2024-06-26

BPR151 AMA Operational Risk

The Reserve Bank of New Zealand issued BPR151 to establish the qualitative and quantitative requirements for accredited banks using the Advanced Measurement Approach to calculate operational risk capital. The document mandates that banks maintain robust governance frameworks, independent risk management functions, and rigorous internal validation processes to ensure capital adequacy. It further specifies detailed criteria for data collection, scenario analysis, and the limited recognition of insurance-based risk mitigation in regulatory capital calculations.


New Zealand

Reserve Bank of New Zealand


Ref #21327593 v1.0

BPR151 AMA Operational Risk

Purpose of document

This document sets out the requirements that apply to a bank’s use of the Advanced Measurement Approach (AMA) in determining its capital requirements for operational risk. This is part of the calculation of capital ratios, as defined in BPR100, which a bank must carry out to determine its compliance with minimum regulatory capital requirements. This document only applies to a bank that has been accredited by the Reserve Bank to use the AMA for operational risk.

Banking Prudential Requirements
July 2024

Document version history

1 July 2021: First issue date
1 July 2024: Revised for minor correction

Conditions of registration

The Banking (Prudential Supervision) Act 1989 (the Act) permits the Reserve Bank to impose conditions of registration (conditions) on registered banks [1]. This document BPR151: AMA Operational Risk forms part of the requirements for the following conditions:

  • A New Zealand-incorporated registered bank is normally subject to a condition requiring it to maintain capital ratios above specified minimum levels, and also to a condition imposing restrictions on its dividend payments when its prudential capital buffer ratio falls below specified levels [2]. This document sets out the operational risk capital methodology that will be needed by such a bank, if it is accredited to use the AMA methodology, to allow it to calculate its day-to-day values for the capital ratios and the capital buffer ratio, and hence monitor its compliance with these capital adequacy conditions.
  • An AMA-accredited bank is also subject to a standard condition of registration requiring it to comply with the minimum qualitative requirements for managing operational risk set out in this document [3].

  • All of the material set out in this document forms part of the requirements of the applicable condition, except material that is expressly identified as guidance by being included in a shaded box like this.

[1] The conditions can relate to any of the matters referred to in sections 73 – 73B, 78 and 81. The standard conditions are contained in Appendix 1 of document BS1: Statement of Principles.
[2] These conditions of registration relate to the matter referred to in: section 78(1)(c) (capital in relation to the size and nature of the business).
[3] This condition relates to the matters referred to in: section 78(1)(fa) (risk management systems and policies).

BPR131: Standardised Credit Risk RWAs
Part A: Introduction
Part B: Qualitative and quantitative requirements

Contents

Part A: Introduction
  A1 Overview, definitions, and general requirements
    A1.1 Overview
    A1.2 Regulatory capital requirement for operational risk
    A1.3 Requirements for banks using AMA for operational risk
Part B: Qualitative and quantitative requirements
  B1 Qualitative requirements
    B1.1 Purpose of subpart B1
    B1.2 Role of the board of directors
    B1.3 Sufficient resources
    B1.4 Independent operational risk management function
    B1.5 Compliance arrangements
    B1.6 Documentation
    B1.7 Internal reporting of operational risk information
    B1.8 Integration of operational risk measurement system into day-to-day operational risk management
    B1.9 External/internal audit
  B2 Quantitative requirements
    B2.1 Purpose of subpart B2
    B2.2 AMA soundness standard
    B2.3 Treatment of inter-jurisdictional diversification benefits
    B2.4 Detailed criteria
    B2.5 Internal loss data: general requirements
    B2.6 Internal loss data: standards
    B2.7 External data
    B2.8 Scenario analysis
    B2.9 Business environment and internal control factors
    B2.10 Operational risk mitigation
    B2.11 Principles applying for mapping to Appendix 2 business lines

Part A: Introduction

A1 Overview, definitions, and general requirements

A1.1 Overview

This document sets out the Advanced Measurement Approach (AMA) for determining capital requirements for operational risk.

Guidance: A bank’s operational risk capital requirement forms part of the calculation of its capital ratios, as specified in Part B2 of BPR100. Operational risk has the meaning given in the Glossary.

