Title 12

SECTION 1240.121

1240.121 Minimum requirements.

§ 1240.121 Minimum requirements.

(a) Process and systems requirements. (1) An Enterprise must have a rigorous process for assessing its overall capital adequacy in relation to its risk profile and a comprehensive strategy for maintaining an appropriate level of capital.

(2) The systems and processes used by an Enterprise for risk-based capital purposes under this subpart must be consistent with the Enterprise's internal risk management processes and management information reporting systems.

(3) Each Enterprise must have an appropriate infrastructure with risk measurement and management processes that meet the requirements of this section and are appropriate given the Enterprise's size and level of complexity. The Enterprise must ensure that the risk parameters and reference data used to determine its risk-based capital requirements are representative of long run experience with respect to its credit risk and operational risk exposures.

(b) Risk rating and segmentation systems for exposures. (1) An Enterprise must have an internal risk rating and segmentation system that accurately, reliably, and meaningfully differentiates among degrees of credit risk for the Enterprise's exposures. When assigning an internal risk rating, an Enterprise may consider a third-party assessment of credit risk, provided that the Enterprise's internal risk rating assignment does not rely solely on the external assessment.

(2) If an Enterprise uses multiple rating or segmentation systems, the Enterprise's rationale for assigning an exposure to a particular system must be documented and applied in a manner that best reflects the obligor or exposure's level of risk. An Enterprise must not inappropriately allocate exposures across systems to minimize regulatory capital requirements.

(3) In assigning ratings to exposures, an Enterprise must use all relevant and material information and ensure that the information is current.

(c) Quantification of risk parameters for exposures. (1) The Enterprise must have a comprehensive risk parameter quantification process that produces accurate, timely, and reliable estimates of the risk parameters on a consistent basis for the Enterprise's exposures.

(2) An Enterprise's estimates of risk parameters must incorporate all relevant, material, and available data that is reflective of the Enterprise's actual exposures and of sufficient quality to support the determination of risk-based capital requirements for the exposures. In particular, the population of exposures in the data used for estimation purposes, the underwriting standards in use when the data were generated, and other relevant characteristics, should closely match or be comparable to the Enterprise's exposures and standards. In addition, an Enterprise must:

(i) Demonstrate that its estimates are representative of long run experience, including periods of economic downturn conditions, whether internal or external data are used;

(ii) Take into account any changes in underwriting practice or the process for pursuing recoveries over the observation period;

(iii) Promptly reflect technical advances, new data, and other information as they become available;

(iv) Demonstrate that the data used to estimate risk parameters support the accuracy and robustness of those estimates; and

(v) Demonstrate that its estimation technique performs well in out-of-sample tests whenever possible.

(3) The Enterprise's risk parameter quantification process must produce appropriately conservative risk parameter estimates where the Enterprise has limited relevant data, and any adjustments that are part of the quantification process must not result in a pattern of bias toward lower risk parameter estimates.

(4) The Enterprise's risk parameter estimation process should not rely on the possibility of U.S. government financial assistance.

(5) Default, loss severity, and exposure amount data must include periods of economic downturn conditions, or the Enterprise must adjust its estimates of risk parameters to compensate for the lack of data from periods of economic downturn conditions.

(6) If an Enterprise uses internal data obtained prior to becoming subject to this subpart or external data to arrive at risk parameter estimates, the Enterprise must demonstrate to FHFA that the Enterprise has made appropriate adjustments if necessary to be consistent with the Enterprise's definition of default. Internal data obtained after the Enterprise becomes subject to this subpart must be consistent with the Enterprise's definition of default.

(7) The Enterprise must review and update (as appropriate) its risk parameters and its risk parameter quantification process at least annually.

(8) The Enterprise must, at least annually, conduct a comprehensive review and analysis of reference data to determine relevance of the reference data to the Enterprise's exposures, quality of reference data to support risk parameter estimates, and consistency of reference data to the Enterprise's definition of default.

(d) Operational risk - (1) Operational risk management processes. An Enterprise must:

(i) Have an operational risk management function that:

(A) Is independent of business line management; and

(B) Is responsible for designing, implementing, and overseeing the Enterprise's operational risk data and assessment systems, operational risk quantification systems, and related processes;

(ii) Have and document a process (which must capture business environment and internal control factors affecting the Enterprise's operational risk profile) to identify, measure, monitor, and control operational risk in the Enterprise's products, activities, processes, and systems; and

(iii) Report operational risk exposures, operational loss events, and other relevant operational risk information to business unit management, senior management, and the board of directors (or a designated committee of the board).

(2) Operational risk data and assessment systems. An Enterprise must have operational risk data and assessment systems that capture operational risks to which the Enterprise is exposed. The Enterprise's operational risk data and assessment systems must:

(i) Be structured in a manner consistent with the Enterprise's current business activities, risk profile, technological processes, and risk management processes; and

(ii) Include credible, transparent, systematic, and verifiable processes that incorporate the following elements on an ongoing basis:

(A) Internal operational loss event data. The Enterprise must have a systematic process for capturing and using internal operational loss event data in its operational risk data and assessment systems.

