2013-05-09

Operational Risk Guidelines

The Reserve Bank of Malawi issued these guidelines to ensure banks maintain adequate capital against operational risk, mandating the Basic Indicator Approach as the default measurement method while permitting migration to the Standardised Approach upon Registrar approval. The framework defines operational risk and gross income, specifying capital charge calculations using a 15 percent alpha factor for the Basic Indicator Approach and tiered beta factors across eight designated business lines for the Standardised Approach. Banks must implement a comprehensive risk management framework, maintain documented policies and independent validation processes, and comply with specific qualifying criteria or transitional provisions for newly established or restructuring institutions.


Malawi

Reserve Bank of Malawi


RESERVE BANK OF MALAWI

OPERATIONAL RISK GUIDELINES

Bank Supervision Department

March 2013

Table of Contents

PART I - PRELIMINARY
1 MANDATE
2 OBJECTIVE
3 SCOPE
4 APPLICABILITY OF OPERATIONAL RISK CAPITAL REQUIREMENTS
5 DEFINITIONS
PART II - MEASUREMENT APPROACHES TO OPERATIONAL RISK
6 MEASUREMENT FRAMEWORK
7 BASIC INDICATOR APPROACH

PART I - PRELIMINARY

1 MANDATE

These guidelines are issued pursuant to section 96 of the Financial Services Act 2010 and implement Part III of the Financial Services (Capital Adequacy for Banks) Directive, 2012.

2 OBJECTIVE

The objectives of these guidelines are to:
(a) ensure that banks maintain adequate capital to support their operational risk exposure;
(b) supplement and adjust the credit risk-based capital ratio calculations under which bank capital has been regulated; and
(c) set out the Registrar’s approach in determining the adequacy of capital to support potential losses arising from operational risk.

3 SCOPE

These guidelines pertain to operational risks affecting banks.

4 APPLICABILITY OF OPERATIONAL RISK CAPITAL REQUIREMENTS

The operational risk capital requirement applies to all banks.

5 DEFINITIONS

“operational risk” means the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, and includes legal risk, but excludes strategic and reputational risk.

“adjusted gross income” is equal to total operating income from continuing operations excluding income and excluding items for which operational risk regulatory capital is separately calculated;

“Gross income” means net interest income plus net non-interest income. It is intended that this measure should:
(i) be gross of any provisions (e.g. for unpaid interest);
(ii) be gross of operating expenses, including fees paid to outsourcing service providers;
(iii) exclude realized profits/losses from the sale of securities in the banking book; and
(iv) exclude extraordinary or irregular items as well as income derived from insurance.
Outsourcing fees paid by a bank to a service provider do not reduce the Gross Income. Similarly, outsourcing fees received by a bank for providing outsourcing services are included in the definition of Gross Income;

“Operational risk regulatory capital (ORRC)” means regulatory capital that a banking institution is required to hold against its exposure to operational risk.

PART II - MEASUREMENT APPROACHES TO OPERATIONAL RISK

6 MEASUREMENT FRAMEWORK

6.1 All banks must adopt the Basic Indicator Approach for the measurement of a bank’s exposure to operational risk.

6.2 A bank wishing to migrate from the Basic Indicator Approach to the Standardised Approach must obtain the prior written approval of and comply with such conditions as may be specified by the Registrar.

6.3 A bank must obtain prior approval of the Registrar before adopting the Advanced Measurement Approach.

7 BASIC INDICATOR APPROACH

7.1 A bank must comply with the Basic Indicator Approach unless permission is granted by the Registrar to migrate to the Standardised Approach.

7.2 A bank must, at the end of each quarter, determine the gross income for the three year period (last three years) ending on that quarter by:
(a) aggregating the gross income recognized by the bank in the calendar quarter ending on the calendar quarter end date and in each of the immediately preceding 3 calendar quarters (“first year”);
(b) aggregating the gross income recognized by the bank in the four calendar quarters preceding the first year (“second year”).

(c) aggregating the gross income recognized in the 4 calendar quarters immediately preceding the second year (“third year”).
(d) multiplying the gross income for the bank for the last three years, by a capital charge factor of 15 per cent (denoted alpha, α), provided that:
(i) when the annual gross income for a particular year was negative or equal to zero, the bank shall exclude the relevant amount for that particular year from the numerator and exclude the given year(s) in the denominator during which gross income was negative, when the bank calculates the relevant average amount of gross income; and
(ii) a newly established bank that does not have the required gross income data to calculate the required gross income figures may, with the prior written approval of and subject to such conditions as may be specified by the Registrar, use gross income projections for all or part of the three year period. These projections shall be reasonable in relation to the expected risk profile of such a bank.

7.3 The following formula shall be used to calculate capital charge for operational risk under basic indicator approach:

$$K_{BIA} = \frac{\sum \left( GI_{1 \ldots n} \times \alpha \right)}{n}$$

Where:
$K_{BIA}$ = the capital charge under the basic indicator approach for calculating operational risk;

GI = positive gross income of the last 3 years;
n = number of the last three years for which gross income is positive; and
α = 15%

8 THE STANDARDISED APPROACH

This approach measures risk in the standardised manner and a bank’s activities must be divided into a maximum of eight business lines as follows:
(a) corporate finance;
(b) trading and sales;
(c) retail banking;
(d) commercial banking;
(e) payment and settlement;
(f) agency services;
(g) asset management; and
(h) retail brokerage.

8.1 Within each business line, gross income is the indicator that serves as a proxy for the scale of business operations and thus the likely scale of operational risk exposure within each of the eight (8) business lines.

8.2 Gross income shall be measured for each business line, and not the whole bank, i.e. in corporate finance, the indicator is the gross income generated in the corporate finance business line.

9 CALCULATION OF CAPITAL CHARGE UNDER THE TSA

9.1 A bank shall, at the end of each quarter, determine the capital charge for each standardised business line for the three years (“last 3 years”) ending on the relevant quarter by:
(a) aggregating the gross income recognized by the bank in respect of each of the standardised business lines in the calendar quarter ending on the calendar quarter end date and the gross income recognized by the bank in respect of each of the standardised business lines in each of the preceding 3 calendar quarters (“first year”);
(b) aggregating the gross income recognized by the bank in respect of each of standardised business lines in the 4 calendar quarters immediately preceding the first year (“second year”);
(c) aggregating the gross income recognized by the bank in respect of each of the standardised business lines in the 4 calendar quarters immediately preceding the second year (“third year”); and
(d) multiplying the gross income of the bank for each standardised business line in each of the first, second and third years calculated in sub paragraphs (a), (b) and (c) above by a capital charge factor (denoted beta value) assigned to each individual business line set out in the table below:

TABLE 1: OPERATIONAL RISK BUSINESS LINES

Business line | Activities to be included | Beta factor
Corporate Finance | Corporate finance Mergers and acquisitions, underwriting, privatizations, securitization, research, debt (government or high yield), equity, syndications, IPO, secondary private placements, Municipal/Government finance, Merchant banking, Advisory services | β1 = 18%
Trading and Sales | Sales Fixed income, equity, foreign exchanges, commodities, credit, funding, own position securities, lending and repurchase/resale agreements, brokerage, debt, prime brokerage, Market making, Proprietary positions, Treasury | β2 = 18%
Retail Banking | Retail banking Retail lending and deposits, banking services, trust and estates, Private banking Private lending and deposits, banking services, trusts and estates, investment advice, Card services, Merchant/commercial/corporate cards, private labels | β3 = 12%
Commercial Banking | Commercial banking, Project finance, real estate, export finance, trade finance, factoring, leasing, lending, guarantees, bills of exchange | β4 = 15%
Payment and settlement | External clients Payments and collections, funds transfer, clearing and settlement | β5 = 18%
Agency services | Custody Escrow, depository receipts, securities lending (customers) corporate actions, Corporate agency Issuer and paying agency (Agency Banking), Corporate trust, Agent Banking | β6 = 15%
Asset Management | Discretionary fund management, Pooled, segregated, retail, institutional, closed, open, private equity, Non-discretionary fund management, Pooled, segregated, retail, institutional, closed, open, private equity | β7 = 12%
Retail Brokerage | Retail brokerage Execution and full service | β8 = 12%

9.2 A bank shall then calculate the capital charge for operational risk by:
(a) adding the eight (8) individual business lines calculated in respect of each of the standardised business lines for each of the last three (3) years; and
(b) aggregating the capital charges calculated for the last three years; and
(c) obtaining the mean of the aggregate capital charges for the last three years.

9.3 The following formula shall be used to calculate capital charge for operational risk under the TSA:

$$K_{TSA} = \frac{\sum_{\text{years } 1\text{-}3} \max\left[ \sum \left( GI_{1\text{-}8} \times \beta_{1\text{-}8} \right),\ 0 \right]}{3}$$

Where:
$K_{TSA}$ = represents the capital charge under the standardised approach for operational risk;
$GI_{1\text{-}8}$ = the gross income for each of the standardised business lines for each of the last three years; and
$\beta_{1\text{-}8}$ = the capital charge factor assigned to each of the standardised business lines as specified in table 1 above

10 PROVISIONS FOR TSA

10.1 A bank may, in any given year of the last 3 years, off-set a positive capital charge for any standardised business line in the given year with a negative capital charge for any other standardised business line in that year.

10.2 A bank shall not off-set positive or negative capital charges for standardized business lines between any of the last 3 years.

10.3 Where the aggregate capital charge for all the standardised business lines in any given year of the last three years is negative, a bank shall assign a zero (nil) value to that aggregate capital charge and exclude the given year(s) in which the negative gross income occurred in the denominator when calculating the last 3 years mean average.
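The calculations in sections 7.2-7.3 and 9-10, worked through as an added Python example that is not part of the guidelines. The function names, dictionary keys, the most-recent-quarter-first ordering and the sample figures are assumptions of this example; the `exclude_negative_years` flag switches between the fixed denominator of 3 in the 9.3 formula and the reduced denominator described in 10.3.

```python
from decimal import Decimal

ALPHA = Decimal("0.15")  # section 7.2(d)
BETA = {  # Table 1 beta factors; the dictionary keys are this example's own names
    "corporate_finance": Decimal("0.18"), "trading_and_sales": Decimal("0.18"),
    "retail_banking": Decimal("0.12"), "commercial_banking": Decimal("0.15"),
    "payment_and_settlement": Decimal("0.18"), "agency_services": Decimal("0.15"),
    "asset_management": Decimal("0.12"), "retail_brokerage": Decimal("0.12"),
}

def yearly_totals(quarters):
    """Sum 12 quarterly figures (most recent first, ints or Decimals) into
    the first, second and third years of 7.2(a)-(c) / 9.1(a)-(c)."""
    if len(quarters) != 12:
        raise ValueError("expected 12 calendar quarters")
    return [sum(quarters[i:i + 4], Decimal(0)) for i in (0, 4, 8)]

def k_bia(quarterly_gi):
    """Section 7.3: alpha times the mean of the positive annual gross incomes."""
    positive = [gi for gi in yearly_totals(quarterly_gi) if gi > 0]  # 7.2(d)(i)
    if not positive:
        raise ValueError("no year with positive gross income (see section 14.2)")
    return sum(positive) * ALPHA / len(positive)

def k_tsa(quarterly_gi_by_line, exclude_negative_years=False):
    """Section 9.3, with the 10.3 denominator rule available as an option."""
    unknown = set(quarterly_gi_by_line) - set(BETA)
    if unknown:
        raise ValueError(f"not a Table 1 business line: {sorted(unknown)}")
    per_line = {ln: yearly_totals(q) for ln, q in quarterly_gi_by_line.items()}
    # 10.1: lines may offset each other within a year; 10.2: never across years.
    yearly = [sum(per_line[ln][y] * BETA[ln] for ln in per_line) for y in range(3)]
    floored = [max(charge, Decimal(0)) for charge in yearly]  # max[..., 0]
    n = sum(1 for c in yearly if c >= 0) if exclude_negative_years else 3
    if n == 0:
        raise ValueError("aggregate charge negative in all three years")
    return sum(floored) / n

# Constructed sample data: 12 quarters per series, most recent quarter first.
BANK_GI = [100] * 4 + [50] * 4 + [-25] * 4
BY_LINE = {"retail_banking": [100] * 12,
           "trading_and_sales": [25] * 4 + [-100] * 4 + [0] * 4}

if __name__ == "__main__":
    print("K_BIA:", k_bia(BANK_GI))
    print("K_TSA, divide by 3 (9.3):", k_tsa(BY_LINE))
    print("K_TSA, 10.3 denominator:", k_tsa(BY_LINE, exclude_negative_years=True))
```

In the sample data the second year's aggregate TSA charge is negative, so the two denominators give different results for the same inputs.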

11 QUALIFYING CRITERIA FOR STANDARDISED APPROACH

11.1 A bank intending to adopt the Standardised Approach must demonstrate to the satisfaction of the Registrar that the bank has:
(a) a board of directors and senior management that are actively involved in the oversight of the operational risk management framework;
(b) an operational risk management system that is conceptually sound and is implemented with integrity;
(c) sufficient resources in the use of the Standardised Approach in the major business lines as well as the bank’s control and audit areas;
(d) in place adequate policies and documented criteria to map its gross income into the designated business lines indicated in Table 1 above.

11.2 In addition to the requirements specified in subparagraph 11.1, a bank with internationally active branches or subsidiaries that wishes to adopt the Standardized Approach for the measurement of the bank’s exposure to operational risk must:
(a) have in place an adequate operational risk management system with clear responsibilities being assigned to an operational risk management function. This function must among others be responsible for -
(i) development of strategies to identify, assess, monitor and control/mitigate the bank’s exposures to operational risk;
(ii) development of comprehensive policies and procedures relating to operational risk management and controls, including policies to address areas of non-compliance;

(iii) designing and implementing a methodology that comprehensively assesses the bank’s exposure to operational risk;
(iv) designing and implementing a risk reporting system in respect of operational risk;
(v) developing and implementing techniques that create incentives for improving the management and control of operational risk throughout the bank.
(b) as part of its internal operational risk management system track relevant operational risk data, including material losses by business lines.
(c) have a risk management process in place which must be subject to regular validation and independent review, the output of which must form an integral part of the process to monitor and control the bank’s operational risk profile, including any risk reporting, management reporting and risk analysis.
(d) on a regular basis report to the relevant management of the bank business units, its senior management and the board of directors on its exposures to operational risk, including material losses in respect of operational risk.
(e) duly document the bank’s operational risk management systems.
(f) have in place policies and procedures to take appropriate action based on information contained in the reports submitted to the management of the bank’s business units, its senior management and the board of directors.

(g) have a robust process to ensure compliance with its documented set of internal policies, controls and procedures concerning the operational risk management system.

12 A newly established bank may adopt the Standardised Approach for the measurement of its exposures to operational risk if the bank:
(a) obtains prior written approval of and complies with such conditions as may be specified by the Registrar;
(b) complies with the relevant criteria specified above;
(c) divides its activities along the designated eight business lines specified in Table 1 above; and
(d) calculates its capital requirements in accordance with the relevant provisions as specified above.

13 A bank wishing to revert to the basic indicator approach, after being approved to use the standardised approach, must seek prior approval of the Registrar.

14 EXCEPTIONS

14.1 Where a bank has been in operation for less than 18 months in any calendar quarter end date subsequent to the date on which this determination comes into operation or where it is undergoing a merger, acquisition or major restructuring, the bank:

(a) shall not adopt the Standardised Approach to calculate operational risk, except with the prior written approval of the Registrar; and
(b) may with the prior written approval of the Registrar adopt the basic indicator approach.

14.2 Where a bank has recorded negative gross income for the last 3 years immediately preceding that date, it will be subject to remedial measures to be determined by the Registrar.

15 RISK MANAGEMENT FRAMEWORK FOR OPERATIONAL RISK

All banks are required to have in place a comprehensive risk management framework for operational risk in accordance with the provisions of these Guidelines.

FEEDBACK

For further enquiries please contact:

The Director
Bank Supervision
Reserve Bank of Malawi
P. O. Box 565
Blantyre
Tel: +265 (0) 1 820 299/444
Fax: 265 (0) 1 822 118
Email: basu@rbm.mw