A1.2 Regulatory capital requirement for operational risk

  1. A bank approved by the Reserve Bank to use the AMA for operational risk–
     a. must use its own internal model to determine its banking group operational risk regulatory capital requirement; and
     b. may seek approval from the Reserve Bank to apply the AMA to the calculation of its solo operational risk capital requirement.
  2. For the purpose of calculating its solo capital adequacy ratios, a bank approved by the Reserve Bank to use the AMA must calculate its operational risk solo capital requirement as follows:
     a. if the bank has obtained approval from the Reserve Bank to apply the AMA to the calculation of its solo operational risk capital requirement, the bank must use its own internal model to determine its solo operational risk regulatory capital requirement; but
     b. in all other cases, the bank must use the formula in subsection (3).
  3. If subsection (2)(b) applies, the bank must calculate its solo operational risk capital requirement as follows:

     SolOp = (GrpOp) x (Solo NonOp) / (Group NonOp)

     Where–
     SolOp is the solo operational risk capital requirement
     GrpOp is the group operational risk capital requirement calculated in accordance with subsection (1)(a)
     NonOp is the capital requirement for risks other than operational risk, calculated in accordance with subsection (4) on a solo or group basis, as applicable.
  4. The non-operational risks capital requirement NonOp is calculated as follows:

     NonOp = 8% x (total RWAs for credit risk) + total capital requirement for market risk exposure + 8% x (supervisory adjustment)

     where the terms in the formula have the meanings given in sections B2.5 and B2.7 of BPR100.

A1.3 Requirements for banks using AMA for operational risk

A bank using the AMA for operational risk is subject to a standard condition of registration that requires it to meet the qualitative and quantitative requirements set out in Part B (see BPR100, section C1.5).

Part B: Qualitative and quantitative requirements

B1 Qualitative requirements

B1.1 Purpose of subpart B1

This subpart sets out the qualitative requirements for banks using the AMA for operational risk.

B1.2 Role of the board of directors

The board of directors must be responsible for overseeing the bank’s overall operational risk profile and for approving the operational risk management framework.

B1.3 Sufficient resources

The bank must have sufficient resources in major business lines, control, and audit to ensure that its operational risk management framework operates effectively on a continuing basis.

B1.4 Independent operational risk management function

  1. Responsibility for the design and implementation of the bank’s operational risk management framework must reside with an operational risk management function that is independent of the business units that use the framework.
  2. The operational risk management function is responsible for–
     a. modification of firm-level policies and procedures relating to operational risk management and control; and
     b. design and implementation of a risk reporting system for operational risk.
  3. The bank must develop sound methodologies to identify, measure, monitor, control, and mitigate operational risk.

B1.5 Compliance arrangements

The bank must have arrangements in place to ensure compliance with internal policies, controls, and procedures.

B1.6 Documentation

  1. The bank’s operational risk management framework must be clearly documented.
  2. The documentation referred to in subsection (1) must include–
     a. a definition of operational risk which is consistent with the definition in the Glossary; and
     b. a set of internal policies, controls, and procedures for operational risk management, including policies for the treatment of non-compliance.

B1.7 Internal reporting of operational risk information

  1. The bank must have a formal process for regular reporting of operational risk exposures and loss experience to business unit management, senior management, and the board of directors.
  2. The bank must have procedures for taking appropriate action on the basis of the information in these reports.

B1.8 Integration of operational risk measurement system into day-to-day operational risk management

  1. The bank’s operational risk measurement system must be closely integrated into the practical day-to-day risk management processes of the bank.
  2. The outputs from the bank’s operational risk measurement system must help inform the bank’s decision-making, corporate governance, risk management, and internal capital allocation processes.
  3. The bank’s operational risk measurement system must–
     a. include techniques for allocating operational risk capital to all material business lines; and
     b. create incentives for improving operational risk management.

B1.9 External/internal audit

  1. The bank’s operational risk management processes and measurement systems must be subject to annual review by external or internal auditors or by a suitably qualified independent reviewer.
  2. The AMA annual reviews must include–
     a. verification that internal validation processes are operating in a satisfactory manner; and
     b. checking that data flows and processes associated with the risk measurement system, including system parameters and specifications, are transparent and accessible.

B2 Quantitative requirements

B2.1 Purpose of subpart B2

This subpart sets out the quantitative requirements for banks using the AMA for operational risk.

B2.2 AMA soundness standard

  1. The bank’s approach to operational risk measurement must capture potentially severe low-frequency, high-impact, loss events.
  2. Specifically, the operational risk measure must meet a soundness standard comparable to a one-year holding period and a 99.9% confidence level of the total operational loss distribution.
     Guidance: This is comparable to the soundness standard used for the IRB approach to credit risk, set out in BPR133.
  3. The bank must have rigorous procedures for operational risk model development and independent model validation.

