Skip to Content


Supervisory Guidance: Supervisory Review Process of Capital Adequacy (Pillar 2) Related to the Implementation of the Basel II Advanced Capital Framework

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision, Treasury (OTS) (collectively, the agencies).


Final supervisory guidance.


The agencies are publishing guidance regarding the supervisory review process for capital adequacy (Pillar 2) provided in the Basel II advanced approaches final rule, which was published in the Federal Register on December 7, 2007 (advanced approaches final rule). The supervisory review process described in this guidance outlines the agencies' standards for satisfying the qualification requirements provided in the advanced approaches final rule; addressing the limitations of the minimum risk-based capital requirements for credit risk and operational risk; ensuring that each institution has a rigorous process for assessing its overall capital adequacy in relation to its risk profile and a comprehensive strategy for maintaining appropriate capital levels; and encouraging each institution to improve its risk identification and measurement techniques. This supervisory guidance applies to any bank, savings association, or bank holding company [1] implementing the advanced approaches final rule.


This guidance is effective September 2, 2008. Comments on the Paperwork Reduction Act portion of this document may be submitted on or before September 2, 2008.


Comments on the Paperwork Reduction Act portion of this document should be addressed to:

OCC: Communications Division, Office of the Comptroller of the Currency, Public Information Room, Mailstop 1-5, Attention: 1557-NEW, 250 E Street, SW., Washington, DC 20219. In addition, comments may be sent by fax to (202) 874-4448, or by electronic mail to You may personally inspect and photocopy the comments at the OCC's Public Information Room, 250 E Street, SW., Washington, DC 20219. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling (202) 874-5043. Upon arrival, visitors will be required to present valid government-issued photo identification and submit to security screening in order to inspect and photocopy comments.

Board: You may submit comments, identified by OP-1322, by any of the following methods:

  • Agency Web Site: Follow the instructions for submitting comments at​.
  • Federal eRulemaking Portal: Follow the instructions for submitting comments.
  • Fax: (202) 452-3819 or (202) 452-3102.
  • Mail: Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Start Printed Page 44621Constitution Avenue, NW., Washington, DC 20551.

All public comments are available from the Board's Web site at​generalinfo/​foia/​ProposedRegs.cfm as submitted, unless modified for technical reasons. Accordingly, your comments will not be edited to remove any identifying or contact information. Public comments may also be viewed electronically or in paper form in Room MP-500 of the Board's Martin Building (20th and C Streets, NW.) between 9 a.m. and 5 p.m. on weekdays.

FDIC: You may submit comments by any of the following methods:

  • Agency Web Site:​regulations/​laws/​federal. Follow instructions for submitting comments on the Agency Web Site.
  • E-mail: Include “Basel II Supervisory Guidance” in the subject line of the message.
  • Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.
  • Hand Delivery/Courier: Guard station at the rear of the 550 17th Street Building (located on F Street) on business days between 7 a.m. and 5 p.m. (EST).
  • Federal eRulemaking Portal: Follow the instructions for submitting comments.
  • Public Inspection: All comments received will be posted without change to​regulations/​laws/​federal including any personal information provided. Comments may be inspected and photocopied in the FDIC Public Information Center, 3501 North Fairfax Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5 p.m. (EST) on business days. Paper copies of public comments may be ordered from the Public Information Center by telephone at (877) 275-3342 or (703) 562-2200.

OTS: Information Collection Comments, Chief Counsel's Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552; send a facsimile transmission to (202) 906-6518; or send an e-mail to OTS will post comments and the related index on the OTS Internet site at In addition, interested persons may inspect the comments at the Public Reading Room, 1700 G Street, NW., by appointment. To make an appointment, call (202) 906-5922, send an e-mail to, or send a facsimile transmission to (202) 906-7755. A copy of the comments may also be submitted to the OMB desk officer for the Agencies: By mail to U.S. Office of Management and Budget, 725 17th Street, NW., Room 10235, Washington, DC 20503 or by facsimile to 202-395-6974, Attention: Federal Banking Agency Desk Officer.

Start Further Info


OCC: Akhtarur Siddique, Lead Expert, Risk Analysis, (202) 874-4665; or Ron Shimabukuro, Senior Counsel, Legislative and Regulatory Activities Division, (202) 874-5090; Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219.

Board: David Palmer, Senior Supervisory Financial Analyst, Credit Risk Section, (202) 452-2904 or Sabeth Siddique, Assistant Director, Credit Risk Section, (202) 452-3861; Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551. For the hearing impaired only, Telecommunication Device for the Deaf (TDD), (202) 263-4869.

