Draft Reserve Bank Risk Management Guidelines for Non-Bank Deposit Takers

Ref #3610814 Risk Management Programme Guidelines Submissions are invited on these draft Reserve Bank risk management programme guidelines for non-bank deposit takers. Submissions should be made by 29 June 2009 and addressed to: Alistair Henry Prudential Supervision Department Reserve Bank of New Zealand PO Box 2498 Wellington 6140 or be sent by email to: alistair.henry@rbnz.govt.nz with “Risk management programme guidelines” in the subject line. Please note that submissions may be published. If you think any part of your submission should properly be withheld on the grounds of commercial sensitivity or for any other reason, you should indicate this clearly. Prudential Supervision Department Issued for consultation: June 2009

2 Ref #3610814 DRAFT CONTENTS Part 1—Introduction ................................................................................................................... 3

1. Purpose of this document ......................................................................................... 3
2. Meaning of risk ........................................................................................................ 3 Part 2—Risk management programmes ..................................................................................... 3 General matters ................................................................................................................... 3
3. Requirement for risk management programmes ...................................................... 3
4. Size and nature of deposit taker to be taken into account ........................................ 4
5. Objectives for risk management programmes .......................................................... 4 Design considerations for programmes .............................................................................. 5
6. Types of risk ............................................................................................................. 5
7. Assessment and measurement of risk ...................................................................... 5
8. Contingency planning .............................................................................................. 5
9. Review process for risk management programmes ................................................. 5 Operational considerations ................................................................................................. 6
10. Roles of governing bodies and senior management ................................................. 6
11. Staff responsibilities and accountability .................................................................. 6 Part 3—Specific risks ................................................................................................................. 7 Credit risk ........................................................................................................................... 7
12. How credit risk arises ............................................................................................... 7
13. Credit risk – elements for risk management programmes ....................................... 7 Liquidity risk ...................................................................................................................... 7
14. How liquidity risk arises .......................................................................................... 7
15. Liquidity risk – elements for risk management programmes................................... 8
16. Identify and manage funding gap ............................................................................. 8
17. Manage sources of regular funding .......................................................................... 8
18. Emergency sources of liquidity ................................................................................ 8 Market risk.......................................................................................................................... 9
19. How market risk arises ............................................................................................. 9
20. Market risk – elements for risk management programmes ...................................... 9
21. Interest rate risk ........................................................................................................ 9
22. Foreign currency risk ............................................................................................. 10
23. Equity risk .............................................................................................................. 10 Operational risk ................................................................................................................ 10
24. How operational risk arises .................................................................................... 10
25. Operational risk – elements for risk management programmes ............................. 10

3 Ref #3610814 DRAFT Part 1—Introduction

1. Purpose of this document (1) This document provides guidance to non-bank deposit takers (“deposit takers”) in relation to the risk management programmes required under section 157M of the Reserve Bank Act 1989 (“the Act”). (2) Part 2 of this document notes some considerations in relation to risk management programmes and Part 3 provides some guidelines on how to interpret the main categories of risk set out in section 157M.
2. Meaning of risk In this document, risk refers to the possibility of adverse impacts on a deposit taker including the loss of: earnings; capital; access to markets; reputation or the ability to continue in business. Part 2—Risk management programmes General matters
3. Requirement for risk management programmes (1) Under section 157M of the Act, a risk management programme must: (a) be in writing; and (b) set out the procedures that the deposit taker will use for the effective identification and management of the following risks: (i) credit risk: (ii) liquidity risk: (iii) market risk: (iv) operational risk; and (c) set out appropriate and auditable documentation and record keeping requirements; and (d) describe the steps that the deposit taker will take to ensure that the programme remains current, which must include procedures for— (i) regular review of the programme to systematically identify deficiencies in the effectiveness of the programme; and (ii) obtaining the approval of trustees to amendments to the programme that are necessary to address such deficiencies; and (e) be appropriate to the operations of the deposit taker, having regard to the factors relevant to the risks referred to in paragraph (b) (for example, the size of the deposit taker, its funding structure, the market sector in which it operates, its business strategy, and its relationship with its borrowing group).

4 Ref #3610814 DRAFT (2) From 1 September 2009, section 157M together with sections 157N and 157O of the Act require: (a) every deposit taker to have a risk management programme; (b) each deposit taker’s trustee to be satisfied that the risk management programme meets the requirements of the Act; and (c) every deposit taker to take all practicable steps to comply with its risk management programme. 4. Size and nature of deposit taker to be taken into account The breadth and scope of a deposit taker’s processes and internal controls set out in its risk management programme for managing risks should depend on the nature and size of the deposit taker’s business. 5. Objectives for risk management programmes (1) A deposit taker’s risk management programme should cover all activities affecting the deposit taker’s risk profile. (2) A deposit taker’s risk management programme should: (a) identify the risks to be managed; (b) take into account the extent to which: (i) a single transaction may give rise to multiple risks; and (ii) one type of risk could trigger other types of risk; (c) describe processes, systems and procedures to measure (where possible), monitor and control the risks identified; (d) be comprehensive enough to capture all material risks to which the deposit taker is exposed; (e) describe the roles and responsibilities for positions in the deposit taker’s organisation that: (i) manage risk for the deposit taker; or (ii) accept risk for the deposit taker; (f) prescribe information flows between operational staff and senior management; (g) provide a system to address any exceptions, or instances of non-compliance observed; (h) describe the deposit taker’s contingency plans; (i) describe the processes for reviewing risk management systems, policies and procedures on an ongoing basis; and (j) be linked to the deposit taker’s capital adequacy policy (including its policy on the amount of capital required to provide a buffer against losses arising from unanticipated events).