B2.3 Treatment of inter-jurisdictional diversification benefits

Where a bank is a subsidiary of an overseas bank, diversification benefits derived from being part of a larger banking group must not be incorporated into that bank’s AMA capital calculations unless specifically approved by the Reserve Bank.

B2.4 Detailed criteria

  1. The following quantitative standards apply to internally generated operational risk measures for the purposes of regulatory capital calculations:
     a. the internal operational risk measurement system must be consistent with the definition of operational risk in the Glossary and the operational loss event types defined in Appendix 1; and
     b. the bank must measure the regulatory capital requirement for operational risk as the sum of both expected loss (EL) and unexpected loss (UL) unless the Reserve Bank has agreed that the bank can base its minimum regulatory capital requirement on UL alone; and
     c. the bank’s operational risk measurement system must be sufficiently granular to capture the major drivers of operational risk affecting the distribution of low-frequency, high-impact, losses; and
     d. risk measures for different operational risk estimates must be added together for the purposes of calculating the overall regulatory minimum capital requirements, unless the Reserve Bank has approved the use of internally determined correlations in operational risk losses across individual operational risk estimates.
  2. The bank’s internal operational risk measurement system must have a reasonable mix of the following features, to help ensure compliance with the AMA soundness standard:
     a. the bank’s operational risk measurement system must include the following four features:
        i. use of internal loss event data; and
        ii. use of relevant external loss event data; and
        iii. scenario analysis; and
        iv. factors reflecting the business environment and internal control systems; and
     b. the bank must have a credible, transparent, well-documented, and verifiable approach to weighting the above features in its overall operational risk measurement system; and
        Guidance: For example, there may be cases where estimates of the 99.9th percentile confidence interval based primarily on internal and external loss event data would be unreliable for business lines with a heavy-tailed loss distribution and a small number of observed losses. In such cases, scenario analysis may play a more dominant role in the risk measurement system. Conversely, operational loss event data may play a more dominant role in the risk measurement system for business lines where estimates of the 99.9th percentile confidence interval based primarily on such data are considered reliable.
     c. in all cases, the bank’s approach to weighting the four features specified in paragraph (a) should be internally consistent and avoid the double-counting of qualitative assessments or risk mitigants already recognised in the other elements of its operational risk management framework.

B2.5 Internal loss data: general requirements

  1. The bank must–
     a. track internal loss data according to the criteria set out in this section so that it can link its operational risk estimates to its actual loss experience; and
     b. have well-documented procedures for assessing the ongoing relevance of historical loss data.
  2. The documentation referred to in subsection (1)(b) should cover situations in which judgemental overrides, scaling, or other adjustments to the internal data may be used, the extent to which they may be used, and who is authorised to make such decisions.
  3. Internally generated operational risk measures used for regulatory capital calculations must be based on a minimum 5-year observation period of internal data, regardless of whether the internal dataset serves as a direct input to build the loss measure or as a basis for validation.
     Guidance: However, despite the 5-year period referred to in subsection (3) the Reserve Bank may, at the time at which a bank first moves to the AMA, allow it to use a 3-year observation period for an initial period.

B2.6 Internal loss data: standards

  1. The bank’s internal loss collection processes must meet the standards set out in subsection (2).
  2. The standards are as follows:
     a. the bank must–
        i. be able to map its historical internal loss data to the relevant Level 1 loss event types described in Appendix 1 and to the Level 1 business lines described in Appendix 2; and
        ii. have well-documented and objective criteria for the mapping referred to in subparagraph (i); and
     b. the bank’s internal loss data must capture all material activities and exposures from all operational systems and geographic locations; and
     c. the bank must collect information about–
        i. gross loss amounts; and
        ii. the date of the loss event; and
        iii. any recoveries of gross loss amounts; and
        iv. descriptive information, at a level of detail commensurate with the size of the gross loss amount, about the drivers or causes of the loss event; and
     d. the bank must, for the purposes of carrying out the mapping referred to in paragraph (a), have specific criteria for–
        i. assigning loss data resulting from an event in a centralised function or an activity that spans more than one business line; and
           Guidance: A centralised function will include, for example, an information technology department.
        ii. assigning loss data from related operational loss events over time; and
     e. in respect of operational losses that are related to credit risk and/or have been included in the bank’s credit risk databases, the bank must–
        i. treat such losses as credit risk for regulatory capital calculations; and
        ii. not reflect such losses in its operational risk capital charge; but
        iii. include any such loss, if material, in its internal operational risk database.
     f. the bank must treat operational losses that are related to market risk as operational risk for regulatory capital calculations.

