2022-01-01
The Bank of Jamaica mandates that licensees under the Banking Services Act implement robust systems for collecting and classifying operational loss data to calculate capital charges under the standardized approach. The document defines specific criteria for identifying, recording, and treating gross and net losses, including exclusions for maintenance costs and inclusions for direct charges and legal expenses. It further establishes detailed taxonomies for loss event categories and rules for aggregating single versus multiple events to ensure accurate historical loss database management.
© 2022 Bank of Jamaica All Rights Reserved

THE TAXONOMY OF OPERATIONAL RISK LOSS DATA COLLECTION AND HISTORICAL LOSS DATABASE

INTRODUCTION

LOSS DATA COLLECTION

7. Financial institutions should implement systems, processes and procedures that will enable them to identify and map risks such that they will be able to make informed decisions about effecting the most appropriate mitigants and controls.

8. Financial institutions should also develop a historical database to capture and evaluate actual losses caused by people, processes, systems and external events.

9. Effective data collection about financial institutions’ loss events depends on the ability of the institutions’ systems, processes and procedures to register and reference the instances of loss events. As such, a reliable and realistic approach to data collection should allow for an objective and quantifiable assessment of risks incurred.

10. The classification of operational loss events can be approached from three perspectives:
    a. The causes of operational failure;
    b. The resulting loss events; and
    c. The legal and accounting forms of losses.

11. Operational loss events occur because of failed or inadequate processes, systems, people or external events that cause or potentially could have caused a material loss or adversely affected stakeholders.[1]

12. The effects of operational loss events are the direct losses resulting from:
    a. write-down of assets;
    b. regulatory compliance penalties;
    c. legal settlements;
    d. customer restitution;[2]
    e. loss of recourse;[3] and
    f. loss of physical assets.

[1] External events that potentially could have caused a material loss are also known as ‘near-miss’ events.
[2] Customer restitution refers to third parties’ payments resulting from operational losses for which the financial institution is legally responsible.
[3] Loss of recourse means loss events occurred due to third parties not being able to meet their obligations to the financial institution.

Specific Criteria on Loss Data Identification, Collection and Treatment

13. Financial Institutions must be guided by the following:
    a. If a loss event causes impact in multiple years, the impact should be reflected in the data collected for the respective years of the impact; e.g., losses arising from legal proceedings spread over a number of years;
    b. Gross loss is a loss before recoveries of any type;
    c. Net loss occurs after taking into account the impact of recoveries;
    d. The recovery is an independent occurrence related to the original loss event in which funds or inflows of economic benefits are received from a third party. Examples of recoveries are: payments received from insurers; repayments received from perpetrators of fraud; and recoveries of misdirected transfers;
    e. Insurance recoveries are treated as such only after financial institutions are paid by the insurance company;
    f. Recoveries are used to reduce losses only after the financial institution receives payment; and
    g. Receivables do not count as recoveries.

14. The following items must be excluded from the gross loss computation of the loss data set:
    a. Costs of general maintenance contracts on property, plant or equipment;
    b. Internal or external expenditures to enhance the business after the operational risk losses: upgrades, improvements, risk assessment initiatives and enhancements; and
    c. Insurance premiums.

15. The following items must be included in the gross loss computation of the loss data set:
    a. Direct charges including impairments and settlements to financial institution’s profit and loss accounts and write-downs due to the operational risk event;
    b. Costs incurred as a consequence of the event including external expenses with a direct link to the operational risk event, e.g., legal expenses directly related to the event and fees paid to advisors, attorneys or suppliers and costs of repair or replacement incurred to restore the position that was prevailing before the operational risk event; and
    c. Provisions or reserves accounted for in the profit and loss against the potential operational loss impact.

LOSS EFFECT CLASSIFICATIONS

16. Legal Liability: means judgments, settlements and other legal costs, which include:
    a. costs incurred in connection with litigation in a court proceeding or arbitration including external attorneys’ fees, settlements and judgments paid; and
    b. external legal costs directly associated with an event mishap.

17. Regulatory Action: means fines or the direct payment of any other penalties, such as license revocations, which include:
    a. fines paid for regulatory violation; and
    b. attorneys’ fees paid for representation at hearing on regulatory violation.

18. Loss or Damage to Assets: means any direct reduction in the value of physical assets due to incidents such as fires, earthquakes and negligence, which include:
    a. the cost to temporarily relocate for business continuity;
    b. the use of a third-party supplier to continue business;
    c. the costs associated with making premises fit for business after a fire, flood or other disasters;
    d. write-downs or write-offs of assets due to fires, floods or other natural disasters; and
    e. loss or destruction of intangible property (e.g., data).

19. Restitution: means payments to third parties on account of operational losses for which the financial institution is legally responsible, which include:
    a. claim from client for compensation due to business interruption losses for which the financial institution is responsible;
    b. claim from client for compensation associated with pricing error;
    c. claim from client for compensation for loss suffered due to theft of confidential client information;
    d. net interest cost due to delays in settlement;
    e. replacement of lost client assets arising from employee fraud; and
    f. payment to client due to external fraud resulting in loss of client funds.

20. Loss of Recourse: means losses incurred when a third party does not meet its obligations to the financial institution and losses are attributable to an operational mistake or event. Such losses could have been avoided even though the counterparty refused or was unable to pay. These include:
    a. funds transferred by mistake to incorrect account or duplicate payments made; and
    b. funds transferred by mistake and were unrecoverable.