FDIC: Gloria Ikosi, Senior Quantitative Risk Analyst, (202) 898-3997, or Ryan Sheller, Capital Markets Specialist, (202) 898-6614; Capital Markets Policy Section, Division of Supervision and Consumer Protection; or Mark L. Handzlik, Senior Attorney, (202) 898-3990, or Michael B. Phillips, Counsel, (202) 898-3581, Supervision Branch, Legal Division, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.

OTS: Sonja White, Senior Project Manager, (202) 906-7857, Capital Policy, or Jonathan Jones, Senior Financial Economist, (202) 906-5729, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552.

End Further Info End Preamble Start Supplemental Information


The agencies issued a notice of proposed rulemaking (NPR) on September 25, 2006,[2] seeking comment on a new risk-based capital adequacy framework that requires some and permits other qualifying banks to use an internal ratings-based (IRB) approach to calculate regulatory capital requirements for credit risk and certain advanced measurement approaches (AMA) to calculate regulatory capital requirements for operational risk (together, the IRB and the AMA are referred to as the “advanced approaches”). On December 7, 2007, the agencies published the advanced approaches final rule.[3] The advanced approaches final rule is based largely on a series of publications by the Basel Committee on Banking Supervision (BCBS) that culminated in a comprehensive release in June 2006, titled, “International Convergence of Capital Measurement and Capital Standards: A Revised Framework” (New Accord). The New Accord presents a three-pillar framework for determining risk-based capital requirements for credit risk, market risk, and operational risk (Pillar 1); supervisory review of capital adequacy (Pillar 2); and market discipline through enhanced public disclosure (Pillar 3).

On February 28, 2007, the agencies published in the Federal Register three separate documents proposing supervisory guidance related to the implementation of the advanced approaches.[4] Two of those documents provided guidance for certain aspects of Pillar 1, that is, for the IRB systems for determining the credit risk of retail and wholesale exposures, and other systems for equity and securitization exposures, and for the AMA for determining operational risk. The third document proposed guidance for Pillar 2. This final guidance document provides supervisory guidance only for Pillar 2, and it does not provide Pillar 1 guidance on the systems for determining regulatory capital requirements for credit risk or for determining regulatory capital requirements for operational risk. This document does not differ significantly from the proposed Pillar 2 guidance.

The agencies recognize that a number of institutions may need additional guidance to implement the advanced approaches final rule. Accordingly, consistent with the proposed guidance for Pillar 2, this guidance document highlights certain aspects of existing supervisory review that are being augmented or clarified to support the implementation of the supervisory assessment of overall capital adequacy under the advanced approaches final rule. In making this assessment, the agencies will consider, among other items, whether each institution (i) has satisfied the qualification requirements for implementing the advanced approaches; (ii) has a rigorous process for assessing its overall capital adequacy in relation to its risk profile and a comprehensive strategy for maintaining appropriate capital levels (internal capital adequacy assessment process—ICAAP); and (iii) maintains a satisfactory risk management and control structure, consistent with its capital position and overall risk profile.

The agencies received ten public comments on the proposed guidance Start Printed Page 44622from banking organizations, trade associations representing the banking or financial services industry, and other interested parties. Overall, the commenters supported the principles-based orientation of the guidance. However, some commenters recommended revisions to certain sections of the guidance that they viewed as overly prescriptive. One commenter expressed concern that the guidance appeared to suggest that increases in risk should result in greater capital, even if an institution already maintains a substantial capital buffer. To address this concern, the agencies have revised the guidance to clarify that an increase in risk may not necessarily require an increase in capital where the bank already holds capital at a level exceeding what its internal processes and supervisors regard as adequate.

Other commenters expressed concern regarding the agencies' position that liquidity risk should be addressed within the ICAAP. However, the proposed guidance was consistent with the agencies' view of liquidity risk as a material risk that can affect capital adequacy. The agencies clarified this section of the guidance to indicate that, within the ICAAP, institutions should consider the capital adequacy implications of liquidity risk. One commenter expressed the concern that each bank's ICAAP measures would be compared to (and reconciled with) Pillar 1 measures and to other institutions' ICAAP results. The agencies acknowledge that there may be limited comparability to Pillar 1 measures because a bank's ICAAP under Pillar 2 should be tailored to its individual risk profile, while Pillar 1 measures are based on certain common assumptions that may not apply to each individual bank. Accordingly, there is likely to be some limit to the comparisons that can be made across institutions.

Some commenters expressed confusion about the stress testing requirement in Pillar 1 and stress testing discussed in the Pillar 2 guidance. The agencies regard stress testing as a critical component in the identification and measurement of material risks. Although there are no prescriptive stress testing requirements in Pillar 2, institutions should use stress testing or similar exercises in their ICAAP to consider the consequences of unlikely but severe events and outcomes as an input to the capital adequacy assessment process.