B2.7 External data

  1. The bank’s operational risk measurement system must use relevant external data.
     Guidance: The external data may be public data and/or pooled industry data. The inclusion of external loss data is important because banks may be exposed to infrequent, but potentially severe, operational loss events that are not captured in internal data.
  2. The bank’s external operational-loss data should include–
     a. data on the actual loss amounts; and
     b. information about–
        i. the scale of business operations where the loss event occurred; and
        ii. the causes and circumstances of the loss events; and
        iii. any other matters that could help assess the relevance of the loss event for the bank.
  3. The bank must have a systematic process for determining the situations for which external data must be used and the methodologies used to incorporate the data.
     Guidance: The processes might include, for example, scaling, qualitative adjustments, and/or informing the development of improved scenario analysis.
  4. The bank must–
     a. regularly review and document the conditions and practices for external data use; and
     b. ensure that these reviews, and the documentation, are subject to periodic independent review.

B2.8 Scenario analysis

  1. The bank must use scenario analysis, using expert opinion in conjunction with external data, to evaluate its exposure to infrequent, high-severity, operational loss events.
     Guidance: Scenario analysis should be used to help assess the impact of deviations from the correlation assumptions that are embedded in the bank’s operational risk measurement system. In particular, this analysis should help evaluate potential losses arising from multiple simultaneous operational events.
  2. This analysis must draw on the knowledge of both experienced business managers and risk management experts to derive reasoned assessments of plausible severe losses.
  3. The bank must, over time, validate and re-assess the expert assessments referred to in subsection (2), by comparing them to actual loss experience and ensuring the reasonableness of those assessments.

B2.9 Business environment and internal control factors

  1. The bank’s firm-wide operational risk assessment methodology must capture key business environment and internal control factors that can impact on its operational risk profile.
  2. The use of the factors in the operational risk measurement system must meet the following standards:
     a. each factor chosen must–
        i. be justified as a meaningful driver of risk, based on experience and involving the expert judgement of the affected business areas; and
        ii. where possible, be translatable into a quantitative measure that lends itself to verification; and
     b. the sensitivity of the bank’s risk estimates to changes in the risk factors and the relative weighting of the various risk factors must be well reasoned; and
     c. the bank’s risk measurement framework must capture changes in risk due to improvements in risk controls and potential increases in risk arising from increased volumes of business or greater complexity of activities; and
     d. the risk measurement framework and each instance of its application, including the rationale for any adjustments to empirical estimates, must be documented and subject to independent review within the bank; and
     e. the process and outcomes must be validated through comparison with actual internal loss experience and relevant external data, and appropriate adjustments made as necessary.

B2.10 Operational risk mitigation

  1. The bank may recognise the risk-mitigating effect of insurance in the operational risk measures used for regulatory capital calculations.
  2. However, subsection (1) is subject to–
     a. the limitation specified in subsection (3); and
     b. the bank meeting the requirements specified in subsections (4) to (6).
  3. The recognition of insurance is limited to 20% of the total regulatory operational risk capital charge calculated under the AMA.
  4. The bank may recognise risk mitigation from insurance in regulatory capital calculations only if the following criteria are met:
     a. the insurance provider must have a minimum claims-paying ability rating of A under Standard & Poor’s Insurer Financial Strength Ratings, A2 under Moody’s Insurance Financial Strength Ratings, or A under A.M.Best’s Financial Strength Ratings; and
        Guidance: These are the insurer rating agencies that the Reserve Bank has approved for the purposes of section 62 of the Insurance (Prudential Supervision) Act 2010. The Reserve Bank may approve additional credit rating agencies for this purpose: see the Reserve Bank document “Rating Agency Approval Guidelines: Insurance Sector”, December 2010.
     b. the insurance policy must have–
        i. an initial term of no less than a year; and
        ii. a minimum notice period for cancellation of 90 days; and
     c. the insurance policy must have no exclusions or limitations of liability that:
        i. are triggered by any regulatory or supervisory action taken against the bank, except that cover under the insurance policy may exclude any fine, penalty, or punitive damages resulting from supervisory action; and
        ii. in the case of the failure of the bank, prevent the bank, or its statutory manager, liquidator, receiver, or administrator (as the case may be), from recovering, under the policy, damages suffered or expenses incurred by the bank as a result of a loss event, provided that the loss event occurred at, or prior to, the point of failure of the bank; and
     d. the bank must, in relation to the operational losses that it uses in the overall calculation of its capital requirement for operational risk, reflect the risk mitigating effect of the insurance in a manner that is both transparent in its relationship to, and consistent with, the likelihood, and financial impact, of those losses; and
     e. the insurance must be provided by a third party; and
        Guidance: This means that insurance provided by a captive or affiliated insurer (that is, self-insurance) is not eligible for risk mitigation in the operational risk capital calculation.
     f. the bank’s framework for recognising insurance must be well documented.
  5. The bank’s inclusion of insurance risk mitigation in its regulatory capital measurement must capture the following elements through appropriate discounts and/or haircuts in the value of insurance recognition:
     a. the insurer’s ability to cancel the policy, if the notice period for cancellation is less than a year; and
     b. the uncertainty of payment as well as mismatches in coverage of insurance policies.
  6. If an insurance policy used by the bank to mitigate its operational risk has a residual term of less than one year, the bank must multiply the value of the risk mitigation recognised in the calculation of its operational risk capital charge by the following amount:

