calls for a sense of proportion If we are to discuss the impact of banking regulation on small and medium-sized enterprises, I believe we must also consider the regulatory implications for small and medium-sized banks and savings banks. The global regulatory reform of the banking sector in the past few years was

P a g e | 80


intended to tighten the regulation of internationally active credit institutions whilst also creating a fair and level playing field worldwide. As a result, however, almost all regulatory measures are essentially aimed at internationally active large banks. This makes absolute sense in the context of the crisis. But here and there, there is a feeling that in applying the rules we may have thrown the baby out with the bathwater; in other words, we have made the rules so complex that they are overwhelming small and medium-sized institutions. As a result, the debate about the proportionality of regulation is heating up. Of course, tighter regulation means a considerable workload for banks and savings banks, as well as for supervisors. But it is also very important to weigh this against the cost to society of financial crises. Size is only one of several important criteria that determine whether an institution is "systemically important". Other major factors are substitutability, interconnectedness and exposure to similar risks, which is why we cannot simply apply a less complex set of rules to small banks than to their large competitors. Instead, these institutions must be regulated in relation to the risk they pose. At this point, I feel it is very important to emphasise that the current regulatory and supervisory frameworks are already largely proportionate. For example, at present, risk-weighted capital requirements are calculated differently under standardised approaches and internal ratings-based approaches. Furthermore, a portfolio has been introduced to help determine regulatory capital requirements in retail banking. And last but not least, small and medium-sized institutions are benefiting from greater regulatory leeway for business with corporate customers from the SME sector, which are an important client group for these banks.

P a g e | 81


So as you can see, the implications of the sometimes complex new rules of the Basel III framework affect credit institutions and enterprises in similar ways. Small and medium-sized market participants, in particular - both in the financial sector and in the real economy - are concerned about the new regulation. However, I think many of their worries are unfounded. The Basel framework creates active incentives to lend to SMEs, which play an important role in employment and economic activity - especially in Germany. In addition, the new rules will provide relief for credit institutions that are less significant in terms of their impact on financial stability. In my opinion, Basel III will bring us a balanced framework that lays the foundations for sustainable economic growth.

5. Capital markets union will broaden the funding base As I mentioned earlier, the cooperation between banks and enterprises is hugely important for both parties. Whilst banks provide financing to enterprises, they are themselves dependent on enterprises to generate their income. I am firmly convinced that this symbiotic relationship in Germany functions well. But the financial crisis also showed that this symbiosis can very quickly evolve into a destructive relationship, specifically when individual banks conduct business of rather limited use to the real economy, the repercussions of which cause everyone to suffer in the end. Enterprises suffer when a crisis in the financial system snowballs into an economic crisis. Taxpayers suffer when the state has to rescue ailing banks. And banks suffer when their reputations are ruined in the wake of a crisis and both enterprises and the general public lose their trust in them.

P a g e | 82


Against this backdrop, it is crucial that banks remember their true role: to finance the real economy. So how might the future relationship between banks and enterprises look? You may be familiar with the concept of the "capital markets union", which is currently the subject of much debate and which aims to bring about deeper integration of Europe's financial markets - and not just the debt markets, but also the equity capital markets. I am assuming that this will also trigger further changes to the structure of the European financial system. But we mustn't overlook the fact that much has already changed in recent years. In 1999, bank loans still made up 22% of German enterprises' liabilities; in the third quarter of 2015, this figure fell to just over 14% - and this was despite the healthy economic situation in Germany. Following their experiences in the financial crisis, when a number of banks drastically reduced their credit supply, enterprises have started seeking alternatives to the traditional bank loan and, where possible, have increasingly turned to the capital market. The scale of capital market financing nonetheless remains low in Germany - especially when compared to the United States or the United Kingdom. All the same, I am confident that the cooperation between banks and enterprises will still be of great importance going forward. For SMEs, in particular, the relationship with their principal bank continues to play a vital role - not least because trust is built on past experience. A principal bank thus has an information advantage over another investor, which is highly likely to benefit enterprises. But besides market-based funding, other lenders such as insurers, other financial intermediaries or trade credits from other enterprises are also increasingly taking the place of traditional bank loans. The use of own funds has also risen, primarily among SMEs.

P a g e | 83


In short, the funding options for German enterprises are becoming more varied. At this point, one might worry that this development will have a negative impact on banks' earnings, but I would like to put something into perspective here. Diversification of funding sources can surely contribute to the stability and efficiency of the financial system - and that ultimately benefits the banks, too. There is still a great deal of potential in this respect in Germany especially, but also other European countries, compared with the English-speaking world. For this reason, I take a thoroughly positive view of the increased importance of bonds, securitisations and borrowers' notes, even in the SME sector. It is particularly important, however, to pay attention to the quality of these instruments, especially in such a young market segment. Thus, even SME bonds do not provide a real way out of the funding problems of weak enterprises, but instead are a suitable instrument for larger SMEs with high credit quality.

6. Conclusion Let me sum up by saying that banks and enterprises are closely interconnected. They play a crucial role in the functioning of our economy, both individually and together. Yet to a great extent, banks and enterprises shape their relationship themselves: banks decide which enterprises to lend to at which conditions, and enterprises return this trust with their demand for loans. I am therefore firmly convinced that credit institutions and enterprises, working hand in hand, will still be able to overcome the future challenges of business life. Even so, their relationship will certainly experience further change in the coming years and incorporate additional participants, mainly in the capital

P a g e | 84


market. I consider this a positive development, as the next rainstorm is sure to come, and when it does, it will be a good thing that enterprises are able to procure their umbrellas both on the capital market and in the shape of loans.

P a g e | 85


Adverse macro-financial scenario for the EBA 2016 EU-wide bank stress testing exercise The European Banking Authority (EBA) 2016 EU-wide stress testing exercise will require banks to use the presented outcome of the adverse macro-financial scenario for variables such as GDP, inflation, unemployment, asset prices and interest rates in order to estimate the potential adverse impact on profit generation and capital. The adverse scenario covers three years, starting from the first quarter of 2016, when the shocks are assumed to materialise, and ending in 2018.

1. Main risks to stability of the EU financial sector The narrative of the adverse scenario reflects the four systemic risks identified by the ESRB General Board as representing the most material threats to the stability of the EU financial sector: 1. An abrupt reversal of compressed global risk premia , amplified by low secondary market liquidity; 2. Weak profitability prospects for banks and insurers in a low nominal growth environment, amid incomplete balance sheet adjustments; 3. Rising of debt sustainability concerns in the public and non-financial private sectors, amid low nominal growth; 4. Prospective stress in a rapidly growing shadow banking sector, amplified by spill over and liquidity risk. In the adverse scenario, the first systemic risk, assessed to be the most significant of the four, materialises through a change in investor preferences in the developed financial markets and, most notably, in the United States, with an increasing aversion to holding long-term fixed income securities. This induces a portfolio reallocation towards short-term instruments, causing a rise in US long-term risk-free interest rates and risk premia across all financial asset classes. The increases are amplified by limited secondary market liquidity.

P a g e | 86


A protracted period of global financial market uncertainty would follow, leading to a confidence-driven contraction of domestic demand in emerging markets, in line with country-specific vulnerabilities. The first systemic risk acts as a trigger for the vulnerabilities related to the remaining three sources of risk. In the EU this would lead, in particular, to a weakening of domestic demand, a decline in property prices and a renewed widening of sovereign credit spreads, as well as to a sell-off by the shadow banking sector that would amplify the shocks to financial asset prices in the EU.

2. Macro-financial shocks driving the out come of the adverse scenario Specific macro-financial shocks that are assumed to materialise under each of the parts of the scenario are presented in Table 1.

P a g e | 87


Concerning the calibration of the specific shocks, the yields on long-term Treasury securities United States are assumed to rise sharply, deviating by 250 basis points (bps) from the baseline by end-2016. The increased investor risk aversion would affect the prices of European fixed income instruments, and yields on ten-year German sovereign debt would increase by about 80 basis points over the same horizon.

P a g e | 88


The impact on sovereign bond yields would be lasting, so that German ten-year bond yields would remain some 53 basis points above the baseline levels in 2018 (see Table 2). In addition, sovereign credit spreads in the euro area would widen, reflecting broadly the market assessment of individual sovereigns’ vulnerabilities. Overall, long-term interest rates in the EU would be higher by 71 basis points in 2016, 80 basis points in 2017 and 68 basis points in 2018.

Against the backdrop of global financial tensions, bilateral nominal exchange rates of the central and eastern European (CEE) countries against the euro would depreciate sharply, by between 8% and 24% in the course of 2016, corresponding to the historical exchange rate volatilities. Subsequently, these exchange rates would remain stable at the weaker levels for the remainder of the exercise horizon. The increase in bond yields in the CEE countries would be stronger than that observed in the euro area and western European non-euro area countries. At the same time, the Swiss franc would appreciate by 23% against the euro (see Table 3). These exchange rate movements would take place despite the implied strong fundamental misalignment of the respective currencies that would not begin to correct before end-2018. More generally, the global increase in risk premia has effects well beyond

P a g e | 89


fixed income markets. Global equity prices would decline by 36% by the end of 2016. As a result, and amplified by a sell-off by shadow banking entities, EU stock prices would fall, on an annual basis, by 25% in comparison with the baseline scenario in 2016, followed by a mild recovery that would reduce the average deviation from the baseline scenario to about 16% in 2018 (see Table 4).

Commodity prices would also be affected, responding to financial shocks and the expected weakening of global economic growth, with oil prices

P a g e | 90


falling by about 48% in 2016 compared with the baseline projection of about 54 US dollars per barrel, standing at about 44% below baseline levels in 2017 and 2018. Money market rates (three-month interbank offered rates) in all EU countries would rise by about 33 basis points compared with the baseline scenario in 2016, reflecting a higher credit premium. This additional credit premium would decline to 23 basis points in 2017 and 6 basis points in 2018. As monetary policy is assumed to follow the expectations implied by the baseline scenario also under the adverse scenario, this increase should not be interpreted as being driven by monetary policy decisions. Tighter financing conditions caused by a reduction in the availability of funding from shadow banking entities would contribute directly to a contraction in economic activity. It is assumed that banks would respond by tightening lending standards on loans to the private non-financial sector. This funding shock is represented by country-specific shocks to the cost of corporate credit and loans to households, via an increase in the user cost of capital and a reduction in the financial wealth of households respectively. The corresponding impact on 2018 GDP is estimated to be limited to about 0.12%. Finally, swap rates would respond to the increase in money market rates and long-term government bond yields. Depending on the maturity, euro swap rates would increase by between 44 and 58 basis points in 2016 compared with the baseline, and remain elevated until 2018. Detailed paths for swap rates for the US dollar and most EU currencies are presented in the annex. The increased global uncertainty would reduce global economic growth, notably through confidence and financial spillovers to emerging market economies (EMEs), spanning all major emerging market regions (Asia, Latin America, emerging Europe).

P a g e | 91


The spillovers give rise to a sudden re-assessment of growth expectations in these countries. In turn, sizeable capital outflows from EMEs lead to a reduction in emerging market asset prices, causing domestic demand in these economies to suffer from both tighter financing conditions and business and consumer confidence shocks. This would have an impact on the EU economies through trade channels, as foreign demand for EU exports would be materially reduced. The estimated impact of the above-mentioned financial and real shocks on economic activity in the countries outside the EU would be sizeable, in particular for EMEs that are also commodity exporters (see Table 5). Cumulative GDP growth in the developed economies would be between 2.5% and 5% lower than under the baseline scenario in 2016-17. By 2018, as the impact of the shocks would begin to wear off, GDP growth rates would approach those projected under the baseline scenario. Among the main emerging economies, the impact would be particularly strong for Brazil, Russia and Turkey, while for China and India total GDP would stand about 4.5% below the baseline projections in 2018. Overall, the demand for EU exports would stand nearly 8% below the baseline projection in 2017 and 6.5% below the baseline in 2018. The global shocks are also assumed to negatively affect confidence, resulting in country-specific reductions in private consumption and investment in all EU countries. Lower consumer confidence, together with increased risk premia, would additionally cause a slowdown in property market activity, both in the residential and commercial property segments. The exogenous shocks to house prices reflect the country-specific misalignment of house prices with regard to estimated fundamental levels and historical volatility of house prices. These shocks, which overall drive the house prices down by about 6%, are supplemented with a common shock of about 7.5% affecting all EU countries and some country-specific exogenous add-ons calibrated

P a g e | 92


according to the assessment of national competent authorities. Commercial property prices are also affected by a common shock, calibrated in a uniform way for all EU countries at about 7%.

P a g e | 93


3. Results for the euro area and European Union As a combined result of the foreign demand shocks, financial shocks and domestic demand shocks in the EU, the scenario implies a deviation of EU GDP from its baseline level by 3.1% in 2016, 6.3% in 2017 and 7.1% in 2018. The implied EU real GDP growth rates under the adverse scenario over the three years of the exercise amounts to -1.2%, -1.3% and +0.7% respectively (see Table 6).

The major part of the impact on GDP is driven by the domestic demand factors, namely the exogenously set reductions in consumption and investment, which collectively reduce EU real GDP by about 3.6% compared with the baseline by 2018 (see Chart 1). Assumed shocks to foreign demand contribute a further 2.7% to the total 2018 deviation of EU GDP from the baseline.

P a g e | 94


The combined impact of interest rate, house price and stock price shocks is somewhat weaker. The positive contribution of lower commodity prices and weaker exchange rates to EU GDP moderates the negative deviation from the baseline by about 0.8%. In combination with substantially lower headline inflation, the impact on nominal GDP would be particularly pronounced.

In a historical perspective, the adverse scenario, leading to a total reduction in EU GDP by 1.7% in 2018 from the 2015 level, is slightly less severe than the 2008-10 period when the EU economy contracted by about 2.0% over three years. The recession considered under the adverse scenario is longer but shallower than the 2008-10 events (see Chart 2).

P a g e | 95


The Harmonised Index of Consumer Prices (HICP) inflation rate in the EU

P a g e | 96


under the adverse scenario is well below the baseline scenario, by -2.0 p.p. in 2016, -1.9 p.p. in 2017 and -2.1 p.p. in 2018 (see Table 7). Following a sharp reduction in energy and food commodity prices in early 2016, under the adverse scenario HICP inflation would reach -0.9% in 2016. Prices would fall slightly in 2017 and 2018, with annual inflation rates of -0.2% and -0.2% respectively. The projected inflation is initially driven by much lower commodity prices, which explain a large majority of the deviation of HICP inflation rate from the baseline scenario in 2016. Over time, the deviation is increasingly explained by the impact on prices of weaker aggregate demand, both domestic and foreign. The adverse scenario implies a substantial increase in the EU unemployment rate, instead of a slight reduction expected under the baseline scenario. The EU unemployment rate would reach 11.6% in 2018, some 2.8 percentage points higher than the baseline (see Table 8). Residential property prices in the EU would fall, reflecting the assumed exogenous shocks as well as their reaction to the general deterioration in the economic outlook. Overall, EU residential property prices would stand about 21.3% below the baseline levels by 2018 (see Table 9), having contracted by about 10.7% from the 2015 levels. Commercial property prices, similar to residential property prices, would deviate downwards from the levels consistent with the baseline economic projections. By 2018, prime commercial property prices would contract by about 15% from their 2015 levels, and stand about 23% below the baseline projections (see Table 10).

P a g e | 97


In comparison with the adverse scenario of the 2014 EU-wide stress testing exercise, this scenario would result at the end of the horizon in a similarly-sized deviation from baseline of EU GDP level (-7.1% compared with -7.0% in the 2014 exercise) and a much stronger deviation of the price level (-5.8% and -2.8% respectively) from the baseline. The impact on GDP is driven primarily by more severe domestic demand shocks, as foreign demand shocks are less severe than in the 2014 scenario and lower commodity prices stimulate growth in the EU economy. Owing to a more favourable baseline projection than in the 2014 exercise, GDP over the three- year horizon falls by -1.7% in the adverse scenario, which is slightly higher than the -2.1% assumed in the 2014 exercise. Consumer prices fall by 1.3% over the horizon in the adverse scenario, while they were assumed to increase by 1.7% in the 2014 exercise. The impact of both scenarios on the EU unemployment rate and residential property prices is similar.

P a g e | 98


The change in residential property prices over the horizon, however, is somewhat less adverse in this scenario (-10.7%) than in the 2014 exercise (-15.4%), again owing to a substantially more favourable baseline. As the impact of this scenario on commercial property prices is stronger than that assumed in the 2014 exercise, the change over the horizon is also more adverse (-15.0%, compared to -8.3% in 2014).

P a g e | 99


P a g e | 100


P a g e | 101


Caught in the middle? Small and medium-sized banks and European banking supervision Ms Sabine Lautenschläger, Member of the Executive Board of the European Central Bank and Vice-Chair of the Supervisory Board of the Single Supervisory Mechanism, at the Banking Evening of the Deutsche Bundesbank Regional Office in Baden-Württemberg, Stuttgart Ladies and gentlemen, I am delighted to be here in Stuttgart this evening. On the one hand, because I can honour the promise I gave to the President of the Bundesbank's Regional Office, Mr Sibold, when I was still Vice-President of the Bundesbank. On the other hand, because I am looking forward to the opportunity of a discussion with you after I have given my speech. I hope it will be a lively discussion of what you expect from European banking supervision. I also hope to be able to answer some questions and clear up misunderstandings - regarding, for example, which tasks European banking supervision, the SSM, does perform and does not perform in supervising small and medium-sized institutions, as well as those tasks it does not wish to perform. Let me start by clearing up one misunderstanding. Yes, the SSM supervises small and medium-sized institutions only indirectly - and we have absolutely no desire to directly supervise these institutions. If an individual small or medium-sized institution fails, it does not generally jeopardise the stability of either the national or the European financial market; so it does not need to be subject to European banking supervision. Let me briefly put the role of small and medium-sized institutions in the euro area into perspective, before I deal with the greatest challenges facing

P a g e | 102


this group of institutions. There are roughly 3,300 banking groups in the euro area, 129 of which are directly supervised by the ECB. We will leave these few banks out of the picture this evening and devote our time to the remaining 3,200 or so groups of institutions instead. And let me start by going straight to the trickiest part: the correct description of these institutions. The official term for them is "less significant institutions". This is because, although they are clearly in the majority, their balance sheet total is comparatively small. If we look at the overall balance sheet total of the euro area banking system, scarcely 18% can be attributed to the "less significant institutions". Does this mean that small and medium-sized institutions and their services are completely unimportant and so do not require good supervision? Not at all! This 18% of the balance sheet total for the entire euro area banking system is not evenly spread across all countries, but is essentially concentrated in three: Germany, Austria and Italy. These three countries alone are home to four-fifths of all the supposedly "less significant" institutions, whose balance sheet total amounts to 80% of annual economic output in Austria and Germany. And in Germany, it is precisely these institutions that provide funding to small and medium-sized enterprises, which, in turn, form the bedrock of the economy. All in all, the "less significant" institutions in Germany finance 70% of the regional economy. I'm therefore not going to discuss at this point whether or not these institutions are important for the real economy - everyone knows that they are. And everyone knows that the "less significant" institutions can indeed be

P a g e | 103


significant for the stability of the banking system - not individually, but collectively as associations of savings banks and cooperative banks. That is particularly true when you consider that many small and medium-sized institutions in the euro area belong to institutional protection schemes and are hence closely interlinked - and often they are also in protection schemes with large, systemically relevant banks. I'll come back to this topic later on. Ladies and gentlemen, at this point, I'm going to have to disappoint one or two of you: I do not think it is a good idea to leave the "less significant" banks to regulate themselves or to encourage a form of supervision that is more akin to gravedigging than supervising, focusing solely on resolvability. And, the type of supervision being advocated by some, whereby supervision is exercised over the association rather than over the individual institution, is also no solution as long as there is no legal basis or tools for the appropriate, effective and efficient supervision of associations. For all the reasons I have just mentioned, and I could give many more, the supervision of "less significant" institutions, which tend to have a regional focus, needs to take into account national particularities on the one hand and meet high quality standards on the other hand. After all, the aim is to have a functioning banking sector over the medium and long term, providing the real economy with the services that it requires - and it is precisely small and medium-sized institutions that make for a functioning banking sector, as clearly highlighted by the financial crisis. Given the experience of the past year, I believe that indirect supervision, as is being carried out by the ECB, can be of great benefit - to banks, to their customers, to the stability of national financial centres and to the real economy. But I will come back to that later too. Now, going back to finding a name for the "less significant" institutions. How should we refer to these 3,200 banks? As you've probably noticed by now, I've opted for the term "small and medium-sized institutions" - and this decision was preceded by a lengthy discussion.

P a g e | 104


For those of you who represent a small or medium-sized bank, I hope that you are happy with this description; it will see us through the rest of the evening. Having now resolved the naming problem, we can turn our attention to some slightly more straightforward issues. I will address two topics this evening. First, the challenges now facing small and medium-sized banks; and Second, the cooperation between the ECB and the national authorities in supervising small and medium-sized banks.

The challenges - weak profitability and low interest rates Whether national or European, supervisors are always interested in banks' stability. And the most important components of a stable bank are capital, liquidity and profitability. Capital serves as a buffer for losses - the higher it is, the more losses a bank can absorb before it collapses. If we want to assess a bank's stability, we should first look at its capital. The capital ratios of small and medium-sized institutions in the euro area are gratifying. The average Tier 1 capital ratio is 15.2%. In Germany, the Tier 1 capital ratio of this group of institutions is slightly below average at 14%, but is still significantly above the regulatory requirements, which, as a supervisor, I find reassuring! And if we now look at how Tier 1 capital ratios have developed recently, we can see another welcome development. They are stable. In the first instance, that is somewhat surprising, given that the balance sheet total of small and medium-sized banks has increased slightly, while capital has marginally declined.

P a g e | 105


In fact, Tier 1 capital ratios could reasonably have been expected to fall too. The fact that they remained stable can be explained by the reduction in the riskiness of banks' balance sheets - because this is the basis for calculating Tier 1 capital ratios. That is also something I like to see as a supervisor. As far as the liquidity of small and medium-sized institutions in Germany is concerned, there isn't really a lot I can say. Instead of there being too little liquidity, there is too much liquidity in Germany. And this liquidity is searching for yield. First and foremost, high capital and liquidity ratios are sound preconditions for the stability of small and medium-sized institutions. They are good preconditions for the banking system being able to withstand unfavourable market conditions or unexpected shocks - even over a prolonged period. It is important that these preconditions are met, because small and medium-sized institutions are facing a series of risks and challenges. The greatest of these challenges is the banks' business models and earnings performance. It's nothing new that some banks in the euro area are suffering from weak profitability. And that's not just since the period of low interest rates began. It was also the case before that - including for some small and medium-sized institutions. In some countries, competition among banks for customers is rife - and it is an unhealthy form of competition if risks and collateral are not priced in correctly. In 2014 banks' return on equity was just over 3%, considerably lower than what market participants would deem sustainable.

