Competent authorities shall assess an institution's compliance with the standards relating to the use of internal data, external data, scenario analysis and BEICF ("the four elements"), as referred to in Article 322 of Regulation (EU) No 575/2013, by verifying at least the following:

1. (a)

   that the institution has internal documentation specifying in detail how the four elements are gathered, combined and/or weighted, including a description of the modelling process that illustrates the use and combination of the four elements and of the rationale for the modelling choices;

2. (b)

   that the institution has a clear understanding of how each of the four elements influence the AMA own funds requirements;

3. (c)

   that the combination of the four elements used by the institution is based on a sound statistical methodology, sufficient for estimating high percentiles;

4. (d)

   that the institution applies at least the following when collecting, generating and treating the four elements:

   1. (i)

      the criteria set out in Articles 21 to 24 relating to internal data;

   2. (ii)

      the criteria set out in Article 25, relating to external data;

   3. (iii)

      the criteria set out in Article 26, relating to scenario analysis;

   4. (iv)

      the criteria set out in Article 27, relating to BEICF.

Competent authorities shall assess an institution's compliance with the standards relating to internal data features, as referred to in point (i) of Article 20(d), by verifying at least the following:

1. (a)

   that the institution gathers all of the following elements within the group in a clear and consistent manner:

   1. (i)

      the gross loss caused by the occurrence of an operational risk event;

   2. (ii)

      the recovery.

2. (b)

   that the institution is able to separately identify the gross loss amount, the recovery from insurance and other risk transfer mechanisms (ORTM) and the recovery except from insurance and ORTM following an operational risk event, except for losses that are partly or fully recovered within five working days;

3. (c)

   that the institution implements a system for defining and justifying appropriate data collection thresholds based on the gross loss amount;

4. (d)

   that the operational risk category is reasonable and does not omit loss data that is material for effective operational risk measurement and risk management;

5. (e)

   that for each individual loss, the institution is able to identify and record at least the following elements in the internal database:

   1. (i)

      the date of occurrence or start of occurrence of the operational risk event, where available;

   2. (ii)

      the date of discovery of the operational risk event;

   3. (iii)

      the date of accounting.

1. (1)

   Competent authorities shall confirm that an institution identifies, collects and treats the loss items generated by an operational risk event, as referred to in point (i) of Article 20(d), by verifying that the institution includes at least the following within the scope of operational risk loss for the purposes of both management of operational risk and calculation of the AMA own funds requirements:

   1. (a)

      direct charges, including impairments and settlement charges, to the Profit and Loss account and write-downs due to the operational risk event;

   2. (b)

      costs incurred as a consequence of the operational risk event, including the following:

      1. (i)

         external expenses with a direct link to the operational risk event, including legal expenses and fees paid to advisors, attorneys or suppliers;

      2. (ii)

         costs of repair or replacement to restore the position prevailing before the operational risk event, in the form of either precise figures, or, where these are not available, estimates.

   3. (c)

      provisions or reserves accounted for in the Profit and Loss account against probable operational risk losses, including those from misconduct events;

   4. (d)

      pending losses, in the form of losses stemming from an operational risk event, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the Profit and Loss which are planned to be included within a time period commensurate to the size and age of the pending item;

   5. (e)

      material uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the operational risk event, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time;

   6. (f)

      timing losses, where they span more than one financial accounting year and give rise to legal risk.

2. (2)

   For the purposes of paragraph 1, competent authorities may, to the extent appropriate, confirm that the institution identifies, collects and treats for the purposes of management of operational risk any additional items where they originate from a material operational risk event, including the following:

   1. (a)

      a near miss in the form of a nil loss caused by an operational risk event, including an IT disruption in the trading room just outside trading hours;

   2. (b)

      a gain caused by an operational risk event;

   3. (c)

      opportunity costs in the form of an increase in costs or a shortfall in revenues due to operational risk events that prevent undetermined future business from being conducted, including unbudgeted staff costs, forgone revenue, and project costs related to improving processes;

   4. (d)

      internal costs including overtime or bonuses.