(1) The Enterprise's operational risk data and assessment systems must include a historical observation period of at least five years for internal operational loss event data (or such shorter period approved by FHFA to address transitional situations, such as integrating a new business line).

(2) The Enterprise must be able to map its internal operational loss event data into the seven operational loss event type categories.

(3) The Enterprise may refrain from collecting internal operational loss event data for individual operational losses below established dollar threshold amounts if the Enterprise can demonstrate to the satisfaction of FHFA that the thresholds are reasonable, do not exclude important internal operational loss event data, and permit the Enterprise to capture substantially all the dollar value of the Enterprise's operational losses.

(B) External operational loss event data. The Enterprise must have a systematic process for determining its methodologies for incorporating external operational loss event data into its operational risk data and assessment systems.

(C) Scenario analysis. The Enterprise must have a systematic process for determining its methodologies for incorporating scenario analysis into its operational risk data and assessment systems.

(D) Business environment and internal control factors. The Enterprise must incorporate business environment and internal control factors into its operational risk data and assessment systems. The Enterprise must also periodically compare the results of its prior business environment and internal control factor assessments against its actual operational losses incurred in the intervening period.

(3) Operational risk quantification systems. The Enterprise's operational risk quantification systems:

(i) Must generate estimates of the Enterprise's operational risk exposure using its operational risk data and assessment systems;

(ii) Must employ a unit of measure that is appropriate for the Enterprise's range of business activities and the variety of operational loss events to which it is exposed, and that does not combine business activities or operational loss events with demonstrably different risk profiles within the same loss distribution;

(iii) Must include a credible, transparent, systematic, and verifiable approach for weighting each of the four elements, described in paragraph (d)(2)(ii) of this section, that an Enterprise is required to incorporate into its operational risk data and assessment systems;

(iv) May use internal estimates of dependence among operational losses across and within units of measure if the Enterprise can demonstrate to the satisfaction of FHFA that its process for estimating dependence is sound, robust to a variety of scenarios, and implemented with integrity, and allows for uncertainty surrounding the estimates. If the Enterprise has not made such a demonstration, it must sum operational risk exposure estimates across units of measure to calculate its total operational risk exposure; and

(v) Must be reviewed and updated (as appropriate) whenever the Enterprise becomes aware of information that may have a material effect on the Enterprise's estimate of operational risk exposure, but the review and update must occur no less frequently than annually.

(e) Data management and maintenance. (1) An Enterprise must have data management and maintenance systems that adequately support all aspects of its advanced systems and the timely and accurate reporting of risk-based capital requirements.

(2) An Enterprise must retain data using an electronic format that allows timely retrieval of data for analysis, validation, reporting, and disclosure purposes.

(3) An Enterprise must retain sufficient data elements related to key risk drivers to permit adequate monitoring, validation, and refinement of its advanced systems.

(f) Control, oversight, and validation mechanisms. (1) The Enterprise's senior management must ensure that all components of the Enterprise's advanced systems function effectively and comply with the minimum requirements in this section.

(2) The Enterprise's board of directors (or a designated committee of the board) must at least annually review the effectiveness of, and approve, the Enterprise's advanced systems.

(3) An Enterprise must have an effective system of controls and oversight that:

(i) Ensures ongoing compliance with the minimum requirements in this section;

(ii) Maintains the integrity, reliability, and accuracy of the Enterprise's advanced systems; and

(iii) Includes adequate governance and project management processes.

(4) The Enterprise must validate, on an ongoing basis, its advanced systems. The Enterprise's validation process must be independent of the advanced systems' development, implementation, and operation, or the validation process must be subjected to an independent review of its adequacy and effectiveness. Validation must include:

(i) An evaluation of the conceptual soundness of (including developmental evidence supporting) the advanced systems;

(ii) An ongoing monitoring process that includes verification of processes and benchmarking; and

(iii) An outcomes analysis process that includes backtesting.

(5) The Enterprise must have an internal audit function or equivalent function that is independent of business-line management that at least annually:

(i) Reviews the Enterprise's advanced systems and associated operations, including the operations of its credit function and estimations of risk parameters;

(ii) Assesses the effectiveness of the controls supporting the Enterprise's advanced systems; and

(iii) Documents and reports its findings to the Enterprise's board of directors (or a committee thereof).

(6) The Enterprise must periodically stress test its advanced systems. The stress testing must include a consideration of how economic cycles, especially downturns, affect risk-based capital requirements (including migration across rating grades and segments and the credit risk mitigation benefits of double default treatment).

(g) Documentation. The Enterprise must adequately document all material aspects of its advanced systems.

---