Recommendation C on Concentration Risk Management

Financial Supervision Commission Recommendation C on the management of concentration risk Warsaw, May 2016

Recommendation C Page 2 of 23

Introduction This Recommendation is issued pursuant to Article 137(1)(5) of the Banking Law Act of 29 August 1997 (consolidated text: Journal of Laws of 2015, item 128, as amended) and constitutes a set of rules regarding good practices in the management of concentration risk. In adapting its operations to this Recommendation, a bank shall take into account applicable legal provisions, in particular the provisions of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (consolidated text: OJ EU 2013, L 176, 27.6.2013) (hereinafter: the CRR Regulation).

Concentration risk, due to its materialization during the financial crisis initiated in 2008, was a source of significant losses for European and global banks, contributing to the weakening of their financial condition and operational safety. In connection with the development of the situation in the banking sector, the acquisition of new experience by both banks and financial supervisors, and the development of European regulations over the last few years, there has been a need to amend Recommendation C, which involves updating and enriching its content with new areas. The following Recommendation replaces Recommendation C on the management of concentration risk of commitments issued by the banking supervisor in 2002.

Recommendation C is addressed to all banks, regardless of the level of consolidation. Recommendation C should be helpful in developing a comprehensive and forward-looking approach to managing concentration risk in banks. Rules relating to the bank's policy and detailed prudential requirements regarding the management of concentration risk have been specified in the subsequent chapters of the Recommendation. The Recommendation also indicates the desired direction of actions taken by the management board and the supervisory board of the bank within the process of managing concentration risk.

Concentration risk is traditionally analyzed in relation to lending activities, and such an approach to concentration risk is reflected in Recommendation C. In practice, concentration risk also concerns other areas of the bank's activity, related, for example, to the bank's activity on financial markets or to daily operational activities. As a result of disturbances in some markets, economic sectors, and countries, or within certain areas of the bank's activity, concentrations resulting, inter alia, from the dependence of the bank's activity on the same or very similar products, services, or suppliers, reliance on poorly diversified liquid assets and funding sources, holding significant exposures towards single clients or groups of connected clients, or exposures influenced by common or strongly positively correlated risk factors, may contribute to losses large enough to worsen the bank's overall risk profile and pose a threat to the continuity of operations.

In view of the above, Recommendation C formulates specific expectations for banks that meet one of the following criteria:

Recommendation C Page 3 of 23

• the bank holds a significant share in the market of deposits of the non-financial sector (deposits of the non-financial sector in the bank's balance sheet exceed 2% of the aggregated sum of these deposits in the banking sector based on data published by the KNF for the entire banking sector as of the end of the previous year),
• the bank has been identified as a systemically important institution in accordance with the relevant provisions of the Act of 5 August 2015 on macroprudential supervision of the financial system and crisis management in the financial system (Journal of Laws of 2015, item 1513).

These banks shall comply with all provisions of Recommendation C. With regard to other banks, it is possible not to apply the provisions of Recommendation 15, which relates to the management of concentration risk between different types of risk, and the following provisions: 1.6(a) first dash regarding the consideration of correlations between risk factors that may manifest only under extreme conditions, 1.6(a) second dash regarding the consideration of dependencies between risk factors, 7.7(a) regarding the consideration of interdependencies between exposures, 7.9 regarding the correlation of different risk factors, 8.14(b), 8.14(f), 8.15(e), and 12.4.

Regardless of the above, banks shall apply the provisions of other KNF Recommendations relating to the management of concentration risk within other – non-credit – types of risk, on the terms specified in those Recommendations. Banks shall also manage concentration risk arising from exposures to entities in the unregulated sector. Detailed guidelines in this respect, which have been developed by the European Banking Authority, will enter into force on 1 January 2017.1

Banks conducting specialized activities, whose business strategy involves the emergence of concentration risk with respect to certain entities, services, or markets (e.g., mortgage banks), should pay particular attention to concentration risk, as they may be potentially more exposed to it than universal banks. A similar reservation applies to banks that are subsidiaries, whose activity involves concentration risk within specific products, services, or markets in connection with the implementation of a strategy for the entire group.