3. (3)

   For the purposes of paragraph 1, competent authorities shall also confirm that the institution excludes the following items from the scope of operational risk loss:

   1. (a)

      costs of general maintenance contracts on property, plant or equipment;

   2. (b)

      internal or external expenditures to enhance the business after the occurrence of an operational risk event, including upgrades, improvements, risk assessment initiatives and enhancements;

   3. (c)

      insurance premiums.

1. (1)

   Competent authorities shall confirm that an institution records the loss amount generated by an operational risk event, as referred to in point (i) of Article 20(d), by verifying at least the following:

   1. (a)

      that the whole amount of the incurred loss or expenses, including provisions, costs of settlement, amounts paid to make good the damage, penalties, interest in arrears and legal fees, is considered as recorded loss amount for the purposes of both management of operational risk and calculation of the AMA own funds requirements, unless otherwise specified;

   2. (b)

      that, where the operational risk event relates to market risk, the institution includes the costs to unwind market positions in the recorded loss amount of the operational risk items; and that, where the position is intentionally kept open after the operational risk event is recognized, any portion of the loss due to adverse market conditions after the decision to keep the position open is not included in the recorded loss amount of the operational risk items;

   3. (c)

      that, where tax payments relate to failures or inadequate processes of the institution, the institution includes in the recorded loss amount of the operational risk items the expenses incurred as a result of the operational risk event, including penalties, interest charges, late-payment charges, and legal fees, with the exclusion of the tax amount originally due;

   4. (d)

      that, where there are timing losses and the operational risk event directly affects third parties, including customers, providers and employees of the institution, the institution includes in the recorded loss amount of the operational risk item also the correction of the financial statement.

2. (2)

   For the purposes of paragraph 1, where the operational risk event leads to a loss event, which is partly rapidly recovered, competent authorities shall consider appropriate the inclusion, on behalf of the institution, in the recorded loss amount of only that part of the loss which is not rapidly recovered in accordance with point (b) of Article 21.

1. (1)

   Competent authorities shall confirm that an institution identifies, collects and treats operational risk losses that are related to credit risk, as referred to in point (i) of Article 20(d), by verifying that the institution includes within the scope of operational risk loss, for the purposes of management of operational risk, at least the following:

   1. (a)

      frauds committed by a client of the institution on its own account, occurring in a credit product or credit process at the initial stage of the lifecycle of a credit relationship, including inducement to lending decisions based on counterfeit documents or miss-stated financial statements, such as non-existence or over-estimation of collaterals and counterfeit salary confirmation;

   2. (b)

      frauds committed by means of another, ignorant person's identity, including loan applications through electronic identity fraud using clients' data or fictitious identities or fraudulent use of clients' credit cards.

2. (2)

   For the purposes of paragraph 1, competent authorities shall confirm that the institution takes at least the following actions:

   1. (a)

      adjusts the data collection threshold relating to the loss events described in paragraph 1 up to comparable levels as those of the other operational risk categories of the AMA framework, where appropriate;

   2. (b)

      includes within the gross loss of the events described in paragraph 1 the total outstanding amount at the time or after the discovery of the fraud, and any related expenses, including interest in arrears and legal fees.

Competent authorities shall assess an institution's compliance with the standards relating to external data features, as referred to in point (ii) of Article 20(d), by verifying at least the following:

1. (a)

   that, where the institution participates in consortia initiatives for the collection of operational risk events and losses, the institution is able to provide data of the same quality, in terms of scope, integrity and comprehensiveness, as internal data meeting the standards referred to in Articles 21, 22, 23, and 24 and that it does so consistently with the type of data requested by the consortia reporting standards;

2. (b)

   that the institution has a data filtering process in place which allows the selection of relevant external data, based on specific established criteria and that the external data being used is relevant and consistent with the risk profile of the institution;