5 Ref #3610814 DRAFT Design considerations for programmes 6. Types of risk (1) A deposit taker’s risk management programme should cover all risks that are material to the deposit taker. (2) At a minimum the programme should cover the four types of risks typically encountered by deposit takers: credit risk, liquidity risk, market risk and operational risk. These are discussed further in Part 3. 7. Assessment and measurement of risk (1) Where possible, a deposit taker should quantify its exposure to risk. (2) If a risk is not measureable and cannot be avoided (for example, some types of operational risk), the deposit taker should use qualitative measures to identify its exposure to such risks. (3) Deposit takers should make use of both quantitative measures or risk and qualitative assessments of risk to support its decision making processes. 8. Contingency planning (1) A deposit taker’s risk management programme should include plans for managing stress events. (2) A deposit taker’s contingency plans should: (a) address stress events that could materially disrupt a deposit taker’s business and have a material probability of occurring; (b) include a process to identify stress situations before they are encountered; (c) include plans to manage stress events in a timely and effective manner; (d) include plans for disaster recovery; and (e) be appropriate and workable. 9. Review process for risk management programmes (1) A deposit taker should review its risk management programme: (a) regularly; and (b) whenever there is a significant change in its business. (2) For complex businesses a regular review should be conducted at least on an annual basis. (3) A review of a risk management programme should include: (a) a review of the assumptions underlying the risk management programme to ensure that they remain appropriate; and (b) an assessment of the rigour and robustness of— (i) the risk management programme’s methodologies for measuring risk; and (ii) the effectiveness of the risk management programme’s internal controls.

6 Ref #3610814 DRAFT (4) The results of a review should be reported, as appropriate, to: the operational areas of the deposit taker’s business, its senior management, and its governing body. (5) Where problems are identified, necessary changes to the risk management programme should be implemented in a timely way. Operational considerations 10. Roles of governing bodies and senior management (1) A deposit taker’s governing body should: (a) establish risk tolerances for the deposit taker; (b) monitor the risk exposures of the deposit taker to check that they are consistent with established risk tolerances; (c) approve the reporting requirements, policies and controls implemented by senior management; (d) have a policy on managing conflicts of interest; and (e) ensure that any exposures to, and transactions with, related parties are on arm’s length terms and conditions. (2) Senior management should: (a) ensure that risks taken are within limits set by the governing body; (b) institute the policies, procedures and reporting mechanisms set out in the risk management programme; (c) implement the controls in relation to policies, procedures and reporting mechanism established for the deposit taker set out in the risk management programme; and (d) where an action is taken contrary to a deposit takers policies, ensure: (i) it is reported to senior management; and, depending on materiality, to the governing body; and (ii) corrective measures are triggered. 11. Staff responsibilities and accountability (1) Each area of a deposit taker’s business should be accountable and responsible for the risks it exposes the deposit taker to through its operations. (2) A deposit taker should ensure that its staff are well trained and have experience appropriate to their roles. (3) A deposit taker’s operational staff should understand the risks they encounter in conducting their part of the deposit taker’s business.

7 Ref #3610814 DRAFT Part 3—Specific risks Credit risk 12. How credit risk arises (1) Credit risk is the risk of loss to a deposit taker arising from a party to a contract or transaction with the deposit taker that: (a) is not able to meet its obligations; or (b) defaults on its commitments. (2) Credit risk can arise in relation to: (a) on-balance sheet exposures (for example, lending activities); and (b) off-balance sheet exposures (for example, guarantees and other commitments). 13. Credit risk – elements for risk management programmes (1) Elements of credit risk that a deposit taker could consider for inclusion in its risk management programme include: (a) concentration risk – the risk arising from an overexposure to a borrower or a group of related borrowers in the same industry or country; (b) business cycle risk – the risk arising from changes in the business cycle; and (c) country risk – the risk arising from an exposure to a country. (2) Elements for managing credit risk that a deposit taker could consider for inclusion in its risk management programme include procedures for: (a) monitoring and reviewing its loan book with particular regard to: (i) the continuing ability of borrowers to meet their obligations; and (ii) any changes in the value of any security given for its loans; and (b) managing any loans that show signs of deteriorating credit quality. Liquidity risk 14. How liquidity risk arises (1) Liquidity risk is the risk that a deposit taker is unable to meet its financial commitments as they fall due or that it suffers material loss in doing so. (2) Liquidity risk can increase if there is: (a) a loss of confidence in the deposit taker that adversely affects its ability to raise new funding; (b) a substantial deterioration in the credit quality of its counterparties that affects their ability to pay principal or interest as it falls due; or (c) a disruption in the market for normally liquid assets, making it difficult for the deposit taker to sell them.