Finally, one commenter indicated that it might not be practical to incorporate the ICAAP into bank management's decision-making process. The agencies believe that for the ICAAP to be meaningful and relevant, it should be consistent with the bank's other risk management practices.

Paperwork Reduction Act

A. Request for Comment on Proposed Information Collection

In accordance with the requirements of the Paperwork Reduction Act of 1995, the Agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The Agencies are requesting comment on a proposed information collection. The Agencies are also giving notice that the proposed collection of information has been submitted to OMB for review and approval.

Comments are invited on:

(a) Whether the collection of information is necessary for the proper performance of the Agencies' functions, including whether the information has practical utility;

(b) The accuracy of the estimates of the burden of the information collection, including the validity of the methodology and assumptions used;

(c) Ways to enhance the quality, utility, and clarity of the information to be collected;

(d) Ways to minimize the burden of the information collection on respondents, including through the use of automated collection techniques or other forms of information technology; and

(e) Estimates of capital or start up costs and costs of operation, maintenance, and purchase of services to provide information.

B. Proposed Information Collection

Title of Information Collection: Basel II Interagency Supervisory Guidance for the Supervisory Review Process (Pillar 2).

Frequency of Response: Event-generated.

Affected Public:

OCC: National banks.

Board: State member banks and bank holding companies.

FDIC: Insured state nonmember banks and certain subsidiaries of these entities.

OTS: Savings associations and certain of their subsidiaries.

Abstract: The notice sets forth a supervisory guidance document for implementing the supervisory review process (Pillar 2). The guidance was issued for 60 days of comment on February 28, 2007 (72 FR 9084). No comments were received on the burden estimates provided in that notice.

The Agencies believe that paragraphs 37, 41, 43, and 46 impose new information collection requirements. Section 37 states that banks should state clearly the definition of capital used in any aspect of ICAAP and document any changes in the internal definition of capital. Under section 41, banks should maintain thorough documentation of ICAAP. Section 43 specifies that boards of directors should approve the bank's ICAAP, review it on a regular basis, and approve any changes. Boards of directors are also required under Section 46 to periodically review the assessment of overall capital adequacy and to analyze how measures of internal capital adequacy compare with other capital measures (such as regulatory or accounting).

The agencies burden estimates for these information collection requirements are summarized below. Note that the estimated number of respondents listed below include both institutions for which the Basel II risk-based capital requirements are mandatory and institutions that may be considering opting-in to Basel II (despite the lack of any formal commitment by most of these latter institutions).

Estimated Burden:


Number of Respondents: 52.

Estimated Burden per Respondent: 140 hours.

Total Estimated Annual Burden: 7,280 hours.


Number of Respondents: 15.

Estimated Burden per Respondent: 420 hours.

Total Estimated Annual Burden: 6,300 hours.


Number of Respondents: 19.

Estimated Burden per Respondent: 420 hours.

Total Estimated Annual Burden: 7,980 hours.


Number of Respondents: 4.

Estimated Burden per Respondent: 420 hours.

Total Estimated Annual Burden: 1,680 hours.

The full text of the guidance follows:

Supervisory Review Process of Capital Adequacy (Pillar 2) Related to the Implementation of the Advanced Approaches Final Rule

1. This guidance supplements the final rule published jointly by the U.S. Start Printed Page 44623Federal banking agencies[1] in the Federal Register on December 7, 2007 (advanced approaches rule).[2] The advanced approaches rule implements a new risk-based capital framework encompassing three pillars:

  • Minimum risk-based capital requirements (Pillar 1);
  • Supervisory review (Pillar 2); and
  • Market discipline through enhanced public disclosures (Pillar 3).

The minimum risk-based capital requirements in Pillar 1 of the advanced approaches rule apply to a bank's calculation of minimum risk-based capital requirements for credit risk and operational risk.[3] If the bank is also subject to the market risk rule,[4] then the minimum risk-based capital requirements in that rule would apply.[5]

2. This document addresses the process for supervisory review in the advanced approaches rule. As described in this guidance, supervisory review covers three main areas:

  • Comprehensive supervisory review of capital adequacy;
  • Compliance with regulatory capital requirements; and
  • Internal capital adequacy assessment process (ICAAP).

3. The process of supervisory review described in this guidance reflects a continuation of the longstanding approach employed by the agencies in their supervision of banks. However, because implementation of the advanced approaches rule affects certain aspects of supervisory review, this guidance highlights areas of existing supervisory review that are being augmented or more clearly defined to support implementation of the advanced approaches rule by U.S. banks.