3. (c)

   that, in order to avoid bias in parameter estimates, the filtering process results in a consistent selection of data regardless of the loss amount, and that, where the institution permits exceptions to this selection process, it has a policy providing criteria for exceptions and documentation supporting the rationale for those exceptions;

4. (d)

   that, where the institution adopts a data scaling process involving the adjustment of loss amounts reported in external data, or of the related distributions, to fit the institution's business activities, nature and risk profile, the scaling process is systematic and statistically supported and that it provides outputs that are consistent with the institution's risk profile;

5. (e)

   that the institution's scaling process is consistent over time and its validity and effectiveness are regularly reviewed.

1. (1)

   Competent authorities shall assess an institution's compliance with the standards relating to scenario analysis, as referred to in point (iii) of Article 20(d), by verifying at least the following:

   1. (a)

      that the institution has a robust governance framework in place relating to the scenario process that generates credible and reliable estimates, irrespective of whether the scenario is used for evaluating high severity events or the overall operational risk exposures;

   2. (b)

      that the scenario process is clearly defined, well documented, repeatable and designed to reduce as much as possible subjectivity and biases, including:

      1. (i)

         the underestimation of risk due to the number of observed events being small;

      2. (ii)

         the misrepresentation of information due to scenario assessors' interests in conflict with the goals and consequences of the assessment;

      3. (iii)

         the overestimation of events with temporal proximity to the scenario assessors;

      4. (iv)

         the distortion of assessment due to the categories within which the responses are represented;

      5. (v)

         the bias in the information presented in background materials to survey questions or within the questions themselves.

   3. (c)

      that qualified and experienced facilitators provide consistency in the process;

   4. (d)

      that the assumptions used in the scenario process are based, to the maximum extent, on the relevant internal data and external data with an objective and unbiased selection process;

   5. (e)

      that the chosen number of scenarios, the level at, or units in, which scenarios are studied, are realistic and properly explained, and that the scenario estimates take into account relevant changes in the internal and external environments that can affect the institution's operational risk exposure;

   6. (f)

      that the scenario estimates are generated taking into account potential or probable operational risk events that have not yet, fully or partly, materialised in an operational risk loss;

   7. (g)

      that the scenario process and estimates are subject to a robust independent challenge process and oversight.

Competent authorities shall assess an institution's compliance with the standards relating to the BEICF as referred to in point (iv) of Article 20(d) by verifying at least the following

1. (a)

   that the institution's BEICF are forward looking and reflect potential sources of operational risk, including rapid growth, the introduction of new products, employee turnover and system downtime;

2. (b)

   that the institution has clear policy guidelines that limit the magnitude of reductions in the AMA own funds requirements resulting from BEICF adjustments;

3. (c)

   that the BEICF adjustments referred to in point (b) are justified and that the appropriateness of their level is confirmed by comparison, over time, with the direction and magnitude of actual internal loss data, conditions in the business environment and changes in the validated effectiveness of controls.

Competent authorities shall assess an institution's standards relating to the core modelling assumptions of the operational risk measurement system, as referred to in points (a) and (c) of Article 322(2) of Regulation (EU) No 575/2013, by verifying at least the following:

1. (a)

   that the institution develops, implements and maintains an operational risk measurement system that is methodologically well founded, effective in capturing the institution's actual and potential operational risk, and reliable and robust in generating AMA own funds requirements;

2. (b)

   that the institution has appropriate policies on the building of the calculation data set, in accordance with Article 29;

3. (c)

   that the institution applies the appropriate level of granularity in its model, in accordance with Article 30;

4. (d)

   that the institution has in place an appropriate process for the identification of loss distributions, in accordance with Article 31;

5. (e)

   that the institution determines the aggregate loss distributions and risk measures in an appropriate manner, in accordance with Article 32.

