RBNZ Application Requirements for Banks - March 2006

Basel II: Application requirements for New Zealand banks seeking accreditation to implement the Basel II internal models approaches from January 2008 Reserve Bank of New Zealand March 2006 Ref #2282830 v3.0

2 OVERVIEW A locally-incorporated bank seeking to use the Basel II internal models approaches 1 to determine its regulatory capital requirements starting from January 20082 will be required to submit an application to the Reserve Bank of New Zealand (RBNZ) by 3 July 2006. An application is the first step in the accreditation process for a bank’s internal models. This document sets out the information that needs to be submitted by a bank making an application by 3 July 2006. Banks that do not meet this deadline will be unable to apply for accreditation until 2 July 2007. However, the RBNZ will consider, on a case-by-case basis, whether a later application date in New Zealand is appropriate for foreign-owned subsidiaries where the home supervisor of the bank has a deadline for initial applications that would not allow the New Zealand subsidiary to meet the July 2006 deadline. The information provided in this application will allow the RBNZ to: • understand the framework (including governance and reporting structures) that the applicant has in place to calculate regulatory capital for the credit and operational risks that it faces; • understand where the applicant believes it is compliant with the Basel II framework and, where it is not, the work that it believes needs to be undertaken to become compliant; • consider the models and rating tools (internal and external) that the applicant proposes to use to calculate regulatory capital and identify what additional information we will require; and, • understand the assurance mechanisms that the applicant has in place to ensure that those models and tools are appropriate to the credit risk and operational risk characteristics of its business. The information should be provided electronically. While the information provided with this application will form the bulk of the information that we will need to consider a bank’s Basel II implementation plans, we retain the right to request additional information where compliance gaps are identified or where more specific information is needed to consider an application. Ongoing communication between the RBNZ and the applicant will ensure a smooth accreditation process.

1 Internal ratings-based (IRB) approaches to credit risk and advanced measurement approach (AMA) to operational risk 2 The application is for credit and operational risk only. RBNZ is still to consider its application requirements for other pillar one requirements. Ref #2282830 v3.0

3 NZ subsidiaries of foreign-owned banks We are aware that New Zealand subsidiaries of foreign-owned banks that are seeking accreditation to use internal models approaches in their home jurisdiction have been involved in their group’s application process. Where banks have provided us with information from their group’s application to their home supervisor we will make use of that information as appropriate. However, as the RBNZ is responsible for determining capital requirements for New Zealand banks and accrediting their internal models, banks are required to submit a separate application to the RBNZ and documentation should be presented independently of the group application. References to documents that are part of the group submission will not be acceptable, although the applicant can resubmit group documents where they are relevant to the New Zealand bank. 3

We have taken account of the contribution that New Zealand banks may have made to parent banks’ applications to home supervisors by: • Allowing the applicant to use the self assessment they may have made for the parent bank’s application as the starting point for the self assessment for this application (see section C). • Using an application layout that is similar to the approaches taken by international supervisors to allow banks to make use of the work they have done for the parent bank application. • Allowing the applicant to submit documents that were submitted for the group application, provided that they contain material relevant to the New Zealand applicant. To reduce the compliance burden on banks and optimise the use of supervisory resources, we will be working closely with home supervisors throughout the accreditation process. Information provided to the RBNZ that is material to the accreditation process undertaken by home supervisors will be communicated to them accordingly. INFORMATION REQUIREMENTS Section A: General information and scope Responses to this section will provide us with a high-level overview of the applicant’s implementation plans.

3 We have asked for documents to be resubmitted so that the applicant can arrange them in a logical order. The applicant is in the best position to arrange their documents in an easy-to-access way. Ref #2282830 v3.0

