Banks continue to adhere to new governance-related requirements on stress testing, designed to improve their risk management frameworks. This article discusses the regulatory view on governance for stress testing in the US, UK, and euro zone, as well as aspects of governance best practice and implementing an effective stress testing program.
Financial Institutions across the globe are preparing for new governance-related requirements on stress testing, which represent the latest regulatory efforts to improve banks’ risk management frameworks and the responsibilities of their senior management. From an enterprise-wide perspective, the regulators are requiring institutions to design and implement a comprehensive stress testing program and management controls with clear objectives and operational owners, and recommended actions for contingency planning. Under these frameworks, when regulatory expectations are not met, the regulators may consider a series of remedial actions, including, but not limited to, asset disposals, changes in the banks’ dividend policies and/or inability to pay dividends, mandatory issuance of new equity, leverage and growth limitations, and the mandatory conversion of contingent convertible debt (CoCos).2
Effectively, regulators want banks to use stress testing as a part of their business management process – not only for regulatory compliance – which represents a significant challenge in terms of data, systems integration, and workflow coordination.3 When designing a stress testing framework, this requirement provides a strong incentive to further integrate data management, stress testing analytics, and reporting into an enterprise-wide stress testing platform.
The Bank of England Prudential Regulation Authority (PRA) is introducing an annual stress test to assess banks’ resilience, monitor the UK financial system’s stability, and enhance capital and risk management practices at banks. This framework will be a core component of the capital and liquidity standards of the Bank of England and facilitate granular, high-quality data to the regulator for ongoing supervision.
The SS6/13 supervisory statement provides banks with an overview of the regulatory expectations for the stress testing program.4 Section 3.4 of this statement covers requirements in terms of governance and the involvement of an institution’s senior management:
“The PRA expects a firm’s senior management and governing body to be actively involved and engaged in all relevant stages of the firm’s stress testing and scenario analysis program. This would include establishing an appropriate stress testing program, reviewing the program’s implementation (including the design of scenarios) and challenging, approving and taking action based on the results of the stress tests. The PRA expects firms to assign adequate resources, including IT systems, to stress testing and scenario analysis, taking into account the stress testing techniques employed, so as to be able to accommodate different and changing stress tests at an appropriate level of granularity.”
The best policy guidance from the Federal Reserve (the Fed) that speaks to governance and frameworks for stress testing is the supervisory letter SR 12-7. This policy sets expectations in terms of governance for those institutions subject to the Comprehensive Capital Analysis and Review (CCAR) and Dodd-Frank Act Stress Test (DFAST) requirements. The regulatory expectation on stress testing is that the results of a stress testing program should be clear, actionable, well supported, and commensurate with the complexity and size of the organization.
“As noted under the new fifth principle of the final guidance, a banking organization’s stress testing framework will be effective only if it is subject to strong governance and controls to ensure that the framework functions as intended. This requirement will help ensure that the framework contains core elements, from clearly defined stress testing objectives to recommended actions. Importantly, strong governance provides critical review of elements of the stress testing framework, especially regarding key assumptions, uncertainties, and limitations. A banking organization should ensure that the stress testing framework is not isolated within a banking organization’s risk management function, but is firmly integrated into business lines, capital and asset-liability committees, and other decision-making bodies.”
In addition, the Office of the Comptroller of the Currency (OCC) has also released a proposal that would require banks with more than $50 billion in assets to form new risk governance structures, aligned with the Federal Reserve requirements.
“Banking organizations must design and implement comprehensive compliance and risk governance programs for the Volcker Rule, Dodd-Frank liquidity risk management standards, capital planning and stress testing, the changing derivatives regulatory landscape as well as other important legal and regulatory developments. The Federal Reserve and FDIC apply similar risk governance principles to large state banks and all three U.S. banking agencies apply some or all of these principles, over time, to mid-size banking organizations.”