For the purposes of assessing that an institution has appropriate policies on the building of the calculation data set, as referred to in point (b) of Article 28, competent authorities shall confirm at least the following:

1. (a)

   that specific criteria and examples for the classification and treatment of operational risk events and losses within the calculation data set are defined by the institution, and that such criteria and examples provide a consistent treatment of loss data across the institution;

2. (b)

   that the institution does not use loss net of insurance and ORTM recoveries in the calculation data set;

3. (c)

   that the institution has adopted, for operational risk categories with low frequency of events, an observation period greater than the minimum referred to in point (a) of Article 322(3) of Regulation (EU) No 575/2013;

4. (d)

   that the institution, in the course of building the calculation data set for the purposes of estimating frequency and severity distributions, uses the date of discovery or the date of accounting only, and uses a date no later than the date of accounting for including losses or provisions related to legal risk into the calculation dataset;

5. (e)

   that the institution's choice of the minimum modelling threshold does not adversely impact the accuracy of the operational risk measures and that the use of minimum modelling thresholds that are much higher than the data collection thresholds is limited and, where applied, is properly justified by sensitivity analysis of various thresholds performed by the institution;

6. (f)

   that the institution includes all operational losses above the chosen minimum modelling threshold in the calculation data set and that it uses them, irrespective of their level, for generating the AMA own funds requirements;

7. (g)

   that the institution applies appropriate adjustment rates on the data where inflation or deflation effects are material;

8. (h)

   that losses caused by root event in the form of a common operational risk event or by multiple events linked to an initial operational risk event generating events or losses are grouped and entered into the calculation data set as a single loss by the institution;

9. (i)

   that any possible exceptions to the treatment laid down in point (h) are properly documented and justified to prevent undue reduction of the AMA own funds requirements;

10. (j)

    that the institution does not discard from the AMA calculation data set material adjustments to operational risk losses of single or linked events, where the reference date of these adjustments falls within the observation period and the reference date of the initial, single event or root event referred to in point (h) falls outside such a period;

11. (k)

    that the institution is able to distinguish, for each reference year included in the observation period, the loss amounts pertinent to events discovered or accounted for in that year from the loss amounts pertinent to adjustments or grouping of events discovered or accounted for in previous years.

For the purposes of assessing that an institution applies the appropriate level of granularity in its model, as referred to in point (c) of Article 28, competent authorities shall confirm at least the following:

1. (a)

   that the institution takes into account the nature, complexity and idiosyncrasies of its business activities and the operational risks which it is exposed to, where grouping together risks sharing common factors and defining the operational risk categories of an AMA;

2. (b)

   that the institution justifies its choice of level of granularity of its operational risk categories on the basis of qualitative and quantitative means, and that it classifies operational risk categories based on homogeneous, independent and stationary data;

3. (c)

   that the institution's choice of level of granularity of its operational risk categories is realistic and does not adversely impact the conservatism of the model outcome or of its parts;

4. (d)

   that the institution reviews the choice of level of granularity of its operational risk categories on a regular basis with the view to ensuring that it remains appropriate.

For the purposes of assessing that an institution has an appropriate process for the identification of frequency and severity of the distributions of loss, as referred to in point (d) of Article 28, competent authorities shall confirm at least the following:

1. (a)

   that the institution follows a well specified, documented and traceable process for the selection, update and review of loss distributions and the estimate of their parameters;

2. (b)

   that the process for the selection of the loss distributions results in consistent and clear choices by the institution, properly captures the risk profile in the tail and includes at least the following elements:

   1. (i)

      a process of using statistical tools, including graphs, measures of centre, variation, skewness and leptokurtosis to investigate the calculation data set for each operational risk category with the view to better understand the statistical profile of the data and selecting the most suitable distribution;

   2. (ii)

      appropriate techniques for the estimation of the distribution parameters;

   3. (iii)

      appropriate diagnostic tools for evaluating the distributions to the data, giving preference to those most sensitive to the tail;

3. (c)

   that, in the course of selecting a loss distribution, the institution carefully considers the positive skewness and leptokurtosis of the data;

