2021-06-25
The State Bank of Pakistan (SBP) has implemented a Risk-Based Supervisory (RBS) framework for all institutions under its regulatory purview, including banks, DFIs, and MFBs. The framework aims to maintain a sound and progressive financial services sector by focusing on key principles such as forward-looking risk assessments, judgment-based risk profiling, and proportionality in supervisory intensity. The RBS process involves identifying significant activities, assessing inherent risks, evaluating control and governance functions, and determining the overall net risk. The supervisory intervention and response are based on the assigned intervention stages, ranging from Normal to Resolution. The supervisory processes include planning, off-site analysis, on-site assessments, and updating the risk matrix based on various factors.
STATE BANK OF PAKISTAN I Risk Based Supervisory Framework - July 2021 State Bank of Pakistan SBP Building, I.I Chundrigar Road, Karachi UAN: 111-727-111 Web site: www.sbp.org.pk
SBP's supervisory regime has evolved from compliance-based supervision, when the CAMELS/CAELS-based assessment framework was adopted in 1999. Since then, it has been continuously enhanced and updated to cope with the emerging developments and challenges of the dynamic banking system. In order to further strengthen the supervisory regime and align it with best international practices, SBP has transformed its supervisory approach and has fully moved towards a Risk Based Supervisory regime.
The RBS framework is applicable to all institutions under SBP's supervisory ambit. The assessment mechanism delineated in this document specifically relates to Banks/DFIs/MFBs. The supervisory framework of other institutions, i.e. exchange companies, credit bureaus, PSO/PSP/EMIs etc., has also been developed on the same principles of risk based supervision but slightly modified taking into account the size, complexity and nature of business of different institutions.
- Introduction
- Statutory Framework
- Objectives of Supervision
- Key Principles
- Risk Based Supervision Framework
- Supervisory Intervention
- Supervisory Processes
State Bank of Pakistan (SBP), being the central bank and banking supervisor, has been entrusted, inter alia, with the responsibilities of regulating the monetary and credit system of Pakistan and to foster its growth in the best national interest with a view to securing monetary stability and fuller utilization of the country's productive resources.
Under the prevalent legislative structure, the State Bank of Pakistan regulates and supervises Banks, Development Finance Institutions (DFIs), Microfinance Banks (MFBs), Exchange Companies (ECs), Payment Service Providers, Payment Systems Operators, Electronic Money Institutions and Credit Bureaus. State Bank has an elaborate and extensive supervisory framework for the supervision and regulation of these institutions. This document provides an overview of SBP's Risk Based Supervisory Framework and the processes involved in the conduct of its supervisory responsibilities. It covers SBP's statutory obligations, supervisory objectives, key principles under the RBS regime, and an overview of the supervisory assessment process and intervention.
State Bank of Pakistan regulates and supervises Banks, DFIs, MFBs, ECs, Payment Service Providers, Operators of Payment Systems, Electronic Money Institutions and Credit Bureaus in terms of powers conferred on it by the following statutes: -
State Bank aims to maintain a sound and progressive financial services sector. This requires achieving i) stability of financial system, ii) safe and sound financial institutions, iii) safe and efficient financial infrastructure, iv) transparent and fair-dealing intermediaries and, v) well-informed and empowered financial consumers.
SBP continuously evaluates the safety and soundness of financial institutions and strengthens governance and risk management standards, capital requirements, and the enforcement and resolution mechanism.
The prime focus of SBP's regulation and supervision is on the safety and soundness of banks, DFIs, MFBs and other regulated entities. The distress or collapse of key financial institutions has more damaging consequences for systemic stability, as such institutions transmit problems to one another and consequently undermine public confidence.
State Bank envisions an enabling environment for the creation of new business models and payment mechanisms in coordination with financial infrastructure providers. The platforms under financial infrastructure serve as an important part of the overall financial system. Their failure may amplify systemic risks by seizing up financial flows, undermining the fulfillment of obligations and transmitting shocks from one institution to another.
SBP expects financial institutions to adopt fair business practices and high standards of disclosure when dealing with consumers. In this regard, SBP prescribes disclosure requirements, assesses fitness and propriety to promote integrity among financial institutions and their representatives, sets competency requirements and instills fair business practices in the marketing and distribution of financial services and products.