Although the relevant European authorities (i.e., EBA, ECB) have not published guidance for any new governance requirements specifically applicable in cases of a stress test, the Capital Requirements Directive IV (CRD IV) does introduce clear corporate governance arrangements and mechanisms for European banks that affect the design and implementation of a stress testing program.5
The CRD IV rules concern the composition of boards and their function and role in risk oversight and strategy in order to improve their effectiveness.6 In addition, the market consensus is that an additional set of specific requirements on corporate governance for stress testing programs would be introduced in the near future if a regular stress test is requested by the European Central Bank (ECB) and/or European Banking Authority (EBA).
The status and the independence of the risk management function at institutions are also enhanced under the CRD IV. For example, the CRD IV states that supervisory authorities will scrutinize the banks’ governance arrangements, their corporate culture, and the ability of their management body to perform its duties. Further, supervisory authorities are required to play an important role in monitoring the risk governance arrangements of banks, which affects the stress testing governance programs at institutions.7
Regarding remediation actions when minimum capital levels are not met by the banks under supervision, the CRD IV already prohibits banks from making distributions of dividends in relation to Common Equity Tier 1 capital to an extent that would trigger a breach of their combined buffer requirement. Under this scenario, institutions will also have to submit a capital conservation plan to their competent authorities.8 This requirement is consistent with the stress testing-related remediation actions in other jurisdictions.
In addition, the Capital Requirements Regulation (CRR) states that the EBA expects to develop draft regulatory standards for the methodologies used by the competent national supervisory authorities when assessing risk.9 The EBA will submit those standards to the European Commission by the end of 2014 (likely after the ECB releases the results from the Comprehensive Assessment – AQR and EBA stress tests). Therefore, more specific stress testing governance guidance may be published at that stage, especially if a regular stress testing exercise is established for ongoing monitoring and as an early warning indicator to minimize banking crises in Europe.
Governance has become a key tenet of stress testing programs in banks and a qualitative measure used by regulators to assess the rigor, auditability, and repeatability of the banks’ internal stress testing business processes. While all but one bank passed the quantitative assessment in the recent 2013/2014 US CCAR test, four more failed on qualitative grounds.
For example, the Fed’s 2014 CCAR objected to the capital plans of Citigroup, Santander, Royal Bank of Scotland, Zions, and HSBC due to qualitative deficiencies in their governance framework, analysis, internal controls, information systems, and assumptions when performing stress testing and creating their capital plans.10 As a consequence, these institutions cannot implement their capital plans (including increasing the pay-outs ratios or capital distributions to shareholders) until an updated plan is resubmitted and remediation actions implemented. The final result is important, but it is also crucial that banks show how stress testing-related metrics are calculated and used at the institution.
Regulators consider it a failure in management when data is not available, and a lapse in governance when data is present but a managerial team is unable to turn it into actionable information in a timely fashion. In either case, both are likely to lead to a failed stress test evaluation on qualitative grounds and the delivery of an urgent Matters Requiring Attention (MRA) letter.
It can be time consuming to set up and execute a stress testing governance program to enable oversight of the stress testing process, the construction and execution of a defined stress testing process framework, and a single point of contact with the regulatory bodies. The generation of ever-changing swathes of data can become as much of a hindrance as a help.
There are a number of considerations that leaders should focus their attentions on when considering stress testing governance programs:
- By its nature, stress testing is ubiquitous and requires cooperation, collaboration, and participation between business units. Banks should set up a single stress testing program board charged with the centralized coordination and oversight of bank-wide stress testing activities. This board should be led by the CRO and report to the executive board and CEO.
- Due to the pervasive nature of bank stress testing, the aggregation, consolidation, and ultimate control and management of bank-wide data must also be considered a priority for management teams. Without the ability to efficiently pull together a complete picture of data across the bank, baseline that data, and then run scenarios in a controlled, methodical, and repeatable manner, teams can spend all of their time on data collection and quality issues rather than on the evaluation of results.