4. (d)

   that, where the data are much dispersed in the tail, empirical curves are not used to estimate the tail region, but that instead sub-exponential distributions whose tail decays slower than the exponential distributions are used, unless exceptional reasons exist to apply other functions, which are in any case properly addressed and fully justified to prevent undue reduction of AMA own funds requirements;

5. (e)

   that, where separate loss distributions are used for the body and for the tail, the institution carefully considers the choice of the body-tail modelling threshold;

6. (f)

   that documented statistical support, supplemented as appropriate by qualitative elements, is provided for the selected body-tail modelling threshold;

7. (g)

   that, in the course of estimating the parameters of the distribution, the institution either reflects the incompleteness of the calculation data set due to the presence of minimum modelling thresholds in the model or that it justifies the use of an incomplete calculation data set on the basis that it does not adversely impact the accuracy of the parameter estimates and AMA own funds requirements;

8. (h)

   that the institution has in place methodologies to reduce the variability of estimates of parameters and provides measures of the error around these estimates including confidence intervals and p-values;

9. (i)

   that, where the institution adopts robust estimators in the form of generalisations of classical estimators, with good statistical properties including high efficiency and low bias for a whole neighbourhood of the unknown underlying distribution of the data, it can demonstrate that their use does not underestimate the risk in the tail of the loss distribution;

10. (j)

    that the institution assesses the goodness-of-fit between the data and the selected distribution by using diagnostic tools of both a graphical and a quantitative nature, which are more sensitive to the tail than to the body of the data, especially where the data are very dispersed in the tail;

11. (k)

    that, where appropriate, including where the diagnostic tools do not lead to a clear choice for the best-fitting distribution or to mitigate the effect of the sample size and the number of estimated parameters in the goodness-of-fit tests, the institution uses evaluation methods that compare the relative performance of the loss distributions, including the Likelihood Ratio, the Akaike Information Criterion, and the Schwarz Bayesian Criterion;

12. (l)

    that the institution has a regular cycle for controlling assumptions underlying the selected loss distributions, and that where assumptions are invalidated, including where they generate values outside established ranges, the institution has tested alternative methods and that it has properly classified any changes made to the assumptions, in accordance with Commission Delegated Regulation (EU) No 529/2014.

For the purposes of assessing that an institution determines the aggregated loss distributions and risk measures in an appropriate manner, as referred to in point (e) of Article 28, competent authorities shall confirm at least the following:

1. (a)

   that the techniques elaborated by the institution for that purpose ensure appropriate levels of precision and stability of the risk measures;

2. (b)

   that the risk measures are supplemented with information on their level of accuracy;

3. (c)

   that, irrespective of the techniques used to aggregate frequency and severity loss distributions, including Monte Carlo simulations, Fourier Transform-related methods, Panjer algorithm and Single Loss Approximations, the institution adopts criteria that mitigate sample and numerical related errors and provides a measure of the magnitude of these errors;

4. (d)

   that, where Monte Carlo simulations are used, the number of steps to be performed is consistent with the shape of the distributions and with the confidence level to be achieved;

5. (e)

   that, where the distribution of losses is heavy-tailed and measured at a high confidence level, the number of steps is sufficiently large to reduce sampling variability to an acceptable level;

6. (f)

   that, where Fourier Transform or other numerical methods are used, algorithm stability and error propagation issues are carefully considered;

7. (g)

   that the institution's risk measure generated by the operational risk measurement system fulfils the monotonic principle of risk, which can be seen in the generation of higher own fund requirements where the underlying risk profile increases and in the generation of lower own funds requirements where the underlying risk profile decreases;

8. (h)

   that the institution's risk measure generated by the operational risk measurement system is realistic from a managerial and economical perspective, and more that the institution applies appropriate techniques to avoid capping the maximum single loss, unless it provides a clear objective rationale for the existence of an upper bound, and to avoid implying the non-existence of the first statistical moment of the distribution;

9. (i)

   that the institution explicitly evaluates the robustness of the outcome of the operational risk measurement system by performing appropriate sensitivity analysis on the input data or its parameters.