SBP regularly issues regulations and guidelines and plays its due supervisory role in ensuring that consumers are well-informed and empowered to assume principal responsibility for their own protection.
| Principle | Description |
|---|---|
| Forward-Looking | The risk assessment is forward looking and dynamic. This process of risk assessment takes into account both the activities of the institutions and the impact of the external environment for early identification and prompt intervention. |
| Judgement Based | Risk profiling of regulated institutions is primarily based on supervisory judgement, supported by evidence and analysis. However, the supervisor's judgement may vary from regulated institutions' own assessment. |
| Structured Assessment | Distinct evaluation of risks and risk management processes including controls and governance, which enables identification of high risk or weak control areas. |
| Risk Focused | Supervisory focus is on key issues that pose the greatest risk to the safety and soundness of the individual institutions and the stability of the financial system. |
| Proportionality | Supervisory intensity and allocation of resources are sensitive to the level of risk both within and amongst regulated institutions. |
| Ongoing Supervision | Risk-based supervision emphasizes evaluation of risks in a continuum. It involves monitoring how risks are evolving, identifying emerging risks and engaging with the FI for prompt corrective actions. |
SBP's RBS framework follows the international best practices, aligned with local industry dynamics. The ultimate responsibility for managing the risks of FIs rests with the BoD and management of the respective FIs. The assessment under RBS regime is a dynamic process, which is based on all encompassing supervisory activities including off-site monitoring, on-site assessments and enhanced engagements with management of FIs. The broad contours of SBP's RBS framework include:
The risk assessment process starts with identification of individual activities that are material to the institution and are known as "Significant Activities (SA)". A significant activity is fundamental to the institution's business model and its ability to meet its overall business objectives. The assessment of the dynamic environment also acts as one of the factors for identification of SAs of financial institutions.
Inherent risk is intrinsic to an activity or process in the absence of any mitigating controls. It is the probability of loss to the current and potential future exposure/position of a significant activity due to any adverse events. The relevant inherent risk(s) of significant activities are identified and assessed as Low, Moderate, Above Average or High. The categories of risks include Credit, Market, Operational, Strategic and Legal & Regulatory risk.
Operational management (OM) is the first line of defense for risk mitigation and controls in a financial institution and is also known as the 'day-to-day controls'. Operational Management is responsible for planning, directing and controlling day-to-day operations for business/operational activities of a FI. The essence of an effective and efficient operational management function is that it is "self-sufficient" in people, policies, processes and systems to adequately conduct the day to day business of an activity.
Internal Audit, Compliance and Risk Management are referred to as entity level control functions, while Finance has a key role to play in financial reporting and supporting both business and control functions.
Compliance and Risk Management are considered the second line of defense, while Internal Audit is considered the third line of defense. Assessment of control functions focuses on both Characteristics and Performance of the respective functions. Characteristics include factors such as mandate, structure, resources, policies and practices, reporting and coordination. Overall effectiveness of any control function is evaluated on the basis of characteristics and performance.
Effective Governance is pivotal in helping the financial institution to achieve its objectives while generating sustainable shareholders' value and balancing competing demands of other stakeholders. It revolves around the basic principles of fairness, integrity, transparency and accountability with prime focus on the role of the Board of Directors and Senior Management. Akin to internal control functions, assessment of the Board of Directors and Senior Management focuses largely on assessment of Characteristics and Performance of Governance Functions.
Each control and governance function will be assessed as Effective, Acceptable, Needs Improvement or Weak.
Net Risk is one of the key components of the RBS risk matrix. The inherent risks, mitigated by the operational management, internal control functions and governance (QCG), result in the net risk of a significant activity, as illustrated below:
| Inherent Risk | Mitigated by | Quality of Controls & Governance | Equals | Net Risk / Direction of Risk |
|---|---|---|---|---|
The direction of net risk is determined on the basis of expected impact of potential changes in inherent risks and effectiveness of control and governance function, business and economic climate on the significant activity, nature and pace of planned changes within the institution.
Importance of an activity indicates the relative contribution of that significant activity towards achieving business objectives of the entity. It also plays an important role in determining the overall net risk. The importance of a significant activity can be assigned as Low, Medium or High.
Overall Net Risk (ONR) depicts the consolidated risk rating of all the significant activities of the financial institution. ONR is determined by considering net risks of significant activities, taking into account their Importance and the entity level assessment of control and governance. Direction of ONR is derived from directions of net risk of activities, which are more important to the institution and considered for assessing ONR. ONR is rated as Low, Moderate, Above Average or High.
Capital is a source of financial support to protect the FI against unexpected losses in both normal and stressed scenarios, and is, therefore, a key contributor to its safety and soundness. The primary function of a FI's capital account is to support its operations and act as a cushion to absorb unanticipated losses and provide protection to depositors and debt holders in the adverse scenarios. Assessment of capital is carried out by assessing capital adequacy, capital management processes and practices.
