The RBI recently released[1] a draft Master Direction, hereafter referred to as the draft guidelines, for the computation of minimum capital requirements for operational risk faced by Scheduled Commercial Banks (SCBs)[2]. The draft guidelines also outline the corresponding disclosures relating to operational risk capital. The objective of the draft guidelines is to bring greater convergence between RBI regulations and Basel III standards[3]. The draft guidelines seek to replace the existing Basic Indicator approach with the new Standardised Approach of Basel III. In our response, we commend and highlight the more risk sensitive methodology and the corresponding disclosures outlined in the draft guidelines. However, we also point out that not including conduct risk under operational risk is a major lacuna. We discuss these observations in the following paragraphs.
Conduct Risk as a part of Operational Risk
The RBI does not explicitly include conduct risk as a part of the operational risk framework. Instead, it includes one component of conduct risk, “Losses arising from an unintentional or negligent failure to meet a professional obligation”[4], while calculating operational risk capital[5]. To contextualise, the European Banking Authority (EBA) defines conduct risk as “current or prospective risk of losses to an institution arising from inappropriate supply of financial services including cases of wilful or negligent misconduct”[6] and considers this as one of the most important and increasing sources of operational risk[7].
RBI’s current approach of considering only negligent failures to meet fiduciary and suitability requirements towards customers is a step in the right direction, but it leaves out other aspects of conduct risk unaddressed. For example, this approach leaves out operational risk losses arising from wilful misconduct by the employees of the bank towards its customers.
Both types of misconduct, i.e., wilful, and negligent, could result in losses for the bank. However, there are two notable differences between the two types. Wilful failure to meet suitability and fiduciary requirements indicates the intentional performance of actions that the employee knows to be harmful to the customer. Whereas, in case of a negligent failure, though there is a harm to the customer, and thus the bank, there is no intent on the part of the employee to cause such harm. This difference in definition becomes pivotal since wilful misconducts are often symptomatic of a bank wide risk culture that is detrimental to the customer and the bank. The rampant mis-selling at Wells Fargo, between 2002 and 2016, is an example to this effect[8].
The second point of difference between wilful misconduct and negligent actions emerge from the likely impact of the two actions. In case of wilful misconduct, the employee is aware of their violation, and therefore is likely to obfuscate efforts to detect or check them. Thus, these actions are harder to detect and are therefore likely to continue for longer periods, and potentially leading to more losses. In case of negligent actions, we can safely presume that there will be no effort in obfuscation, and thus greater ease of detection and lower probability of losses. However, in cases where the employee realises that she has negligently caused harm, it is possible that they may then wilfully want to hide such details from the bank’s management, but such cases are covered under the RBI’s proposed category of defrauding the company.
Finally, it is true that an employee could wilfully neglect to follow guidelines and thus there is some overlap between the two categories. Thus, it is prudent to minimise the scope of interpretation and explicitly describe both categories. In doing so, the RBI may rely on the definition by EBA which uses the phrase “cases of wilful or negligent misconduct”, encompassing both aspects and differentiating between them, while acknowledging the potential for overlap. It is possible that the RBI considered the issue but assumed that it would be obvious to banks that if negligent misconduct poses operational risk, wilful misconduct does too. Thus, RBI may have decided not to explicitly describe wilful misconduct in the draft guidelines. However, we believe it is prudent to rely on explicit directives, rather than the expectation of an implicit understanding by the providers.
To conclude, if wilful misconduct is not monitored and checked, it will lead to continuing operational risk losses. Thus, it is important that wilful misconduct is explicitly recognised and considered in the formulation of policies to mitigate operational risk losses. It is also to be noted here that wilful misconduct by employees towards customers is different from employees defrauding the company, which is covered under the ‘Internal Fraud’ event category type. Further, the activity examples given under the ‘Internal Fraud’ category also do not include loss suffered due to defrauding of the customer. This is a significant lacuna as there is clear evidence that banks in India are actively mis-selling 3rd party products to its customers[9]. RBI also recognised this when it included complaints related to mis-selling under its Banking Ombudsman Scheme[10]. It should take note of this omission and correct the same. Aside from this oversight, the draft guidelines contain substantial improvements over the extant guidelines. We elaborate on these in the following sections.
Improvement over Extant Regulations
The draft guidelines build upon the extant regulations in terms of the sophistication and the risk sensitivity of the approach used to calculate operational risk capital. Under the extant regulations, the operational risk capital depends only on the average of the gross income of the preceding three financial years, excluding years of negative or zero gross income. Here, gross income is defined as – Net Profit + Provisions + Operating Expense – other items [11]. In contrast, the draft guidelines propose a methodology that, in addition to the income and expenses, considers the amount of interest earning assets and the historical operational loss experience of the bank[12]. This is more risk sensitive than the current approach as the level of interest earning assets more accurately correlate with the size of the banks, which, in turn, is a proxy of its operational risk exposure. Also, the methodology uses the absolute values of the difference between income and expense, without the positive or negative sign, instead of only positive gross income. This ensures that banks cannot exclude data for financial years, where their gross income was negative or zero, while calculating their operational risk capital. The draft guidelines uses the formulaic standardised approach instead of more complex model based approaches and this is in line with the policy direction in other jurisdictions to reduce the reliance on internal models for calculation of capital[13],[14].
Along with a more risk sensitive methodology, the draft guidelines also prescribe greater public disclosures, on both qualitative and quantitative aspects of the operational risk capital, in accordance with Basel Pillar III requirements. More specifically, the draft guidelines prescribe the public disclosure of annual historical losses suffered by the bank, including the number and amount of excluded losses, on an aggregate level[15]. This is a welcome change if implemented and is in line with some of our recommendations on disclosures of operational risk, wherein we recommend the disclosure of fraud and claims data related to operational risk events, in our paper assessing the level of transparency of our banking systems’ public risk disclosure regime[16].