4. The supervisory review process described in this document is intended to help ensure overall capital adequacy by:

  • Confirming a bank's compliance with regulatory capital requirements;
  • Addressing the limitations of minimum risk-based capital requirements as a measure of a bank's full risk profile—including risks not covered or not adequately addressed or quantified in Pillar 1;
  • Ensuring that each bank is able to assess its own capital adequacy (beyond minimum risk-based capital requirements) based on its risk profile and business model; and
  • Encouraging banks to develop and use better techniques to identify and measure risk.

5. This guidance neither supersedes nor alters the functioning of the existing Prompt Corrective Action requirements.[6] Similarly, this guidance does not affect any other requirements for compliance with existing regulations and supervisory standards related to risk-management practices or other areas. The supervisory review process described in this guidance supports the supervisors' existing ability to:

  • Require an individual bank to take measures to prevent its capital from falling below the level needed to adequately support its risks; or
  • Otherwise intervene to ensure that the bank's capital levels are adequate.

Comprehensive Supervisory Review of Capital Adequacy

6. Capital helps protect individual banks from insolvency, thereby promoting safety and soundness in the overall U.S. banking system. Minimum risk-based capital requirements establish a threshold below which a sound bank's risk-based capital must not fall. Risk-based capital ratios permit some comparative analysis of capital adequacy across banks because they are based on certain common assumptions. However, supervisors must perform a more comprehensive review of capital adequacy that considers the risks that are specific to each individual bank, including those not incorporated in risk-based capital requirements. In short, supervisors must ensure that a bank's overall capital does not fall below the level required to support its entire risk profile.

7. Supervisors generally expect banks to hold capital above their minimum risk-based capital levels, commensurate with their individual risk profiles, to account for all material risks. Going forward under the advanced approaches rule, supervisors will continue to review the overall capital adequacy of any bank through a comprehensive evaluation that considers all relevant available information. In determining the extent to which banks should hold capital in excess of risk-based capital minimums, supervisors will consider: The combined implications of a bank's compliance with qualification requirements for regulatory capital standards; the quality and results of a bank's own process for determining whether capital is adequate (the ICAAP); and the bank's risk-management processes, control structure, and other relevant information relating to the bank's risk profile and capital level.[7] This review is consistent with current supervisory practice, under which the agencies assess a bank's overall capital adequacy through a comprehensive evaluation of all relevant information.

8. The supervisory review process assesses whether a bank has a satisfactory process to determine that its overall capital is adequate, and that the bank maintains adequate capital on an ongoing basis, as underlying conditions change. For example, changes in a bank's risk profile or in relevant capital measures are areas of particular focus that are effectively addressed through the supervisory review process. Generally, a bank should hold more capital for material increases in risk that are not otherwise mitigated, unless the bank already holds capital at a level exceeding what its internal processes and supervisors would regard as adequate. Conversely, a bank may be able to reduce overall capital (to a level still above regulatory minimums) if the supervisory review supports the conclusion that the bank's inherent risk has materially declined or that it has been appropriately mitigated.

9. As a result of its comprehensive supervisory review, a bank's primary Federal supervisor may take action if it is not satisfied that capital is adequate. The primary Federal supervisor may require the bank to take actions to address identified supervisory concerns, which may include requiring the bank to hold additional capital to bring Start Printed Page 44624capital to levels that the supervisor deems commensurate with the bank's risk profile. In addition, the primary Federal supervisor may, under its enforcement authority, require a bank to modify or enhance risk-management and internal-control processes, reduce its exposure to risk, or take any action deemed necessary to address identified supervisory concerns.

Compliance With Regulatory Capital Requirements

10. In order to use the advanced approaches rule to calculate minimum risk-based capital requirements, a bank must meet certain process and systems requirements. As part of the supervisory review process, the agencies will ensure that each bank meets these requirements. The advanced approaches rule provides an explanation of these qualification requirements for any systems and processes used.

11. A bank using the advanced approaches rule must comply with the rule's qualification requirements for both initial and ongoing qualification. A bank that falls out of compliance with the qualification requirements would be required to establish a plan to return to compliance that satisfies its primary Federal supervisor.

12. Supervisors will ensure that each bank using the advanced approaches rule complies with the qualification requirements both at the consolidated level and at any subsidiary bank that uses the advanced approaches rule. Thus, each bank that applies the advanced approaches rule must have appropriate risk-measurement and risk-management processes and systems that meet the rule's qualification requirements.


13. The qualification requirements in the advanced approaches rule state that “a bank must have a rigorous process for assessing its overall capital adequacy in relation to its risk profile and a comprehensive strategy for maintaining an appropriate level of capital.” [8] Because minimum risk-based capital requirements are based on certain assumptions and address only a subset of risks faced by an individual bank, each bank must conduct an internal assessment of whether its capital is adequate, given its risk profile. A bank must conduct this assessment, using the ICAAP, in addition to its calculation of minimum risk-based capital requirements.[9] Accordingly, a bank's capital should exceed the level required by its minimum risk-based capital requirements, and also should be adequate according to its own ICAAP.