Earnings act as a buffer to absorb normal and expected losses from ongoing operations of the FI. They are the most important source of internal capital generation that supports growth or replenishes reserves in case of unexpected losses. The continued viability of a FI depends on its ability to earn an appropriate return on its assets and capital. Assessment of earnings is based on the level, sustainability and quality of the FI's earnings, their sufficiency to support the organization's operations and the ability to meet the capital and provision requirements.
Liquidity refers to the capacity of an institution to generate or obtain sufficient cash or its equivalent in a timely manner at a reasonable price to meet its commitments as they fall due and to fund new business opportunities as part of going-concern operations. The level of liquidity depends on the balance sheet composition, funding sources, liquidity strategy, market conditions and events. Assessment of liquidity is carried out by assessing adequacy of liquidity and its management function.
The ratings assigned to capital, earnings and liquidity are Strong, Fair, Marginal or Unsatisfactory, while their direction is determined as Improving, Stable or Deteriorating.
The Composite Risk Rating (CRR) is an assessment of the FI's overall risk profile, after considering the assessments of capital, earnings and liquidity in relation to the Overall Net Risk from its significant activities.
The CRR depicts the supervisory assessment of the safety and soundness of the institution. The assessment is over a time horizon that is appropriate for the FI, given the changes in internal and external environment. CRR is assigned one of four rating categories, i.e. Low, Moderate, Above Average and High.
The assessment of CRR is supplemented by its direction. This is the supervisory assessment of the most likely direction in which the CRR may move in the future time horizon depending on the business and economic environment. The direction of CRR is assigned as Decreasing, Stable, or Increasing. In combination with CRR, the direction of CRR is important in determining the intervention stage of the institutions.
Intervention stage is the outcome of CRR and its direction assigned to each financial institution.
Intervention stage determines how supervisory concerns, highlighted through the supervisory assessment, should be acted upon. Upon assignment of intervention stage, an overall supervisory strategy for the FI is formulated using a range of possible supervisory responses and interventions. The levels of intervention stages are Normal, Enhanced, Mandated Action, Remediation and Resolution. Supervisory actions associated with each intervention level are summarized below:
| Intervention Level | Supervisory Response |
|---|---|
| Normal | Regular supervisory activities as per supervisory strategy developed for the FI would be conducted. |
| Enhanced | Enhanced frequency and intensity of normal supervisory activities along with increasing reporting requirements. |
| Mandated Action | Use of more coercive powers communicating mandated actions along with imposition of certain restrictions. |
| Remediation | More severe invasive actions and restrictions to address material risks. |
| Resolution | Measures to restructure, wind up or liquidate the FI using legal powers vested with SBP. |
SBP endeavors for all FIs to be under the Normal intervention level. If the intervention level of any FI escalates, SBP aims to collaborate with the management of the respective FI to enable it to descend to the Normal intervention level.
In order to execute the RBS framework, SBP has formulated detailed supervisory processes, which entail both off-site analysis, monitoring and on-site assessments. SBP has augmented the Risk based approach by scaling the supervisory work proportional to the size, complexity and riskiness of the institution.
Supervisory processes under RBS regime are illustrated as:
The goal of supervisory planning is to identify the key supervisory activities for the next year, e.g. areas and risks that the supervisors will analyze in depth and issues that will be the key focus both at individual FI level and industry level.
The supervisory teams monitor the affairs of FIs on an ongoing basis through data analysis, meetings with FI's management and review of other information submitted on a periodic or event-based basis. The results of off-site analysis have multi-pronged utility, as the risk profile and/or supervisory strategy of the FIs may be subject to revision.
The objective of supervisory assessment is to obtain a thorough understanding of the inherent risks and effectiveness of the quality of controls and governance of institutions. Supervisory assessment also leads to an assessment of the institution against regulatory or industry standards, its policies or peer practices.
Ratings are important supervisory outputs because they help communicate supervisors' views of the FI to its management and BOD. On the basis of ratings derived through either continuous monitoring and/or onsite supervisory assessment (FI specific or horizontal), the risk matrix of the institution is updated.
Environment, economy, industry dynamics, FI's strategy & plan, inherent risks, control, governance, buffers, etc. are the determining factor(s) for updating the risk matrix of the bank(s). The level of intervention and supervisory recommendations, commensurate with the magnitude of problems, are then finalized.