P a g e | 106


However, it is not just a question, for example, of whether there is sufficient business among small and medium-sized enterprises and retail customers for the roughly 1,650 banking groups in Germany. It goes without saying that the prolonged period of very low interest rates is not helping to remedy this weak profitability - on the contrary. The vast majority of small and medium-sized institutions operate a traditional business model that is heavily reliant on interest rates - and consequently they are often harder hit than larger banks. At the same time, those institutions that mainly extend credit to retail customers are more severely affected by low interest rates. It should come as no surprise that banks that primarily issue fixed-rate loans have thus far coped with the low interest rates comparatively well. However, I don't need to tell you that, as soon as loans and investments with high and fixed interest rates expire and have to be replaced with lower-yielding assets, these banks incur burdens. Moreover, these banks will suffer from the effects of the low interest rates for longer than banks that mainly grant variable-rate loans - the latter see the benefits more quickly when interest rates go up again. In order to safeguard earnings performance, small and medium-sized institutions need to assess the efficiency of their business model - and better sooner than later. I will not give any detailed advice on business policy here - supervisors are not the better bankers. Fundamentally, though, banks have two options: they either raise their earnings or lower their costs. Let's look at the earnings side first. It makes sense to create new sources of earnings that are less dependent on interest rates - such as fees and commissions. A survey of German institutions conducted by the German Federal Financial Supervisory Authority (BaFin) and the Bundesbank has indeed revealed that more than half of the respondents have already expanded the

P a g e | 107


share of fees and commissions income in their earnings. On the costs side, precisely German institutions have potential for savings. By European standards, their cost efficiency is relatively low. For every euro of earnings, they bear costs of almost 70 cent - compared with just 50 cent in other countries. However, the solution does not necessarily lie in merging small institutions to ultimately create a large, systemically relevant institution. On the contrary: "small is beautiful" is a good, if not better, alternative - provided that "small" is sustainable in the long term. In order to realise scale effects, banks could also centralise certain areas - such as reporting, transaction settlement or some elements of risk management. The German savings banks and cooperative banks in particular already have experience in this regard. Whatever way the institutions choose, it's crucial that they keep proper control of the risks they have taken on. Banks are obviously not having an easy time right now. They are obliged to increase earnings in times of low interest rates and tough competition, but at the same time must not take any excessive risks when doing so. Many would liken this to trying to square the circle. I think it's more like a system of mathematical equations with many unknowns - complicated, but nevertheless resolvable. There are always ways to revive your own business - even without incurring excessive risks. Digitalisation, for example, is opening new paths, which some alert managers are already exploring - be it to develop new sources of income or distribution channels, or to reduce costs. Cases in point are online banking through smartphones or advisory services for customers by video conference.

P a g e | 108


Digitalisation also offers opportunities for small and medium-sized institutions. For these institutions, the trick will be to innovate, without losing sight of their roots. Ladies and gentlemen, business models and earnings performance are currently the biggest challenges facing the banking sector - but they are not the only ones. For example, the activities of small and medium-sized institutions are often very concentrated - on certain sectors or regions. While that is in the nature of small and medium-sized institutions with a regional focus, it also creates a dependency which makes them vulnerable. So it is all the more important to take this concentration risk into consideration in risk management - particularly with regard to its qualitative elements. If there is no way to avoid concentration risks, the principle of "know your customer" gradually becomes more critical. And that is exactly where the strength of small and medium-sized institutions lies. They know the risk profile of the individual borrowers as well as the value of their collateral. And they know the regional markets and their potential. All this needs to be used by banks in the context of their risk management and must continuously be taken into account in their decision-making in order to ensure their success and survival. It will come as no surprise to you that for me, as a representative of the SSM, it is not just about business models, earnings performance and the concentration of risks when it comes to small and medium-sized institutions. As the SSM, we are always having to ask ourselves how we can support our colleagues at the national supervisors.

P a g e | 109


Supervision - division of roles between the ECB and national supervisors Now let's move on to the division of roles that has been in place since November 2014 for the supervision of small and medium-sized institutions in the euro area. As you know, within European banking supervision, the national supervisors are responsible for supervising small and medium-sized institutions - so in Germany, it's BaFin and the Bundesbank. The ECB only plays an indirect role in respect of supervising small and medium-sized banks - the point of contact is not the institutions themselves, but rather the national supervisors. Direct contact between the ECB and the institutions only occurs in exceptional cases - for example with regard to the granting or withdrawal of banking licences. This indirect approach reflects two major principles underlying European banking supervision: subsidiarity and proportionality. Most small and medium-sized institutions have relatively low-risk business models that are tailored to their region - direct European supervision is generally not required here. But what is the SSM's contribution, what is the contribution of European banking supervision? It is up to the SSM to give background support to the national supervisors. Together with the national supervisors, we are developing high quality, flexible standards and tools for risk-oriented supervision, which can take into account regional aspects such as the size, business and risk profile of the institution. This indirect supervisory approach involves, for example, agreeing with the national supervisors on the key components of a recovery plan for small and medium-sized institutions. It also involves obtaining an overview of whether on-site inspections and discussions are also taking place at these institutions; of whether the level of supervision is tailored to the risk profile of the individual bank; and of

P a g e | 110


whether the national supervisors take macroeconomic developments into account when conducting their risk analyses. Let me make one thing clear, however: it is not our intention to remove all particularities and replace national supervisory approaches with a European approach. Instead, we are trying to ensure that the key elements of supervision meet certain minimum requirements. This will enable national particularities to be taken into account - only, however, if these particularities are justifiable in terms of risk. Something we all agree on, I'm sure. Taking this approach for the indirect supervision of small and medium-sized institutions also ensures two things. First, it ensures that the principle of the supervision being tailored to the risk profile and size of the institution is safeguarded. Second, it ensures that the principle of proportionality is fully upheld, as it is up to each individual supervisor to use the supervisory tools in a risk-oriented and proportional manner. Small and medium-sized institutions fall indirectly under European banking supervision. But they benefit directly from it nonetheless. After all, the objective of indirect supervision is to contribute to the stability of national financial markets and in so doing reflect the importance and particularities of small and medium-sized institutions. European banking supervision has a much wider overview than national supervisors. The ECB can look at all countries in the euro area and it shares its insights with the national supervisors. It may well be that a number of national supervisors have already decided to intensify their supervision of certain institutions owing to the increase in information.

P a g e | 111


Conversely, the ECB gains important insights into small and medium-sized enterprises from the national supervisors. The past few months, in particular, have shown that considerable contagion effects can arise within a banking system. Against this background, it is very important that the ECB covers and understands a banking system as a whole. This is also of benefit to the supervision of large, directly supervised institutions. For those exact reasons, European banking supervision can better prevent future crises and that also helps small and medium-sized institutions. After all, financial crises always damage the real economy too - and the real economy is crucial for small and medium-sized institutions. For the reasons I have mentioned, European banking supervision will also boost the trust that customers and investors have in the banking sector. And that too is of benefit to small and medium-sized institutions. After all, trust is the foundation of banking - whatever the size of the bank.

The future - open issues relating to the supervision of small and medium-sized institutions Ladies and gentlemen, European banking supervision is barely one-and-a-half years' old. In that time, we have also made some headway with regard to small and medium-sized institutions. In close collaboration with the national supervisors, we have established a set of common standards and methods - and, in many cases, the national supervisors have at their disposal a range of methods and standards that they can choose from. We have therefore come a lot closer to achieving our goal of creating a more stable banking system. Nevertheless, there are still a number of open issues.

P a g e | 112


One of those is reporting requirements that provide a minimum amount of data. In general, reporting is a controversial topic right now - and not just because of AnaCredit. There are still a number of misunderstandings that could be cleared up in this regard. In the wake of the financial crisis, the information needs of banking supervisors have increased significantly - that's for sure. The crisis quite clearly highlighted that the German reporting system did not even fulfil the necessary minimum. For example, the reports that had to be submitted on a regular basis did not contain any information on country risks - for example to what extent the institutions depended on what was happening in Greece or the United States. Subsequent ad hoc requests then had to be made, which were expensive - for the banks and for the supervisors. Sound risk analysis and effective supervision are only possible if the appropriate data are available. The increasing need for data obviously also affects small and medium-sized institutions. Of course, it's important to weigh up the costs and benefits when collecting data. That is required under the principle of proportionality. In order to analyse the risks of a small or medium-sized bank, supervisors need and ask for less data; in order to analyse the risks of a large, international bank, they need and ask for more. Accordingly, the reporting requirements are tailored to, among other things, the size of the institutions. For example, in anticipation of future reporting requirements, we asked the national supervisors last year, for the first time ever, to provide us with

P a g e | 113


supervisory data on all small and medium-sized banks. They were asked to submit 37 separate data points, including the balance sheet total, the level of customer deposits or the trading book portfolio - so nothing complex at all. By contrast, the banks that are directly supervised by the ECB are asked to give more than 8,000 data points - and these have to be submitted not annually but quarterly. Our requests for information of course comply with the guidelines of the European Banking Authority. For indirect supervision, however, it is not a question of more reports. It is much more about using the experience collected within the SSM for the supervision of small and medium-sized banks. For example, we are currently working on a concept for the Supervisory Review and Evaluation Process, or SREP. The SREP is the most important tool of banking supervision. The supervisors analyse each institution's business model and governance, as well as its capital and liquidity risks. On this basis, national supervisors determine how much capital each individual institution is required to hold. Last year, for the first time ever, the SREP for the large banks in the euro area was conducted in accordance with a common methodology - an important step towards genuine European banking supervision. From 2018 it is likely that, for small and medium-sized institutions, the national supervisors will use a simplified methodology that covers the key aspects. Another thing that also plays an important role for small and medium-sized institutions is the system of institutional protection schemes. More than half of all euro area banks belong to an institutional protection scheme - large banks along with small and medium-sized institutions. In Germany, four out of five institutions belong to such a protection scheme

P a g e | 114


- measured by balance sheet size, that represents 40% of the German banking system. Institutional protection schemes are therefore highly relevant for the stability of the banking system. But they are also important to supervisors for another reason. Under European law, more specifically the Capital Requirements Regulation (CRR), banks may be granted certain privileges if they belong to a protection scheme. For example, institutions need not necessarily hold capital against exposures to members of the same protection scheme. The decision whether to grant such a privilege is taken by the competent supervisor - for small and medium-sized institutions, the national supervisors; for large banks, the ECB. There is therefore much to be said for granting these privileges in accordance with uniform criteria - both across countries and across institutions. I'd like to be clear about one thing, however: the aim is not to call into question the protection schemes in general. The objective is to harmonise the supervisory treatment of the systems. We have therefore defined the relevant criteria and are currently conducting a public consultation that will run until the middle of April.

Concluding remarks Ladies and gentlemen, I began my speech with the conclusion that the term "less significant" institutions is not justified for the group of small and medium-sized banks. In view of the importance and particularities of this banking sector, I believe indirect European banking supervision to be necessary and appropriate. I also believe that the division of roles that has been in place since

P a g e | 115


November 2014 is clear and unambiguous. Small and medium-sized institutions basically fulfil the ideal function of the financial system: they finance the real economy. However, this traditional business model is being challenged - at the moment also by sluggish economic growth, weak investment and the prolonged period of low interest rates. In some countries, many banks have also for a long time been plagued by relentless competition for too few customers for a large number of banks. The German institutions, in particular, indeed have considerable reserves, their customers are generally solvent and liquid, and the ratio of non-performing loans is accordingly low. Therefore, as a supervisor, I'm not immediately concerned. Nonetheless, even these institutions should not try to just hold their breath until they surface from the low interest rate phase. They could rapidly run out of air. The small and medium-sized institutions will not be able to avoid assessing (in detail) the efficiency of their business model - and better sooner than later. Small and medium-sized institutions are subject to national supervision. Nonetheless, European supervision still plays an important part, but indirectly through cooperation with the national authorities. These institutions benefit directly from European supervision, however; trust in the banking sector is increasing, the information base for supervision is becoming wider, the likelihood of crises is decreasing and competition is becoming fairer. After one-and-a-half years of European supervision, much has changed for small and medium-sized institutions too. Reporting requirements are higher, the SREP is being harmonised and the supervisory treatment of institutional protection schemes is being standardised.

P a g e | 116


The ECB and the national supervisors are working together on implementing these changes. The objective is to exercise the best possible supervision, which follows the principle of proportionality, takes appropriate account of national particularities and reflects the particular importance of this banking sector for the stability of national financial markets. Thank you for your attention.

P a g e | 117


The UK economy post crisis - a series of unfortunate events? Sir Jon Cunliffe, Deputy Governor for Financial Stability of the Bank of England, at the Centre for International Business Studies, London South Bank University, London There is a well-known myth - much loved in management schools - that if you put a frog in boiling water it will jump out; but if you put it in cold water and bring the water very slowly to the boil, its nervous system will not register the temperature change and it will be boiled. I am assured by zoologist friends that it is indeed a myth. Frogs sense gradually changing temperatures like the rest of us. But it is an instructive parable. Sometimes when you focus on incremental changes you can forget the big picture until the water has become very hot - or very cold. The Monetary Policy Committee (MPC) meets every month. We assess a very wide range of changing data - for the world and the economy is constantly changing. The past usually becomes clearer but the future is always uncertain. So as a policymaker occasionally it is worth standing a long way back and asking "What did I expect to happen last year and the year before? And what can I learn from what actually happened?". And, crucially, "Have I been lulled by the ever turning kaleidoscope of data and missed a change in the big picture?". So tonight I want to stand back and review how I saw the big picture two years ago and how what has happened since has changed my view. And what evidence I am looking for to confirm my view of the likely future.

Slow healing story Since the Great Recession of 2008/9 we have had the slowest recovery in our modern history - slower than the recovery from the Great Depression. For those of you familiar with children's literature, one title for the story of the last eight years is "a series of unfortunate events".

P a g e | 118


In this big picture story, the UK economy was hit by a very unfortunate event, a massive financial crisis, leading to the deepest recession for 80 years. Three years later, as it is just beginning to recover, the economy is hit again by the effects - via confidence and financial market and trade - of the euro-area crisis. Three years on the economy finally picks itself up with a burst of strong growth. Unemployment falls at the fastest rate for 40 years, confidence recovers and business investment starts to grow strongly. But pay growth and hence incomes respond much less, reflecting in part the fact that productivity growth does not recover. And, in the latest chapter, just as we see signs of income growth and productivity growth coming back into life, a deflationary shock from a collapse of oil prices, which should boost the economy, allied to a slump in emerging markets, pulls us back and the economy begins to slow. Markets worry that the next chapter will be another unfortunate event. I would call this the "slow healing" story. Recoveries from financial busts tend to be slow and painful. Indeed, that is why it is worth doing all that you can - in advance and in good times - to avoid financial crises. The academic literature suggests it takes an average of eight years to recover. If in the meantime you are hit by other bad surprises it can take longer. And in this story most of the events are related. As many commentators have observed, as well as country-specific factors, many of the stresses now seen in emerging markets are knock-on effects, if not from the financial crisis itself, then from the responses to it in the post-crisis recession. One can tell a version of this slow healing and unfortunate events story for the world economy as well as for the UK. You can see that reflected in the IMF's forecasts for world growth. In every one of the last five years the world economy has underperformed the forecast.

P a g e | 119


Indeed it has pretty much become an annual event that the world economic growth forecast is downgraded as stresses emerge somewhere in the world economy or there are serial disappointments on pay and productivity. This is not to denigrate the IMF's forecasters. You see the same effect in the Bank's own forecasts and in private sector forecasting. For example, the Bank's growth forecasts made in 2010 were derailed by the euro-area crisis. These outcomes are a combination of not understanding at the outset how slow the healing process from the 2008 crisis would be and subsequent unforeseeable and unfortunate events.

Secular stagnation story There is another rather different story however, one more reminiscent of our friend the mythical boiled or frozen frog. In this other world, we are not on a slow healing path, subject to a series of unfortunate events. Rather, there are deep secular and structural forces pushing down on our economies. These began to have an impact before the financial crisis. But their effect was masked somewhat by stimulative effects of the financial sector bubble as it inflated and was only exposed in the post-crisis world. In this story there is recovery from the crisis, of course, but it is recovery to economies with both considerably weaker growth potential and considerably greater vulnerability to shocks. We are in a "secular stagnation" world but have not fully woken up to it. There are different hypotheses as to why we might be in such a world. One is that we are stuck in an era of very low demand because there are more savers than opportunities to invest. This is due to fundamental factors such as demographic changes, inequality and preferences for low-risk assets. When the supply of savings exceeds demand for borrowing the price - i.e. the natural real interest rate - goes down.

P a g e | 120


If this natural real interest rate is pushed down below zero and held there by this imbalance between supply of savings and demand for borrowing, central banks can't push demand back up and economies remain stuck. In this world, neither central banks nor the private sector can easily break the cycle; the government has to step in to borrow massively to invest thus correcting the imbalance of savers and borrowers and pushing the natural interest rate back up. Another, somewhat different take, is that we are stuck in an era not of low demand but of low supply growth. In this view, productivity growth slowed in the 1970s after the benefits of the Second Industrial Revolution had finished working through. And, despite the manifest technological developments, such as ICT, technological change has not since had an equivalent impact on productivity. Or, as Peter Thiel said: "we wanted flying cars, instead we got 140 characters". This is a world in which it is harder for policy to boost productivity and growth. In these secular stagnation views of the world, the water around us was getting colder before the crisis and has become colder since. But we have not noticed it. And it is this, rather than the slowness of the healing process and the aftershocks of the crisis, that explains the serial disappointments in economic growth. I have set this out as two very different stories about what is happening - "slow healing" and "secular stagnation". Of course, given enough unfortunate events and enough repeated disappointment on the pace of recovery, they could look and feel the same for a long time. There is much that is common to them. In both stories for a period of time, productivity is lower, interest rates stay low for long and pay and income growth is weak.

P a g e | 121


But these effects are longer-lived in a secular stagnation world. It is quite possible that we are in some combination of both worlds. But I think it is important, especially when thinking about policy, to distinguish the different forces that drive these respective stories about the world.

The UK picture Which brings me to the UK. When I joined the MPC over two years ago, the data seemed to point quite firmly towards the healing story. The UK was experiencing a burst of growth, driven by the return of credit and confidence and pent-up demand from the recession and slow recovery. Many commentators were arguing that the Bank was in danger of getting behind the curve; these arguments grew louder as unemployment fell at its fastest rate for 40 years. The Bank's forecasts two years ago suggested that growth would fall back a touch, but only a touch, to around its pre-crisis average of 0.7% per quarter. Our forecast for growth in 2014,15,16 was 3.4%, 2.7% and 2.9% respectively. The reality has confirmed part but only part of that story. Over the course of 2014 and 2015 growth drifted down, slowly but consistently and by more than forecast. The economy grew at around 2% annualised in the last quarter of 2015 - around 0.7 percentage points lower than the February 2014 forecast; growth in 2015 was 0.2 percentage points lower. The Bank's most recent forecast is for growth to pick up slowly over the next few years to 2.5%. That is less than the average growth rate of nearly 3% in the decade before the crisis but around the average growth rate in the last 60 years. It will, according to the OECD, be the fastest growth rate among G7 economies this year. Over the period, inflation has been pushed down to around zero by the strength of sterling and by the very sharp fall in the oil price. I hesitate to describe the oil price fall as an "unfortunate event". Much of the fall is the result of an increase of supply, the product of the oil investment cycle that

P a g e | 122


accompanied oil prices staying at over $100 per barrel for much of the last ten years. That will have boosted consumption and supported growth in oil-consuming countries like the UK. But the speed and size of the fall has made the shock to inflation very abrupt and exposed weaknesses in oil-producing economies. And more worryingly some of the fall over the last 18 months has been due not to an increase in supply but rather to slowing demand in emerging markets especially China. This will have had an adverse effect on world growth. There are continued signs of strength in the UK economy. Consumer confidence is near record levels and business investment intentions are strong. Housing market transactions and investment are picking up. Credit has picked up and is growing around the rate of GDP. On pre-crisis metrics, there are signs of tightening in the labour market. Unemployment is now at 5.1% - its lowest level since 2006. Job-to-job flows have picked up sharply and are nearly at pre-crisis levels and the vacancy to unemployment ratio - a measure of labour-market tightness - is at its highest level since 2005. But, some things have still not improved as we had hoped. Despite being stronger in the middle of 2015, pay growth has now fallen back to the 2% range - roughly its average since the crisis. And forward-looking surveys do not suggest any significant recovery in pay growth is around the corner. Productivity growth similarly showed signs of picking up in the middle of 2015 but has dropped back to annual growth of around a quarter of a percentage point at the end of 2015. Unit labour costs have picked up a bit over the last year. The picture is not completely consistent across different measures but most measures are subdued or expected to fall in the near term.

P a g e | 123


Meanwhile, risks from the rest of the world economy have shifted and increased. Boosted by monetary policy, the euro area has recovered over the past two years, albeit to low rates of growth. The stresses around Greece and its creditors have so far been managed. But the risk to the UK from a more severe hard landing in emerging markets has grown. Emerging market economies now account for more than half of global GDP and they accounted for more than 95% of world economic growth between 2008Q1 and 2011Q4. They are now facing a set of inter-related challenges, including high and growing levels of debt to GDP, slowing economic growth, falls in commodity prices which has hit commodity exporters and a strong US dollar.

The healing process How should we read this picture? Is it still slow healing, just slower and hit by more adverse events than we expected? Or, like our friend the frog, has the gradual nature of the drift down in prospects and the fact that the deflationary shock looks so clearly to have been externally generated lulled us into missing some more fundamental shift? Is the water around us much colder than we thought? I think there is still some mileage in the slow healing story to explain the drift down in UK growth and the failure of pay and productivity to recover. One cannot repair quickly the damage to the global economy from the worst international financial crisis for 80 years. Some, but not all, of the effects of the financial bust and deep recession have passed. But some have not. I want to look now at some of these effects and headwinds that may be holding us back.

P a g e | 124


First, there are signs that there may still be some scarring effects in the labour market. The amount of average weekly leave taken - a sign of worker confidence - has recovered sharply over the last two years but remains someway off its pre-crisis level. And long-term unemployment and the proportion of part-time workers who say they want full-time jobs remains elevated. To the extent that workers do not yet feel confident in asking for a pay increase, that might be one reason why wage growth has been relatively unresponsive to the sharp fall in unemployment. And we may still be seeing some cyclical effects from changes in the composition of those in work; low skilled, low paid workers tend both to lose their jobs early in a recession and regain employment late in the recovery. The increases in employment over the last year or so have added proportionally more younger and lower skilled workers and hence pushed average pay down. Second, on top of some of these scarring effects, the deflationary shock from lower energy prices does seem to be having some effect on pay. The Bank's Agents have reported that low inflation is restraining pay awards. And the resulting increases in real disposable income may have made workers less willing to press for higher pay. Medium term inflation expectations appear to remain anchored and consistent with the inflation target. But the current very low rate of inflation may have made it less necessary for employers to increase pay now especially given low productivity. As the deflationary shocks pass, any dampening effect of inflation on pay should fade, providing inflation expectations remain well anchored. Migration may have had some role in restraining wage growth too, though evidence suggests that it has had only a small negative impact on average British wages.

P a g e | 125


Third, the economy is facing fiscal headwinds as the Government repairs the damage to the public sector balance sheet from the crisis and the deep recession. This drag on growth will continue for a number of years. In the decade prior to the financial crisis, government spending on average contributed 0.6 percentage points per year to GDP growth - over 2016-2018, the MPC expect it to contribute 0.1 percentage points on average. Fourth, headwinds from weakness in the world economy are also likely to endure. Net trade detracts from growth in every year of the MPC's forecast for UK growth. Overall, the healing story is for me, the story behind the MPC's latest forecast to which I subscribe. Growth picks up slowly over the next few years, driven by domestic consumption and business and housing investment. As the deflationary shocks from oil prices and the past strength of sterling wane, the closing of the output gap and consequent domestic cost pressures push inflation slowly back up to target. This forecast is premised on a market yield curve in which interest rates rise gradually though to levels substantially below their pre-crisis average. The forecast recognises the risks to this picture from another unfortunate event in the form of a harder landing in emerging markets.