     Max [0, (R – 0.25)/0.75]

     where R is the residual term of the policy expressed as a portion of a year.
     Guidance: The effect of applying this formula is that the allowed mitigation benefit of the insurance declines as the residual maturity of the policy declines from 1 year to 3 months, at which point it is no longer recognised.

B2.11 Principles applying for mapping to Appendix 2 business lines

A bank must apply the following principles when mapping business lines in accordance with section B2.6(2)(a) and Appendix 2:
     a. all activities must be mapped into the eight level 1 business lines in a mutually exclusive and jointly exhaustive manner; and
     b. a banking or non-banking activity must be allocated to the business line it supports if it–
        i. cannot be readily mapped into the business line framework; and
        ii. represents an ancillary function to an activity included in the framework; and
     c. if, in relation to paragraph (b), the ancillary activity supports more than one business line, the bank must use objective criteria for mapping the activity to those business lines; and
     d. subject to paragraph (e), the mapping of activities into business lines for operational risk capital purposes must be consistent with the definitions of business lines used for the other categories of risk in the regulatory capital calculations, namely credit and market risk; and
     e. however, a bank may depart from the principle of consistent mapping in paragraph (d) if the departure is clearly justified and documented; and
     f. the mapping process used must be clearly documented; and
     g. written business line definitions must be clear and detailed enough to allow third parties to replicate the business line mapping; and
     h. documentation must, among other things, clearly justify any exceptions or overrides and be kept on record; and
     i. processes must be in place to define the mapping of any new activities or products; and
     j. the bank’s senior management is responsible for the mapping policy; and
     k. the mapping policy used by the bank must have been approved by the bank’s board of directors; and
     l. the mapping process to business lines must be subject to independent review.

Appendix 1 Detailed Loss Event Type Classification

See sections B2.4(1)(a) and B2.6(2)(a).

Event-Type Category (Level 1): Internal fraud
Definition: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involve at least one internal party
Categories (Level 2) and Activities Examples (Level 3):
  • Unauthorised Activity: Transactions not reported (intentional). Transaction type unauthorised (with monetary loss). Mismarking of position (intentional).
  • Theft and Fraud: Fraud, credit fraud, worthless deposits. Theft, extortion, embezzlement, robbery. Misappropriation of assets. Malicious destruction of assets. Forgery. Cheque kiting. Smuggling. Account take-over, impersonation, etc. Tax non-compliance/evasion (wilful). Bribes, kickbacks. Insider trading (not on firm’s account).

Event-Type Category (Level 1): External fraud
Definition: Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party
Categories (Level 2) and Activities Examples (Level 3):
  • Theft and Fraud: Theft, robbery. Forgery. Cheque kiting.
  • Systems Security: Hacking damage. Theft of information (with monetary loss).

Event-Type Category (Level 1): Employment Practices and Workplace Safety
Definition: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events
Categories (Level 2) and Activities Examples (Level 3):
  • Employee Relations: Compensation, benefit, termination issues. Organised labour activity.
  • Safe Environment: General liability. Employee health & safety rules events. Workers compensation.
  • Diversity & Discrimination: All discrimination types.