- On an enterprise-wide scale, this can lead to chaos, confusion, and hugely inefficient and expensive processes. We estimate that a quarter of banks still rely heavily on obsolete technology, such as Excel spreadsheets and email systems, to provision their stress testing.
- It is absolutely essential that banks implement stress testing-specific business information systems that can institutionalize their stress testing framework and provide the functionality to manage data, control and orchestrate workflows, run scenario analysis while seamlessly integrating the banks’ models, and automate the generation of regulatory and management reports.
- It is likely that complex banks with foreign banking operations in multiple geographies will be required to execute simultaneous tests by different regulatory bodies using different scenarios in different territories. When reviewing options for the infrastructure to support governance and control across geographies, banks must consider the ability to quickly adapt to international standards and languages while providing results consistent with their other territories.
- Most banks typically take between one and four months to run their stress test. With automation and improved efficiency, comes the opportunity to reduce the time required and more frequently run stress tests. Banks that embrace this opportunity will reduce costs and reap long-term business benefits. Stress testing then has the potential to move from a typically regulatory-driven exercise to a business-as-usual activity that contributes an additional dimension to the banks’ risk appetite measurement and capital planning and budgeting analysis.
Regulators have increased their focus and expectations on documentation, workflow, processes, and unstructured information to emphasize the importance of stress testing as both a risk management and supervisory tool. The coordination with other relevant regulatory processes (e.g., Internal Capital Adequacy Assessment Process, or ICAAP) and requirements by jurisdictions is also critical when operationalizing a stress testing program – especially for global banks that may be subject to the CCAR in the US, Bank of England PRA in the UK, and EBA/ECB stress tests in Europe.
A stress testing program should focus on automating and streamlining the workflow process across the enterprise, identifying dependencies, and maximizing the return-on-investment by addressing key elements (see Figure 2).
The roles and responsibilities of the institution’s board of directors and senior management in the stress testing program are important. For example, in its discussion paper, the Bank of England stresses the need for senior management and the board to be closely engaged with the stress testing exercise. In the US, banks’ senior management must provide the board of directors with sufficient information to facilitate their understanding of the firm’s stress testing for capital planning purposes.
From an operational perspective, a stress testing program requires close collaboration among different stakeholders at a bank (e.g., finance, technology, risk, auditing, and business lines). Therefore, designing a proper stress testing governance framework is a necessary condition to successfully operationalize the stress testing requirements (internal and regulatory-driven) and set an effective, consistent view across the organization. Some of the questions that institutions must answer to properly design a stress testing framework are:
- Technology and workflow design: How to best operationalize the stress testing program at the bank?
- Governance: Who are the owners of the respective tasks? Which body is responsible for the validation of results? What internal controls are needed? What framework is requested for each jurisdiction where the bank is subject to regulatory supervision?
- Policies and communication practices: Which policies and practices should banks use for the enterprise-wide stress testing function? How should banks build effective communication flows across divisions and business units?
- Consistency: Is there an alignment between internal/business units and regulatory stress testing requirements under applicable jurisdictions?
- Dependencies: What are the key dependencies across the areas affected by the stress testing program, especially reporting, architecture and IT, modeling, data, and regulatory processes (e.g., ICAAP, ILAAP)?
- Key performance and risk indicators: What are the KPIs linked to the stress testing program? How should banks reconcile these with the regulatory indicators and regulatory process?
- Modeling: Are the models properly designed and aligned with the goals of the stress testing program at the institution (e.g., level of granularity, top-down vs. bottom-up, etc.)?
- Contingency planning: Are the results of the stress testing program used for contingency planning? Does the stress testing program provide actionable results for the business?
- Documentation: Is the documentation solid and complete? Does the documentation meet the regulatory expectations on stress testing?