Secular signals? But while one can still explain the current conjuncture this way, there must be less confidence in the healing story than when I first arrived on the MPC. We have already incorporated a weaker structural picture into our thinking. A few years ago we were expecting a period of above trend productivity growth to recover some of the productivity growth lost during the Great Recession. We no longer expect any catch-up of the lost productivity growth and indeed, productivity growth in our latest forecast only recovers to 1.8%, compared to 2.7% between 1950-2007 and 2.2% in the decade before the

P a g e | 126


crisis. This downgrading of prospects is true more broadly - according to the IMF, potential output growth in advanced economies fell from 2.2% over the period 2001-07 to 1.5% over 2013-14. And the natural rate of interest probably remains around, or a touch below, zero. This is the unobservable underlying real interest rate that is consistent with inflation at target and economic activity at its potential. One cannot observe this "natural rate" directly; it has to be estimated and that is difficult to do with precision. In the crisis, estimates of this rate were deeply into negative territory, which is why the MPC cut Bank Rate to 0.5% and launched quantitative easing (QE). The MPC's asset purchases can be thought of as equivalent to reducing the level of Bank Rate, since both policies provide stimulus to activity and boost inflation. If you adjust real Bank Rate to factor in the effects of QE, the resulting, "adjusted", rate is probably below zero at present. Our latest forecast is consistent with the natural rate and adjusted Bank Rate recovering slowly. But it is very much part of our thinking that the natural rate of interest will not rise to pre-crisis levels which is why we believe increases in Bank rate will be both gradual and limited. Moves in financial markets may also be signalling nervousness in the slow healing story. Financial markets drifted down in the second half of 2015 and they fell quite sharply in the first months of this year. Some of these moves have recovered a bit in the last week or so. But nevertheless current market signals seem to be suggesting a structurally weaker economic picture. UK 10-year real yields are negative. And yield curves are flat as far as the eye can see - the 5-year point on the UK forward market interest rate curve has fallen by around 0.8 percentage points to 1% in the last month. It is difficult to identify any really major economic news in 2016 that might underlie this. Rather it may be that markets are shifting to a new perception of the world economy and risks, and of policy-makers' ability to respond to future challenges.

P a g e | 127


Policy implications What does all of this mean for policy? While the water has not become as warm as two years ago I thought it would, I do not yet see enough evidence that we have missed some shift to a permanently colder environment. My central expectation remains that as the effects of the crisis continue to heal and as the deflationary effects of past sterling strength and oil price falls wane, domestic cost pressures will gradually push inflation back to target. I will be looking to see that consumer confidence remains robust and business intentions remain strong. I will be watching to see if pay growth picks up as disinflationary pressures fade and if productivity growth accelerates as a result of the pick-up in investment and of the tightness of the labour market. And I will be looking very carefully at the risks of another unfortunate event for the UK economy from a hard landing elsewhere in the world. If economic growth falters and pay and productivity remain stuck at current levels then the healing story will become increasingly less convincing. There are of course other possible stories one can tell about the economy and other risks. I want to mention three. The first is the possibility, much in the news two years ago, that monetary policy will not react in time to the build-up of inflationary pressure. Monetary policy typically has its peak impact on inflation somewhere between 18 and 24 months ahead. The risk here is that when the current external disinflationary pressures subside, domestic cost growth pressures will have built up and will push inflation above target before monetary policy can restrain it. I would not discount this risk. The labour market has clearly become much tighter. And if pay is being held down by cyclical or scarring effects, these could change quickly. And there has been a substantial depreciation in sterling in the past three months which will push up on inflation, possibly more

P a g e | 128


quickly than the usual prolonged lag between changes in the exchange rate and inflation. But with interest rates near the effective lower bound, with powerful disinflationary forces from abroad likely to persist for the next year, with low growth in unit labour costs and with an economy growing at around 2%, I think this is the lesser risk. Second, there is the concern that continued low interest rates lead to the build-up of financial stability risks through an acceleration of credit growth, increase in bank leverage and household indebtedness. The financial system has only recently come back to life with economy-wide credit now growing in the UK at around the rate of GDP. While there are some elements of credit that are growing more strongly, such as buy to let mortgages and unsecured debt, I think we are now emerging from the post-crisis phase and in a more standard stage of the credit cycle and we now have macroprudential tools to manage risks as they build up. Of course, even after paying down debt following the crisis, UK households' indebtedness is high by historical and international measures so there may not be a great deal of room for growth in this area if we want to avoid vulnerabilities building up in the economy generally. The growth in credit since the crisis, however, has been in emerging markets rather than in advanced economies which brings me to the last risk - an unfortunate event from some form of a hard landing in major emerging markets. These are now a large part of the world economy and debt stocks in many emerging economies have grown sharply over the last eight years. This could amplify the stresses many of these economies already face from the inter-related effects of slower emerging market economy growth, much lower commodity prices and a stronger dollar. A more severe slowdown and debt-related financial stress in key emerging markets could well have an impact on advanced economies, including the UK, through a number of channels.

P a g e | 129


One reassuring point is that the major UK banks and building societies were tested against precisely this scenario by the Bank of England in 2015 and demonstrated they had the resilience to weather such a shock and carry on lending to the UK economy.

Conclusion Looking back over the last two years, I think that the slow healing story can still explain where we are and provide a guide to our future prospects. But the story has to be adapted in the face of more UK and world weakness than I had expected and this weakness might be signalling that there are deeper structural factors at work. Nonetheless, my central projection remains that the UK economy will continue to grow solidly and that inflation will return to target over the next few years. But, as always, policymakers need to be alive to the possible meaning of disappointments, to be very sensitive to the possibility of changing temperatures around them, and to the risk of unfortunate events. We have a range of tools at our disposal and should be ready to use them whichever risk materialises.

P a g e | 130


Interest rate benchmarks Guy Debelle, Assistant Governor (Financial Markets) of the Reserve Bank of Australia, at the KangaNews Debt Capital Markets Summit 2016, Sydney

I would like to thank Ellis Connolly for assistance in the preparation of these remarks. Today I am going to talk again about interest rate benchmarks, as there have been some important recent developments. These benchmarks are very much at the heart of the plumbing of the financial system. They are widely referenced in financial contracts. For example, the interest rate on a corporate loan is often a spread to an interest rate benchmark. Many classes of derivative contracts generally are based on them, as are most asset-backed securities. In light of the issues around London Inter-Bank Offered Rate (LIBOR) and other interest rate benchmarks, there has been a global reform effort under the aegis of the Financial Stability Board (FSB) and the International Organization of Securities Commissions (IOSCO) to improve the functioning of interest rate benchmarks. I will focus on domestic reforms around the principal interest rate benchmark in Australia, the bank bill swap rate (BBSW). I will also mention plans underway to introduce a “risk-free” interest rate for the domestic market, as a complement to BBSW. I will not talk about the investigations that ASIC is currently undertaking into conduct around BBSW.

Reforms to the BBSW methodology As you may be aware, in recent months, the Council of Financial Regulators (CFR) has been conducting a consultation on possible reforms to the BBSW methodology.

P a g e | 131


I will run through the motivation for doing so, outline the key issues that have been raised in the consultation, and put forward some proposed reforms for market participants to consider. Given its wide usage, BBSW has been identified by ASIC as a financial benchmark of systemic importance in our market. It is important there is ongoing confidence in it. Without that, we have a serious problem, given its integral role in the infrastructure of domestic financial markets. As you may know, BBSW was calculated for a number of years by, each day, asking a panel of banks to submit their assessment of where the market was trading in Prime Bank paper at a particular time of the day. While it was a calculation based on submissions, it differed from LIBOR in that BBSW submitters were asked about where the market for generic Prime Bank paper was trading that day. In contrast, LIBOR submitters were asked about where they thought their own bank’s cost of funds was that day. In response to the prospect of a large number of the participants on the submission panel no longer being willing to provide submissions, the calculation of BBSW was reformed in 2013 in line with the IOSCO Principles for Financial Benchmarks, which were issued in July 2013. Since 2013, the Australian Financial Markets Association (AFMA) has calculated BBSW benchmark rates as the midpoint of the (nationally) observed best bid and best offer (NBBO) for Prime Bank Eligible Securities, which are bank accepted bills and negotiable certificates of deposit (NCDs). Currently, the Prime Banks are the four major Australian banks. The rate set process uses live and executable bid and offer prices sourced from interbank trading platforms approved by AFMA, These platforms are currently ICAP, Tullett Prebon and Yieldbroker. The bids and offers are sourced at three points in time around 10.00 am each day. While the outstanding stock of bills and NCDs issued by the Prime Banks has increased since 2013 to around $140 billion (Graph 1), trading activity during the daily BBSW rate set has declined over recent years to very low

P a g e | 132


levels (Graphs 2 and 3).

P a g e | 133


There are quite a number of days where there is no turnover at all at the rate set. The low turnover in the interbank market raises the risk that market participants may at some point be less willing to use BBSW as a benchmark. This is the motivation for the CFR’s consultation to ensure that BBSW remains a trusted, reliable and robust financial benchmark. There is considerably more activity in the NCD market than is being measured at the rate set, with the activity mainly occurring outside the interbank market. Given the size of the market and the short maturity of the securities, on average over $1 billion in NCDs are issued each day. Some preliminary data collected from the four major Australian banks indicate that this issuance is regular, with at least $100 million in NCDs bought or sold on almost all business days at the one, three and six-month tenors. However, the non-bank participants that buy and sell NCDs tend to transact bilaterally with the issuing bank, with the price struck at the (yet to be determined) BBSW rate, rather than at a directly negotiated rate. If these participants could be encouraged to buy and sell NCDs at outright

P a g e | 134


yields, then these transactions would have the potential to make the BBSW benchmark more robust. Consistent with there being a shift in NCD trading activity to outside the interbank market, banks’ holdings of NCDs as a share of total issuance has declined over recent years to below 20 per cent (Graph 4). Over the same period, there has been a steady increase in holdings by super and other investment funds, with their share of NCD issuance rising to almost half recently.

As part of the consultation, the CFR received 15 written submissions from a wide range of market participants, including the Prime Banks, NCD investors, and users of BBSW as a benchmark. We have also spoken directly with market participants to better understand what has caused the decline in trading activity during the rate set and to discuss potential solutions. To bring all this together, the CFR recently released a discussion paper for AFMA and market participants to consider, which summarises the views of market participants and proposes some improvements to the BBSW methodology. Most market participants share our concern about the low trading volumes

P a g e | 135


during the rate set and acknowledge that changes to the BBSW methodology will be necessary. But before making any changes, it is crucial to understand why so little trading has been occurring during the rate set. Four key reasons were put forward by market participants: • First, institutions face a potential conflict of interest when they participate in the market underpinning a benchmark as well as the derivatives market that references the benchmark. Many institutions state they are uncertain about how regulators expect these conflicts to be managed. As a result, they are reluctant to trade during the rate set. • Second, managers of money market funds are reluctant to trade at outright yields during the rate set. They prefer to agree the volume of their bill transactions with a Prime Bank before 10.00 am and set the rate after 10.00 am at BBSW, since this minimises their tracking error against their benchmark. • Third, investors subject to credit limits are reluctant to trade during the rate set where bills are traded as a homogeneous asset class, as they could be delivered the bills of a Prime Bank for which they have already used up their credit limit. • Finally, foreign bank branches have less demand for bank paper than in the past since it is not considered a high-quality liquid asset under the Liquidity Coverage Ratio either in Australia or in their home jurisdictions. Despite these challenges, it is crucial that BBSW remain a trusted, reliable and robust financial benchmark given its importance to the financial system. To ensure this, the CFR has put together a proposal for the evolution of the BBSW methodology, taking into account the feedback provided through the consultation process. In putting forward this proposal, the key objectives are to ensure that:

P a g e | 136


• BBSW is anchored to observable arm’s length transactions in an active underlying market; • the BBSW calculation mechanism is robust to changing market conditions; • the fundamental properties of BBSW are maintained to ensure a seamless transition for financial contracts as the methodology evolves. While most participants are in favour of some changes to the methodology, there are many features of the existing methodology where there is consensus that they should be retained. In particular, there was broad support that the securities underlying BBSW continue to be the NCDs and bank bills of the Prime Banks, as they are relatively homogeneous and liquid. As a result, we don’t need to go down the path of calculating BBSW as a broader measure of banks’ short-term wholesale funding, as is being considered for LIBOR and Euro Interbank Offered Rate (EURIBOR). This avoids the risk of there being a significant change in the characteristics of BBSW which could lead to contract frustration. To boost activity during the rate set, most submissions supported broadening the definition of the underlying market beyond the interbank market to include transactions with a wider range of counterparties, such as investment funds and the treasury corporations. These submissions highlighted that there is much more activity in the market prior to the rate set than during the rate set. This activity prior to the rate set has the potential to underpin BBSW, assuming market participants agree to transact at directly negotiated rates rather than at BBSW. Given the much larger role that non-banks play in the market, we agree that it is time to widen the underlying market beyond the interbank market to include such counterparties. There is a risk that activity in the interbank market alone will not be sufficient to support the calculation of BBSW, and the credibility of the benchmark would be enhanced by the participation of counterparties that

P a g e | 137


come from outside the banking sector. The key change to the methodology proposed by many of these submissions was to calculate BBSW directly from market transactions, rather than using the NBBO method. That is, calculating BBSW as the volume-weighted average price (VWAP) of market transactions during the rate set window. Given the objective is to better anchor BBSW to transactions in the underlying market, we support moving the calculation methodology to the VWAP. Calculating the VWAP should be feasible for the one, three and six-month BBSW tenors, since these are the most liquid. The Prime Banks issue three and six-month NCDs on almost a daily basis, and there is an active market in buying back one month NCDs. If there were to be insufficient transactions to calculate the VWAP at these tenors, NBBO was widely supported by market participants as an appropriate fall-back methodology. However, there is unlikely to be sufficient liquidity in the underlying market at the two, four and five-month tenors to reliably calculate the VWAP, so we propose that these tenors be calculated by interpolation from the more liquid tenors. While there was solid support for the VWAP methodology, there was a wide range of views as to how the transactions during the rate set should be executed. Three methods proposed were: 1. Direct negotiation between Prime Banks and investors, with issuance and secondary market transactions being negotiated and executed in terms of outright yields, most likely over the phone. A rate set window of around 60–90 minutes (for instance, from 8.30 am to 10.00 am) should provide sufficient time for such transactions to take place. 2. An electronic trading market, with transactions being executed on the

P a g e | 138


trading platforms where the Prime Banks and investors post bids and offers in terms of outright yields for a particular Prime Bank’s NCDs. A rate set window of around 30–45 minutes (for instance, from 9.15 am to 10.00 am) should be sufficient. 3. A tender process, with the issuance and secondary trading of each Prime Bank’s NCDs taking place in terms of outright yields through an auction. Given that all the transactions would be executed at the same time, the rate set window could be quite short (for instance, bids and offers could be submitted over a 15-minute period, with the tender closing at 10.00 am). Each of these methods has its advantages and disadvantages. Conducting the transactions over the phone is flexible and is most similar to current market practice, so it would be unlikely to require extensive changes to systems and procedures. However, it would be the least transparent, which may discourage participation from investors and necessitate more oversight of the conduct of market participants. An electronic trading market would also be able to facilitate a wide range of transactions while significantly improving market transparency. However, the platforms currently only serve the inter-bank market, so other participants would need to change their systems and procedures. Finally, a tender would probably have the shortest rate set window, reducing basis risk for investors and minimising the length of time that the Prime Banks are required to make prices. However, the design of the tender would be quite complex to support a wide range of transactions such as switch trades (where, for instance, an investor simultaneously sells NCDs with a one-month tenor and purchases those with a six-month tenor). This may lead some market participants to be reluctant to participate. While none of these execution methods is clearly superior to the others in all dimensions, the market will need to eventually coalesce around one of them to maximise the amount of activity during the rate set.

P a g e | 139


To me, the methods involving trading on electronic platforms are the most attractive, given the associated visibility and transparency that comes with trading across a platform. However, to ensure that BBSW remains robust in the near term, it may be necessary for market participants to continue transacting over the phone but at outright yields, and for the benchmark administrator to use these transactions to calculate the VWAP. Regardless of which method for executing the transactions is chosen, the key challenge is going to be to get investors to be more comfortable with transacting a significant share of their NCD transactions at directly negotiated rates. Maintaining BBSW as a robust benchmark is clearly in everyone’s best interest, including the Prime Banks, since many of their loan contracts reference BBSW, and the investment funds, since BBSW is their performance benchmark. So to some extent, we should be able to rely on the survival instincts of all participants in the market to encourage more activity during the rate set. This is why we are proposing that the market convention should be for the Prime Banks to conduct their primary issuance and secondary market trading in terms of outright yields during the rate set window. Nevertheless, the current lack of trading activity during the rate set suggests that there may need to be more explicit incentives to encourage participation in the rate set, particularly from a broader range of NCD investors. Assuming the market shifts to trading on the electronic platforms, the improvement in market transparency that would result may be enough to encourage more buy-side participation. We note that some submissions suggested more onerous alternatives. For instance, one way to ‘encourage’ investors to transact at outright yields would be for the Prime Banks to charge a fee for Eligible Securities transactions negotiated at the BBSW rate. Alternatively, if the bulk of market activity continues to take place outside the rate set window, the Administrator could keep widening the window,

P a g e | 140


which at the extreme could be a 24-hour period to ensure that all market activity is within scope. We do not support these alternatives at this stage, as they would not be in the best interests of investors. However, if activity during the rate set continues to be too low to sustain BBSW in the medium term, then these alternatives may need to be reconsidered. So the key questions that we are left with are: • First, how should the transactions be executed during the rate set window for BBSW to be calculated as the VWAP? • Second, will market participants be willing to transact at directly negotiated rates rather than at BBSW? These questions are the focus of our continuing discussions with AFMA and market participants. While the CFR has an ongoing interest in BBSW as a systemically important financial benchmark, the ultimate responsibility for the BBSW methodology, and the implementation of any changes, resides with the administrator of the benchmark. The CFR appreciates that AFMA and market participants will need to give the proposal in the discussion paper further consideration, and that any associated changes to market practice and infrastructure will take time to implement. As a result, it will be necessary for the current BBSW methodology to be maintained for a period. To support this process, we have put forward a timeline for consideration of the proposal by AFMA and market participants as well as the implementation of changes by the administrator. We would like to see AFMA complete any further consultation and finalise a set of amendments to the BBSW methodology by the middle of this year, and for the changes to be implemented by the end of this year – although we acknowledge that the feasibility of this timeline will depend on the scope of the amendments to the methodology that are eventually implemented.

P a g e | 141


Risk-free rates Next I would like to briefly raise some issues around whether the use of BBSW needs to be quite as widespread as it is. In a number of instances, BBSW has become the default reference rate without much thought being given as to whether it is the most appropriate reference rate. BBSW is a credit-based reference rate. It is based on the borrowing costs of the major banks, with the credit risk that entails embodied in the rate. For a number of purposes, a credit-based rate is completely appropriate. However, for other purposes, a rate that is closer to risk-free may be more appropriate. For instance, in recent years, market participants have moved to use overnight-indexed swap (OIS) rates more often when discounting the cash flows in their swaps. The FSB, through its official sector steering group (OSSG) on benchmark reform, is encouraging market participants to contemplate switching from credit-based benchmark rates like BBSW or LIBOR to risk-free rates, where appropriate. In the local market, there appears to be growing interest in using risk-free rates as benchmarks. Such a rate could be backward looking, like the cash rate, or forward looking, like OIS rates. As a first step, some market participants have indicated that a total return index of the cash rate would be a useful backward-looking benchmark. Implementing this would be straightforward, since the RBA already calculates and publishes the cash rate. Some market participants are also interested in referencing a forward-looking rate with equivalent tenors to BBSW, and we will continue to work with AFMA on the development of such a benchmark.

P a g e | 142


One example where a change in reference rate could be contemplated is for floating rate notes (FRNs) issued by governments. FRN coupon payments are typically priced at a spread to BBSW. While referencing BBSW makes sense for FRNs issued by banks, it is less clear why governments should tie their coupon payments to a measure of bank funding costs. That is one example worthy of consideration. There are a number of others. I know this is not necessarily an issue you may have thought that much about until now. At the very least, I would encourage you to at least ask the question whether the product you are issuing or holding is using the most appropriate reference rate.

Conclusion Let me conclude. Interest rate benchmarks such as BBSW are a very critical part of the plumbing of the financial system. Market participants need to have confidence in their robustness and integrity. To help ensure that is the case, the CFR has undertaken a consultation process on the BBSW methodology. The industry, working through AFMA and with the CFR, will need to act on these proposals to ensure that BBSW remains a trusted, reliable and robust financial benchmark.

P a g e | 143


European Union Agency For Network And Information Security

Big Data Threat Landscape and Good Practice Guide Executive Summary The term Big Data is often used loosely to designate the palette of algorithms, technology and systems employed for collecting data of unprecedented volume and variety, and extracting value from them by massively parallel computation of advanced analytics. The sources of Big Data are many and diverse. Distributed multimedia sensors on the Internet of Things, mobile telecommunication devices and networks, distributed business processes, and Web-based applications are all candidate data providers/generators. As Big Data usage has increased over the years, the various algorithms, technologies, and systems are gradually reaching a level of development and maturity suitable for widespread adoption. Experience has shown that Big Data applications can provide a dramatic increase in the efficiency and effectiveness of decision-making in complex organizations and communities. It is expected that it will constitute an important part of a thriving data-driven economy, with applications ranging from science and business to military and intelligence. However, besides its benefits or in some cases because of them, Big Data also bears a number of security risks. Big Data systems are increasingly becoming attack targets by threat agents, and more and more elaborate and specialized attacks will be devised to exploit vulnerabilities and weaknesses. This Threat Landscape and Good Practice Guide for Big Data provides an overview of the current state of security in the Big Data area. In particular, it identifies Big Data assets, analyses exposure of these assets to threats, lists threat agents, takes into account published vulnerabilities

P a g e | 144


and risks, and points to emerging good practices and new researches in the field. To this aim, ongoing community-driven efforts and publicly available information have been taken into account. The study analyses threats to all identified Big Data asset classes. Highlights include:

Big Data threats include, but are not limited to, threats to ordinary data. The high level of replication in Big Data storage and the frequency of outsourcing Big Data computations introduce new types of breach, leakage and degradation threats that are Big Data-specific.

Big Data is having significant privacy and data protection impacts. The creation of links at data collection (a.k.a. “ingestion”) time is a key requirement for parallelization – and therefore performance - of Big Data analytics, but the additional information it creates may increase the impact of data leakages and breaches.

The interests of different asset owners (e.g., data owners, data transformers, computation and storage service providers) in the Big Data area are not necessarily aligned and may even be in conflict. This creates a complex ecosystem where security countermeasures must be carefully planned and executed.

As in many other areas of ICT, starting to apply basic privacy and security best practices would significantly decrease overall privacy and security risks in the Big Data area. At this still early stage of this emerging paradigm, embracing the Security-by-default principle can prove to be both highly practical and beneficial; as opposed to the cost and effort required to provide ad hoc solutions later on. This guide finally provides a gap analysis presenting a comparison between identified Big Data threats and identified Big Data countermeasures. In this context, the lack of current Big Data countermeasures and pressing needs in the development of next-generation countermeasures are

P a g e | 145


discussed. In particular, the question arises of the trend of current countermeasures of adapting existing solutions against traditional data threats to the Big Data environments, mostly focusing on the volume of the data. This practice mainly targets scalability issues and clearly does not fit the Big Data peculiarities (5V- Volume, Variety, Value...) resulting in partial and ineffective approaches. A set of recommendations for next-generation countermeasures concludes the guide. Among these recommendations, we remark: i) to depart from current approaches for traditional data, defining Big Data-specific solutions, ii) to identify gaps and needs for current standards, planning the definition of standardization activities, iii) to focus on training of specialized professionals, iv) to define tools for security and privacy protection of Big Data environments, v) to clearly identify Big Data assets simplifying the selection of solutions mitigating risks and threats. Aligning to its mandate ENISA published two more reports studying the impact of Big Data in the more specialized areas of data protection and privacy (“Privacy by design in big data”4) and critical infrastructures.