14. The fundamental objectives of a sound ICAAP are:

  • Identifying and measuring material risks;
  • Setting and assessing internal capital adequacy goals that relate directly to risk; and
  • Ensuring the integrity of internal capital adequacy assessments.

15. Assessing overall capital adequacy through the ICAAP requires thorough identification of all material risks, measurement of those that can be reliably quantified, and systematic assessment for the limitations of minimum risk-based capital requirements. The ICAAP should address the capital implications arising from both on- and off-balance sheet positions, as well as from provisions of explicit or implicit support. Material risks include those that in isolation do not appear to be material at first, but when combined with other risks could lead to material losses. In this manner, the ICAAP should contribute broadly to the development of better risk management within the organization at both the individual entity and consolidated levels.

16. Each bank implementing the advanced approaches rule should have an ICAAP that is appropriate for its unique risk characteristics and should not rely solely upon the assessment of capital adequacy at the parent company level. This does not preclude the use of a consolidated ICAAP as an important input to a subsidiary bank's own ICAAP, provided that each entity's board and senior management ensure that the ICAAP is appropriately modified to address the unique structural and operating characteristics and risks of the subsidiary bank.

17. In general, the ICAAP will likely go beyond the assumptions built into minimum risk-based capital requirements. However, in certain instances a bank's ICAAP—when supported by proper justification and evidence—may build upon and utilize the methods, practices, and results it uses to determine minimum risk-based capital requirements. For example, in developing the ICAAP, a bank may choose to use data, ratings, or estimates from internal ratings-based approaches for credit risk; or a bank may choose to use the advanced measurement approaches as the basis for its internal assessment of operational risk. Furthermore, although the ICAAP should be a distinct and comprehensive process that produces its own capital measures, in some cases a bank may be able to demonstrate that minimum risk-based capital measures appropriately reflect certain aspects of a bank's risk profile and thus are appropriate for use in its ICAAP.

18. The design and operation of any systems used to meet the ICAAP requirements will likely differ, depending on the complexity of each bank's operations and risk profile. Many banks employ “economic capital” measures for some elements of risk management, such as limit setting, or for evaluating performance or determining aggregate capital needs.[10] In some cases, economic capital measures may relate directly to a bank's assessment of capital adequacy under the ICAAP; however, in other cases, a bank may be using economic capital measures that are not intended for capital adequacy assessments. In the latter case, a bank does not necessarily need to change its existing process or systems, but it may need to build upon or adjust its economic capital measures for use in the ICAAP and the bank would have to demonstrate clearly how it does so. Notably, economic capital is not the only means to meet the ICAAP requirement. Regardless of the specific implementation method(s) chosen, the bank's ICAAP should address the three ICAAP objectives listed in paragraph 14.

Identifying and Measuring Material Risks

19. The first objective of the ICAAP is to identify all material risks. Risks that can be reliably measured and quantified should be treated as rigorously as data and methods allow. The appropriate means and methods to measure and quantify those material risks are likely to vary across banks. The key point is for a bank to be able to identify all material risks and measure those that can be reliably quantified in order to determine how those risks affect the bank's overall capital adequacy.

20. Some of the risks to which a bank may be exposed include credit risk, Start Printed Page 44625market risk, operational risk, interest rate risk in the banking book, and liquidity risk (as outlined below).[11] Other risks, such as reputational risk, business or strategic risk, and country risk may also be material for a bank and, in such cases, should be given equal consideration to the more formally defined risk types.[12] Additionally, if a bank employs risk mitigation techniques it should understand the risk to be mitigated and the potential effects of that mitigation (including enforceability and effectiveness).