Competent authorities shall assess an institution's standards relating to expected losses, as referred to in point (a) of Article 322(2) of Regulation (EU) No 575/2013, by confirming that where the institution calculates the AMA own funds requirements only in relation to unexpected losses, it complies with at least the following requirements:

1. (a)

   that the institution's methodology for the estimate of expected losses is consistent with the operational risk measurement system for the estimate of the AMA own funds requirements that comprises both expected losses and unexpected losses, and that the expected loss estimation process is done by operational risk category and is consistent over time;

2. (b)

   that the institution defines the expected loss using statistics that are less influenced by extreme losses, including median and trimmed mean, especially in the case of medium- or heavy-tailed data;

3. (c)

   that the maximum offset for expected loss applied by the institution is bound by the total expected loss and that the maximum offset for expected loss in each operational risk category is bound by the relevant expected loss calculated according to the institution's operational risk measurement system applied to that category;

4. (d)

   that the offsets the institution allows for expected loss in each operational risk category are capital substitutes or that they are otherwise available to cover expected loss with a high degree of certainty over the one-year period;

5. (e)

   that where the offset is something other than provisions, the institution limits the availability of the offset to those operations with highly predictable, stable and routine losses;

6. (f)

   that the institution does not use specific reserves for exceptional operational risk loss events that have already occurred as expected loss offsets;

7. (g)

   that the institution clearly documents how its expected loss is measured and captured, including how any expected loss offsets meet the conditions outlined in points from (a) to (f).

Competent authorities shall assess an institution's standards relating to correlation, as referred to in point (d) of Article 322(2) of Regulation (EU) No 575/2013, by confirming that where the institution calculates the AMA own funds requirements by recognising less than full correlation across individual operational risk estimates, it complies with at least the following requirements:

1. (a)

   that the institution carefully considers any form of linear or non-linear dependence, relating to all the data, either to the body or to the tail, across two or more operational risk categories or within an operational risk category;

2. (b)

   that the institution supports its correlation assumptions, to the greatest extent possible, on an appropriate combination of empirical data analysis and expert judgement;

3. (c)

   that losses within each operational risk category are independent of each other;

4. (d)

   that where the condition of point (c) is not met, dependent losses are aggregated together;

5. (e)

   that, only where neither of the conditions of points (c) or (d) can be met, dependence within the operational risk categories is appropriately modelled;

6. (f)

   that the institution carefully considers dependence between tail events;

7. (g)

   that the institution does not base the dependence structure on Gaussian or Normal-like distributions;

8. (h)

   that all assumptions regarding dependence used by the institution are conservative given the uncertainties relating to dependence modelling for operational risk, and that the degree of conservatism used by the institution increases as the rigour of the dependence assumptions and the reliability of the resulting own funds requirements decrease;

9. (i)

   that the institution properly justifies the dependence assumptions it uses and that it regularly performs sensitivity analyses with the view to assessing the effect of the dependence assumptions on its AMA own funds requirements.

Competent authorities shall assess an institution's standards relating to the internal consistency of the operational risk measurement system, as referred to in point (e) of Article 322(2) of Regulation (EU) No 575/2013, by confirming at least the following:

1. (a)

   that the institution's capital allocation mechanism is consistent with the institution's risk profile and with the overall design of the operational risk measurement system;

2. (b)

   that allocation of the AMA own funds requirements takes into account potential internal differences in risk and quality of operational risk management and internal control between the parts of the group to which the AMA own funds requirements are allocated;

3. (c)

   that there is no observable current or foreseen practical or legal impediment to the prompt transfer of own funds or repayment of liabilities;

4. (d)

   that the allocation of the AMA own funds requirements from the consolidated group level downwards to the parts of the group involved in the operational risk measurement system relies on sound and to, the maximum extent, risk sensitive methodologies.