1. Introduction In this reports ENISA elaborates on threats related to Big Data, a technology that has gained much traction in recent years and is expected to play a significant role affecting various aspects of our sociatey, ranging from health, food security, climate and resource efficiency to energy, intelligent transport systems and smart cities. The European Commission has acknowledged the potential impact of Big Data in a “thriving data-driven economy” by outlining a strategy on Big

P a g e | 146


Data. According to estimates, the value of just personal data of EU citizens has “the potential to grow to nearly €1 trillion annually by 2020” (sic). It is thus conceivable that data will continue to be a significant economic drive. But also in science and research Large and nowadays Big Data continue to proliferate and many agencies and institutions in Europe and around the globe have or are planning to launch Big Data projects to facilitate scientific data analysis and exploitation. Big Data technologies are also being used in military applications; such as fighting terrorism; assisting in combat; gathering and analysing intelligence from heterogeneous sources, including battlefield data and open sources. In addition, many existing data intensive environments have in recent years adopted a Big Data approach. To name just a few examples, Facebook is thought to store one of the biggest datasets worldwide, storing more than 300 petabytes of both structured and unstructured data; Twitter recently decided to tap directly into its own raw data using Big Data analytics and the world’s telecommunications capacity was already by 2007 near 65 Exabytes (without signs of this trend declining); straining existing storage and analytic processes and technologies. Given that Big Data approaches make use of extremely novel and high tech ICT systems, with little time to mature against cyber-attacks it is not suprising that attacks are showing an increased trend in both number, sophistication and impact. But because of the loose use of definitions and the unwillingness of affected organizations to disclose attack data, accurate estimates are not easy to come up with. Additionally, as more and more businesses and organizations venture into the Big Data field, attackers will have more incentives to develop specialized attacks against Big Data. Somewhat paradoxically, Big Data approaches can also be used as a powerful tool to combat cyber threats by offering security professionals

P a g e | 147


valuable insigts in threats and incident management. Being an ENISA deliverable in the area of Threat Landscape, this report constitutes a detailed threat assessment in the area of Big Data, based on input from the ENISA Threat Landscape activities. The rationale behind this piece of work is to “deepen” the generic threat assessment by taking into account the specificities of Big Data.

Policy context Threat analysis and emerging trends in cyber security are an important topic in the Cyber Security Strategy for the EU. Moreover, the new ENISA regulation highlights the need of analysing current and emerging risks and dictates that “the Agency, in cooperation with Member States and, as appropriate, with statistical bodies and others, collects relevant information”. More specifically, it is stated that it should “enable effective responses to current and emerging network and information security risks and threats”. To this end the ENISA Work Programme 2015 included this study on “Big Data Threat Landscape and Good Practice Guide” as one of this year’s deliverables (“WPK1.1-D2: Risk Assessment on two emerging technology/application areas” that focuses on Big Data). The report aims to identify emerging trends in cyber-threats and to provide a concise state of the art analysis of the cyber threat and security issues of Big Data; consolidating existing and open literature and available information, and contributing to a cyber security public and private initiatives by addressing industry concerns in the area..

1.1 Scope This report contributes to the definition of a threat landscape, by providing an overview of current and emerging threats applicable to Big Data technologies, and their associated trends. Several Big Data definitions exist in the literature and the area is constantly being shaped by advantages in methods, tools, and new applications, thus it is not possible to take into consideration all Big Data systems.

P a g e | 148


The research done focuses on assets, threats and controls applicable to prominent, important and/or widely used

1.2 Big Data systems. The goal is to deepen our understanding of the threats that affect Big Data and to provide good practices and recommendations for those threats that are considered important or emerging.

1.3 Target audience It is expected that this report will be useful for performing detailed Risk Assessments (RA) and Risk Management (RM) by Big Data providers and operators according to their particular needs and for Big Data consumers in drafting their SLAs. The asset and threat taxonomies presented here are to be expanded by asset owners, based on the particular Big Data system instantiation at hand, before being used as input to RA/RM and cyber threat exposure analysis. Moreover, the presented Big Data threat landscape will be of use to policy-makers for understanding the current state of threats and respective mitigation practices and measures in the area. Further, the extensive research of relevant existing literature in Big Data security and threat research means this study will be of particular interest to researchers and institutions working in the field.

1.4 Methodology This study and its outcome are based on desk research and review of conference papers, articles, technical blogs and a variety of other open sources of information relevant to Big Data. This report identifies the majority of sources consulted; the details of all documentary sources consulted during this study are available on request. More than one hundred documentary sources were identified through a number of search methods, including specialist search engines for academic sources and journal articles. The sources collected are all in English.

P a g e | 149


The overall work went through a three-step process as follows: The first step “Information collection” was about the identification and collection of relevant information, in particular the assets and threats. The second step “Assessment, Guidelines and Gap Analysis” performed an analysis about the collected information to identify current and emerging trends and then elaborated countermeasures in a Big Data scenario. The third step “Good practices definition” was focused on findings, current practices, and needs that formalized the Big Data threat landscape report. A final note, all referenced web resources were last accessed in November 2015.

1.5 Structure of this document The structure of document is as follows: in section 2 we define Big Data and describe an abstract architecture upon which the study is based; in section 3 we present an asset taxonomy for Big Data; in section 4 we identify threats against Big Data, based on the threat taxonomy used by ENISA in “Threat Landscape and Good Practice Guide” reports, and map these threats to Big Data assets; in section 5 we consider which threat agents are more relevant to Bog Data attacks; in section 6 we present a set of recommendations and good practices for Big Data; we conclude in section 7 with a gap analysis. In addition 6 annexes are provides at the end of the report. Annex A contains the Big Data asset taxonomy in full depth; including all identified asset groups, asset types, assets and asset details. Annex B contains the detailed Big Data asset taxonomy diagram. Annex C contains the Big Data threat taxonomy in full detail; including all identified threat groups/types correlated to threat agents and affected Big Data assets. Annex D contains the detailed Big Data threat taxonomy diagram. Annex E contains a concise presentation on how Big Data analytics can assist security professionals in analysing threats and attacks and detecting intrusion and fraud cases.

P a g e | 150


Annex F contains a summary of existing threat taxonomies, which were used along with ENISA’s threat taxonomy to drive this study.

2. Big Data Environments The term Big Data describes the vast amount of data in our information-driven world. In a 2001 research report and related lectures, the META Group (now Gartner) defined the data growth challenges and opportunities as being three-dimensional, i.e. increasing Volume (amount of data), Velocity (speed of data in and out), and Variety (range of data types and sources). Gartner, and then the industry, used this "3Vs" model for describing Big Data: "Big data is high volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery and process optimization.”. Additionally, some new Vs have been added by some organizations to further define Big Data: "Veracity" (data authenticity since the quality of captured data can vary greatly and an accurate analysis depends on the veracity of source data), “Variability” (data meaning is often changing, and the data can show inconsistency at times, and this can hamper the process of handling and managing the data effectively) and “Value” (the potential revenue of Big Data). This being a developing field, several other alternative or complenetary definitions have been proposed, in an effort to capture different nuances attributed to Big Data; such as its evolutianary nature: “datasets whose size is beyond the ability of typical database software tools to capture, store, manage, and analyze.” (sic). Given that the field is still not mature, for the purposes of this report we take into account the different ways Big Data is defined. While a great scientific opportunity exists with Big Data, this growth is outpacing the technological advances in computational power, storage, analysis and analytics. Furthermore a real concern is arising about the security of this massive amount of digital information, the data protection and privacy issues, and the protection of the (critical) infrastructure supporting it.

P a g e | 151


2.1 Big Data architecture The architecture is a high-level conceptual model that facilitates the discussion of security requirements in Big Data and introduces the terminology used in this report. It does not represent the system architecture of a specific Big Data system, nor it is tied to any specific vendor products, services, or reference implementation, but rather it is a tool for describing some common Big Data components; i.e. the Big Data environment. In our vision the notion of Big Data architecture can be detailed into five layers: “Data sources”, “Integration process”, “Data storage”, “Analytics and computing models“, “Presentation”.

The function of each layer is as follows: The “Data sources” layer consists of disparate data sources, ranging from sensor streaming data, to structured information such as relational databases, and to any sort of unstructured and semi-structured data. The “Integration process” layer is concerned with acquiring data and

P a g e | 152


integrating the datasets into a unified form with the necessary data pre-processing operations. The “Data storage” layer consists of a pool of resources such as distributed file systems, RDF stores, NoSQL and NewSQL databases, which are suitable for the persistent storage of a large number of datasets. The “Analytics and computing models” layer encapsulates various data tools, such as Map Reduce, which run over storage resources and include the data management and the programming model. The “Presentation” layer enables the visualisation technologies. Cloud computing can be deployed as the infrastructure layer for Big Data systems to meet some infrastructure requirements, such as cost-effectiveness, elasticity, and the ability to scale up or down.

3. Big Data assets Assets can be abstract assets (like processes or reputation), virtual assets (for instance, data), physical assets (cables, a piece of equipment), human resources, money”. An item of our taxonomy is either a description of data itself, or describes assets that generate, process, store or transmit data chunks and, as such, is exposed to cyber-security threats. For information security considerations, this study focuses on assets that are related mainly to information and communication technology (ICT) under the scope of Big Data. A major source of information for this study is the work made by the NIST Big Data Public Working Group (NBD-PWG), which is developing consensus on important and fundamental questions related to Big Data. They have produced two draft Volumes (Volume 1 about Definitions and Volume 2 about Taxonomy). Another source of information is the report “Big Data Taxonomy”, issued by Cloud Security Alliance (CSA) Big Data Working Group in September 2014. In that document, CSA proposes a six-dimensional taxonomy for Big Data, pivoted around the nature of the data to be analysed.

P a g e | 153


The objective is to help “navigate the myriad choices in compute and storage infrastructures as well as data analytics techniques” and the proposed structure is mainly intended as a high-level taxonomy for decision makers. Specifically, most of the terminology used in this report for high level asset types (Data, Infrastructure, Analytics, and Security and Privacy techniques) comes, with some small modifications, from the CSA taxonomy; where our term Infrastructure also comprises of the other two CSA main categories; viz. Compute Infrastructure and Storage Infrastructure. Another high-level type, Roles, comprises human resources and other related assets, as in previous ENISA thematic studies.

3.1 Big Data asset taxonomy The full list of identified the Big Data assets is given in Annex A.

P a g e | 154


3.2 Big Data asset categories With the following list we attempt to identify some of the known Big Data valuable assets in a hierarchical manner. The first and second level category items (asset group and asset type) can be thought of as intuitively clear, but we give a brief description of them nevertheless. The full taxonomy, with further levels in the taxonomy such assets and asset details, is presented in Annex A. Data – This is the core category of the Big Data taxonomy and includes: Metadata, i.e. schemas, indexes, data dictionaries and stream grammars’ data (which often but not necessarily come together with stream data). Structured data, i.e. database records structured according to a data model, as for example a relational or hierarchical schema; structured identification data, as for example users’ profiles and preferences; linked open data; inferences and re-linking data structured according to standard formats. Semi-structured and unstructured data, for example logs, messages and web (un)formatted data (Web and Wiki pages, e-mail messages, SMSs, tweets, posts, blogs, etc.), files and documents (e.g. PDF files and Office suite data in Repositories and File Servers), multimedia data (photos, videos, maps, etc.), and other non-textual material besides multi-media (medical data, bio-science data and raw satellite data before radiometric/geometric processing, etc.). Streaming data, i.e. single-medium streaming (for example in-motion sensor data) and multimedia streaming (remote sensing data streams, etc.). Volatile data, i.e. data that are either in motion or temporarily stored, as, for example, network routing data or data in devices’ random access memory. Infrastructure – The term infrastructure comprises software, hardware resources denoting both physical and virtualized devices, the basic computing infrastructure with its batch and streaming processes and the storage infrastructure with all sort of database management systems, ranging from old-style relational databases to NoSQL or NewSQL, as well as Semantic Web tools.

P a g e | 155


Specifically, the Infrastructure first level category includes: Software, including operating systems, device drivers, firmware, server-side software packages (as Web and Application Server software) and applications. Applications sub-category includes software implementation as back-end services and all sorts of functionalities that utilize other assets in order to fulfil a defined task, such as for example asset management tools, requirements gathering applications, billing services and tools to monitor performances and SLAs. Hardware (physical and virtual), i.e. servers (physical devices and hardware nodes, all the virtualized hardware, including virtual Data Centres with their management consoles and virtual machines, as well as the physical hardware supporting their provisioning), clients, network devices (for example, physical switches, virtual switches and virtual distributed switches, etc.), media and storage devices (the various types of disk storage, etc.), data gathering devices (sensors, remote platforms as airborne platforms or drones, etc.), Human Interface Devices (HID) and mobile devices. Computing Infrastructure Models, this category includes paradigms of abstract processing architectures, on whether the processing can be done in batch mode, for example MapReduce; on real-time/near real- time streaming data, as for example Sketch or Hash-based models; or follow a unified approach supporting both, as for example Cloud Dataflow. Storage Infrastructure Models, this category includes paradigms of abstract storage architectures, including Big Files and triples-based models. Big Data Analytics – This category includes models which define protocols and algorithms for Big Data analysis, like procedures, models, algorithms definitions down to the source code, and analysis’ results. The category includes: Data analytics algorithms and procedures, which include algorithm source code with their set-up parameters, configuration and thresholds, metrics, the model definitions, advanced techniques that streamline the data preparation stage of the analytical process. Analytical results, either in textual or in graphical mode (e.g. spatial

P a g e | 156


layouts, abstract, interactive and real time visualizations). Security and Privacy techniques – This category name includes the term “techniques” to remark that the security-related assets it includes are the ones of interest to attackers and therefore more subject to unauthorized disclosure and leakage, as for example security best practice documents, cryptography algorithms and methods, information about the access control model used, etc. The category includes the following sub-categories: Infrastructure Security, i.e. the first aspect of a Big Data ecosystem security, which deals with how to secure the distributed computation systems and the data stores, with security Best Practices and policy set-ups. Data Management, i.e. documents and techniques about how to secure Data Storage and Logs, and documentation about granular audits and data life cycle (Data provenance). Integrity and reactive security, which deals with all the practices, techniques, and documents related to End Point validation and filtering and the monitoring of real-time security, including incident handling and information forensics. Data Privacy, i.e. all the techniques put in place to protect privacy as it is requested by law, for example cryptographic methods and access control. Roles - This terminology for this category was introduced by the NIST Big Data Public Working Group and includes: Data provider, such as enterprises, organizations, public agencies, academia, network operators and end- users. Data consumer, partly overlapping the previous category, but from a different scope, and including enterprises, organizations, public agencies, academia and end-users. Operational roles, i.e. system orchestrators (business leader, data scientists, architects, etc.), Big Data application providers (application and platform specialists), Big Data framework providers (Cloud provider personnel), security and privacy specialists, technical management (in-house staff, etc.).

P a g e | 157


We remark that leaving the taxonomy unbalanced (some sub trees, like those rooted in Data and Infrastructure are deeper than others) is a deliberate choice. Indeed some leaf subcategories of our taxonomy, such as Models definitions, could be used to integrate external taxonomies designed for different reasons, such as data science ones. Another remark is that most of the categories and sub-categories could be related to data, rather than Big Data. For example, relational databases are a very typical and common resource in every enterprise infrastructure, not necessarily storing big data volumes. Even when relational databases have big volume size, they are often manageable through traditional hardware clusters, appliances and software tools. Another example is applications’ random-access memory (featured in volatile data category), i.e. the data that is temporarily in memory due to processing operations. This memory is often (though not invariably, as witnessed by the success of in-memory processing systems) not large, compared to massive data sizes of in-memory databases. Nevertheless, we included these assets in our taxonomy for completeness of information. Data stored in relational databases, often very valuable for data owners, might be used in some cases as data source for analytics, while leakage of RAM content could compromise login credentials and cryptographic keys, paving the way to dangerous attacks to Big Data. The presented asset taxonomy should only be considered as a snapshot of the complex range of Big Data assets and could as such not be exhaustive.

4. Big Data threats 4.1 ENISA threat taxonomy In this section, we introduce the major characteristics of the ENISA threat taxonomy.

P a g e | 158


The ENISA taxonomy is a comprehensive one, with a special focus on cyber-security threats; i.e., threats applying to information and communication technology assets. Additional non-ICT-stemming threats have been considered to cover threats to physical assets and also both natural disasters [not directly triggered by humans] and environmental disasters directly caused by human. The threat taxonomy has been developed by the ENISA Threat Landscape (ETL) Group and is a consolidation of threats previously considered in other thematic reports and extensive research. The taxonomy includes threats applicable to the Big Data assets and only these are depicted in figure 4-1. In the following subsection, threats specific to Big Data that were identified through extensive literature that have been assigned to the relevant categories defined in ENISA’s Threat Taxonomy are mapped to the previously discussed Big Data Asset Taxonomy.

P a g e | 159


P a g e | 160


4.2 Mapping threats to Big Data assets In this section, we discuss the threats that can be mapped to the Big Data asset taxonomy presented in the previous chapter. This analysis is based on an extensive review of actual threat incidents and attacks to Big Data presented in articles, technical blogs, conference papers, as well as online surveys for gathering supplemental information. Our review was driven by the ENISA generic threat taxonomy presented in the previous section. In general terms, threats, such as network outage or malfunctions of the supporting infrastructure, may heavily affect Big Data. In fact, since a Big Data has millions of pieces of data and each piece may be located in a separate physical location, this architecture leads to a heavier reliance on the interconnections between servers. Past ENISA thematic reports have dealt in depth with threats such as outages and malfunctions, which affect network communication links. For this reason, in this report, we don’t take these threats into account. Also, we chose not to dwell on physical attacks (deliberate and intentional), natural and environmental disasters, and failures / malfunction (e.g. malfunction of the ICT supporting infrastructure), since their effects are strongly mitigated by the intrinsic redundancy of Big Data, though Big Data owners deploying their systems in private clouds or other on-premise infrastructure should take these attacks under serious consideration . In general, a threat is “any circumstance or event with the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service”. Given the definition we gave of Big Data (Volume, Velocity, Variety, Veracity, Variability and Value), a threat to a Big Data asset can be considered as any circumstance or event that affects, often simultaneously, big volumes of data and/or data in various sources and of various types and/or data of great value. We also identify two different sub-categories of threats: “Big Data Breach” and “Big Data Leak”, orthogonal to the used threat taxonomy.

P a g e | 161


A breach occurs when “a digital information asset is stolen by attackers by breaking into the ICT systems or networks where it is held/transported”. We can define “Big Data Breach” as the theft of a Big Data asset executed by breaking into the ICT infrastructure. A Big Data Leak on the other hand, can be defined as the (total or partial) disclosure of a Big Data asset at a certain stage of its lifecycle. A Big Data Leak can happen for example in inadequate design, improper software adaptation or when a business process fails. In terms of the attacker model, a Big Data Breach requires pro-active hostile behaviour (the break-in), while a Big Data Leak can be exploited even by honest-but- curious attackers.

4.2.1 Threat Group: Unintentional damage / loss of information or IT assets This group includes Information leakage or sharing due to human errors, unintentional intervention or erroneous use of administration of systems (misconfiguration), loss of devices.

Threat: Information leakage/sharing due to human error Accidental threats are those not intentionally posed by humans. They are due to misconfiguration, skill- based slips and clerical errors (for example pressing the wrong button), misapplication of valid rules (poor patch management, use of default user names and passwords or easy-to-guess passwords), and knowledge-based mistakes (software upgrades and crashes, integration problems, procedural flaws). Information leakage due to misconfiguration can be a common problem: according to a recent study, erroneous system administration setups led to numerous weaknesses in four different Big Data technologies; viz. Redis, MongoDB, Memcache and ElasticSearch. According to the same study most of these new products “are not meant to be exposed to the Internet. [...] These technologies' default settings tend to have no configuration for authentication, encryption, authorization or any other type of security controls that we take for granted. Some of them don't even have a built-in access control.”

P a g e | 162


Furthermore, in the past, there have been reported incidents of inappropriate sharing of files containing possible sensitive and confidential information, which affected even very popular online services like Dropbox. This is also confirmed by many surveys. The assets targeted by these threats include asset group “Data”, and asset “Applications and Back-end services” (such as for example “Billing services”).

Threat: Leaks of data via Web applications (unsecure APIs) Various sources claim that Big Data is often built with little security. New software components are usually provided with service-level authorization, but few utilities are available to protect core features and application interfaces (APIs). Since Big Data applications are built on web services models, APIs may be vulnerable to well-known attacks, such as the Open Web Application Security Project (OWASP) Top Ten list, with few facilities for countering common web threats. The security software vendor Computer Associate (CA) and other sources report data breaches, due to insecure APIs, in many industries, especially in social networks, mobile photo-sharing and video-sharing services, as Facebook, Yahoo and Snapchat. For example, a threat of this category may consist in injection attacks to Semantic Web technologies through SPARQL code injection. Security flaws are rather common in new Big Data languages like SPARQL, RDQL (both are read-only query languages) and SPARUL (or SPARQL/Update, which has modification capabilities). The use of these new query languages introduces vulnerabilities already found in a bad use of old-style query languages, since attacks like SQL, LDAP and XPath injection are already well known and still dangerous. Libraries of these new languages provide tools to validate user input and minimize the risk. However, “main ontology query language libraries still do not provide any

P a g e | 163


mechanism to avoid code injection” and without these mechanisms, attackers’ arsenal might get enhanced with SPARQL, RDQL and SPARQL injections. Other new Big Data software products, as for example Hive, MongoDB and CouchDB, also suffer from traditional threats such as code execution and remote SQL injection. The assets targeted by these threats belong to group “Data” and asset type “Storage Infrastructure models” (such as “Database management systems (DBS)” and “Semantic Web tools”)

Threat: Inadequate design and planning or incorrect adaptation Techniques for improving Big Data analytics performance and the fusion of heterogeneous data sources increase the hidden redundancy of data representation, generating ill-protected copies. This challenges traditional techniques to protect confidentiality51 and the effect of redundancy must be taken into account. As already stated, Big Data redundancy can be seen as a threat mitigation technique for physical attacks, disasters and outages, however in some cases it signals a system weakness, being a risk booster for Big Data leaks. In other words, if our Big Data storage replicates data records ten times and distributes the copies to ten storage nodes for some reason (e.g., to speed up the analytics pipeline), the ten nodes may end up with different levels of security robustness (e.g., different security software versions) and this will increase the probability of data disclosure and data leaks. This can be considered a specific weakness of Big Data designs. On the other hand we can also note that even the redundancy and the replication that are necessary features to enhance Big Data functionality, are not always a failsafe against data loss. For example Hadoop, the well-known framework for Big Data processing, replicates data three times by default, since this protects against inevitable failures of commodity hardware. However, a corrupted application could destroy all data replications.

P a g e | 164


Also, recent studies put forward the idea that Hadoop redundancy could even be a non-linear risk booster for Big Data leakages. Even the design of the Hadoop Distributed File System (HDFS) signals problems as reported by literature. HDFS is the basis of many Big Data large-scale storage systems and is used by social networks. HDFS clients perform file system metadata operations through a single server known as the Namenode, and send and retrieve file system data by communicating with a pool of nodes. The loss of a single node should never be fatal, but the loss of the Namenode cannot be tolerated. Big social networks, such as Facebook, suffered this problem and took countermeasures against the threat (Hadoop installed at Facebook includes one of the largest single HDFS cluster, more than 100 PB physical disk space in a single HDFS file system). One more threat related to the design is the lack of scalability of some tools. For example NIST reports that original digital rights management (DRM) techniques were not built to scale and to meet demands for the forecasted use of the data and “DRM can fail to operate in environments with Big Data characteristics— especially velocity and aggregated volume”. The assets that are targeted by these threats belong to asset groups “Data” and “Big Data analytics”, and to asset types “Software”, “Computing Infrastructure models“ and “Storage Infrastructure models”.

4.2.2 Threat Group: Eavesdropping, Interception and Hijacking This group includes threats that rely on alteration/manipulation of the communications between two parties. These attacks do not require installing additional tools or software on the victims’ infrastructure.