  • Credit risk: A bank should have the ability to assess credit risk at the portfolio level in addition to the exposure or counterparty level. In making this assessment, the bank should be particularly attentive to identifying any credit risk concentrations and ensuring that their effects are adequately assessed. The bank should consider the various types of dependence among exposures, and the credit risk effects of extreme outcomes, stress events, and shocks to assumptions about portfolio and exposure behavior. The bank also should carefully assess concentrations in counterparty credit exposures, including those that result from trading in less liquid markets, and determine the effect that these exposures might have on capital adequacy.
  • Market risk: A bank should be able to identify risks in trading and capital markets activities resulting from a movement in market prices and rates. This determination should consider factors such as illiquidity of instruments, leverage, concentrated positions, one-way markets, non-linear or deep out-of-the money option positions as well as embedded optionality, and the potential for significant shifts in correlations or other types of dependence structures. Assessments that incorporate extreme events, idiosyncratic variations, credit migrations or changes in credit spreads, defaults, and shocks should also be tailored to capture key portfolio vulnerabilities.
  • Operational risk: A bank should be able to assess the potential risks resulting from inadequate or failed internal processes, people, and systems, as well as from events external to the bank.[13] This assessment should include the effects of extreme events and shocks relating to operational risk. Extreme events could include a substantial or sudden increase in failed processes across business units or a significant incidence of failed internal controls.
  • Interest rate risk in the banking book: A bank should incorporate interest rate risk in the banking book into its assessment of capital adequacy. In making this assessment, the bank should identify the risks associated with changes in interest rates that impact both on- and off-balance sheet exposures in the banking book from a short- and long-term perspective. This might include the impact of changes due to parallel yield curve shocks, yield curve twists, yield curve inversions, changes in the adjustment of rates earned and paid on different financial instruments with otherwise similar repricing characteristics (basis risk), and other relevant scenarios including some that incorporate stress events, extreme outcomes, and shocks to assumptions. The bank should be able to support any assumptions it has made with respect to the behavioral characteristics of servicing rights, non-maturity deposits, positions subject to prepayment risk, and other assets and liabilities, especially for those exposures characterized by embedded optionality.
  • Liquidity risk: A bank should incorporate liquidity risk into the assessment of its capital adequacy. A bank should evaluate whether capital is adequate given its own funding liquidity profile and given the liquidity of the markets in which it operates. This assessment should incorporate various types of liquidity environments and include an evaluation of the potential for a material disruption in the sources of liquidity typically relied on by the bank as a result of bank-specific as well as systemic events. A bank should consider the capital adequacy implications of lacking a well-diversified funding base, relying predominantly on wholesale credit markets for its funding, or relying heavily on volatile funding sources. A bank involved in securitization activities should consider the capital adequacy implications of relying on market liquidity to distribute warehoused assets, including the potential for disruptions that would cause a bank to bring certain items onto its balance sheet. In its assessment of the impact of liquidity risk on capital adequacy, the bank should also challenge assumptions built into its definition of liquid products.

The risk factors discussed above are not an exhaustive list of those affecting any given bank. A well-developed ICAAP should include an assessment of all relevant factors that present a material source of risk to capital, and should account for concentrations within each risk type.

21. A bank should assess whether its capital is sufficient to absorb any losses that may arise from activities that expose the bank to multiple risks within and across business lines or create concentrations across risk types.[14] A bank should recognize that losses could arise in several risk dimensions at the same time, stemming from the same event or a common set of factors. For example, a localized natural disaster could generate losses from credit, market, and operational risks. Additionally, the ICAAP should focus on any complex activities that give rise to multiple risks, and to their interaction. These activities can involve instruments that may be complex, illiquid, or difficult to value. For example, securitization activities expose a bank to a variety of risks that can affect capital adequacy at the same time, including credit, market, liquidity, and reputational risks; structured products can have multiple embedded risks that interact in complex ways and can present losses in multiple risk areas across different business lines at the same time. In general, the ICAAP should include an assessment of the potential effects of convergence of risks within and across business lines and their combined impact on capital adequacy.

22. The ICAAP should take into consideration the linkage between capital adequacy and damage or potential damage to a bank's reputation. A bank might incur losses affecting capital adequacy because of damage to its reputation, or the bank might incur losses trying to prevent or mitigate damage to its reputation. In assessing the linkage between reputational risk and capital adequacy, a bank should assess risks associated with both on-balance sheet and off-balance sheet exposures and activities, as well as risks associated with affiliates, subsidiaries, Start Printed Page 44626counterparties, clients, or other third parties. The assessment should include activities for which the bank acts as a sponsor or advisor, and cases in which the bank provides explicit or implicit support. A bank should also assess the risk of having to assume the losses of a third party to prevent or mitigate damage to the bank's reputation.

23. The bank's ICAAP should assess risks associated with new products, markets and activities. In making this assessment, the bank should account for any uncertainty in the valuation of new products, whether by the bank or a third party, which could be more challenging if the new products are particularly complex or do not have liquid markets. The ICAAP should take into consideration changing dynamics in markets for new products and uncertainty as to how new markets might respond to stress conditions. The ICAAP should also assess the challenges presented by new business lines or strategic acquisitions in terms of their impact on capital adequacy.

24. All measurements of risk should incorporate both quantitative and qualitative elements. Generally, a quantitative approach should form the foundation of a bank's measurement framework. Quantitative approaches that focus on most likely outcomes for budgeting, forecasting, or performance measurement purposes may not be fully applicable for assessing capital adequacy, which also should take less likely outcomes into account.