8 Ref #3610814 DRAFT 15. Liquidity risk – elements for risk management programmes As part of its risk management programme for liquidity risk, a deposit taker should: (a) identify any funding gaps; (b) manage its sources of regular funding; and (c) maintain sources of emergency back-up liquidity. 16. Identify and manage funding gap (1) A deposit taker should forecast its future cash flows to identify the scale of the funding gaps that it will need to fill over a range of maturities and in doing so should: (a) base its forecast on realistic assumptions about: (i) the amounts of cash due to be received that will be received; and (ii) the rates of withdrawal of cash that can contractually be withdrawn; and (b) cover all material cash flows including, for example, those arising from off￾balance sheet instruments. (2) A deposit taker should consider whether it can reduce the size of its expected funding gaps at various time horizons by altering the relative contractual maturities of its funding and its lending. 17. Manage sources of regular funding (1) A deposit taker should understand its funding markets and regularly monitor each market for any signs of specific resistance to its own name or more general declining confidence in that market. (2) A deposit taker should manage the risk of concentrated funding, that is, the risk arising from a substantial proportion of its funding originating from one depositor or from a number of depositors who might be likely to act together. 18. Emergency sources of liquidity (1) A deposit taker should have alternative emergency sources of liquidity sufficient to enable it to survive for a planned period when it is temporarily unable to raise money in its usual funding markets. (2) As its principal source of emergency liquidity, a deposit taker should hold a portfolio of reliably marketable liquid assets that is diversified as far as possible across a range of instruments and issuers. (3) If a deposit taker relies on one or more standby lines of credit as part of its emergency liquidity, for each such line of credit the deposit taker should: (a) negotiate terms as far as possible to minimise the likelihood that the provider can refuse to provide funds when called upon; and (b) regularly assess whether it is likely to breach any covenants or trigger any material adverse change clauses.

9 Ref #3610814 DRAFT Market risk 19. How market risk arises (1) Market risk is the risk of loss arising from adverse movements in market prices or rates. (2) Market risk can arise in relation to a deposit taker’s: (a) on-balance sheet positions; and (b) off-balance sheet positions. 20. Market risk – elements for risk management programmes Elements of market risk that deposit takers should consider for inclusion in their risk management programmes include: (a) interest rate risk; (b) foreign currency risk; and (c) equity risk. 21. Interest rate risk (1) Interest rate risk is the risk that the value of assets or liabilities will change because of changes in interest rates. (2) Elements of interest rate risk that a deposit taker could consider for inclusion in its risk management programme include: (a) repricing risk – the risk arising from a change in the price of a financial instrument; (b) basis risk – the risk arising from changes in the relationships between different yield curves; (c) yield curve risk – the risk arising from a change in the shape of the yield curve; and (d) option risk – the risk arising from options embedded in a deposit taker’s balance sheet exposures. 1 (3) A deposit taker could consider including procedures in its risk management programme to: (a) measure the effect of changes in interest rates on net interest income; and (b) estimate the effect of changes in interest rates on the value of the deposit taker based on the present value of future cash flows of its on-balance sheet and off￾balance sheet exposures.

1 An embedded option is an option attached to another instrument that affects its redemption date. Embedded options effectively mean that there is uncertainty about whether or not the deposit taker will pay or receive a specified rate of interest on or from a specified date. Examples include put and call features of bonds and early termination options of securities.

10 Ref #3610814 DRAFT 22. Foreign currency risk (1) Foreign currency risk is the risk arising from a change in an exchange rate. (2) The circumstances in which currency risk can arise include: (a) open foreign currency positions; (b) interest rate mismatch positions; (c) credit exposures that do not settle; and (d) time zone differences, where settlement in one currency occurs before settlement in another time zone. 23. Equity risk (1) Equity risk is the risk arising from changes in the prices of equity instruments. (2) The price risk associated with equities may include elements of: (a) systematic risk; and (b) firm specific risk. (3) Equity risk may be embedded in credit exposures. Operational risk 24. How operational risk arises (1) Operational risk is the risk arising from human error, system failures, and inadequate procedures and controls. (2) For example, operational risk can arise from: (a) deficiencies in information systems; (b) technological or physical failures; (c) breaches in internal controls; or (d) fraud or other criminal activities. (3) Operational risk includes, among other things, legal risk (including, for example, a deposit taker’s exposure to fines, penalties or damages), risks arising from money laundering and regulatory risk. 25. Operational risk – elements for risk management programmes A deposit taker should consider including processes in its risk management programme to: (a) identify its operational vulnerabilities; and (b) mitigate its operational risk exposure.