Event-Type Category (Level 1): Clients, Products, and Business Practices
Definition: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
Categories (Level 2) and Activities Examples (Level 3):
  • Suitability, Disclosure & Fiduciary: Fiduciary breaches, guideline violations. Suitability, disclosure issues (know your customer, etc). Retail customer disclosure violations. Breach of privacy. Aggressive sales. Account churning. Misuse of confidential information. Lender liability.
  • Improper Business or Market Practices: Antitrust. Improper trade / market practices. Market manipulation. Insider trading (on firm’s account). Unlicensed activity. Money laundering.
  • Product Flaws: Product defects (unauthorised, etc.). Model errors.
  • Selection, Sponsorship & Exposure: Failure to investigate client per guidelines. Exceeding client exposure limits.
  • Advisory Activities: Disputes over performance of advisory activities.

Event-Type Category (Level 1): Damage to Physical Assets
Definition: Losses arising from loss or damage to physical assets from natural disaster or other events.
Categories (Level 2) and Activities Examples (Level 3):
  • Disasters and other events: Natural disaster losses. Human losses from external sources (terrorism, vandalism).

Event-Type Category (Level 1): Business disruption and system failures
Definition: Losses arising from disruption of business or system failures
Categories (Level 2) and Activities Examples (Level 3):
  • Systems: Hardware. Software. Telecommunications. Utility outage / disruptions.

Event-Type Category (Level 1): Execution, Delivery, and Process Management
Definition: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors
Categories (Level 2) and Activities Examples (Level 3):
  • Transaction Capture, Execution & Maintenance: Miscommunication. Data entry, maintenance or loading error. Missed deadline or responsibility. Incorrect operation of model / system. Accounting error / entity attribution error. Other task misperformance. Delivery failure. Collateral management failure. Reference Data Maintenance.
  • Monitoring and Reporting: Failed mandatory reporting obligation. Inaccurate external report (loss incurred).
  • Customer Intake and Documentation: Client permissions / disclaimers missing. Legal documents missing / incomplete.
  • Customer / Client Account Management: Unapproved access given to accounts. Incorrect client records (loss incurred). Negligent loss or damage of client assets.
  • Trade Counterparties: Non-client counterparty misperformance. Misc. non-client counterparty disputes.
  • Vendors & Suppliers: Outsourcing. Vendor disputes.

Appendix 2 Mapping of Business Lines

See sections B2.6(2)(a) and B2.11

Mapping of Business Lines

Level 1: Corporate Finance
  Level 2: Corporate Finance; Municipal/Government Finance; Merchant Banking; Advisory Services
  Inactive Activity Groups: Mergers and acquisitions, underwriting, privatisations, securitisation, research, debt (government, high yield), equity, syndications, IPO, secondary private placements.

Level 1: Trading & Sales
  Level 2: Sales; Market Making; Proprietary Positions; Treasury
  Inactive Activity Groups: Fixed income, equity, foreign exchange, commodities, credit, funding, own position securities, lending and repos, brokerage, debt, prime brokerage.

Level 1: Retail Banking
  Level 2: Retail Banking
    Inactive Activity Groups: Retail lending and deposits, banking services, trust and estates.
  Level 2: Private Banking
    Inactive Activity Groups: Private lending and deposits, banking services, trust and estates, investment advice.
  Level 2: Card Services
    Inactive Activity Groups: Merchant, commercial, corporate, and retail cards.

Level 1: Commercial Banking
  Level 2: Commercial Banking
    Inactive Activity Groups: Project finance, real estate, export finance, trade finance, factoring, leasing, lending, guarantees, bills of exchange.

Level 1: Payment and Settlement
  Level 2: External Clients
    Inactive Activity Groups: Payments and collections, funds transfer, clearing and settlement.

Level 1: Agency Services
  Level 2: Custody
    Inactive Activity Groups: Escrow, depository receipts, securities lending (customers), corporate actions.
  Level 2: Corporate Agency
    Inactive Activity Groups: Issuer and paying agents.
  Level 2: Corporate Trust

Level 1: Asset Management
  Level 2: Discretionary (Active) Fund Management
    Inactive Activity Groups: Pooled, segregated, retail, institutional, closed, open, private equity.
  Level 2: Non-Discretionary (Passive) Fund Management
    Inactive Activity Groups: Pooled, segregated, retail, institutional, closed, open.

Level 1: Retail Brokerage
  Level 2: Retail Brokerage
    Inactive Activity Groups: Execution and full service.

Guidance: In relation to the Level 1 business line “payment and settlement”, losses related to a bank’s own activities would be incorporated in the loss experience of the affected business line.