25. In some cases, quantitative tools can include the use of large historical databases. These databases are most applicable when they are fully reflective of all relevant risk characteristics, incorporate appropriate variability, and have adequate granularity and history; for example, they should include data based not just on benign but also more stressful economic periods or operating environments. When internal data are not available or do not reflect a bank's risk profile, a bank may rely on external data for risk measurements, but should ensure that external data have applicability to the bank's own activities and risk profile.

26. The confidence a bank places in the results of its ICAAP should depend on the quality and robustness of the associated risk assessments. When measuring risks, a bank should understand that estimation and measurement errors are common, and in many cases are themselves difficult to quantify. In general, the bank's ICAAP should reflect an appropriate level of conservatism to account for uncertainty in risk identification, risk mitigation or control, and risk quantification. In most cases, appropriate conservatism will result in greater capital needs.

27. In many cases, risk assessments may rely to a significant degree on models that use both qualitative and quantitative inputs. The use of models can enhance the ICAAP, but it can also introduce challenges. Specifically, models may fail to work as intended or expected, or they may be used inappropriately for purposes not considered in their initial design. These concerns apply to models purchased from third-party vendors, as well as to models that are internally developed. A bank using models as part of the ICAAP should recognize these possibilities and ensure that appropriate controls, such as rigorous initial and ongoing validation and independent review, are in place to mitigate and manage any risks related to model use. A bank should apply appropriate conservatism to compensate for any risks associated with models. Additional conservatism may be necessary to account for any uncertainties in the use of models to value on- or off-balance sheet exposures or for imperfections and volatility in market-based valuations. Additional conservatism may be necessary to compensate for increased risk, for example, when models or applications are more complex, or when they have a more significant influence on the ICAAP's results.

28. To gain a fuller understanding of the risks beyond more typical quantitative measures—such as those based on certain parameter behavior or distributional assumptions—a bank should also rely on other types of quantitative exercises. For example, stress testing, including scenario analysis and sensitivity analysis, is an additional quantitative exercise that a bank should regularly apply to complement more typical quantitative measures. A bank may need to rely more heavily on such exercises when internal or demonstrably relevant external data are scarce. These exercises can help gauge the consequences of outcomes that are unlikely, but would have a considerable impact on safety and soundness.

29. In addition to quantitative approaches for assessing risk, a bank should also employ qualitative approaches that incorporate management experience and judgment. Qualitative measures should be employed not only for those cases in which scarce data or unproven quantitative methods limit a full assessment of risk, but also more generally to complement even sophisticated quantitative estimates based on extensive and high-quality data.

30. A bank should be cognizant that both quantitative and qualitative approaches have their own inherent biases and assumptions that affect risk assessment. Accordingly, a bank should recognize the biases and assumptions embedded in, and the limitations of, the approaches used.

31. An effective ICAAP is comprehensive, assessing material risks across the entire bank. Each bank should have systems capable of aggregating across risk types. A bank should understand the challenges presented by risk aggregation and the inherent uncertainty in quantitative estimates used to aggregate risks (including the difficulty in estimating concentrations across risk types as noted in paragraph 21). For example, a bank is encouraged to consider the various interdependencies among risk types, the different techniques used to identify such interdependencies, and the channels through which those interdependencies might arise—across risk types, within the same business line, and across different business lines. Consistent with paragraph 26, any associated uncertainty in aggregating capital estimates across risk types and business lines should translate into greater capital needs.

32. Management should be systematic and rigorous in considering possible effects of diversification. Assumptions about diversification should be identified at each level where diversification is recognized, supported by analysis and evidence, and remain robust over time and under different market environments, including stressed market conditions. For example, a bank calculating the dependence structure within or among risk types should consider data quality and consistency, such as the volatility of correlations over time and during periods of market stress. In general, a bank should consider a wide range of possible adverse outcomes that have the potential to affect multiple risks at the same time and to limit expected diversification benefits. Consistent with paragraph 26, uncertainty in diversification estimates should translate into greater capital needs.

Setting and Assessing Capital Adequacy Goals That Relate to Risk

33. The second objective of the ICAAP is to set and assess capital adequacy goals in relation to all material risks. Under this objective, a bank should have a well-defined process to translate estimates of risk into an assessment of capital adequacy. In practice, capital Start Printed Page 44627adequacy goals may be reflected in various ways. A bank may choose to hold capital in excess of the level internal processes would regard as adequate for any number of business or strategic reasons. Excess capital may fluctuate over time. Each bank should recognize that minimum risk-based capital requirements represent a floor below which the bank's overall capital level must not fall, even if bank management believes that there is justification to maintain less capital.