In the case of cooperative banks operating in an association or in a protection system within the meaning of the Act of 7 December 2000 on the functioning of cooperative banks, their association, and affiliated banks (i.e., Journal of Laws of 2015, item 2170), the supervisor expects that provisions regarding the adopted policy are developed with the support of affiliated banks or units managing the protection system, taking into account the individual specificity and risk profile of each affiliated bank and the principle of proportionality. The scope and degree of advancement of adopted procedures should be decided by the scale of activity. The process of creating internal regulations in these banks, despite the active role of the affiliated bank, must not, however, contradict the scope of duties and statutory responsibilities of the governing bodies of the affiliated cooperative banks defined in the respective recommendations.

Affiliated banks and units managing protection systems should support affiliated cooperative banks in developing analytical tools for measuring the level of concentration risk, as well as preparing and conducting stress tests. Additionally, it is expected of units managing protection systems to monitor and control concentration risk at the level of entities co-creating these systems.

The KNF expects that Recommendation C on the management of concentration risk, constituting an annex to Resolution No. 351/2016 of the Financial Supervision Commission of 24 May 2016 (Journal of Decisions of the KNF item ...), will be implemented no later than by 1 January 2017.

Recommendation C Page 4 of 23

Glossary of Terms

1. Risk appetite – the current and future willingness of the bank to take on risk.
2. Exposure – exposure as understood in accordance with Article 389 of the CRR Regulation.
3. Large exposure – exposure as understood in accordance with Article 392 of the CRR Regulation.
4. Large exposure limits – limits specified in Article 395(1) of the CRR Regulation.
5. Second-round effects – effects resulting from the deterioration of economic conditions in the real economy, which with a certain delay, indirectly, negatively affect the balance sheets of banks, causing a deterioration in the financial condition of the entire banking sector, inter alia, by lowering asset quality, increasing impaired receivables, lowering profitability, or increasing the risk of bank insolvency.
6. Recommendation W – Recommendation W on the management of model risk in banks, Financial Supervision Commission, Warsaw, July 2015.
7. Model – as understood in accordance with the definition contained in Recommendation W.
8. Concentration risk – the threat resulting from excessive concentrations arising from exposures towards individual clients, groups of connected clients, clients operating in the same economic sector, geographic region, conducting the same business, or trading in the same goods, entities belonging to the bank's capital group (both cross-border and domestic), exposures denominated in the same currency or indexed to the same currency, arising from the use of credit risk mitigation techniques, and large indirect credit exposures, such as a single collateral provider, characterized by the potential to generate losses large enough to threaten the bank's financial condition or ability to conduct basic operations or to cause a significant change in the bank's risk profile.
9. Scenario analysis – involves conducting an analysis assuming scenarios of simultaneous change in multiple co-occurring risk factors and studying their impact on the bank's situation.
10. Sensitivity analysis – involves conducting an analysis assuming changes in individual risk factors, as well as combinations of such changes, and statically analyzing their impact on the bank's situation.
11. Reverse stress test – involves conducting an analysis assuming the occurrence of negative consequences from the materialization of risk and determining scenarios within scenario analysis that could lead to such situations.
12. Organizational unit – a basic element of the organizational structure separated due to functions in the organization or according to other criteria (e.g., geographical or product-based); organizational units include, for example: headquarters, branches, regions, brokerage office; organizational units can also be separated within the organizational structure of higher-level organizational units – e.g., sub-branches within branches, cash points, representative offices within branches or sub-branches.
13. Group of connected clients – as understood in accordance with Article 4(1)(39) of the CRR Regulation.

Recommendation C Page 5 of 23

List of Recommendations I. Management Board and Supervisory Board Recommendation 1 The bank's management board should develop and implement a written policy for managing concentration risk. This policy should stem from the risk management strategy approved by the supervisory board and reflect the risk appetite accepted by the supervisory board.

Recommendation 2 The bank should develop in written form and implement procedures for managing concentration risk resulting from the concentration risk management policy.

Recommendation 3 The bank's management board should appoint persons responsible for implementing and executing the concentration risk management policy.

Recommendation 4 The bank's management board should assess the adopted concentration risk management policy at least once a year regarding the manner of its application and the possible need to introduce changes. The bank's management board should inform the supervisory board of the assessment results.

Recommendation 5 The supervisory board, within the scope of fulfilling its functions and responsibility for the risk management process in the bank, should supervise the implementation of the concentration risk management policy.