4 The applicant is required to:

1. Provide details on the scope for the application: i.e. what approaches are being applied for and for which business lines and portfolios? Where a bank proposes to use a standardised approach4 for a business line or asset class, either permanently or on a transitional basis, outline the rationale for the approach taken.
2. Provide a breakdown of the value (New Zealand dollars – non risk weighted) of the bank’s portfolio by Basel II asset class. Convert off-balance sheet exposures to on￾balance sheet equivalents using the bank’s proposed credit conversion factors or exposure at default estimates.
3. Provide a copy of the roll-out plan for models/systems not currently in place. Include the timetable for the roll-out and of any transitional plans from less sophisticated approaches as appropriate. In addition, specify when the applicant plans to provide final documentation to the RBNZ for accreditation. Applicants should fill out table 1 in the attached spreadsheet with details of their IRB application. Table 1 is designed to provide a uniform overview of the scope of the applicant’s application. Section B: Structure and governance Responses to this section will provide us with a picture of the structures that the bank and decision-makers within the bank have in place to understand risk and how this feeds into the capital calculation process. Applicants are required to:
4. Provide a summary of the governance structures the bank has in place for credit risk and operational risk. This should clearly set out the composition and roles of management, executive, and Board committees. Include a diagram identifying the organisation of business units and reporting lines and identify where the bank uses matrix reporting.
5. Provide a summary of how the bank has approached the management of Basel II implementation, including reporting structures. Section C: Self Assessment Responses to this section will allow us to:

4 In particular, standardised approaches to credit and operational risk Ref #2282830 v3.0

5 • compare the models, systems, and arrangements that the applicant has in place or proposes to implement against the requirements specified in the Basel II framework • understand where the applicant believes it is compliant to those requirements • understand where the applicant believes it has gaps against those requirements and the projects it proposes to carry out to close those gaps • understand who has responsibility for these projects and whether the bank is completing the projects internally or relying on an external party (e.g. their parent bank) A bank seeking to implement the Basel II internal models approaches starting from January 2008 will be required to undertake a self assessment against the relevant minimum requirements. From 2008, the bank will need to be compliant with the RBNZ’s prudential requirements. However, as RBNZ prudential requirements are still being finalised the bank’s self assessment for application purposes should be undertaken against the requirements of the relevant paragraphs in the Basel II framework5 .

1. The applicant should outline the process it has gone through to assess itself against the Basel II framework.
2. The applicant should identify any gaps against the minimum requirements and outline the steps planned, and timetable for, closing those gaps. The applicant should note that while the requirements in the Basel II framework will form the basis of our prudential requirements, there may be areas where our requirements will differ from the paragraphs in the framework. Self assessment by local subsidiaries of foreign-owned banks Where the applicant is a subsidiary of a foreign banking group and it has undertaken a self assessment as part of the group’s submission to the home supervisor, we will accept that assessment as the starting point for the subsidiary’s self assessment for their RBNZ application. To increase our understanding of the self assessment carried out by the New Zealand bank and the assessment carried out on behalf of the New Zealand bank in the parent bank submission, applicants choosing to base their application to the RBNZ on the work done for a group submission to a home supervisor are required to provide the following information:

5 As per the Basel Committee’s Capital Framework released in June 2004. Ref #2282830 v3.0

6 3) Outline the self assessment process undertaken by the New Zealand bank for the group submission to the home supervisor; 4) Identify the paragraphs the New Zealand bank responded too and the asset classes the responses relate too; 5) For paragraphs that were not answered by the New Zealand bank or were answered by the group on behalf of the New Zealand subsidiary: i) Specify who carried out the self assessment on behalf of the New Zealand bank and outline the rationale for the New Zealand bank not doing the self assessment itself; ii) Outline the assurance processes undertaken by the New Zealand bank to ensure that the self assessment carried out on its behalf was accurate to the circumstances of the New Zealand. For example, these processes could involve an independent review of whether responses were accurate for the New Zealand bank or could involve workshops of New Zealand bank staff to review the accuracy of responses to the New Zealand bank’s business. 6) A summary of any material changes to the self assessment since the time it was finalised for inclusion as part of the group’s application to the home supervisor. For example, gaps that have been closed, answers that were determined as not accurate for the New Zealand bank etc. 7) As a summary of its response, the applicant should complete Table 2 attached. The RBNZ’s approach to the self assessment recognises the compliance burden on banks to complete a full self assessment against the framework over and above that included in group submissions. The approach taken by the RBNZ, which allows banks to make use of self assessments completed as part of parent bank applications to home supervisors updated for material changes, does not imply any recognition of compliance where the self assessment suggests there are no gaps. As part of the accreditation process we will also be using the full self assessment responses provided as part of the parent bank application. Compliance gaps Where the self assessment process referred to above identifies gaps, the applicant is required to: 8) Summarise the projects that it has in place to close those gaps. This should include who is undertaking the project, responsibilities and reporting lines, planned steps and the current timetable. Where the project was specified in the group application, the response should include an update on the status of the project. Ref #2282830 v3.0