Threat: Interception of information A common issue that affects any ICT infrastructure is when offenders can

P a g e | 165


intercept communications between nodes by targeting the communication links. Various sources claim that inter-node communication with new Big Data tools is often unsecured, that it is not difficult to hijack a user session or gain unauthorized access to services in social networks as Facebook and Twitter, and that there is evidence of flaws in communication protocols. Big Data software distributions (for example Hadoop, Cassandra, MongoDB, Couchbase) rarely have the protocols that ensure data confidentiality and integrity between communicating applications (e.g., TLS and SSL) enabled by default or configured properly (e.g., changing default passwords). The assets targeted by this threat belong to asset groups “Data” and “Roles”, and to asset “Applications and Back-end services”.

4.2.3 Threat Group: Nefarious Activity/Abuse This group includes threats coming from nefarious activities. Unlike the previous group, these threats (often) require the attacker to perform some actions altering the victims’ ICT infrastructure; usually with the use of specific tools and software.

Threat: Identity fraud Big Data systems store and manage credentials for accessing personal data and financial accounts with information such as credit card numbers and payment and billing details, which are targets for cyber criminals. Big Data systems also store profiling data that can describe user behaviour, preferences, habits, travel, media consumption at a high degree of detail, and may help attackers in more elaborate forms of impersonation fraud, creating big opportunities for identity thieves. Since most Big Data systems are built on top of cloud infrastructure, a threat to users’ identity is, for example, when the control of a system interface, in either a Big Data system based on a large public cloud or in a widely used private cloud, gets lost. A successful attack on a console grants the attacker complete power over the victim's account, including all the stored data.

P a g e | 166


The control interfaces could be initially compromised via novel signature wrapping and advanced XSS techniques, then privilege escalation may lead to identity fraud. While in traditional information systems the loss of control of a console interface could cause limited information leakage, in Big Data the effect is amplified and the impact is more severe. Social engineering is not a new issue, but as social networking becomes important both for home users and businesses, attacks often involve social engineering. Attackers have been abusing social networks since they first came online. For example, XSS vulnerabilities on Twitter have been used to push malicious and fake tweets, while Internet malware has emerged on Facebook as a means of promoting malicious profiles. The assets targeted by these threats are “Personal identifiable information”, “Applications and Back end services” (such as, for example, “Billing services”) and “Servers”.

Threat: Denial of service Big Data components can be threaten by traditional denial of service (DoS) and distributed denial of service (DDoS) attacks. For example, such attacks may remove Big Data components from the network and then exploit its vulnerabilities or an attacker could exhaust the limited resources in a Hadoop cluster, leading to a significant decrease of system performance and causing the loss of the targeted resource to other cloud users. But, at the same time, countering mechanisms have been developed for/using Big Data systems. For example administrators of Hadoop infrastructure can deploy specialized components to track DDOS attacks. In the past this kind of attacks has led to some service outages for Amazon distributed storage, through elevated levels of authenticated requests and account validation.

P a g e | 167


Furthermore, as already stated, also specific attacks against social networks such as Facebook have been mounted, exploiting some weaknesses of the Hadoop Distributed File system, for example the Namenode single server. Assets targeted by this threat include the asset “Servers” (viz. Virtualized Data Centre”, “Physical Machine” and “Virtual Machine”) and the asset “Network”.

Threat: Malicious code / software / activity These very generic threats affect almost all the ICT components of an infrastructure. Examples of these threats are: i) exploit kits, which allow virus and malware infections, ii) worms, which may be distributed by using the network to send copies to other nodes, iii) Trojans, which are pieces of malware that facilitate unauthorized access to a computer system, iv) backdoors and trapdoors, which are undocumented entry points into a computer program, generally inserted by a programmer to allow remote access to the program, v) service spoofing, which is an attack in which the adversary successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage, vi) web application attacks and injection attacks through code injection –examples of exploiting this threats to mount more elaborate attacks have already been discussed –. After the deployment of the code, the attacker may manipulate infected devices. In Big Data, malware infected nodes may send targeted commands to other servers and disturb or manipulate their operations, worms may replicate themselves sending copies to other nodes and affect the behaviour of all components connected to the network.

P a g e | 168


There is always the possibility that vendors of Big Data tools, or somebody else in the software chain, may have installed firmware with backdoors or some hidden functionality to facilitate access to the devices, in particular in the context of very new technologies such as NoSQL and NewSQL. An example of hacking Big Data through a malicious code attack is reported in literature as faulty results of the Hadoop logging data system. System administrators use Hadoop server logs to identify potential attacks. A demo of this hack requires that a service, called Flume, streams logs into a SQL based Hadoop data store (Hcatalog). In this scenario, an attacker runs a malicious script and alters the results by modifying the log data before Flume can stream them into Hcatalog. The logs can be corrupted even when Hadoop services seem to be working as expected. Malicious software can be a threat also in distributed programming frameworks, which use parallel computation, and may have untrusted components. For example, MapReduce computational framework splits the input file into multiple chunks: in the first phase a mapper reads the data, performs computation, and outputs key/value pairs. In the second phase, a reducer works on these pairs and outputs the result. A key issue is how to secure the mappers, since untrusted mappers alter results. With large data sets, it becomes difficult to identify malicious mappers. The assets targeted by this attack include “Database management systems (DBMS)” (such as the traditional “Relational SQL” databases, and the Big Data new tools “NoSQL” and “NewSQL”), and asset type “Computing infrastructure models”.

Threat: Generation and use of rogue certificates Device signing and media encryption can be critically undermined by the use of rogue certificates allowing attackers the access to Big Data assets and

P a g e | 169


communication links. These can then be used to access data storage and thus causing data leakage, intercept and hijack individuals’ secure Web-based communications, misuse of brand, and upload/download malware or force updates, which potentially contain undesired functionality for Big Data software and hardware components. Social networks such as Facebook are affected. According to reports in some circumstances download flaws allowed attackers to plant a malicious file on a victim’s machine that looks like it is coming from a trusted Facebook domain. Many assets are targeted by this threat: including asset groups “Data” and “Big Data analytics”, and assets “Software” and “Hardware”.

Threat: Misuse of audit tools / Abuse of authorizations / Unauthorized activities Audit information is necessary to ensure the security of the system and understand what went wrong; it is also necessary due to compliance and regulation. The scope and the granularity of the audit might be different in a Big Data context and the effect of the misuse of such information may be amplified. For example, key personnel at financial institutions require access to large data sets that contain personally identifiable data . Also, there can be massive breaches of privacy when employees of providers hosting social networks, using their administrative credentials, regularly access private user information. For this reason, it is important to keep security-relevant chronological records. Since the misuse and abuse of authorization can become a common issue, it is necessary to protect a large number of assets containing granular audits, documentation of the security policies, logs and cryptographic keys (e.g. all the assets included in category “Security and privacy techniques” of our asset taxonomy).

P a g e | 170


The assets targeted by these threats include “identification record data”, “Database management systems (DBS)” (for example “NoSQL” and “NewSQL”) and asset group “Security and privacy techniques”.

Threat: Failures of business process Failures of business process according to ENISA taxonomy are threats of damage and/or loss of assets due to improperly executed business process. In Big Data, this class includes all threats related to data integrity that can be favoured by Big Data storage policies. In particular, the highly-replicated and eventual consistency nature of big data represents a driver towards attacks to data integrity, where data items stored in different replicas can be inconsistent. This scenario is summarized in the new concept of Big Data degradation, which represents an increasing risk for Big Data correctness. This scenario also defines a “Big Data Leak”, a total or partial disclosure of a Big Data asset at a certain stage of its lifecycle as opposed to a “Big Data breach” (e.g. a theft of an asset executed by breaking into the infrastructure). In our case Big Data can be unwillingly disclosed by the owner to the provider of an outsourced process, for example when computing data analytics. This disclosure of information, at a certain stage of the Big Data lifecycle, can be exploited by an honest, but curious attacker, even without hostile intention. Also, several cases of inadequate anonymisation of users are reported. While data collection and aggregation uses anonymization techniques, individual users can be re-identified by leveraging other Big Data datasets, often available in the public domain. This is an emergent phenomenon introduced by Big Data variety that has the ability to infer identity from anonymized datasets by correlating with apparently innocuous public information. Examples related to de-identification of personally identifiable information

P a g e | 171


(PII) are given by the AOL case and by NIST Big Data publications in Web logs collection and analysis. For a more detailed study on deanonymizatuion and anonymity issues in Big Data systems see ENISA’s report “Privacy by design in big data: An overview of privacy enhancing technologies in the era of big data analytics “. The assets targeted by this threat include asset groups “Data” and “Big Data analytics”.

4.2.4 Threat Group: Legal This group includes threats due to the legal implications of a Big Data system such as violation of laws or regulations, the breach of legislation, the failure to meet contractual requirements, the unauthorized use of Intellectual Property resources, the abuse of personal data, the necessity to obey judiciary decisions and court orders.

Threat: Violation of laws or regulations / Breach of legislation / Abuse of personal data Data storage in the European Union falls under the Data Protection directive: organizations are required to i) adhere to this compliancy law throughout the life of the data, ii) remain responsible for the personal data of their customers and employees, and iii) guarantee its security even when a third-party like a cloud provider processes the data on their behalf. In the traditional data centric model, data is stored on-premise, and every organization has control over the information. In Big Data, instead, a real concern is arising about the security of this massive amount of digital information and the protection of the critical infrastructure supporting it, as demonstrated by a vast literature about privacy risks. We should also note that EU has stricter regulations regarding the collection of personal data than other countries, but sometimes multinationals operating in the EU are based in the United States.

P a g e | 172


In this context, the most important privacy issues are how to protect individual privacy when the data is stored in multiple sites, and how efficient the protection isError! Bookmark not defined. Big Data also raises the potential issue of data residency. Data, when stored in cloud storage of providers that offer multi-national storage solutions, may fall under different legal jurisdictions. An example brought by the NIST Big Data Public Working Group regards the custody of pharmaceutical data beyond trial disposition, which is unclear, especially after firms merge or dissolve. The assets targeted by this threat include asset groups “Data” (especially “identification record data”) and “Roles”.

4.2.5 Threat Group: Organisational threats This group includes threats pertaining to the organizational sphere.

Threat: Skill shortage The analysis of large datasets can underpin new waves of productivity growth and innovation, and unlock significant value. However, companies and policy makers must tackle significant hurdles, such for instance a possible shortage of skilled data scientists and managers. The asset targeted by this threat is asset group “Roles”.

5. Threats agents According to ENISA Threat Landscape 2013, a threat agent is “someone or something with decent capabilities, a clear intention to manifest a threat and a record of past activities in this regard”. For Big Data asset owners it is crucial to be aware of which threats emerge from which threat agent group. This study does not develop a new glossary on threat agents, but utilises the ENISA Threat Landscape 2013’s consolidation of several publications.

P a g e | 173


The categorization of threat agents is as follows: Corporations: they refer to organizations/enterprises that adopt and/or are engaged in offensive tactics. In this context, corporations are considered as hostile threat agents and their motivation is to build competitive advantage over competitors, who also make up their main target. Depending on their size and sector, corporations usually possess significant capabilities, ranging from technology up to human engineering intelligence, especially in their area of expertise. Cyber criminals: they are hostile by nature. Moreover, their motivation is usually financial gain and their skill level is, nowadays, quite high. Cybercriminals can be organised on a local, national or even international level. Cyber terrorists: they have expanded their activities and engage also in cyber-attacks. Their motivation can be political or religious, and their capability varies from low to high. Preferred targets of cyber terrorists are mostly critical infrastructures (e.g. public health, energy production, telecommunication), as their failures cause severe impact in society and government. It has to be noted, that in the public material analyses, the profile of cyber terrorists still seems to be blurred. Script kiddies: they are unskilled individuals using scripts or programs developed by others to attack computer systems and networks, and deface websites. Online social hackers (hacktivists): they are politically and socially motivated individuals that use computer systems to protest and promote their cause.

P a g e | 174


Their typical targets are high profile websites, corporations, intelligence agencies and military institutions. Employees: they refer to the staff, contractors, operational staff or security guards of a company. They can have insider access to company’s resources, and are considered as both non-hostile threat agents (i.e. distracted employees) and hostile agents (i.e., disgruntled employees). This kind of threat agents possesses a significant amount of knowledge that allows them to place effective attacks against assets of their organization. Nation states: they can have offensive cyber capabilities and use them against an adversary. Nation states have recently become a prominent threat agent due to the deployment of sophisticated attacks that are considered as cyber weapons. From the sophistication of these malware, it can be confirmed that Nation states have a plethora of resources and they have a high level of skills and expertise. All agents listed in this section, may have an interest in exploiting certain vulnerabilities in Big Data for different reasons. Only some specific threats come more typically from certain agents, as, for instance, the abuse of authorization that is related to corporation employee, who can use their administrative credentials to access systems. In the following table we propose a cross relation between threats and agents in Big Data. Annex C presents an overall mappings between assets, threat agents and threats.

P a g e | 175


6. Good practices In this section, we provide a discussion summarizing good practices93 to protect Big Data assets. A good practice is a method or technique that has consistently shown results superior to those achieved with other means, and that is used as a benchmark.

P a g e | 176


To this aim, different sources have been collected, reviewed, and mapped to the previously identified Big Data threats. They specify vulnerabilities, recommendations, controls, countermeasures, and good practices published by institutions or working groups, and relevant for the protecting the assets and counteracting the threats in this report. The first result of our analysis is that publicly available information on Big Data security issues mainly originates from research and is based on requirements and generic assumptions, while materials of real-life experience are not often available. This is mainly due to the fact that development of Big Data infrastructures and their related security measures are at an early stage of maturity. In fact, on one side, many of Big Data infrastructures have been operational for a limited period of time; on the other side, Big Data security assessment is in many cases managed confidentially for reasons of competitiveness. Generally speaking, Big Data being a collection of input channels from sensors, networks, storage and computing systems, and output to data consumers, there is shared responsibility for security and infrastructure management. Every party, such as a data provider or a data consumer, should be conscious that its own security also depends on the security of its neighbours. Countermeasures and good practices are expected to be implemented to increase security of single parties, and of other related parties when applicable. Different documents produced by the following bodies have been examined: ISO, COBIT, Council on Cyber Security (CCS) and NIST. ISO terminology proposes security controls, while COBIT provides best practices that allow bridging the gap between control requirements, technical issues and business risks. The CCS is an independent and not-for-profit organization, which presents a recommended set of actions (the so called CIS Critical Security Controls for Effective Cyber Defence).

P a g e | 177


When appropriate, we provide practices suggested by the NIST Big Data use cases. During the analysis, we tried to uniform the terminologies used by the above bodies, which in some cases were nonhomogeneous. For controls and technologies specifically directed towards data protection see ENISA’s “Privacy by design in big data: An overview of privacy enhancing technologies in the era of big data analytics” (2015). One more source of potential controls and technical countermeasures stems from the use of Big Data analytics as a tool for increasing system and data security, and improving intrusion detection and prevention. For completeness a small presentation of the expected capabilities is given in Annex E: Big Data analytics for security.

P a g e | 178


P a g e | 179


P a g e | 180


7. Gap analysis In this section, we provide a gap analysis for those cases where further research and investigations are required in the areas of Big Data threats, security, and good practice. This analysis aims to close the gaps highlighted in the previous section and is summarised as follows. The use of cryptography may be not always sufficient and there are obvious risks associated to administrators and security professionals with equivalent privileges. This is especially true when threats related to information leakage and/or sharing due to human errors are considered. Furthermore, leaks of data via Web applications (unsecure APIs) and inadequate design/planning or improperly adaptation need an improved design of computing and storage infrastructure models, while streaming data from sensors may have issues of confidentiality that cannot be mitigated by current solutions. Personal identifiable information is at risk even when best practices are widely followed and calls for privacy-oriented defensive approaches. Malicious code and activities pose a risk to models of computing infrastructure and storage due to the difficulties of patch management in a Big Data heterogeneous environment, while violation of laws or regulations, breach of legislation and abuse of personal data may affect final users. All these breaches requires, on one side, Big Data specific countermeasures, and, on the other side, the involvement of policy makers to reflect changes in current IT environment in EU laws and legislations.

P a g e | 181


Finally, a skill shortage in roles such as data scientists is foreseen. We categorize the gaps into four groups: gaps (i) on data, (ii) on the use of cryptography (iii) on computing and storage models and (iv) on roles (e.g. administrators, data scientist, and final users).

Gaps on data protection Major gaps are found due to threats to privacy (e.g., the identification of personal identifiable information) and to confidentiality of sensor data streams. As already reported in this report, several cases of identity fraud due to traffic capture and data mining have been recorded in recent years. Big Data analysis has facilitated the intrusion of privacy by strengthening common techniques and further research in this field is required. Since countermeasures, discussed in the previous section, such as anonymization did not prove to be always effective against Big Data mining, new research efforts are made to devise better controls. For example, a promising topic, actively researched, is privacy-preserving data mining (PPDM). The basic idea of PPDM is to modify the data in such a way so as to perform data mining algorithms effectively without compromising the security of sensitive information contained in the data. In addition, it is foreseeable to have streams of data from sensors certified when possible. Since centralized cryptography systems are hard to implement when a large number of sensors is involved, the use of Trusted Computing (TC) appears to be a promising technology. Trusted computing relies on Trusted Platform Modules (TPMs) and related hardware to prove integrity of software, processes, and data.

P a g e | 182


TPM chips are not expensive and could be fitted in sensors at build time. TPM-enabled devices could provide reliable data streams. However, on the server side (e.g., Big Data cloud-based installations), the use of this new technology is more challenging since hardware TPM should be adapted to virtualized environments. A researched approach is based on the notion of virtual Trusted Platform Module (vTPM), which provides secure storage and cryptographic functions of TPM to applications and operating systems running in virtual machines. Other hardware-based security technologies include the development of new processors for the embedded smart sensors. These new processors include protected areas for storage of user authentication keys, as well as areas of the processor that are off-limits to unauthorized users. Besides the above technically-oriented aspects of data protection gaps, in 2015 ENISA has conducted a privacy-oriented assessment of Big Data ”Privacy by design in big data”4. In this work, more thorough privacy gaps have been identified and recommendations have been made. Highlights include: application of privacy by design, preservation of privacy by data analytics and the need for coherent and efficient privacy policies for big data. It is recommended to refer to this document in order to obtain full perspective of security and privacy issues of Big Data.

Use of cryptography in applications and back-end services The use of cryptography in Big Data as a mitigation countermeasure can be challenging. Gaps related to the use of cryptography are mainly related to: i) performance and scalability,

P a g e | 183


ii) protection of logical and physical fragments, such as data blocks. In fact, in Big Data, cryptography adds complexity and negatively affects performance. New dedicated products and ad hoc solutions are under development, as for example the already discussed TC and TPM technologies, while some interesting new approaches to cryptography for Big Data applications as the notion of “cryptography-as-a-service” in cloud environments are emerging. In recent years, there has been a lot of discussion around novel, but still rather esoteric crypto-algorithms. Homomorphic encryption, honey encryption and other proposals could, at least in theory, provide end-to-end data protection and confidentiality. As an example, assuming the existence of a fully homomorphic crypto- scheme, one could use public Big Data systems to perform analytics – with the expected speed or accuracy losses – without ever revealing the data to anyone else, not even the computation and storage service provider. Research is still ongoing but the interested reader can find a concise study of the current state of the art in ENISA’s “Privacy by design in big data: An overview of privacy enhancing technologies in the era of big data analytics”.

Gaps on computing and storage models Computing Infrastructure and storage models in Big Data face new challenges such as the lack of standardization and portability of security controls among different open source projects (e.g., different Hadoop versions) and Big Data vendors, and the poor design of security features. Often, standards do not exist or are still under development. An example of lack of standards is brought by NIST Big Data Working Group for the shipping industry, which uses Big Data in the identification, transport, and handling of items in the supply chain. However, at the moment, the status of the shipped items (e.g., unique identification number, GPS coordinates, sensors information, etc.) is not passed through the entire chain. A unique identification schema is under development within an ISO

P a g e | 184


technical committee. From a security perspective, we note that in a traditional management system as, for example, in an SQL relational database, security has slowly evolved and many new controls have been proposed over the years. Unlike such solutions, the security of Big Data components has not undergone the same level of rigor or evaluation due to the immaturity of Big Data research and development.

Gaps on roles (administrators, data scientist, and final users) As stated in the previous section, many roles can be critical in Big Data, in particular system administrators, data scientist, and users. Big Data administrators and other privileged users are a big concern since they require access to corporate data systems when working on behalf of the cloud services provider. Moreover, they could use their grants to access key stores and other sensitive information. All the data scientist positions are unlikely to be filled in the near future, while users might not always be conscious of or care about the legal implications of data storage – legal implications that will vary large and wide around the world. Awareness, education, and training are the keys to close these gaps concerning human resourses. Some new online educational web sites are offering specialised courses in Big Data, for example the Big Data University sponsored by IBM, and MIT. The Big Data University is run by a community, which includes many IBM staff members, contributing voluntarily to the development of courses, and to enhancing the site; also Amazon is contributing to the initiative. Other courses are available at Massive Open Online Course (MOOC) websites like Coursera. But, as with ICT security, it will take years to fulfil industry’s requirements on skilled and trained personnel.

P a g e | 185


Recommendations The above gaps naturally result in a set of recommendations that can be classified as general recommendations, technical recommendation and recommendation on human resources. General recommendations: they target the main Big Data stakeholders such as owner of Big Data projects and policy makers. In particular, stakeholders should depart by the assumption that a Big Data environment is simply a traditional data environment focusing on large amount of data. Big Data is more than a simple scalability problem, and management tools and risk assessment countermeasures and solutions should consider and address all 5V characterizing a Big Data environment. This consideration is important both for policy makers specifying laws and regulations targeting current ICT environment, and stakeholders managing Big Data platforms and analytics. Especially for the latters, it becomes fundamental to evaluate i) the current level of security by understanding the assets covered (and not covered) by existing security measures, ii) the effectiveness of the application of good practices adapted from traditional security and privacy tools and techniques. General recommendation requires a parallel standardization effort supporting the definition of proper and specific Big Data tools and legislations. Technical recommendations: they target owners of Big Data projects and developers of corresponding products. Following general recommendation of being Big Data specific, stakeholders should limit as much as possible the practice of adapting existing products to Big Data. Big Data introduces completely novel environments with new assets, threats, risk, and challenges.

P a g e | 186


As a consequence, new products are needed to provide effective countermeasures and increase the trustworthiness of Big Data environments. Such products must be put in the Big Data life cycle after a careful evaluation, through pilots, aimed to verify and prove their correct behaviour. Success of these new products passes from a commitment by third- party vendors to apply security measures and stay focused on any updates. Moreover, developers of Big Data products should benefit from new tools providing security and privacy functionalities by default. To conclude, as already specified in the general recommendations, international bodies are invited to support this shift to Big Data specific security and privacy solutions by starting a gap analysis on Big Data standards, and new standardization activities according to the identified gaps. Recommendations on human resources: they target human resources managing and using Big Data assets. As in traditional environments, in fact, human resources are one of the main sources of threats, and include users that attack a system either maliciously or accidentally. To limit these scenarios, all involved parties should focus on training of specialized professionals. Big players should support education initiatives on Big Data to raise/train tomorrow's scientists, fostering information and communication technology security awareness and training programs. Private companies and governmental bodies should encourage technical staff to attend offline/online courses from respected institutes to increase their competences. Final users should learn about their rights and threats to privacy attending courses and educational initiatives. Big Data administrator and other privileged users should cooperate with the international community to exchange on threats and promote the

P a g e | 187


application of good practices as mitigation measures. Finally, Big Data administrator should rely on good practices, and report on their implementations choices in terms of considered assets, threat, countermeasures, and identified gaps.