Recommendation 6 The bank's organizational structure, in a manner corresponding to the scale of activity and risk profile, should ensure the separation of functions between organizational units: a) conducting operations affecting concentration risk, b) responsible for monitoring and controlling concentration risk.

II. Identification, measurement, or estimation of concentration risk and tools supporting the concentration risk management process Recommendation 7 The bank should have a reliable and effective process for identifying and measuring or estimating concentration risk.

Recommendation 8 The bank should conduct stress tests serving to assess the impact of factors from the bank's internal and external environment on concentration risk.

III. Counteracting and limiting concentration risk

Recommendation C Page 6 of 23

Recommendation 9 The bank should apply management-approved limits limiting concentration risk. These limits should reflect the risk appetite, systemic importance, character, scale, and complexity of the bank's activity.

Recommendation 10 The bank should ensure that the applied risk mitigation mechanisms are adequate, feasible, and fully understandable by the appropriate employees. The bank should ensure that during concentration risk mitigation, taking into account the character and quality of the risk mitigation mechanisms, it does not rely excessively on these mechanisms, thereby replacing one type of concentration with another.

Recommendation 11 The bank should assess the appropriateness of considering concentration risk in the internal capital estimation process.

IV. Monitoring and reporting on concentration risk Recommendation 12 The bank should have a concentration risk monitoring system enabling the rapid acquisition of managerial information and the bank's quick reaction to existing threats.

Recommendation 13 The bank should have a reliable and trustworthy managerial information system in the area of concentration risk.

V. Internal Control System Recommendation 14 The internal control system in the bank should ensure compliance with the rules of concentration risk management.

VI. Management of risk arising from interactions between concentrations within the same and different types of risk Recommendation 15 The bank should apply an integrated approach to managing concentration risk, taking into account risk arising from interactions between individual concentrations within the same type of risk and risk arising from interactions between concentrations within different types of risk.

Recommendation C Page 7 of 23

I. Management Board and Supervisory Board Recommendation 1 The bank's management board should develop and implement a written policy for managing concentration risk. This policy should stem from the risk management strategy approved by the supervisory board and reflect the risk appetite accepted by the supervisory board.

1.1. The bank should establish a concentration risk management process, which will be part of the bank's risk management process. 1.2. In managing concentration risk, the bank should analyze and assess the impact of concentration risk on the bank's capital, liquidity, and financial results (both separately and jointly). 1.3. The bank's management board should clearly define the risk appetite with respect to concentration risk, adequate to the systemic importance, character, scale, and complexity of the bank's activity. 1.4. The concentration risk management policy should be adapted to the systemic importance, character, scale, and complexity of the bank's activity. 1.5. The concentration risk management policy should be appropriately documented and specify the rules for managing concentration risk at both the individual and consolidated levels, taking into account clearly assigned responsibilities, consistent with the rules specified in the credit policy, capital investment policy, and off-balance sheet transaction policy. 1.6. It is recommended that the concentration risk management policy include in particular: a) in the scope of identification and measurement or estimation of concentration risk, the following rules:

• consideration of all risk factors significant for the bank, taking into account possible correlations between them – including those that may manifest only under extreme conditions,
• conducting stress tests examining the impact of factors from the bank's internal and external environment on concentration risk, allowing for the consideration of dependencies between risk factors, b) in the scope of acceptance and limitation of concentration risk, the following rules:
• acceptance of assumptions and parameters adopted in the process of measuring or estimating concentration risk,
• determination of a level of concentration risk within the risk appetite,
• consideration in the concentration risk management process of risk resulting from the product specificity of exposures,
• consideration of concentration risk in the process of planning new activities,
• treating concentrations related to involvement in derivative transactions, including, inter alia, considering the impact of involvement with a single clearing house on the level of concentration risk incurred, especially in the event of potential inability of the clearing house to meet its obligations,
• consideration of concentration risk in the internal capital estimation process,
• adequate selection of concentration risk mitigation mechanisms, including in particular limits limiting concentration risk,
• permissibility of netting exposures. c) in the scope of monitoring and reporting on concentration risk, the following rules:
• monitoring concentration risk at the individual and consolidated levels, taking into account the character of business lines, geographical scope of activity, and organizational units of the bank,
• monitoring compliance with limits limiting concentration risk,
• determining the scope and frequency of reporting, recipients of reports, and cells responsible for their preparation. 1.7. Rules for managing concentration risk should be specified in a separate document or constitute part of the credit risk management rules.

