Basel II and UAE Banks: Internal Risk Regulation a Weak Link
With the publication of the text of the new Basel II bank supervisory framework in June 2004, a development regarded as a watermark in the evolution of the new banking regulatory model, the urgency to initiate steps to incorporate elements of the new system into the supervisory regimes of Gulf bank regulators is far more pressing than before.
Basel II has implications for banks not only on their day-to-day operations, but also on their longer-term investment and growth strategies. Issues of critical importance that need insight include the rules and regulations themselves, the preparatory processes and their regional implications. Also requiring deeper understanding are issues such as discretions and market-based incentives, which form an important part of the new model, as do the requirements to counter the constantly changing operational risks.
The new norms represent a major revision of the international standard on bank capital adequacy that was introduced in 1988. Basel II aligns the capital measurement framework with sound contemporary practices in banking, promotes improvements in risk management, and is intended to enhance financial stability of not just the individual bank, but the whole banking community.
In its simplest explanation, Basel II seeks to take care of the various operational risks that can decide a bank’s performance in view of a number of uncertainties that may once have been extraneous to their operations. A large part of this may relate to factors such as technology and online fraud, etc. Basel II combines three major elements – supervisory review of capital adequacy, self-regulation through internal assessment and market discipline.
The cardinal thought behind the new standards is that issues such as credit risk, market risk, operational risk, and other risks need to be handled in a professional manner and must not be allowed to destabilise the markets. While ensuring that the banks maintain levels of capital that are in line with their risk exposures, Basel II regulations also require banks to control risk properly and to justify the risks they have taken. This means that data that was previously available only to the risk manager of the bank will in the future be disclosed, placing on the bank the obligation to meet tough standards of regulators, stakeholders, and the market.
For banks in most parts of the world, Basel II will mean significant additions to their capital as the new standards make it mandatory for them to realign their minimum capital requirements to their changing risk profiles. For the UAE banks, all of which are already capitalised at higher levels than those stipulated by the Basel standards, this may not be as serious an issue as it is for banks in other parts of the world, where they would be required to add significantly to their capital.
There are of course questions about the mandatory status of some of the provisions that Basel II standards entail. The US regulators, for instance, have taken the position that many of the new stipulations are more relevant in the case of global banking giants whose success or failure can determine the course of the global banking and financial industry. The other side of the argument is that since smaller banks in emerging markets, such as the ones in the UAE, have little influence on the global industry, a problem here is most likely to remain localised and therefore their international implications may be limited. Approaches along these lines have led to the interpretation that the new capital adequacy norms could, in fact, leave some of these players untouched. This has even put the Basel II proposals under the cloud of controversy, leading to delays in the finalisation of the new standards.
According to current indications, the standardised and foundation approaches of the new supervisory model will be implemented from the end of 2006. A further year of impact analysis and parallel running may be needed for the most advanced approaches, which means that the implementation can start only at the end of 2007. This will also provide additional time for supervisors and the industry to develop a consistent approach for implementation.
Irrespective of the doubts on the mandatory applicability of the norms in the region, Gulf central banks have, in general, shown no reservations about the new model. Having strictly implemented the earlier standards, most Gulf countries have indicated that a raise in the capital adequacy levels in accordance with Basel II is in the offing.
There are very important issues that banks here will need to pursue vigorously so that they do not end up short of the required levels of caution and safeguards. Basel II introduces a far more comprehensive framework for regulatory capital and risk management than we have ever known. The new standards present a plethora of operational and technological challenges for individual banks as well as their central bank regulators. To begin with, credit risk reporting under the new Basel II recommended amendments will differ greatly from its present form. Today, regulators focus more on the expected losses and process that determine the quality of the various parts of the portfolio. The requirements for capital adequacy calculations under the proposed internal models method for market risk are much more complicated than the current credit risk calculations.
Most major financial institutions across the world have implemented enterprise risk systems to assess and report on levels of risk exposure across the institution. Few systems, however, can automatically generate regulatory reporting. Reporting systems, for any purpose, still leave a lot to be desired. Regulatory reporting has three major components.
Many of the enterprise risk systems that manage market risk have the requisite data and can perform these calculations. But because the systems supporting regulatory reporting today are a rather motley collection of vendor and home-grown technologies, often held together by a great deal of manual intervention, any changes to regulatory reporting requirements are very painful. They require a reconfiguring of the process and can be time-consuming and costly.
According to some experts, it is difficult to sit down and define a risk architecture that successfully meets regulators’ requirements. Because previous incarnations of regulatory requirements have been relatively straightforward, institutions have successfully created regulatory reporting with minimal investment in actual systems or technology dedicated to this purpose.
But the latest round of changes in the credit and operational risk capital adequacy guidelines are expected to change all this. The new Basel proposals on capital allocation for credit risk are set up with the basic idea that there has to be more differentiation in capital allocated to credit risks so as to adequately reflect the difference between credit quality and assets. The Bank for International Settlements (BIS) has designed two approaches for determining capital allocated to credit risks such that even smaller institutions can comply, but they are clearly angled to persuade banks that can use more sophisticated credit practices. This is expected to challenge the internal regulatory capabilities of individual banks, particularly those in the UAE and the rest of the Gulf, whose current systems may be woefully inadequate to handle the task.