7 9) Provide an update on the status of projects that are undertaken by the group that are relevant to the gaps of the New Zealand bank, either identified by the New Zealand bank or on its behalf. Section D: Use and Experience Responses to this section will allow us to determine how a bank’s risk management culture relates to the use and experience requirements set out by the Basel II framework. The applicant is required to:

1. Summarise how it believes its risk management processes meet the use and experience requirements set out by the Basel II framework
2. Describe the incentives in place to ensure that the bank holds the appropriate amount of capital to cover the risk in its activities Section E: Data management Responses to this section will allow us to understand: • how the bank utilises data from internal and external sources • the processes that the bank has in place to ensure the integrity of the data that is used to estimate risk parameters The applicant is required to:
3. Describe how the bank meets the IRB data requirements, how it ensures accuracy, completeness, and appropriateness of the data underlying the models used to estimate risk parameters and to calculate regulatory capital
4. Outline how the bank has got assurance (such as through the use of independent or third party review) to determine: i) the accuracy and completeness of the data (external and internal) used in the calculation of regulatory capital, and the validation of the relevant model parameters ii) the consistency of definitions used in capturing the data iii) the accuracy and completeness of the regulatory capital calculation engine Section F: Credit risk rating systems, validation, and stress testing Ref #2282830 v3.0

8 Responses to this section will allow us to build a picture of the component parts of the applicant’s IRB approach. It will increase our understanding of the models that are developed, supported, and maintained by the applicant and those that are developed, supported, and maintained externally (either within the banking group or external to the banking group). A key focus of the RBNZ will be on the ability of models and rating systems to not only meet the minimum requirements, but to be of sound theoretical foundation and relevant to the specifics of the New Zealand financial system. Overview of credit rating systems

1. The applicant should provide a map of rating systems used within the bank (include and identify where systems are in development) Detailed information
2. As a useful summary reference, the applicant is required to provide, for each relevant IRB portfolio, a comprehensive list of the models and systems (either internally or externally derived) used by the bank in assigning risk estimates. To standardise responses, we have provided a summary table for the applicant to complete (see table 3 in the attached spreadsheet). In addition to the summary table, for each model used, the applicant is required to:
3. Provide a summary of how the rating models estimate long-run PDs, and if relevant, long-run LGDs and EADs
4. Provide a summary of how stressed conditions are incorporated into LGD and EAD estimates
5. Outline what adjustments have been made to the models or their outputs to incorporate conservatism
6. Explain the process the undertaken to ensure that all of the information used to build models (internal and external) is representative of the population of the bank’s actual obligors or exposures and of the long-run experience of the bank. The applicant may include its response to these issues within any technical documentation provided they are clearly referenced. Documentation
7. The applicant will be required to provide available technical documentation that describes the modelling approach to be used, which will be referenced in the table described above. Applications should match methodology documentation to the Ref #2282830 v3.0