P a g e | 188


PSIFIs Member Countries Maintain Robust Capital Adequacy and Strong Liquidity in the Islamic Banking Sector

The Islamic Financial Services Board (IFSB) is pleased to announce the third dissemination of data on financial soundness and growth of the Islamic banking systems in participating IFSB member jurisdictions, covering quarterly data from December 2013 to the Q2 of 2015. The dissemination is part of the IFSB’s Prudential and Structural Islamic Financial Indicators (PSIFIs) project, which currently compiles data from 17 member countries. This release expands the data provided in the earlier releases as many member jurisdictions have improved their data collection and consolidation of their frameworks for the Islamic banking industry, in line with the requirements of PSIFIs project. In this release, a few jurisdictions have also started reporting the data on newly introduced Basel III indicators such as the leverage ratio, Liquidity Coverage Ratio (LCR), and Net Stable Funding Ratio (NSFR) during the observation period. An important feature of the current dissemination is the inclusion of Islamic banking data of the United Arab Emirates, released for the first time, as the country became the 17th member of the PSIFIs project in December 2015. The 17 countries participating in this project are: Afghanistan, Bahrain, Bangladesh, Brunei, Egypt, Indonesia, Iran, Jordan, Kuwait, Malaysia, Nigeria, Oman, Pakistan, Saudi Arabia, Sudan, Turkey, and United Arab Emirates. Accordingly, the IFSB Task Force on PSIFIs now includes representatives from all 17 member jurisdictions as well as three international organisations – the International Monetary Fund (IMF), Islamic Development Bank (IDB) and the Asian Development Bank (ADB). The international collaboration between the IFSB, multilateral institutions and participating countries has greatly facilitated the collection of Islamic

P a g e | 189


banks data and enhanced the clarity and consistency of indicators across jurisdictions. A summary on key PSIFI indicators are given below.

Growth of Islamic Banking Based on the available data, the total assets of the Islamic banking industry grew from USD 1,208 billion in 2014Q2 to USD 1,293 billion in 2015Q2 (calculated from country-wise aggregated data converted into USD terms using end-period exchange rates). Total funding/liabilities grew from USD 1,027 billion in 2014Q2 to USD 1,120 billion in 2015Q2. Financing by Islamic banks from the jurisdictions participating in the PSIFI project reached USD 733 billion in 2015Q2 from USD 678 billion in 2014Q2. The data on “financing by type of Sharī`ah-compliant contracts” reveals that four major financing contracts used by the Islamic banking industry as on 2015Q2 were: Murābahah (41.3%), commodity Murābahah/Tawwaruq (14.6%), Ijārah/Ijārah Muntahia Bittamlīk (14.5%), and Bay` Bithaman Ajil (7.5%).

Capital Adequacy Capital adequacy provides an important indication of the health and financial soundness of the banking industry in a jurisdiction. As of the 2nd quarter of 2015, the average capital adequacy ratio and average Tier 1 capital ratio from 16 jurisdictions were 19.2% and 17.4 % respectively, significantly higher than the regulatory requirements. The average capital adequacy ratio and average Tier 1 capital ratio were 22.7% and 21.4% at the same period of the previous year (2014Q2),

Asset Quality On asset quality indicators, gross non-performing financing ratio (gross non-performing financing to total financing) showed an improvement with a decrease from 6.3% in 2014Q2 to 4.9% in 2015Q2 on an average.

P a g e | 190


A similar trend is also apparent in the net non-performing financing to capital ratio which decreased from 11.5 percent in 2014Q2 to 9.0% in 2015Q2.

Earnings Islamic banks and Islamic windows in the PSIFIs member countries maintained comparable rates of return on assets (ROA) and return on equity (ROE) during the periods under report. Overall, the ROA and ROE were 1.3% and 8.6% in 2015Q2 as compared to 0.9% and 8.9% in 2014Q2 respectively.

Liquidity On the liquidity indicators, the liquid assets ratio (liquid assets to total assets) and liquid assets to short-term liabilities ratio improved over the period from 24.7% and 12.7% in 2014Q2 to 35.8% and 13.6% in 2015Q2 respectively. Three PSIFIs member countries also started the reporting of Liquidity Coverage Ratio (LCR) which exceeded the 100 percent benchmark.

Size of Islamic Banking The number of full-fledged Islamic banks and Islamic windows of conventional banks in 17 countries stood at 169 and 86 in 2015Q2 as compared to 163 and 86 in 2014Q2 respectively. At the end of 2015Q2, a total of 385,612 staff members were working in 29,148 branches of full-fledged Islamic banks, an increase from 1,466 branches and 29,029 staff over the year from 2014Q2. The first set of PSIFIs data was released on 27 April 2015 covering the period of December 2013. The second set of data released on 24 November 2015, included the indicators for the four quarters of 2014, with necessary adjustments and revisions to the earlier data set. The PSIFIs Database (full set of data with metadata) is available on the PSIFIs portal at the IFSB website http://psifi.ifsb.org

http://psifi.ifsb.org/

P a g e | 191


Basel Committee on Banking Supervision Consultative Document

Standardised Measurement Approach for operational risk Issued for comment by 3 June 2016

1. Introduction 1. Establishing consistency in the implementation of post-crisis regulatory reforms is an important focus of the Basel Committee. Consistent application of global bank standards will improve the resilience of the global banking system, promote public confidence in regulatory capital ratios and encourage a level playing field for internationally active banks. In October 2014, the Committee published for consultation a revised Standardised Approach for operational risk that sought to address weaknesses in the existing standardised approaches. In conjunction with that proposal, the Committee embarked on a review of the costs and benefits of the framework’s Advanced Measurement Approaches (AMA) for operational risk. 2. A key outcome from the Committee’s analysis is that the combination of a simple standardised measure of operational risk and bank-specific loss data provides a sufficiently risk sensitive measure of operational risk. The Committee believes that this combination also meets its objectives of promoting comparability of risk-based capital measures and reducing model complexity. 3. Building on this finding, the Committee has developed the Standardised Measurement Approach (SMA), which provides a single non-model-based method for the estimation of operational risk capital. The SMA, which builds on the simplicity and comparability offered by a standardised approach, also incorporates the risk sensitivity of an advanced approach by combining in a standardised fashion the use of a bank’s financial statement information and its internal loss experience.

P a g e | 192


4. Consistent with Part I (Scope of Application) of the Basel II framework, the proposed SMA framework would be applied to internationally active banks on a consolidated basis. Supervisors retain discretion to apply the SMA framework to non-internationally active institutions.

2. Withdrawal of internal modelling for operational risk regulatory capital from the Basel Framework 5. Introduced as part of the Basel II framework in 2006, the AMA allows for the estimation of regulatory capital to be based on a diverse range of internal modelling practices subject to supervisory approval. Commensurate with the relative infancy of the field of operational risk measurement at the time, the AMA’s principles-based framework was established with a significant degree of flexibility. This flexibility was expected to considerably narrow over time, and ultimately lead to the emergence of best practice. 6. A recent review of the measures related to banks’ operational risk modelling practices and capital outcomes revealed that the Committee’s expectations failed to materialise. Supervisory experience with the AMA has been mixed. The inherent complexity of the AMA and the lack of comparability arising from a wide range of internal modelling practices have exacerbated variability in risk-weighted asset calculations, and have eroded confidence in risk-weighted capital ratios. The Committee has therefore determined that the withdrawal of internal modelling approaches for operational risk regulatory capital from the Basel Framework is warranted. 7. In the light of the Committee’s findings, the estimation of regulatory capital for the entire operational risk framework has been standardised. The approach presented in this consultative document combines the main elements of the previously consulted standardised approach with banks’ internal loss experience, which was a key component of the AMA.

P a g e | 193


The Committee believes that, in addition to significantly improving the simplicity of the framework, the SMA embeds greater risk sensitivity in the standardised approach for operational risk and ensures greater comparability. 8. During the course of 2016, the Committee will provide further details on the timeline for the withdrawal of the AMA, and the implementation of the SMA.

3. Next steps 9. The Committee encourages market participants to engage in a constructive dialogue during the consultation period. Comments from the public are welcomed on all aspects of this consultative document; comments on the proposals should be uploaded by Friday 3 June 2016 using the following link: www.bis.org/bcbs/commentupload.htm. All comments will be published on the website of the Bank for International Settlements unless a respondent specifically requests confidential treatment. 10. In its 11 January 2016 press release, the Committee’s oversight body, the Group of Central Bank Governors and Heads of Supervision, noted the important work of the Committee to assess the quantitative impact of its proposed revisions to the regulatory framework. The results of the quantitative impact study (QIS) related to the proposals set out in this consultative document will be a key input to the final design and calibration of the operational risk framework. The QIS will help ensure that the framework produces capital requirements that are prudent and stable, while retaining risk-sensitivity. The objective of these proposals is to not significantly increase overall capital requirements. The impact, however, of the new operational risk framework will vary from bank to bank and may lead to an increase in minimum capital requirements for some banks. Once the Committee has reviewed responses to this second consultative

http://www.bis.org/bcbs/commentupload.htm

P a g e | 194


document and the QIS results, it intends to publish the final standard within an appropriate timeframe and provide sufficient time for implementation. Before publication of the final standard, implementation arrangements (including the timetable) will be discussed by the Committee, taking into account the range of other reforms that have been, or are due to be, considered by the Committee.

4. The Standardised Measurement Approach (SMA) for operational risk 11. The SMA combines the Business Indicator (BI), a simple financial statement proxy of operational risk exposure, with bank-specific operational loss data. Since the October 2014 consultation, the structure of the BI has been revised to avoid penalising certain business models, such as those based on the distribution of products bought from third parties, and those based on high interest margins. Adjustments have also been made to address issues related to the treatment of financial and operating leases. 12. The BI bucket thresholds and marginal coefficients shown in Table 2 below reflect updated data and changes to the methodology. The analysis undertaken by the Committee demonstrates that operational loss exposure increases more than proportionally with the BI, and thus the proposed calibration includes progressively increasing marginal coefficients for the BI. 13. Although the BI is stable and comparable across banks, business volume is only one factor that influences exposure to operational risk. Significant differences in the risk profile of medium to large banks cannot be fully accounted for by an approach that relies only on financial statement proxies. Other sources of information are therefore needed to increase risk sensitivity. Analysis conducted by the Committee supports the introduction of

P a g e | 195


historical loss experience as a relevant risk indicator of future operational risk loss exposure. 14. The introduction of the Loss Component into the framework not only enhances the SMA’s risk sensitivity, but also provides incentives for banks to improve operational risk management. Banks with more effective risk management and low operational risk losses will be required to hold a comparatively lower operational risk regulatory capital charge. The following sections describe each of the components necessary for SMA’s the calculation.

4.1 The Business Indicator (BI) 15. As in the 2014 consultation, the BI is made up of almost the same P&L items that are found in the composition of Gross Income (GI). The main difference relates to how the items are combined. The BI uses positive values of its components, thereby avoiding counterintuitive negative contributions from some of the bank’s businesses to the capital charge (eg negative P&L on the trading book), which is possible under the GI. In addition, the BI includes income statement items related to activities that produce operational risk that are omitted (eg P&L on the banking book) or netted (eg fee expenses, other operating expenses) in the GI. In particular, changing the impact of other operating expenses on capital requirements from negative (in GI) to positive (in the BI) is necessary to improve the coherence of the BI as a proxy indicator for operational loss exposure, as other operating expenses typically include operational losses, and thus an increase in other operating expenses should not result in a decrease in operational risk capital requirements. 16. In response to comments received during the first consultation, the Committee adjusted the structure of the BI to address the following issues: (a) Asymmetric impact on the “distribute only” and the “originate to distribute” business models: since the previous “Services” component of the BI was defined as the sum of fee income, fee expenses, other operating

P a g e | 196


income, and other operating expenses, banks that distribute products bought from third parties would include both the income and the expenses associated with these products in the BI, while banks which produce the products themselves would include only income. Therefore, the former banks would see higher capital charges than the latter, despite the two types of banks facing similar operational risks; (b) Inconsistency in the treatment of dividend income: the treatment of dividend income in financial statements varies significantly across jurisdictions and can lead to inconsistency or arbitrage in the determination of the BI. For example, some jurisdictions account for dividend income in the “Interest” component, while others include it as a separate income statement item; (c) Overcapitalisation of banks with a high net interest margin (NIM): business models with high NIM, defined as the net interest income divided by the interest-earning assets, have very high BI values. This may lead to regulatory capital that is too conservative relative to the operational risk faced by these banks; (d) Overcapitalisation of banks with high fee revenues and expenses: banks with a high fee component in respect to the overall BI amount have a very high BI value which results in capital requirements that are too conservative relative to the operational risk faced by these banks; and (e) Inconsistent treatment of leasing compared with credit: business models based on credit finance, financial leasing or operating leasing employ similar administrative and management processes, and thus face similar operational risks. Therefore, the contributions to the BI of the income and expenses from financial and operating lease should be consistent with the contribution of credit finance, irrespective of their accounting treatment. 17. To address item (a) above, the Services component is modified from “Fee Income + Fee Expense + Other Operating Income + Other Operating Expense” to “Max (Fee Income; Fee Expense) + Max (Other Operating Income; Other Operating Expense)”.

P a g e | 197


This solution still enhances the risk sensitivity of the SMA in respect to the current simple approaches because the “Fee” and “Other Operating” components are not netted. Thus banks with a large volume of services business but with a low margin are treated differently from banks with a small volume of services business, but the treatment is no longer overly punitive for banks with both high fee income and high expenses. 18. To address item (b), dividend income is included in the Interest component of the BI. 19. To address item (c), a linear normalisation ratio for high-margin banks, defined as those with NIM larger than 3.5%, is adopted. Under this approach, the BI ́s interest component is adjusted by the ratio of the NIM cap, set to 3.5%, to the actual NIM. 20. To address item (d), besides the modification of the Services component mentioned under (a), the BI structure for high fee banks (ie banks with the share of fees greater than 50% of the unadjusted BI) is modified by accounting for only 10% of fees in excess of 50% of the unadjusted BI (with the absolute value of net fee income as a floor to avoid unintended capital reductions).

22. To address item (e) and guarantee consistency of treatment across banks and jurisdictions, all financial and operating lease income and expenses – including depreciation of the leased assets and gains/losses from the selling of leased assets – are netted and included in absolute value into the interest component. 23. To compute the BI for year t, a bank must determine the three-year average of the BI, as the sum of the three-year average of its components:

P a g e | 198


24. Definitions for each of the components of the revised BI are provided in Annex 1.

P a g e | 199


4.2 The BI Component 25. SMA capital requirements are anchored by a bank’s BI Component, which is an increasing function of the BI. The BI Component was calibrated using QIS data collected by the Committee in the second half of 2015. Due to its calibration reflecting the aggregate experience of QIS banks, the BI Component reflects the operational loss exposure of an average QIS bank of a given BI size. 26. Under the SMA, banks are divided into five buckets according to the size of their BI. For banks in bucket 1, capital is an increasing linear function of the BI and does not depend on internal losses. For banks in buckets 2 through 5, capital is calculated in two steps: (i) a baseline level of capital is calculated using the BI (the “BI Component”); and (ii) the portion of the BI Component above the threshold separating buckets 1 and 2 is multiplied up or down by a function that depends on the banks’ internal losses in order to differentiate between banks with different risk profiles. 27. The BI Component increases linearly within buckets, but the marginal effect of the BI on the BI Component is greater for the higher buckets than for the lower ones. This progressive increase of the marginal impact of the BI is motivated by analysis which showed that operational loss exposure increases more than proportionally with the BI. The BI buckets in the BI Component are presented below:

P a g e | 200


28. The marginal increase of the BI Component resulting from a one unit increase in the BI is 0.11 in bucket 1, 0.15 in bucket 2, 0.19 in bucket 3, 0.23 in bucket 4, and 0.29 in bucket 5. The constants added to the BI Component in buckets 2–5 are necessary to ensure that the BI Component is continuous as they reflect the value of the BI Component at the top of the range of the bucket directly below.

4.3 The Internal Loss Multiplier and Loss Component 29. The SMA builds on the assumption that the relationship between the BI and operational loss exposure is stable and similar for banks with similar values of the BI. However, business volume is not the only factor that influences operational loss exposure and, in some cases, there could be significant differences in operational exposure between banks of similar BI values. These differences may be due to, for example, banks’ different business models. The addition of the Loss Component to the BI improves the risk sensitivity of the SMA. 30. To assess the feasibility of using banks’ internal losses in the SMA, the Committee investigated the proportion of banks using an AMA, the Standardised Approach (TSA) or its variant, the Alternative Standardised Approach (ASA) in the QIS sample across different BI buckets. AMA, TSA and ASA banks are currently required to collect operational losses and, in many jurisdictions, they are also required to report these losses to supervisors.

P a g e | 201


Therefore, these banks should be prepared to calculate the Loss Component of the SMA. The analysis showed that more than 80% of the banks with BI > €1 billion are non-BIA banks. Also, most banks in buckets 2–5 are medium to large banks with total assets above €20 billion. Thus, the Committee proposes that internal losses should be used by banks in buckets 2–5, but not by banks in bucket 1. 31. Internal loss experience is introduced to the SMA through the Internal Loss Multiplier. The formula of the Internal Loss Multiplier is presented below:

32. The Loss Component reflects the operational loss exposure of a bank that can be inferred from its internal loss experience. The Loss Component distinguishes between loss events above €10 million and €100 million and smaller loss events to differentiate between banks with different loss distribution tails but similar average loss totals. Banks should use 10 years of good-quality loss data, as defined in Section 6, to calculate the averages used in the Loss Component. In the transition period, banks that do not have 10 years of good- quality loss data may use a minimum of five years of data to calculate the Loss Component; as banks accumulate more years of good-quality loss data, the number of years used in the averages used in the Loss Component should increase until it reaches 10 years. Banks that do not have five years of good data must calculate the capital requirement based solely on the BI Component.

P a g e | 202


33. A bank with the Loss Component equal to the BI Component is a bank with exposure at the average of the industry and, thus, under the proposed formula its Internal Loss Multiplier is 1 and its SMA capital corresponds to the BI Component. Banks with loss experience above the industry average will have a Loss Component above the BI Component and their SMA capital will be above the BI Component. Similarly, banks with loss experience below the industry average will have a Loss Component below the BI Component and their SMA capital will be below the BI Component. 34. The Internal Loss Multiplier is bounded below by The logarithmic function used to calculate the Internal Loss Multiplier means that it increases at a decreasing rate with the Loss Component. The results of the QIS conducted by the Committee will help ensure that the combination of the Loss Component and the BI produces stable capital requirements. The Committee will carefully evaluate the efficacy of the logarithmic function and may consider alternative approaches to ensure a stable and risk sensitive framework. For example, a brief description of a possible alternative to the Internal Loss Multiplier is described in Annex 2. The Committee is open to considering alternative adjustments to the methodology that appropriately incorporate the impact of extreme loss events.

4.4 The SMA capital requirement 35. The operational risk capital requirement is determined as follows:

P a g e | 203


36. As shown above, capital for banks in bucket 1 corresponds solely to the BI Component. For banks in buckets 2 through 5, capital results from multiplying the BI Component by the Internal Loss Multiplier except that, for continuity of the capital requirement as banks move from bucket 1 to bucket 2, the portion of the BI Component relative to the first €1 billion of the BI (ie €110 million) is not multiplied by the Internal Loss Multiplier.

5. Application of the SMA within a group 37. At the consolidated level, SMA calculations use fully consolidated BI figures, which net all the intragroup income and expenses. SMA calculations at a subconsolidated level use BI figures for the banks consolidated at that particular sublevel. SMA calculations at the subsidiary level use the BI figures from the subsidiary. 38. Similar to bank holding companies, when BI figures for subconsolidated or subsidiary banks reach bucket 2, these banks use loss experience in SMA calculations. A subconsolidated bank or a subsidiary bank uses only the losses it has incurred in SMA calculations (and does not include losses incurred by other parts of the bank holding company). 39. In case that a subsidiary of a bank belonging to bucket 2 or higher does not meet the qualitative standards for the use of the Loss Component, this subsidiary calculates the SMA capital by applying 100% of the BI

P a g e | 204


Component.

6. Minimum standards for the use of loss data under the SMA 40. As previously stated, under the SMA, medium to large banks are required to use loss data as a direct input to capital calculations. Therefore, the soundness of data collection and the quality and integrity of the data are crucial to generating SMA outcomes aligned with the bank’s operational loss exposure. 41. To promote consistency in the implementation of the Loss Component and prevent gaming of loss data collection and reporting, the Committee proposes that banks using the SMA’s Loss Component must adhere to minimum loss data standards under Pillar 1, split in general and specific criteria, and described in subsections 6.1 and 6.2 below. Supervisors should be comfortable with the quality of this data. For banks failing to meet these standards, capital would at a minimum equal 100% of the BI Component. Nevertheless, banks with heavy losses could seek to arbitrage Pillar 1 capital by choosing not to meet the qualitative requirements. To address such cases, supervisors will ensure that such banks apply a multiplier to the BI Component which is also disclosed. 42. The Committee continues to encourage all banks, irrespective of the use of the Loss Component under the SMA, to comply with the Committee’s Principles for the sound management of operational risk (PSMOR) published in 2011 under Pillar 1, as it is currently done.

6.1 General criteria on loss data identification, collection and treatment 43. The proper identification, collection and treatment of internal loss event data are essential prerequisites to capital calculation under the SMA. Therefore, banks which use the Loss Component in the SMA must follow the general criteria set out in this subsection. The general criteria for the use of the Loss Component in the SMA are as

P a g e | 205


follows: • Internally generated loss data calculations used for SMA regulatory capital purposes must be based on a 10-year observation period. When the bank first moves to the SMA, a five-year observation period is acceptable on an exceptional basis when good-quality data are unavailable for more than five years. • Internal loss data are most relevant when clearly linked to a bank’s current business activities, technological processes and risk management procedures. Therefore, a bank must have documented procedures and processes for the identification, collection and treatment of internal loss data. • For risk management purposes, and to assist in supervisory validation and/or review, a bank must be able to map its historical internal loss data into the relevant Level 1 supervisory categories as defined in Annex 9 of the Basel II accord8 and to provide this data to supervisors upon request. The bank must document criteria for allocating losses to the specified event types. • A bank’s internal loss data must be comprehensive and capture all material activities and exposures from all appropriate subsystems and geographic locations. A bank must have an appropriate de minimis gross loss threshold for internal loss data collection. While the de minimis gross loss threshold may vary somewhat between banks and within a bank across event types, it must not be higher than €10,000. When the bank first moves to the SMA, a de-minimis gross loss threshold of €20,000 is acceptable. • Aside from information on gross loss amounts, the bank must collect information about the reference dates of the operational risk event, including the date when the event happened or first began (“date of occurrence”), where available; the date on which the bank became aware of the event (“date of discovery”); and the date when a loss, reserve or

P a g e | 206


provision against a loss was first recognised in the bank’s profit and loss (P&L) accounts (“date of accounting”). In addition, the bank must collect information on recoveries of gross loss amounts as well as descriptive information about the drivers or causes of the loss event. The level of detail of any descriptive information should be commensurate with the size of the gross loss amount. • A bank must develop specific criteria for assigning loss data arising from an event in a centralised function (eg an information technology department), and from common or related events over time (“grouped losses”). • Operational risk losses related to credit risk that have historically been included in banks’ credit risk databases (eg collateral management failures) will continue to be treated as credit risk for the purposes of calculating minimum regulatory capital under this framework. Therefore, such losses will not be subject to the SMA regulatory capital. • Operational risk losses related to market risk are treated as operational risk for the purposes of calculating minimum regulatory capital under this framework and will therefore be subject to the SMA regulatory capital.

6.2 Specific criteria on loss data identification, collection and treatment10 Building of the SMA loss data set • The bank must have a policy that determines criteria for when a loss or an operational risk event recorded in the internal loss event database should be included in the loss data set for the calculation of SMA regulatory capital (“SMA loss data set”). This policy must provide a consistent treatment of loss data across the bank. • Building a proper SMA loss data set from the available internal data requires that the bank develop policies and procedures to address its several features, including gross loss definition, reference date and grouped losses.