- Auditing and regulatory compliance: Can the results, models, data, and systems be audited? Does the data infrastructure meet the BCBS principles on data aggregation and management?11
Finally, enterprise stress testing programs must be integrated into financial institutions’ management and governance frameworks to guarantee a consistent view across businesses, jurisdictions, regulatory requirements, and budgeting/accounting projections at both a group and subsidiaries level. Therefore, the institutions’ process and governance framework for stress testing calculations and workflows is becoming even more important than the calculation itself.
1 European Banking Authority (EBA), European Central Bank (ECB), National Competent Authorities (NCA), Bank of England (BoE), Prudential Regulation Authority (PRA), Asset Quality Review (AQR), Advanced data collection (ADC), Transparency (TR) and Calculation, Validation & Support (CSV) Templates, Firm Data Submission Framework (FDSF), Financial Policy Committee (FPC), Capital Requirements Directive IV (CRD IV), Bank Holding Companies (BHC), Foreign Banking Organizations (FBO).
2 Under the Comprehensive Review being performed by the European Central Bank, the trigger is set at 5.5% Common Equity Tier 1 Capital. Under the Capital Requirements Regulation, banks can generate up to 1.5% of additional Tier 1 equity by issuing CoCos.
3 For example, the Fed’s Comprehensive Capital Analysis and Review and the Bank of England PRA.
4 Stress testing, scenario analysis, and capital planning, Bank of England, December 2013.
6 From November 4th, 2014 on, the Single Supervisory Mechanism (SSM) will be responsible for the supervisory function in Europe.
7 Art. 91 CRD IV and Art. 88 CRD IV, respectively.
8 Art. 74 I CRD IV and CRD IV, Art 98 VII, Art 117 I (a) CRD IV, respectively.
9 Art. 141 CRD IV.
10 Deutsche Bank and Barclays will likely be subject to the CCAR upon the implementation of the Fed’s Foreign Banking Organizations proposal by July 1st, 2016.
11 Principles for Effective Risk Data Aggregation and Risk Reporting, Basel Committee on Banking Supervision, January 2013.
Scott is a Director in the Regulatory and Accounting Solutions team responsible for providing accounting expertise across solutions, products, and services offered by Moody’s Analytics in the US. He has over 15 years of experience leading auditing, consulting and accounting policy initiatives for financial institutions.
Details how global risk managers can comply with new regulations, better manage risk, and meet business and industry demands.
Next ArticleData: The Foundation of Risk Management
In this article, we examine the role of new and emerging technologies in the rapidly evolving financial technology space.
This article provides an overview of the new standard and analyzes the major challenges financial institutions will face in ensuring IFRS 9 compliance.
Banks should prepare for a new business ecosystem driven by the financial technology (FinTech) revolution. Learn how the industry can adapt to disruptions.
International Financial Reporting Standard 9 (IFRS 9) will soon replace International Accounting Standard 39 (IAS 39). The change will materially influence banks’ financial statements, with impairment calculations affected most.
This article discusses the importance of effective resolution plans, given their impact throughout a business.
On October 26th, the European Central Bank (ECB) published the results of the Comprehensive Assessment (CA – AQR and Stress Test). This article discusses the results, next steps such as the timeline and capital plan to meet the capital shortfall, other potential areas of enhancement at banks, and future expectations.
Preparing for the 2014 EBA Stress Test - Best Practices for Regulatory Stress Testing & Capital Modeling
This Moody's Analytics and PRMIA webinar-on-demand provides an overview of EU stress testing regulatory requirements and the Moody's Analytics capabilities and solutions that will help you meet them.
This article discusses the importance of managing and measuring liquidity risk, regulatory guidelines and implications, and how an effective enterprise-wide stress testing program requires and integrates liquidity risk.
Forecasting revenue, expense, portfolio losses, and capital ratios plays an essential part in a stress testing framework. We examine the current state of stress testing and how institutions can prepare for upcoming regulatory requirements, such as the AQR.
This article outlines the steps to perform reverse stress testing, which explores tail risks and reveals hidden vulnerabilities and scenarios not reflected through traditional stress testing analysis.