9 results from that methodology (e.g. PD, LGD, or EAD estimates). Such linkages could be done, for example, by referencing the results in methodology documentation, or using a document register to match methodology documents with documents outlining results. 8) The applicant should describe any independent assurance work that was undertaken relating to the theoretical or practical soundness of the models used. Validation and stress testing 9) The applicant is required to summarise its approach to validating models covering: i) The accuracy of inputs ii) The accuracy of models iii) The appropriateness of external models and outturns to the bank’s circumstances 10) If no validation has been carried out, outline what validation is planned 11) Summarise any stress testing carried out by the bank. If no stress testing has been carried out, the applicant should provide a summary of its planned stress testing approach. The applicant may include its approach to validation and stress testing within the technical documentation provided it is clearly referenced. The use of external models and external data The RBNZ recognises that there may be benefits to be gained from banks centralising their quantitative resources and that banks may use externally-derived models to estimate risk parameters and external data to build and/or validate their own models. However, where the applicant has used externally-derived models or external data, it will be important for them to demonstrate that they have identified the risks that accompany the use of these models. The applicant is required to: 12) Summarise the assurance process carried out to ensure: i) that externally-derived models are appropriate to the business of the NZ bank ii) that the external data used to build or validate models is accurate, consistent, and complete iii) that the bank understands the basic constructs of the external models used iv) that any external models used perform effectively on the bank’s own portfolio The applicant is reminded that where functionality (such as the capital calculation engine) is outsourced it will need to comply with the RBNZ’s outsourcing requirements. Ref #2282830 v3.0

10 Section G: Advanced Measurement Approach to operational risk Responses to this section will allow us to build a picture of the applicant’s approach to measuring operational risk and determining capital requirements using the Advanced Measurement Approach. We will be particularly interested in: • The role of different models and data sources (internal, external, scenario, and risk drivers and controls) in the operational risk estimation process of the New Zealand bank and how the applicant ensures that data is relevant to its business • The assumptions around correlations between different operational risk event types that are, either explicitly or implicitly, used to derive the operational risk capital requirement • How the approach to operational risk applied by the applicant ensures that the capital requirement generated is a “stand alone” capital requirement (i.e. includes no group-wide diversification benefits outside those available within the New Zealand banking group) Overview The applicant is required to:

1. Provide an overview of its approach to operational risk measurement and management that includes operational risk governance and reporting structures
2. Demonstrate how the information used to build operational risk models (internal, external, scenario, and risk drivers and controls) is representative of the operational risks faced by the New Zealand bank
3. Specify how the approach to measuring operational risk and calculating operational risk capital ensures that the capital requirement generated is a “stand alone” capital requirement (i.e. includes no group-wide diversification benefits outside those available within the New Zealand banking group) Detailed information The applicant is required to:
4. Provide detail of the modelling approaches taken to measure operational risk and operational risk capital that covers: i) When the model was implemented or will be implemented if it is still under development ii) The analytics and relevant theory behind the model Ref #2282830 v3.0

11 iii) Key parameters and assumptions used in calculating the operational risk capital requirement, particularly in relation to the correlation between operational risk event types and operational risk in different business units iv) How the model meets the AMA soundness standard v) The sources and span of data used and the relative importance of internal data, external data, scenarios, and risk drivers and control in calculating the capital requirements vi) The responsibilities of different parties for the calculation of the operational risk capital requirement, including if relevant the parent bank and third party service providers vii) If the bank’s regulatory capital requirement only includes unexpected loss and not expected loss, how expected loss is measured and accounted for and how it is captured in internal business practices viii) If the risk mitigating effects of insurance are recognised for regulatory capital purposes, the methodology for doing so. 5) The applicant should provide to the RBNZ available technical documentation that describes the modelling approach to be used. Validation 6) The applicant is required to summarise the approach to model validation covering: i) Accuracy of inputs ii) Accuracy of models iii) Appropriateness of external models and outturns to the New Zealand exposures 7) If no validation has been done, outline what validation work is planned The applicant may include their approach to validation within the technical documentation provided it is referenced clearly. Assurance The applicant should be satisfied that the models used to calculate operational risk capital are appropriate for the circumstances of the bank and that they meet the operational risks that the bank is faced with. 8) The applicant is required to outline how it has assurance that the operational risk methodology applied takes sufficient account of the bank’s environment and is sound. For example, it could include any independent assurance that was undertaken relating to the theoretical or practical soundness of the models used. Section H: Quantitative Estimate Analysis Ref #2282830 v3.0