According to experts, fulfilling the requirements of the three-pillar Basel Accord will require even the most sophisticated banking institutions to make a significant investment. Estimates put the requirement of an average-sized bank to about AED200m. This makes it incumbent on the banks to try to achieve the fullest return on the investment and inability to do this would make implementation cost a real burden. Since regulators will expect Basel II risk measurement to fuel management decision-making, viewing Basel II as a technical compliance matter will, ironically, only increase the risk of the bank’s being judged by its regulators to be noncompliant, it is pointed out. On the other hand, institutions that approach the requirements as part of a broader mandate to strengthen risk measurement and management are expected to gain through increased capability to compete.
Leading institutions are incorporating the Basel II requirements into credit risk infrastructure development initiatives that are already under way. In some cases, too, they are using Basel II as a springboard for launching risk measurement and management initiatives that seek to accomplish the broader business objectives.
Some commentators have indicated the possibility of the new capital adequacy norms, tied inextricably as they are to risk perceptions, increasing the cost of borrowing for regional corporates and other customers, particularly the ones with lower ratings. They point out that if the regulators consider lending in the local markets more risky and therefore insist on a raise in capital adequacy, it would amount to penalizing the banks for doing business with the low-rated customers, who might be forced to pay more for their funds.
Another key element that will have a bearing on the local banks is Basel II’s view of growing personal borrowings and their larger economic implications. Household borrowing has grown considerably in many countries over the past two decades, both in absolute terms and relative to household incomes. The standard setters are inclined to view much of the increase as a rational response by households to the effects of easing liquidity constraints on households, and lower inflation and borrowing rates. But they argue that regardless of whether the increase in debt is sustainable, it has important macroeconomic implications. The household sector will be more sensitive to shocks to interest rates and household incomes, and consumption spending will be more sensitive to changes in expectations of future income. The increased sensitivity will depend crucially on the distribution of debt across the household sector.
For its part, the UAE central bank has of late been upgrading its risk management system as the new Basel standards make understanding and managing risk the two most important issues for the supervision of the banking industry. The central bank has already introduced a risk-based supervisory model for banks in the country through a pilot project undertaken for over a year. The scheme was piloted in 17 banks over a period of 18 months before it became operational in March this year. As part of the new system, skilled personnel have replaced the traditional risk managers of the past five years.
According to Mark Markani, head of the Business Risk Review team, which developed the new risk process in-house at the UAE central bank, the new process would ensure that the central bank is positioned among the leading world-class regulators globally. The new methodology reviews management of credit, market and of operational risks covering end-to-end process and quality drivers across the bank to enable identification of high-level risk in a timely and efficient manner using a balanced scorecard approach. “It is a truly holistic, integrated forward-looking and process-oriented approach that aligns strategy, processes, people, technology and knowledge. The process starts with a comprehensive top down view to target the most significant areas. The key tools of this process are the balanced scorecards, risk maps and quarterly dashboards,” he said.
The risk map encapsulates the risks for each area of the business and identifies areas of high risk. The identification of the risk is expected to drive the action to be taken by the central bank as the regulator in terms of increased supervision.
The dashboards that will help the banks and the central bank to do gap analyses would consist of numerous key risk indicators based on criteria defined by banking supervision and examination department. It will have information from many sources: trading systems, risk systems, human resources and technology, among others. Any issues arising from the dashboards would be dealt with by the central bank supervisors as and when they occur.
According to the BIS Sound Practices for Management and Supervision of Operational Risk, the risk map should cover issues thrown up as a result of the new technologies and new delivery channels like the internet and transactions through e-commerce. The banks would also need to look out for risks emerging from risk mitigation techniques being employed by other players. “Banks may engage in risk mitigation techniques to optimise their exposure to market risk and credit risk, but which in turn may produce other forms of risks.” The norms also call upon banks to make sufficient public disclosure to allow market participants to assess their approach to operation risk management.
According to these, the timely and frequent public disclosure of relevant information can lead to enhanced market discipline and therefore, more effective risk management. Also emphasised is the role of supervisors who should see to it that all banks, regardless of size, have an effective framework in place to identify, assess, monitor and mitigate operational risks.
Most large banks in the region do major business with governments, which will need to be assigned risk weights according to the new framework. This is expected to bring in some change to the current capital cover levels of many banks in the region. As size of the capital of a bank would be a very big factor, banks that are not required to commit capital while booking government assets might have to do so under the new framework. In particular, the government of a country with a low credit rating will find that the capital requirements are more severe.
The new framework, however, would also provide lots of scope for banks to create special purpose vehicles and spin off some of their low risk but high-weighted assets into these vehicles. According to experts, asset securitisation would play a major role in the banking industry that would try to keep capital adequacy within the norms, a development that could also test the new framework.
It is clear that the new standards will involve the use of IT systems in the risk management processes. For the first time, BIS has included a requirement of IT in its recommendations. Although the recommendations stop short of detailing the type of systems that may be required, the credit risk management stipulations cover data aggression tools, database for ratings and other inputs, capital allocation tools, analytical tools and regulatory reporting and disclosure documentation.
The guidelines make it clear that the entire process must be integrated and the information used to determine creditworthiness and capital must be the basis for credit decisions. According to a white paper on the subject, this implies a level of automation that flows all the way from credit authorization to portfolio management.
This means that even the institutions with credit decision-making tools would be required to enhance their processes and systems to comply with the new standards. According to the paper, although most large institutions have some portions of the required elements, even the very largest will need to invest in credit risk technologies over the next few years. The paper estimates that the investments will add up to hundreds of millions of dollars. Banks will also need to invest considerable additional amounts in staffing and defining internal credit processes before they can use these tools for decision-making. The UAE banks may have to travel some good distances before they can see the target in clearer terms.