The draft guidelines also cover a growing and important aspect of the banking business in India – the outsourcing of activities. We elaborate on this in the following section.
Losses from Outsourced Activities
Outsourcing of activities is an important strategy employed by banks to not only better serve their customers but also efficiently manage certain internal processes. Such a strategy exposes banks to potential losses due to operational failures by their third-party vendors. In certain forms of digital and non-digital lending, banks are exposed to both credit and operational risk from the same third party. This can occur when the vendor not only originates credit on behalf of the bank but also provides any form of credit enhancement on the portfolio it originates. We have touched upon this in our response to the Report of the Working Group on Digital Lending including Lending through Online Platforms and Mobile Apps and elaborated on how regulation can address these aspects separately. Specifically, we have outlined potential regulatory approaches depending on whether the bank is exposed to only operational or operational and credit risk from the third party[17]. The draft guidelines adopt a similar approach but articulate it at the level of principles. The draft guidelines require banks to include all operational losses from outsourced activities, for which the bank is financially responsible, in their operational loss dataset[18]. Concomitantly, it also requires banks to account for operational loss events that relate to credit risk but are not accounted for in the credit risk weighted assets[19]. We welcome these inclusions.
Conclusion
The draft guidelines are a major improvement over the extant regulations and would strengthen the banks’ internal operational risk measurement and management process while also improving market discipline through enhanced disclosures. The mandate on the usage of a single approach for the calculation of risk capital will enable better comparability of disclosures among banks. However, the categories of operational risk losses should be expanded to include those arising from wilful misconduct by bank employees towards the customers of the bank. This would not only make the estimation of operational risk losses more accurate but could also enable a risk culture within the bank that dissuades such actions.
[1] See the Press Release of RBI’s Draft Master Direction on Minimum Capital Requirements for Operational Risk – https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=52725
[2] Small Finance Banks, Local Area Banks, Regional Rural Banks and Payments Banks are excluded from the purview of this regulation
[3] RBI’s Draft Master Direction on Minimum Capital Requirements for Operational Risk – https://rbidocs.rbi.org.in/rdocs/content/pdfs/DraftMDMCRO15122021.pdf
[4] The full definition reads – “Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.”
[5] Annex 4, RBI’s Draft Master Direction on Minimum Capital Requirements for Operational Risk – https://rbidocs.rbi.org.in/rdocs/content/pdfs/DraftMDMCRO15122021.pdf
[6] Guideline 3, Guidelines on common procedures and methodologies for supervisory review and evaluation process, Dec 2014 – https://eba.europa.eu/documents/10180/935249/EBA-GL-2014-13+%28Guidelines+on+SREP+methodologies+and+processes%29.pdf/4b842c7e-3294-4947-94cd-ad7f94405d66
[7] Point 85, Policy Advice on the Basel III Reforms: Operational Risk, EBA, Aug 2019
[8] See https://www.americanbanker.com/news/wells-fargo-employees-feared-for-their-jobs-consumer-banking-head-says – retrieved on 31-01-2022
[9] Halan, M, et al. “Misled and Mis-sold: Financial Misbehaviour in Retail Banks?”, 2016, NIPFP Working Paper Series
[10] See Press Release from RBI, June 2017 – https://www.rbi.org.in/commonman/English/Scripts/PressReleases.aspx?Id=2263
[11] Section 9.3, RBI Master Circular on Basel III Capital Regulations, July 2015
[12] Section 4.5, RBI’s Draft Master Direction on Minimum Capital Requirements for Operational Risk – https://rbidocs.rbi.org.in/rdocs/content/pdfs/DraftMDMCRO15122021.pdf
[13] See Speech by Elizabeth McCaul, Member of the supervisory Board of the European Central Bank (ECB), “The final leap: implementing the Basel III reforms in Europe”, Sep 2021 – https://www.bankingsupervision.europa.eu/press/speeches/date/2021/html/ssm.sp210908_1~2f82d84760.en.html
[14] See Basel III: Finalising post-crisis reforms, Dec 2017 – https://www.bis.org/bcbs/publ/d424.htm . This was adopted by the EBA, though it has not been implemented yet – https://www.eba.europa.eu/regulation-and-policy/implementing-basel-iii-europe
[15] Annex 3, RBI’s Draft Master Direction on Minimum Capital Requirements for Operational Risk – https://rbidocs.rbi.org.in/rdocs/content/pdfs/DraftMDMCRO15122021.pdf
[16] Section 4.1.2, Srinivas, Madhu, et al. “Assessing Transparency of Indian Banking System’s Public Risk Disclosure Regime – A Regulation Based Approach”. 2021. Dvara Research
[17] Section 2.4, Prasad, Srikara, et al. “Comments to the Reserve Bank of India on the Report of the Working Group on Digital Lending including Lending through Online Platforms and Mobile Apps dated 18 November 2021.” 2022. Dvara Research
[18] Section 4.1(c), Annex 2, RBI’s Draft Master Direction on Minimum Capital Requirements for Operational Risk – https://rbidocs.rbi.org.in/rdocs/content/pdfs/DraftMDMCRO15122021.pdf
[19] Section 4.1(f), Ibid
Cite this Item:
APA
Srinivas, Madhu. 2022. “Comments on RBI’s Draft Master Direction on Minimum Capital Requirements for Operational Risk.” Dvara Research.
MLA
Srinivas, Madhu. “Comments on RBI’s Draft Master Direction on Minimum Capital Requirements for Operational Risk.” 2022. Dvara Research.
Chicago
Srinivas, Madhu. 2022. “Comments on RBI’s Draft Master Direction on Minimum Capital Requirements for Operational Risk.” Dvara Research.