P a g e | 207


Gross loss, net loss, and recovery definitions • Gross loss is a loss before recoveries of any type. Net loss is defined as the loss after taking into account the impact of recoveries. The recovery is an independent occurrence, related to the original loss event, separate in time, in which funds or inflows of economic benefits are received from a third party. • Banks must be able to discretely identify the gross loss amounts, non-insurance recoveries, and insurance recoveries for all operational loss events. Banks must not use losses net of insurance recoveries as an input for the SMA loss data set. The following items must be included in the gross loss computation of the SMA loss data set: (a) Direct charges, including impairments and settlements, to the bank’s P&L accounts and write-downs due to the operational risk event; (b) Costs incurred as a consequence of the event including external expenses with a direct link to the operational risk event (eg legal expenses directly related to the event and fees paid to advisors, attorneys or suppliers) and costs of repair or replacement, incurred to restore the position that was prevailing before the operational risk event; (c) Provisions or reserves accounted for in the P&L against the potential operational loss impact; (d) Losses stemming from operational risk events with a definitive financial impact, which are temporarily booked in transitory and/or suspense accounts and are not yet reflected in the P&L (“pending losses”). Material pending losses should be included in the SMA loss data set within a time period commensurate with the size and age of the pending item; and (e) Negative economic impacts booked in a financial accounting period, due to operational risk events impacting the cash flows or financial statements of previous financial accounting periods (timing losses”).

P a g e | 208


Material “timing losses” should be included in the SMA loss data set when they are due to operational risk events that span more than one financial accounting period and give rise to legal risk. 44. The following items must be excluded from the gross loss computation of the SMA loss data set (this list is not exhaustive): (a) Costs of general maintenance contracts on property, plant or equipment; (b) Internal or external expenditures to enhance the business after the operational risk event: upgrades, improvements, risk assessment initiatives and enhancements; and (c) Insurance premiums. 45. In each reporting year of the SMA regulatory capital, gross losses in the SMA loss data set must include loss adjustments made within the reporting year (eg increase/decrease of provisions, additional losses, settlements) of operational risk events whose reference date is up to 10 years before that reporting year. In order to identify an operational loss event above €10 million or €100 million, the loss amount of the event must include the loss adjustments described above and the resulting figure should be compared with the €10 million and to the €100 million threshold.

Reference date • The bank must use either the date of discovery or date of accounting for building the SMA loss data set. No other dates are acceptable. • The bank must use a date no later than the date of accounting for including losses related to legal events in the SMA loss data set. For legal loss events, the date of accounting is the date when a legal reserve is established for the probable estimated loss in the P&L.

Grouped losses • Losses caused by a common operational risk event or by related

P a g e | 209


operational risk events over time must be grouped and entered into the SMA loss data set as a single loss. • The bank’s internal loss data policy should establish criteria for deciding the circumstances, types of data and methodology for grouping data as appropriate for its business, risk management and SMA regulatory capital calculation needs. The bank must also clarify and document individual judgments in applying these criteria.

Annex 1 Business Indicator definitions

P a g e | 210


46. The following P&L items should not contribute to any of the items of the BI: • Income and expenses from insurance or reinsurance businesses • Premiums paid and reimbursements/payments received from insurance

P a g e | 211


or reinsurance policies purchased • Administrative expenses, including staff expenses, outsourcing fees paid for the supply of non- financial services (eg logistical, IT, human resources), and other administrative expenses (eg IT, utilities, telephone, travel, office supplies, postage) • Recovery of administrative expenses including recovery of payments on behalf of customers (eg taxes debited to customers) • Expenses of premises and fixed assets (except when these expenses result from operational loss events) • Depreciation/amortisation of tangible and intangible assets (except depreciation related to operating lease assets, which should be included in financial and operating lease expenses) • Provisions/reversal of provisions (eg on pensions, commitments and guarantees given) except for provisions related to operational loss events • Expenses due to share capital repayable on demand • Impairment/reversal of impairment (eg on financial assets, non-financial assets, investments in subsidiaries, joint ventures and associates) • Changes in goodwill recognised in profit or loss • Corporate income tax (tax based on profits including current tax and deferred tax).

Annex 2 Example of an alternative method to help ensure the stability of the SMA methodology 47. As noted in section 4.3, the Committee will consider the results of its QIS exercise and respondents’ feedback as it reviews the design and calibration of the framework. The Committee may consider alternative methods to the logarithmic function described in section 4.3 that would help ensure that the combination of loss data and the BI produces stable capital requirements, while retaining risk-sensitivity.

P a g e | 212


An example of such an alternative method is the incorporation of a maximum multiple for the Loss Component relative to BI Component. This would take the place of the logarithmic function. 48. This modification would set capital requirements at a maximum multiple of the BI Component (based on the calibration of the factor “m”) and a lower bound on the BI Component. In particular, the Internal Loss Multiplier [ie ln(...)] that is incorporated in the formula in paragraph 35 would be replaced by the following formula:

49. By setting minimum and maximum multiples of the BI component, the proposed alternative also serves to decrease the variability of capital outcomes across banks and provide greater certainty about future capital outcomes.

P a g e | 213


What is the deposit facility rate? The deposit facility rate is one of the three interest rates the ECB sets every six weeks as part of its monetary policy. The rate defines the interest banks receive for depositing money with the central bank overnight. Since June 2014, this rate has been negative. There are two other key interest rates: the rate for our main refinancing operations (MROs) and the rate on the marginal lending facility. The MRO rate defines the cost at which banks can borrow from the central bank for a period of one week. If banks need money overnight, they can borrow from the marginal lending facility at a higher rate. To learn more: https://www.ecb.europa.eu/explainers/tell-me/html/what-is-the-deposit-facility-rate.en.html

https://www.ecb.europa.eu/explainers/tell-me/html/what-is-the-deposit-facility-rate.en.html

https://www.ecb.europa.eu/explainers/tell-me/html/what-is-the-deposit-facility-rate.en.html

P a g e | 214


Basel Committee on Banking Supervision Regulatory Consistency Assessment Programme (RCAP) Handbook for jurisdictional assessments The Handbook for Jurisdictional Assessments (the Handbook) contains in a single document the guidance and principles for RCAP (Regulatory Consistency Assessment Programme) assessors, assessed jurisdictions and experts seeking background information on RCAP issues and implementation topics. In addition, the Handbook describes the RCAP process for conducting jurisdictional assessments. This process is closely supervised by the RCAP Peer Review Board (PRB), with feedback from the Basel Committee’s Supervision and Implementation Group (SIG), and the jurisdictional assessments are finalised by the Basel Committee. The SIG is a key part of this process as it is responsible for monitoring the implementation of the Basel III framework through the RCAP. An overview of the key actors and groups involved in RCAP assessment is provided in Annex 1. The Handbook is a flexible compendium in that guidance and principles are revised or elaborated further as the RCAP evolves. It is revised and updated periodically based on lessons learnt from jurisdictional assessments. It is also a reference for jurisdictions intending to carry out their own implementation reviews. As such, it could also help for training and preparation purposes. The Handbook presents a general framework as well as specific methodologies for assessing a regulatory framework’s quality and consistency. The framework is sufficiently general to accommodate differences in structural and institutional factors across jurisdictions.

P a g e | 215


Objectives of RCAP A key component of the Basel Committee’s work agenda is to ensure strong regulatory regimes and effective supervisory systems across its member jurisdictions. The lessons of the recent financial crisis have highlighted the need for full, timely and consistent implementation of the Basel standards to underpin public confidence in banks, prudential ratios, and a level playing field. Recognising the importance of implementation, the Committee established the Regulatory Consistency Assessment Programme (RCAP) in 2012. By means of the RCAP, the Committee’s purpose is to ensure the consistent implementation of the Basel III framework, and thus to contribute to global financial stability. The programme consists of two distinct but complementary parts: The first is based on self-reporting and is to monitor the timely adoption of Basel III standards (an overview table is provided in Annex 2). The second, which has two elements – jurisdictional peer reviews and thematic assessments of regulatory outcomes – is to assess the consistency and completeness of the adopted standards. The Handbook focuses on the jurisdictional peer reviews. The jurisdictional assessments complement the monitoring on the timely adoption of Basel standards and sit at the RCAP’s core. They review whether and to what degree domestic regulations in each member jurisdiction are aligned with the minimum requirements defined by the Committee. The aim is to promote full and consistent adoption of the Basel framework by identifying provisions in the domestic regulations applicable to internationally active banks that are not in line with the letter and spirit of the relevant Basel standards. Importantly, the assessments also help to highlight the current and potential impact of any gaps in these regulations on financial stability and on the regulatory environment for internationally active banks.

P a g e | 216


Issues relating to the functioning of regulatory frameworks and effectiveness of implementation and supervisory frameworks are not in the scope of jurisdictional assessments. One key outcome of the assessments is to help member jurisdictions to undertake the reforms needed to make them more aligned with Basel standards.

2. Jurisdictional assessments: general process and time line To strengthen the RCAP, the Basel Committee has approved a number of refinements to the RCAP methodology in recent years. The aim has been to improve both the efficiency and governance of the assessments undertaken under the programme, while retaining the continuity of the existing approach and preserving consistency across assessments. The present RCAP procedures for assessing the capital, LCR and G-SIB standards are outlined below. An overview of the key actors and groups involved is provided in Annex 1. A schematic flow-chart of the RCAP assessment process is presented in Annex 3.

2.1 Preparatory phase 2.1.1 RCAP assessment questionnaire Jurisdictions participating in an RCAP assessment start working on the RCAP self-assessment questionnaires well ahead of the actual assessment. The RCAP questionnaires for capital and LCR are available on the Basel Committee’s website and a Word version can be obtained from the Secretariat on request.

2.1.2 Establishment of the RCAP Assessment Teams Capital and LCR framework The initial selection of the RCAP Team Leader (TL) is done by the PRB, taking into account any recommendation from the Committee’s Head of

P a g e | 217


Basel III Implementation. The Secretariat, in consultation with the TL, designates an Assessment Team (AT). Once the team is selected, it is formally approved by the PRB. The size and composition of the team depends upon the scope of the assessment and the assessed jurisdiction. Teams are selected with a view mainly to (i) obtaining high-quality expertise to cover all components of the Basel capital and LCR framework; (ii) ensuring that selected members can work both as primary and secondary reviewers within the team (ensuring “four eyes” for each assessed component); and (iii) achieving appropriate geographic diversity and language skills. In forming the team, the PRB ensures that the assessment teams and review teams are independent from the assessed jurisdiction, so as to avoid potential conflicts of interest.

G-SIB framework All jurisdictions that currently have G-SIBs are assessed for their consistency and completeness with the G-SIB framework. These jurisdictions are simultaneously reviewed by a single Assessment Team. Based on the principle of independent peer review and to avoid potential conflicts of interest, AT members should be drawn from jurisdictions that are not being assessed. The AT collects information on the implementation of the D-SIB principles (see Chapter 7). The information is used for a qualitative narrative and jurisdictions are not assessed on a graded basis.

2.1.3 Establishment of the RCAP Review Teams

P a g e | 218


A review process complements the assessment work. Alongside the establishment of the AT, the PRB also sets up a Review Team (RT) for the assessed jurisdiction. The RT is drawn from the SIG, other experts from the Committee, notably the Policy Development Group (PDG), and a senior member of the Secretariat.

2.1.4 Time line A high-level time line of the different steps for a typical RCAP assessment is provided in Section 2.10. The time required for each RCAP is about six months from the time the TL communicates the scope of the assessment and requests data and information (the preliminary self-review exercise having already been completed by the assessed jurisdiction). A detailed time line is formulated for each assessment by the TL and the Committee’s Secretariat and agreed with the assessed jurisdiction. Adjustments may be required to the time line depending on the deviations observed based on a desk review and off-site analysis by the AT.

Cutoff date At the start of an RCAP assessment, a cutoff date is agreed between the TL and the assessed jurisdiction. The AT takes into account regulations and rectifications, provided that these are issued before the cutoff date of the assessment. The cutoff date should ensure that there is sufficient time for RCAP teams to assess the consistency of the finalised regulations before submitting the report to the Review Team (RT). Principles are set out for handling any delays in the cutoff date and the date for submission of the assessment report to the Committee (see Section 2.9).

2.2 Off and on-site assessment phase 2.2.1 Capital and LCR framework The Committee’s Secretariat together with the TL prepares a “Scoping

P a g e | 219


Note” that includes specific details regarding the scope of the assessment, the assessment process and the time line for the assessment, including the cutoff date, and the sample of banks for materiality testing.

Off-site assessment phase A process for rigorous off-site review is based on work undertaken by primary and secondary assessors. As a general RCAP practice, the primary assessor identifies those parts of the domestic rules that are clearly compliant with the Basel standards while seeking to identify, without further evaluation, those parts that are super-equivalent, and to reserve for further consideration those parts that may be sub-equivalent. The second assessor’s task is to look at the sub-equivalent list, and consider whether any of the initial items should be removed. As an example: the language may differ between the local and Basel texts, but the local text achieves the same outcome (or close enough to the same outcome) to make no practical difference. The second assessor’s work may result in a shorter list of potential sub-equivalences. This second list is forwarded to the jurisdiction for further analysis and data collection for assessment of materiality. The primary assessor should take the lead on determining the data necessary, where relevant, to form a materiality view. The secondary assessor should assist particularly for those items considered potentially material and on issues requiring the use of expert judgment. This process should ensure that the focus of the RCAP is to identify substantive issues rather than narrow wording differences.

On-site assessment phase As a general principle, on-site reviews are expected to be conducted as part of the assessment process of risk-based capital and LCR standards.

P a g e | 220


On-site reviews provide the best opportunity to ensure the correct understanding of issues related to the adoption and implementation of Basel III identified during the off- site review, through face-to-face exchanges with relevant experts and the senior authorities responsible for the transposition of Basel III into domestic regulations. The length and content of each on-site review should be set based on the complexity of the domestic implementation and on the materiality of the issues identified. Domestic banking regulators and supervisors are expected to be the key counterparts of the AT during the on-site reviews, but meetings with other relevant parties (including the finance ministry or treasury, industry representatives, accounting representatives, rating agencies and analysts) may also take place to ensure that the AT collects a broad range of views and develops a sound understanding of local regulatory requirements and implementation issues. Meetings with the banking industry are expected to take place if possible without the participation of representatives of the domestic authorities. The purpose of these meetings is: • to discuss issues that could materially impact the quality and sustainability of implementation; • to understand the integrity of the implementation process in the jurisdiction and the readiness of the industry; • to give the industry an opportunity to exchange views on the broader Basel framework and any unintended hurdles in implementation; and • to inform the judgment of the team on materiality of issues where data are not available or deviations are not quantifiable.

2.2.2 G-SIB Framework Given its nature and compact scope, the G-SIBs assessment is done mostly off-site, relying upon the quality of information submitted by the assessed jurisdictions. More detail on the G-SIB assessment approach is provided in Section 5.

P a g e | 221


2.3 Drafting of the RCAP report Some parts of an RCAP report, eg the background information relating to regulations and banking system of the assessed jurisdiction, are drafted during the off-site phase. The Committee’s Secretariat sends the report template for completion to the assessed jurisdiction prior to the on-site visit.

2.4 Review phase The Review Team (RT) reviews the draft report before the draft report goes to the SIG and PRB for review and approval. Comments raised by the RT are shared with the SIG when the SIG is informed by the TL about the material findings or policy issues arising from the RCAP assessment. The comments and suggestions from the SIG are communicated to the PRB before it approves the report for submission to the Basel Committee.

2.5 Response from the assessed jurisdiction Jurisdictions being assessed have the opportunity to comment on the draft report before it is presented for the review phase. As part of this process, the assessed jurisdiction has the opportunity to present its views on the findings of the assessment and have them reflected in a separate section of the report.

2.6 Approval of the report and publication The Basel Committee has the final responsibility for approving jurisdictional assessment reports. Assessments are approved by consensus. If full consensus cannot be reached during the Committee meeting to which the report is presented, minority views are footnoted in the report. Jurisdictions being assessed have opportunity to comment on the draft report during the Committee meeting but do not take part in the decision-making.

P a g e | 222


After formal approval by the Committee, the report, including the response from the assessed jurisdiction, is published on the Committee’s website. The Committee member from the assessed jurisdiction is also invited to publish the report on its website.

2.7 Follow-up of RCAP jurisdictional reports The Basel Committee has established a system to keep abreast of the continuing efforts by its members to implement Basel III standards. The aim is to provide some continuity between assessments as well as to serve as a foundation for targeted implementation follow-up. Further, this improves the quality of reporting to stakeholders on actual progress with implementation of the Basel framework. Above all, the process is intended to help member jurisdictions to systematise and communicate their own monitoring efforts at the national level. The issues for follow-up RCAP assessments are listed in the jurisdictional reports and limited to the deviations that have a material or a potentially material impact. Follow-up assessments focus on re- assessing the materiality of these deviations and assessing any rectifications or amendments undertaken by the jurisdiction following the publication of the assessment report. Findings that relate to domestic implementation issues are not in the scope of follow-up assessments. Based on a monitoring template completed by jurisdictions whose assessments were completed and published two years prior, a yearly report is presented to the Committee on the follow-up actions taken by those jurisdictions (eg 2013 and 2014 RCAPs are covered in the 2015 and 2016 follow-up reports, respectively, 2015 RCAPs are covered in the 2017 follow-up report etc). This report explains how the deviations from the Basel requirements identified for follow-up work in the RCAP report were addressed or what proposals have been made to address them.

P a g e | 223


The report includes new or amended Basel-based requirements or regulatory changes that have been enacted by the assessed jurisdiction. The individual submissions are published on the Basel Committee website along with the original RCAP assessment report and the self-reported follow-up actions may be subject at some later stage to a formal assessment under the RCAP programme.

2.8 Confidentiality arrangements around the RCAP process The Assessment Team (AT), Review Team (RT), SIG and PRB follow the confidentiality arrangements of the Committee. The AT, TL and the Committee’s Secretariat staff who are directly involved with the assessment are subject to a specific RCAP confidentiality agreement that is agreed with the assessed jurisdiction.

2.9 Principles for handling delays of an RCAP jurisdictional assessment report Since the adoption of the RCAP, there have been a limited number of situations in which a Committee discussion of a draft RCAP jurisdictional assessment report has been delayed beyond the scheduled expected timeframe to accommodate amendments in domestic regulations. The “scheduled expected timeframe” for completing the assessment and presenting the findings for a Committee discussion is the one agreed between the AT and the assessed jurisdiction in the Scoping Note. The tentative publication month for publication of the assessment report is made public on the Basel Committee’s implementation webpage and in the Basel III implementation progress reports to the G20. Ordinarily when there is no delay, follow-up on amendments that are made after the scheduled cutoff date should take place during the RCAP assessment follow-up programme. In these cases, such amendments do not affect the assessment findings. In exceptional cases, however, a small delay can materially improve the prudential outcome. The principles to be followed while handling any delay in the cutoff date or

P a g e | 224


the date for submission of the assessment report to the Committee are set out below.

Principles When a member jurisdiction plans to amend its domestic regulations but cannot do so in the scheduled expected timeframe, the member can formally request a delay in the cutoff date and the date for submission of the assessment report to the Committee. Responsibility for recommending a delay to the Committee rests with the PRB. The principal considerations the PRB should weigh are: (i) Promoting better outcomes; (ii) Making a case for a delay; (iii) Limiting the delay and the scope of the amendments; and, (iv) Meeting public commitments made by the Committee.

2.10 General time line for RCAP-Capital and RCAP-LCR For both the RCAP-Capital and LCR assessments, the AT follows the general timeline detailed below. Exact timings are tailored to each RCAP:

P a g e | 225


2.11 Amendments or extensions of the RCAP methodology In the course of a jurisdictional assessment, methodological questions may arise.

P a g e | 226


Examples from previous assessments include: (i) determining criteria to assess the “bindingness” of domestic regulatory documents; (ii) establishing a process to allow more time for jurisdictions to rectify deviations; and (iii) designing an approach for assessing quantifiable and non-quantifiable deviations. In such a case, the Committee’s Secretariat and the Team Leader, after discussion with the Committee’s Head of Basel III Implementation, propose a course of action to the PRB for discussion. The PRB then determines the course of action or signs-off of the proposed process or criteria for the purposes of the current assessment. If there is sufficient time and the issue does not need to be closely held, feedback from SIG should be requested before submitting the draft assessment report to the Basel Committee. Otherwise, the PRB can decide to raise the matter directly at the Basel Committee.

2.12 Approach for assessing revised Basel standards When a jurisdiction has implemented, or is in the process of implementing, a revised Basel standard ahead of the agreed implementation deadline for that standard, it may request the assessment to be based on the revised Basel standard instead of the existing – to-be-superseded – Basel standard. Once the agreed implementation deadline of a revised Basel standard has passed, a jurisdictional RCAP assessment is automatically based on the revised Basel standard. Basel standards that are under revision and/or in consultation cannot be part of the scope of a jurisdictional RCAP assessment.

3. Basel risk-based capital standards: scope, design and methodology of assessment 3.1 Scope

P a g e | 227


The RCAP assessments of risk-based capital regulations cover the full scope of Basel standards, ie Basel II, 2.5 and III. The assessment covers 14 components (see below). These assessments cover all Committee member jurisdictions. The assessments are carried out with reference to Basel capital standards enumerated in Annex 4 and are based, whenever possible, on the final domestic regulations that are binding in nature. The following table contains the 14 key components of the Basel framework that are currently within the scope of risk-based RCAP jurisdictional assessments. Assessed jurisdictions receive a grade for each of these components individually as well as an overall grade.

3.2 Design

P a g e | 228


The RCAP assessments are designed as peer reviews undertaken by technical experts selected from jurisdictions. This approach is reflected throughout the assessment process, and due care is taken in balancing the composition of the AT and the RT.

3.3 Assessment methodology The assessment methodology for capital standards has evolved over the past years. It deals with the classification of findings into quantifiable and non-quantifiable deviations, assessment of materiality and potential materiality of the deviations at the key component level, assignment of grades to key components, determination of an overall grade, and the identification and treatment of Basel provisions that are open to different interpretations. The general principles underlying the assessment methodology are the following: (i) The jurisdictional assessments focus on reviewing the content of domestic regulations. The assessment of compliance with the Basel rules is based on: • a comparison of domestic regulations with the international agreements to identify if all the required provisions of Basel III have been adopted (completeness of the regulations); and • notwithstanding the form of local requirements, whether there are any differences in substance between the domestic regulation and the Basel rules (consistency of the regulations). (ii) The assessment is not a “word for word” comparison. The objective is to ensure that substance of the every Basel provision exists somewhere in the domestic regulation. (iii) When a gap or difference is identified, a key driver for assessing compliance is its materiality and impact. The component grades and overall grade are based on the aggregate impact

P a g e | 229


on the reported risk-based capital ratios or risk-weighted assets (RWA) of (i) all deviations that are considered currently or potentially material and (ii) all non-material deviations where the impact has been quantified. (iv) The assessment also seeks to clarify the rationale for any identified gaps and differences between the domestic provisions and the corresponding Basel rules, with a view to ensuring a firm understanding of the specificities and drivers of local implementation. This helps various stakeholders view the assessment in proper perspective. However, these elements are not taken into account when assessing compliance beyond the scope of national discretion already specified within Basel III. (v) Domestic measures that are stricter than the minimum Basel requirements are fully in line with the nature of the international agreements, which are intended to set minimum requirements, and are therefore considered as compliant. However, they are not considered as compensating for inconsistencies or gaps identified elsewhere, unless they fully and directly address the identified inconsistencies or gaps. (vi) Consistent with the scope of the jurisdictional assessments, the AT is not expected to verify the actual implementation at the ground level if a regulation is prima facie compliant with the Basel provision. (vii) A distinction can be made between assessment findings, such as deviations and gaps, and observations. Observations highlight certain special features of the regulatory implementation of the Basel standards in the assessed jurisdiction. Observations are presented separately in the assessment report for contextual and informational purposes. They do not indicate sub- equivalence, but are considered compliant with the Basel standard and do not have a bearing on the assessment outcome.