21. Write-down means any direct reduction in the value of assets due to theft, fraud, unauthorized activity, market or credit losses that occurred as a result of operational events. These include:
    a. pricing error that results in lower-than-expected revenue;
    b. employee fraud that results in financial institution writing-off the loss;
    c. external fraud or theft that results in loss of bank assets or revenues; and
    d. external security breach that results in the hiring of consultants to determine the nature of the problem and to resolve it.

22. Further Considerations (not category specific) including costs related to engaging consultants/third parties to investigate/resolve problems (may be in various categories), costs associated with failed outsourcing assignment (may be in various categories), control breakdown that leads to an operational loss requiring consultants to identify the cause of the problem and to propose remedies (may be in various categories).

THE RECOGNITION OF SINGLE AND MULTIPLE OPERATIONAL LOSS EVENTS

23. Internal Fraud - Multiple dishonest or fraudulent acts committed by the same employee and classified in the same category shall be counted as a single event.

24. External Fraud - Multiple criminal acts committed by the same person or party and classified in the same category shall be counted as a single event. A series of losses involving unidentified persons or parties, but arising from the same method of operation shall be deemed to involve the same persons or parties.

25. Employment Practices and Workplace Safety and Clients, Products & Business Practices - Claims, litigation and payments of restitution arising from the same cause shall be counted as a single event.

26. Loss or Damage to Physical Assets - Two or more natural disasters such as earthquakes, typhoons, hurricanes, windstorms and floods occurring within 72 hours shall be deemed as a single event except in the case where the affected areas do not coincide entirely.

27. Business Disruption and System Failure - Any one event or a sequence of events resulting from the same circumstances shall be deemed as a single event (for example, any mechanical failure of the same section, error in the specific program.)

TYPES OF OPERATIONAL LOSS EVENTS

28. Internal Fraud - Losses due to acts intended to defraud, misappropriate property or to circumvent regulations, the law or company policy; excluding diversity/discriminatory events which involve at least one internal party. These include:
    a. unauthorized activities as a result of intentional and deliberate misunderstanding, misinterpretation, mis-decision, indecision, incorrect action, inaction or over-extension of authority by a teammate. This includes transactions not reported (intentional), unauthorized transactions (with monetary loss) and mismarking of position (intentional);
    b. theft and fraud including worthless deposits; extortion; embezzlement; misappropriation of assets; malicious destruction of assets; forgery; check kiting; smuggling; account take-over / impersonation; bribery; tax non-compliance / evasion (willful) (e.g. fines or the direct cost of any other penalties).

29. External Fraud - Losses due to acts intended to defraud, misappropriate property or circumvent the law, by a third party. These include:
    a. theft and fraud including robbery, check kiting and forgery;
    b. computer fraud including hacking damage and theft of information with monetary loss.

30. Employment Practices and Workplace Safety - Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discriminatory events.
    a. Employee Relations consists of compensation, benefits and termination issues and organized labor activities.
    b. Safe Environment consists of general liability (slip and fall, etc.), employee health and safety rules events, and workers compensation.
    c. Diversity and Discrimination consists of liability arising from all types of discrimination.

31. Clients, Products and Business Practices - Losses arising from an unintentional act, negligence or failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product. Including:
    a. Suitability, Disclosure and Fiduciary consists of fiduciary breaches or guideline violations; suitability / disclosure issues (KYC, etc.); retail consumer disclosure violations; breach of privacy; misuse of confidential information; and lender liability.
    b. Improper Business or Market Practices consists of antitrust, improper trade or market practices; market manipulation; unlicensed activity; and money laundering.
    c. Product Flaws consists of product defects (cross-selling of third-party products such as insurance and mutual funds; mismatch of the suitability and appropriateness of products to the requirements or profile of the customer.); pricing error resulting in claim from client for compensation by financial institution; and net interest cost due to delays in settlement.
    d. Selection, Sponsorship and Exposure consists of failure to investigate client per guidelines; and exceeding client exposure limits.
    e. Advisory Activity means disputes over performance of advisory activities.

32. Damage to Physical Assets - Losses arising from impairment to physical assets from natural disasters, vandalism or other mishaps, including:
    a. natural disaster losses or weather conditions such as floods, winds or storms that have an impact on business continuity; and
    b. human losses from external sources (terrorism, vandalism).

33. Business Disruption and System Failures - Losses arising from disruption of business or system failures including hardware, software, telecommunications and utility outages or disruptions.

34. Execution, Delivery and Process Management - Losses arising from failed transaction processing or process management, from relations with trade counterparties and vendors. Included are:
    a. Transaction Capture, Execution, and Maintenance - consists of miscommunication, data entry, maintenance or loading error (losses resulting from certain upgrade, patches and enhancements not done.). Including missed deadline or responsibility, model or system mis-operation, accounting error; other task mis-performance, delivery failure and collateral management failure.
    b. Monitoring and Reporting - consists of failed mandatory reporting obligation and inaccurate external report (loss incurred).
    c. Customer Intake and Documentation - consists of client permissions or disclaimers missing and legal documents missing or incomplete.
    d. Customer/Client Account Management - consists of unapproved access given to accounts in relation to incorrect client records (loss incurred) and negligent loss or damage of client assets.

35. Bank of Jamaica has the authority to vary the list and criteria for the categories of operational loss events identified above.

36. Financial institutions should include in their historical loss database other operational loss events that are material to their operations but not reflected in this document.

37. Financial institutions should be guided by this Taxonomy, as well as by the data collection criteria outlined in the Standard of Sound Practices on the Capital Adequacy Framework in relation to the Standardized Approach for Capital Charges for Operational Risk for the collection and reporting of operational loss events.