12 Responses to this section will allow us to understand the capital implications from implementing the proposed approaches to credit and operational risk and focus our examination of different risk types and asset classes. It will also form the basis for developing our requirements for the parallel run period. Where the applicant is a subsidiary of a foreign-owned bank and has contributed to group parallel run estimates or to the group’s response to QIS5, it should provide us with an updated estimate of its capital requirements under the internal models approaches using the same approach applied to the groups’ parallel run estimates or to QIS5. Where the applicant has not contributed to QIS 5 or is not participating in a wider group parallel run, it will need to discuss with the RBNZ the sort of quantitative estimate analysis it should provide. Section I: Director attestation Consistent with the RBNZ’s approach to banking supervision, Directors are ultimately responsible for approving and overseeing their bank’s risk measurement and management systems and for the integrity of this application. As a result, the Board Chair, on behalf of the board, will have to attest that, after reasonable inquiry, the Board believes that information provided in the application is accurate and fairly presents the bank’s state of readiness to implement Basel II’s internal models approaches. Self assessment In addition, the Board Chair, on behalf of the board, will have to attest: • That a self assessment process was carried out by the New Zealand bank, either specifically for the application to the RBNZ or as part of the parent bank’s application to a home supervisor, and that the board is satisfied with the adequacy of that process • That, if parts of the self assessment have been performed on its behalf, the Board is satisfied that the New Zealand bank has taken appropriate steps to ensure those parts of the self assessment accurately reflect the situation in the NZ bank • That, on the basis of its review, the Board is satisfied that the bank meets the requirements set out in the Basel II framework except where those requirements have been noted as exceptions in the self assessment document Ref #2282830 v3.0

13 Table 1: Scope of IRB Application Business line / portfolio e.g. Bank-originated residential mortgages e.g. Other retail Approach applied for (standardised, FIRB, or AIRB) AIRB Standardised If standardised, is the application for a temporary or permanent exemption from an IRB approach? If a permanent exemption, on what basis is it being asked for?

• Permanent on the basis of immateriality If an IRB approach, is the business line currently: (a) fully compliant with the Framework, or (b) partially compliant. If partially compliant, state when full compliance is expected Partially compliant, with compliance expected 06Q3

Value of assets in the business line (off balance sheet exposures converted to on balance sheet exposures using Basel I credit conversion factors or proposed Basel II credit conversion factors and EAD estimates) NZ$5 billion NZ$70 million Percentage of total assets the business line makes up 35% 1% Table 2: Self Assessment Paragraph no. Asset class Response by Compliant (y/n) 464 Retail NZ bank Retail division Y Ref #2282830 v3.0

14 Table 3: Summary of credit risk rating systems and tools Name of rating system e.g. Mouse catcher e.g. Bull runner Type of rating PD LGD IRB segment / asset classes that the system relates to Personal credit cards (QRR) Residential mortgages Size of the segment / asset class rated by the tool (use the approach in table 1) NZ$100million / 5% of total assets NZ$6billion / 40% of total assets Number of obligors or transactions rated by the system and number of rated obligors who have defaulted On average 600 rated per year, of which 10 typically default per year On average 8000 rated per year, of which 50 typically default per year Proportion of the segment / asset-class / sub-asset class that is covered by the rating tool 100% 60% When the rating model or tool was/will be implemented, and when was its most recent update Built 1997, latest update 2004 Built 2003 Date of last formal validation or performance check of the rating system and who performed it 2004 Model Review 2004 External vendor Was the model or tool developed internally, developed by a related party (e.g. parent bank), or third party vendor? Largely developed by parent bank, with some customisation and refinement by us Developed internally Span and source (internal or external) of data used in model development / estimation Internal data 2001-2004, external data 1995-2003 Internal data 1996- 2004, external information 1990-1994 Type of rating model or tool (e.g. statistical model, expert judgement based, benchmark characteristics, hybrid) Hybrid using expert judgement and a statistical model Statistical model Ref #2282830 v3.0

15 Can the output of the rating system / model be overridden? Is so, what is the typical frequency that It is overridden Yes. Over the last 3 years in 0.5% of cases the rating model has been overridden No Key methodology reference document(s) on the rating system / model #007 - Personal credit card PD rating model #24 - Residential mortgages LGD and EAD methodology Key validation reference document(s) on the rating system / model #86 - Validation of personal credit card PD rating model #7 - Validation of residential mortgages LGD and EAD methodology Ref #2282830 v3.0