Recommendation 2 The bank should develop in written form and implement procedures for managing concentration risk resulting from the concentration risk management policy.

2.1. The implemented procedures should, inter alia, specify the method and methods for: a) identification and measurement or estimation of concentration risk, b) counteracting concentration risk and limiting concentration risk through appropriate selection of mechanisms, including in particular early warning indicators and limits limiting concentration risk, c) monitoring the concentration risk management process, with special regard to procedures ensuring compliance with requirements specified in applicable legal provisions and internal regulations, d) reporting (including scope, frequency, recipients of reports, cells responsible for their preparation) in the area of assessment of incurred concentration risk, utilization and compliance with limits, as well as results of actions of models serving to assess exposure to concentration risk, e) utilization (including description, scope, and manner of utilization) of information systems used in concentration risk management, f) conducting stress tests, taking into account all risk factors identified by the bank as significant. 2.2. Adopted procedures regarding concentration risk management should be presented to appropriate bank employees in a manner and timeframe specified by the bank.

Recommendation C Page 8 of 23

Recommendation 3 The bank's management board should appoint persons responsible for implementing and executing the concentration risk management policy.

3.1. The management board and supervisory board, within the scope of their competencies, are responsible for the concentration risk to which the bank is exposed, and for the principles of managing this risk adopted in the bank. 3.2. The bank's management board may delegate functions related to the day-to-day management of concentration risk to persons appointed by itself. 3.3. Persons appointed by the bank's management board should be responsible for preparing, implementing, and correctly applying internal procedures related to all elements of the concentration risk management process.

Recommendation 4 The bank's management board should assess the adopted concentration risk management policy at least once a year regarding the manner of its application and the possible need to introduce changes. The bank's management board should inform the supervisory board of the assessment results.

4.1. The assessment of the adopted concentration risk management policy should consist, in particular, in checking the effectiveness and adequacy of the implementation of concentration risk management policy rules in the conducted activity.

Recommendation 5 The supervisory board, within the scope of fulfilling its functions and responsibility for the risk management process in the bank, should supervise the implementation of the concentration risk management policy.

5.1. The supervisory board should analyze reports on the concentration risk incurred by the bank, utilization of limits, and consequences of decisions regarding concentration risk management at least once every six months, and ensure that, if necessary, the bank's management board takes appropriate remedial actions. 5.2. The supervisory board should receive reports from the management board at least once a year containing information on the effectiveness and adequacy of the implementation of concentration risk management policy rules, along with an assessment of the need to introduce necessary changes.

Recommendation 6 The bank's organizational structure, in a manner corresponding to the scale of activity and risk profile, should ensure the separation of functions between organizational units: a) conducting operations affecting concentration risk, b) responsible for monitoring and controlling concentration risk.

II. Identification, measurement, or estimation of concentration risk and tools supporting the concentration risk management process

Recommendation C Page 9 of 23

Recommendation 7 The bank should have a reliable and effective process for identifying and measuring or estimating concentration risk.

7.1. The bank should identify the concentration risk to which it is exposed: a) taking into account all concentration risk factors significant for the bank, b) assessing all significant concentrations in balance sheet and off-balance sheet positions, c) conducting analyses across different business lines and organizational units, d) applying methods and tools enabling systematic identification of concentration risk, e) taking into account concentration risk resulting from the product specificity of exposures, e.g., risk of complex structured products such as securitization products, f) taking into account concentration risk resulting from exposures in the banking book and trading book, and risk resulting from the combination of these two types of risk, g) taking into account the development of the economic situation and the situation on financial markets, as well as the actions of their participants, taking into account factors of a systemic nature, h) taking into account second-round effects to achieve a forward-looking view on concentration risk management, i) using stress tests. 7.2. Due to the fact that information required to identify groups of connected clients, especially based on the...

1 EBA, Limits on exposures to shadow banking entities which carry out banking activities outside a regulated framework under Article 395(2) of Regulation (EU) No 575/2013, EBA/GL/2015/20, 14 December 2015. Guidelines will be translated by the EUNB into the official languages of the European Union countries.