3.4 Bindingness of the regulatory documents

P a g e | 230


Laws and regulations provide a framework to set and enforce prudential requirements for banks. While legal and regulatory structures could differ across jurisdictions, the general expectation is that the Basel minimum prudential standards are implemented through laws and regulations that are legally binding and can be enforced effectively. It is important that these laws and regulations are clearly distinguishable from instruments used to provide any guidance that are not strictly binding on banks. The following are the main principles and criteria for the eligibility of instruments, other than laws and regulations, in RCAP assessments. The list below helps establish their legitimacy and “bindingness” for assessing the completeness and consistency of the regulatory regime: 1. The instruments used are part of a well defined, clear and transparent hierarchy of a legal and regulatory framework; 2. They are public and easily accessible; 3. They are properly communicated and viewed as binding by banks as well as by the supervisors; 4. They would generally be expected to be legally upheld if challenged, and are supported by precedent; 5. Consequences of failure to comply are properly understood and carry the same practical effect as for the primary law or regulation; 6. The regulatory provisions are expressed in clear language that complies with the Basel provisions in both substance and spirit; and, 7. The substance of the instrument is expected to remain in force for the foreseeable future. Key elements of Basel III standards should be implemented through laws and regulations. Only interpretative issues and clarifications should be conveyed via Q&As, FAQs or supervisory guidance, or other ad hoc instruments.

P a g e | 231


3.5 Assessment of materiality The RCAP team should classify any identified gaps as quantifiable or non-quantifiable deviations. As regards quantifiable deviations, the assessment of materiality is performed. The basis of the materiality assessment for identified deviations is the impact on the reported capital ratios and RWAs of the banks in the sample agreed between the AT and the assessed jurisdiction. Normally, this sample should embrace a minimum of 60% of the total banking assets of all banks in the assessed jurisdiction that are subject to the Basel standard. The sample should also be representative of the various types of bank operating in the jurisdiction. The assessment takes into account both the current impact and consequences, and the potential future impact. For quantifiable deviations, when materiality thresholds are used, these thresholds are also meant as guidelines, not as hard limits. Assessors need to apply judgment when assessing the materiality of deviations and in exceptional cases, may deviate from the thresholds based on expert judgment. In all cases, the team should justify the materiality assessment and provide a clear underpinning of the materiality assessment. In evaluating the impact of the non-quantifiable deviations and integrating this analysis with the quantitative impact of other deviations, the RCAP teams should apply expert judgment in a consistent manner.

3.6 Compliance scale All assessments are summarised according to a four-grade scale: compliant, largely compliant, materially non-compliant and non-compliant. • Regulation is compliant with Basel standards: a regulation is considered compliant if all minimum provisions of the international framework have

P a g e | 232


been satisfied and if no material differences have been identified which would give rise to prudential concerns or provide a competitive advantage to internationally active banks. • Regulation is largely compliant with Basel standards: a regulation is considered largely compliant with Basel standards if only minor provisions of the international framework have not been satisfied and if only differences that have a limited impact on financial stability or the international level playing field have been identified. • Regulation is materially non-compliant with Basel standards: a regulation is considered materially non-compliant with Basel standards if key provisions of the international framework have not been satisfied or if differences that could materially impact financial stability or the international level playing field have been identified. • Regulation is non-compliant with Basel standards: a regulation is considered non-compliant if Basel standards have not been adopted or if differences that could severely impact financial stability or the international level playing field have been identified. The outcome of the assessment process takes the form of an overall assessment of the compliance of the jurisdiction’s regulation with Basel standards and assessments of the compliance of the jurisdiction’s regulation for each of the key components of the capital framework as listed in Annex 5.

3.7 Assessment grading Assessment grades are assigned largely according to the materiality of identified deviations; that is, the current and potential impact of the identified deviation of the formal published texts of local rules or regulations from the Basel standards. The assessment team identifies the gaps for each of the key components of the risk-based capital framework. Once the gaps have been determined, they are classified as quantifiable or non-quantifiable. The materiality of quantifiable gaps is measured in terms of the current and potential impact on risk-based capital ratios and RWAs.

P a g e | 233


In some cases, data limitations may hamper materiality assessments of quantifiable gaps. Where a direct estimate of the impact is not possible, the assessment team attempts to assess materiality based on proxies such as the level of exposure to the affected asset class, the number of banks engaged in specific business activities, data from public sources, results of impact studies, or other similar types of information made available by the assessed jurisdiction. In these cases, teams use their collective expertise to form a best-efforts estimate of the impact on banks’ capital ratios and RWAs. Some aspects of the Basel framework are, by nature, non-quantifiable. For instance, gaps in Pillar 1 involving issues related to governance of the use of internal models, or gaps in Pillar 2 or Pillar 3 would fall in this category. The materiality of such gaps is assessed based on the degree of uncertainty these gaps are likely to cause, at present or in the future, regarding the accuracy of the capital measurement process and/or the quality of risk management when that is relevant. For instance, in the case of Pillar 2, the materiality of risks not captured under the RCAP is judged within the context of the importance of these risks for financial stability and the level playing field. Once the materiality of the individual gaps is determined, the RCAP team proceeds to determine the assessment grades for each component of Basel capital standards using one of the four grades defined above in Section 3.6. The following three step approach should guide this process: Step 1: For each component, the cumulative impact of the quantifiable gaps is calculated in terms of both capital ratios and RWAs (where applicable). This forms the basis for a preliminary component-level grade. Step 2: For each component, the cumulative impact of non-quantifiable gaps is also evaluated. As the focus is on the cumulative materiality of the gaps, the RCAP team does not average out between the quantifiable and non-quantifiable gaps.

P a g e | 234


The grade derived in Step 1 can be lower but cannot be improved once non-quantifiable gaps are taken into consideration. Step 3: A final judgmental check is applied to ensure that the resulting component grade is consistent with the description of the grade. Any new consideration affecting this judgment is documented and explained in the assessment report. Finally, the RCAP team determines the overall grade following these four steps below: Step 1: The cumulative impact of all quantifiable gaps is calculated. This calculation forms the basis for the overall preliminary grade. Step 2: The cumulative materiality of all non-quantifiable gaps is assessed. Again, the grade derived under Step 1 can only be kept at the same level or lowered, but not improved. Step 3: The overall grade cannot be more than one notch higher than the worst component grade. Step 4: A final judgmental check is applied to assess whether the resulting overall grading is consistent with the description of the grade. Any new consideration that is relevant to the assignment of the final grade is appropriately documented and explained in the assessment report.

4. Basel Liquidity Coverage Ratio: scope, design and methodology of assessment 4.1 Scope As with the risk-based capital standards, the RCAP-LCR assessment focuses on the completeness and consistency of local regulations with respect to the Basel standards. The RCAP assessments of Basel liquidity standards (LCR) cover implementation of the LCR and the related LCR disclosure standards. The assessment assigns an overall grade for LCR implementation and for four components of the LCR:

P a g e | 235


(i) high- quality liquid assets, (ii) outflows, (iii) inflows, and (iv) LCR disclosure standard (Annex 5).

The assessment focuses on the completeness of the local regulations adopted and the consistency of local implementations of the LCR with the standards established by the Committee. The assessment determines any gaps or deviations from the Basel framework and evaluates their materiality on the LCR and on the resulting liquidity risks more broadly. The assessment is based on the following documents: (i) Basel III: The Liquidity Coverage Ratio and liquidity risk monitoring tools (January 2013), including any published frequently asked questions (eg Frequently Asked Questions on Basel III’s January 2013 Liquidity Coverage Ratio framework, issued in April 2014); (ii) Liquidity Coverage Ratio disclosure standards (January 2014); The liquidity monitoring tools and the principles for sound liquidity risk management are outside the scope for grading. The following Basel documents are therefore reviewed for information purposes only: (i) Basel III: The Liquidity Coverage Ratio and liquidity risk monitoring tools (January 2013) (part of liquidity risk monitoring tools); (ii) Monitoring tools for intraday liquidity management (April 2013); and,

P a g e | 236


(iii) Principles for sound liquidity risk management and supervision (September 2008). In addition, the RCAP-LCR assessment collects information on implementation issues that are subject to prudential judgment or discretion (Annex 6).

4.2 Design As in the case of assessment of Basel capital standards, the RCAP-LCR assessments are also designed as peer reviews undertaken by technical experts selected from jurisdictions.

4.3 Assessment methodology The aims of the methodology are to achieve as much consistency as possible across jurisdictions, to support a rigorous analysis by the AT and to make efficient use of resources. The RCAP-LCR assessment methodology reflects the fact that the LCR standard is a “standardised approach” based on a predefined weighting scheme. Further, there is a significant qualitative element underlying the computation of the LCR, which requires implicit or explicit regulatory and supervisory treatment (often by taking into account the situation in the respective jurisdiction and/or market specific circumstances). A key challenge of the LCR assessment is thus to ensure that, within the scope of differences in regulatory and supervisory treatments provided for by the LCR standard, bank assets and liabilities are mapped consistently to the appropriate LCR categories on both sides of the balance sheet. As a general principle, mirroring the established RCAP assessment methodology, the RCAP-LCR materiality assessment is based on both quantitative impact and qualitative factors. Similar to capital assessments, teams may list contextual observations regarding the regulatory implementation of the Basel LCR standard separately in the assessment report. Observations do not indicate sub-equivalence, but are considered compliant with the Basel standard and do not have a bearing on the

P a g e | 237


assessment outcome.

4.4 Bindingness of the regulatory documents The main principles and criteria for the eligibility of instruments, other than laws and regulations, in RCAP assessments, are the same as those used for assessing risk-based capital standards.

4.5 Data collection The data collection includes specific materiality data requests required for the LCR assessment. In addition to the assessment team’s interaction with the supervisory authority of the assessed jurisdiction, the team would also establish contact with the central bank on a need-to-know basis, eg in the context of the data collection and in terms of their role as lenders of last resort, provision of R-CLF facilities etc. Meetings with the banking sector and other representatives from the private sector (such as audit firms, consultants and experts for a specific jurisdiction) provide the AT with a more comprehensive view on implementation, and help to verify findings, but are not usually used for the assessment.

4.6 Compliance scale and assessment grading The assessment outcome follows one of the four grades used in the RCAP-Capital: compliant (C), largely compliant (LC), materially non-compliant (MNC), and non-compliant (NC). As in the case of the assessment of the risk-based capital standards, the grading is, to the extent possible, based on quantitative materiality analysis, supplemented by qualitative analysis for non- quantifiable factors. Also, the overall grade cannot be more than one notch higher than the worst component grade. For example, a jurisdiction that has one of the components assessed as “materially non- compliant” cannot receive an overall grade that is higher than “largely compliant”.

5. Basel framework for global systemically important banks

P a g e | 238


(G-SIBs): scope, design and methodology of assessment 5.1 Scope Consistent with the general RCAP monitoring and assessment methodology for risk-based capital standards and the LCR, the RCAP-SIB assesses the completeness and consistency of domestic implementation with the Basel standards The RCAP assessment of the Basel framework for G-SIBs covers the 12 provisions of the Basel G- SIB framework. These deal with (i) reporting and public disclosure requirements, and (ii) the higher loss absorbency requirement and its composition, and coordination with other regulatory requirements. Alongside, as part of the half-yearly monitoring of the adoption of Basel III standards, all Committee member jurisdictions with banks having a size indicator (measured as exposure for leverage ratio computation) above the EUR 200 billion threshold are required to monitor their own adoption of G- SIB reporting and disclosure requirements. These banks form the core of the main sample for deciding G- SIB status. Jurisdictions can add banks to the main sample based on supervisory judgment and then they must also self-monitor. The focus of that monitoring is on completeness and timeliness. The G-SIB framework has several key requirements, namely: (i) reporting requirements (including reporting data to the Committee) and public disclosure by banks; (ii) the level and composition of the HLA requirement and coordination with other regulatory requirements (both domestic and cross-border). At this time, only the G-SIB home jurisdictions are subject to a formal G-SIB RCAP assessment.

P a g e | 239


When a jurisdiction has implemented the full G-SIB requirements but has no designated G-SIB, it can also volunteer for such an assessment. However, in this case, the assessment is not graded. Jurisdictions with banks in the main sample, but without designated G-SIBs, report the status of adoption (timeliness and completeness) of the G-SIB reporting and disclosure standards as part of the half-yearly Basel III implementation monitoring exercise. These member jurisdictions are not assessed for any of the G-SIB requirements. If a jurisdiction has a bank that becomes a designated G-SIB, it becomes subject to an assessment of the G-SIB framework. In this context, the Basel G-SIB framework provides some leeway for jurisdictions, as banks are required to meet the additional requirement within 12 months after progressing to a higher bucket. If a jurisdiction has a bank that exceeds the EUR 200 billion threshold, or includes a bank in the sample based on its supervisory judgment, it becomes subject to the monitoring of the adoption status of reporting and disclosure requirements.

5.2 Design The assessment is carried out on a cross-jurisdictional basis covering the five member jurisdictions that currently have G-SIBs. It is designed so that most of the work is based on desk analysis.

5.3 Assessment methodology A distinction must be made between the identification part of the G-SIB framework and the consequences part (ie the requirements for banks that are designated G-SIBs). For the identification part, the Assessment Team does not make a line-by-line assessment of the G-SIBs reporting instructions (that aim at collecting the data necessary to assess the systemic importance of banks). For the consequences part, jurisdictions are free to be more conservative

P a g e | 240


than prescribed by the Basel framework. In this case, areas of super-equivalence are noted in the assessment report, as is done for the RCAP-Capital and RCAP-LCR assessments.

5.4 Assessment of reporting and disclosure requirements The aim of the reporting and disclosure requirements is to assess whether the national implementation ensures that the 12 indicators are reported and disclosed by banks as per the agreed Basel instructions and that the data submission is of high quality. Therefore, in their self-assessment, jurisdictions should indicate how they have implemented the reporting and disclosure requirements for each of the 12 indicators. To support the assessment, additional questions regarding the implementation and enforcement of the reporting instructions are included in the self-assessment questionnaire.

5.5 Assessment of materiality The existing RCAP-Capital materiality approach is used where possible. For quantifiable deviations, the impact is measured with the help of data publicly available or submitted by the RCAP counterparty agency on an only-where-needed basis. For such deviations, when materiality thresholds are used, these thresholds are also meant as guidelines, not as hard limits. Assessors need to apply judgment when assessing the materiality of deviations and may deviate from the thresholds based on expert judgment. In all cases, the team should justify the materiality assessment and provide a clear underpinning of the materiality assessment. In general, for quantifiable deviations, bank-specific data are requested to support the analysis of materiality. The data should reflect the full implementation of the Basel standards and should not take into account phase-in arrangements.

P a g e | 241


Where local regulations are assessed to be in line with the Basel rules, there is no requirement to provide data for materiality testing. Likewise, where the domestic regulations impose requirements on banks over and above the requirements in the Basel text, the provision of supporting data is optional.

5.6 Compliance scale and assessment grading As in the case of the RCAP-Capital and RCAP-LCR, the formal G-SIB assessment is graded (applicable only to those jurisdictions that are assessed for the full G-SIB framework). There is one overall grade, and two component grades (Annex 5): • A grade for the implementation of the HLA requirements. This includes the phase-in arrangements, instruments to meet the HLA and the interaction with other elements of the Basel III framework; and, •A grade for the disclosure requirements.

6. Basel framework for domestic systemically important banks (D-SIBs): scope, design and methodology of review The implementation of the D-SIB principles of member jurisdictions is not formally assessed on a graded basis. Instead, the AT collects information on the implementation of the D-SIB standards in the assessed member jurisdictions, which is used for a qualitative narrative. This approach is broadly consistent with the Committee’s objectives; while the Committee collects valuable information on implementation, a narrative respects the high-level, principles-based nature of the D-SIB framework.

7. Interpretative issues: process for clarifying Basel standards Jurisdictional assessments usefully inform the Basel Committee about implementation challenges and interpretative issues that member jurisdictions and assessment teams come across when assessing the consistency of the domestic regulatory frameworks.

P a g e | 242


Specifically, the assessments identify areas where further clarification is needed to ensure consistent implementation. To provide clarifications in a timely and consistent manner, a process has been established to complement the existing Basel FAQ process. The process is based on an escalation ladder while at the same time ensuring leeway for the assessment team to form its own view and apply expert judgment. If an interpretative issue cannot be resolved during the assessment, the issue is taken out of the scope of the assessment and submitted to the relevant Basel Committee’s working group for further guidance and clarification. The Basel Committee approves the proposed clarification before its publication as an FAQ.

Annexes Annex 1: Composition, terms of reference and mandate of RCAP governing bodies

P a g e | 243


Annex 2: Monitoring regulatory adoption The aim of the monitoring effort undertaken as part of the RCAP is to ensure that relevant Basel standards are transposed into domestic laws or regulations according to the internationally agreed timeline. The monitoring framework put in place by the Committee’s Secretariat keeps a regular watch on the adoption of the Basel standards by member jurisdictions.

P a g e | 244


Based on information provided by each jurisdiction, the monitoring output comprises a half-yearly report (“Progress report on the adoption of the Basel regulatory framework”) for the Committee’s approval and publication. Initially focused on the Basel capital standards, the monitoring framework has been progressively extended to cover the adoption progress of all Basel III standards that will become effective by 2019. The revised progress report then provides a consolidated overview of the progress made by member jurisdictions in adopting the Basel III capital standards, Liquidity Coverage Ratio (LCR), Net Stable Funding Ratio (NSFR), leverage ratio, SIBs requirements, revised Pillar 3 disclosure framework and large exposure framework. Progress is evaluated according to numerical grades with an overlay of colour codes (see below).

Numerical grades 1 = draft regulation not published; 2 = draft regulation published; 3 = final rule published (but not yet implemented by banks); 4 = final rule in force (published and implemented by banks).

Colour codes Green = adoption completed; Yellow = adoption in process; Red = no adoption; No colour = Rules are not due for implementation as of date of assessment.

Overview table The following table is used to summarise the status of adoption of Basel standards by member jurisdictions. The latest updated table is available at the website of the Basel Committee. The table is typically updated twice a year, in April and October. The table below includes hypothetical scores and colours for illustrative purposes only.

P a g e | 245


Annex 4: Reference and supporting documents for RCAP-Capital assessments

P a g e | 246


The following list constitutes the Basel documents that are in scope of the assessment as of date. It may be noted that the published Basel FAQs that clarify the interpretation of published Basel II, 2.5 and III documents are also within the scope of this assessment. Further, annexes referred to in the Basel documents are also within the scope of the assessment. This list is automatically updated once the implementation of a Basel standard has passed. 1. Basel II: International Convergence of Capital Measurement and Capital Standards: A Revised Framework – Comprehensive Version (June 2006) 2. Enhancements to the Basel Framework (July 2009) 3. Guidelines for computing capital for incremental risk in the trading book (July 2009) 4. Final elements of the reforms to raise the quality of regulatory capital issued by the Basel Committee (January 2011) 5. Revisions to the Basel II market risk framework – updated as of 31 December 2010 (February 2011) 6. Basel III: A global regulatory framework for more resilient banks and banking systems – revised version (revised June 2011) 7. Pillar 3 Disclosure Requirements for Remuneration (July 2011) 8. Treatment of trade finance under the Basel capital framework (October 2011) 9. Interpretive issues with respect to the revisions to the market risk framework (November 2011) 10. Composition of capital disclosure requirements – Rules text (June 2012) 11. Capital requirements for bank exposures to central counterparties (July

P a g e | 247


2012) 12. Regulatory treatment of valuation adjustments to derivative liabilities: final rule issued by the Basel Committee (July 2012); and 13. FAQs published by the Committee including those that would solve any interpretative issue arising during the assessment.

Annex 5: Overview of graded components of the Basel framework

P a g e | 248


P a g e | 249


P a g e | 250


Disclaimer The Association tries to enhance public access to information about risk and compliance management. Our goal is to keep this information timely and accurate. If errors are brought to our attention, we will try to correct them. This information: - is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity; - should not be relied on in the particular context of enforcement or similar regulatory action; - is not necessarily comprehensive, complete, or up to date; - is sometimes linked to external sites over which the Association has no control and for which the Association assumes no responsibility; - is not professional or legal advice (if you need specific advice, you should always consult a suitably qualified professional); - is in no way constitutive of an interpretative document; - does not prejudge the position that the relevant authorities might decide to take on the same matters if developments, including Court rulings, were to lead it to revise some of the views expressed here; - does not prejudge the interpretation that the Courts might place on the matters at issue. Please note that it cannot be guaranteed that these information and documents exactly reproduce officially adopted texts. It is our goal to minimize disruption caused by technical errors. However some data or information may have been created or structured in files or formats that are not error-free and we cannot guarantee that our service will not be interrupted or otherwise affected by such problems. The Association accepts no responsibility with regard to such problems incurred as a result of using this site or any linked external sites. The Basel iii Compliance Professionals Association (BiiiCPA) is the largest association of Basel iii Professionals in the world. It is a business unit of the Basel ii Compliance Professionals Association (BCPA), which is also the largest association of Basel ii Professionals in the world.

P a g e | 251


Basel iii Compliance Professionals Association (BiiiCPA) 1. Membership - Become a standard, premium or lifetime member. You may visit: www.basel-iii-association.com/How_to_become_member.htm 2. Monthly Updates - Subscribe to receive (at no cost) Basel II / Basel III related alerts, opportunities, updates and our monthly newsletter:

http://forms.aweber.com/form/34/847642534.htm 3. Training and Certification - Become a Certified Basel iii Professional (CBiiiPro). You must follow the steps described at: www.basel-iii-association.com/Basel_III_Distance_Learning_Online_Certification.html Become a Capital Requirements Directive IV / Capital Requirements Regulation Professional (CRDIV/CRR/Pro). You may visit: www.basel-iii-association.com/CRD_IV_Distance_Learning_Online_Certification.html For instructor-led training, you may contact us. We can tailor all programs to your needs. We tailor Basel III presentations, awareness and training programs for supervisors, boards of directors, service providers and consultants. 4. Authorized Certified Trainer, Certified Basel iii Professional Trainer Program (BiiiCPA-ACT / CBiiiProT) - Become an ACT. This is an additional advantage on your resume, serving as a third-party endorsement to your knowledge and experience. Certificates are important when being considered for a promotion or other career opportunities. You give the necessary assurance that you have the knowledge and skills to accept more responsibility.

http://www.basel-iii-association.com/How_to_become_member.htm

http://forms.aweber.com/form/34/847642534.htm

http://www.basel-iii-association.com/Basel_III_Distance_Learning_Online_Certification.html

http://www.basel-iii-association.com/Basel_III_Distance_Learning_Online_Certification.html

http://www.basel-iii-association.com/CRD_IV_Distance_Learning_Online_Certification.html

http://www.basel-iii-association.com/CRD_IV_Distance_Learning_Online_Certification.html

P a g e | 252


To learn more you may visit: www.basel-iii-association.com/BiiiCPA_ACT.html 5. Approved Training and Certification Centers (BiiiCPA-ATCCs) - In response to the increasing demand for Basel III training, the Basel iii Compliance Professionals Association (BiiiCPA) is developing a world-wide network of Approved Training and Certification Centers (BiiiCPA-ATCCs). This will give the opportunity to risk and compliance managers, officers and consultants to have access to instructor-led Basel III training at convenient locations that meet international standards. ATCCs deliver high quality training courses, using the BiiiCPA approved course materials and having access to BiiiCPA Authorized Certified Trainers (BiiiCPA-ACTs). To learn more: www.basel-iii-association.com/Approved_Centers.html

http://www.basel-iii-association.com/BiiiCPA_ACT.html

http://www.basel-iii-association.com/Approved_Centers.html

basel iii news, from the basel iii compliance professionals association

Documents