34. A bank may establish its risk-tolerance level to reflect a desired level of risk coverage and/or a certain degree of creditworthiness, such as an explicit solvency standard. Accordingly, assessments of risk and capital adequacy should reflect the chosen risk tolerance of the bank. Because risk profiles and choices of risk tolerance may differ across banks, capital targets may also differ. However, if for internal capital adequacy purposes a bank were to choose to apply a level of risk coverage or a solvency standard that is less than that implied by minimum risk-based capital requirements, the bank would have to be able to: Identify and support the rationale for a lower solvency standard; demonstrate clearly that its ICAAP adequately addresses low-probability, high-severity events; and ensure that there is sufficient capital to absorb losses associated with such extreme events. Regardless of the solvency standard used, supervisors expect banks to hold capital at a level above that established by minimum risk-based capital requirements.

35. A bank should consider external conditions and other factors that influence its overall capital adequacy, including the potential impact of contingent exposures and changing economic and financial environments. The ICAAP should address the potential impact of broader market or systemic events, which could cause risk to increase beyond the bank's chosen risk-tolerance level, and have appropriate contingency plans for such outcomes. Such exercises may include stress testing, such as scenario and sensitivity analysis; however, in all cases they should incorporate both quantitative and qualitative methods.[15]

36. Through the ICAAP, a bank should ensure that adequate capital is held against all material risks, and that capital remains adequate not just at a point in time, but over time, to account for changes in a bank's strategic direction, evolving economic conditions, and volatility in the financial environment. A bank should be cognizant of the impact of market-driven valuations on the volatility of capital. Moreover, recognizing the sensitivity of capital to economic and financial cycles should be a critical component of a bank's planning for current and future capital needs. For example, a bank should consider the potential effects of a sudden, sustained economic downturn. The level of capital deemed adequate by a bank given its ICAAP might also be influenced by the bank's intention to hold additional capital to mitigate the impact of volatility in capital requirements, its need to support acquisition plans, or its decision to accommodate market perceptions of capital adequacy and their impact on funding costs.

37. In analyzing capital adequacy, a bank should evaluate the capacity of its capital to absorb losses. Because various definitions of capital are used within the banking industry, each bank should state clearly the definition of capital used in any aspect of its ICAAP. Since components of capital are not necessarily alike and have varying capacities to absorb losses, a bank should be able to demonstrate the relationship between its internal capital definition and its assessment of capital adequacy. If a bank's definition of capital differs from the regulatory definition, the bank should reconcile such differences and provide an analysis to support the inclusion of any capital instruments that are not recognized under the regulatory definition. Although common equity is generally the predominant component of a bank's capital structure, a bank may be able to support the inclusion of other capital instruments in its internal definition of capital if it can demonstrate a similar capacity to absorb losses. The bank should document any changes in its internal definition of capital, and the reason for those changes.

38. An effective capital plan recognizes a bank's short- and long-term capital needs and objectives. Accordingly, a bank should evaluate whether long-run capital targets are consistent with short-run goals, based on current and planned changes in risk profiles. In developing its capital plan, the bank also should recognize that accommodating additional capital needs can require significant lead time, can be costly, or can be quite difficult, especially during downturns or other times of stress. A bank should have contingency plans to address unexpected capital needs.

Ensuring Integrity of Internal Capital Adequacy Assessments

39. A satisfactory ICAAP comprises a complete process with proper oversight and controls, and not just an ability to carry out certain capital calculations. The various elements of a bank's ICAAP should complement and reinforce one another to achieve the overall objective of assessing capital adequacy, taking into account the bank's risk profile.

40. A bank should maintain adequate internal controls to ensure the integrity, objectivity, and consistent application of the ICAAP. Decisions regarding the design and operation of the ICAAP should reflect sound risk management, and should not be unduly influenced by competing business objectives. A bank should identify any deficiencies in its ICAAP and plan and take remedial actions to address the deficiencies in a timely manner. The principles underlying a bank's ICAAP should be incorporated into policies that are reviewed and approved at appropriate levels within the organization.

41. A bank should maintain thorough documentation of its ICAAP to ensure transparency. At a minimum, this should include a description of the bank's overall capital-management process, including the committees and individuals responsible for the ICAAP; the frequency and distribution of ICAAP-related reporting; and the procedures for the periodic evaluation of the appropriateness and adequacy of the ICAAP. In addition, where applicable, ICAAP documentation should demonstrate the bank's sound use of quantitative methods (including model selection and limitations) and data-selection techniques, as well as appropriate maintenance, controls, and validation. A bank should document and explain the role of third-party and vendor products, services and information—including methodologies, model inputs, systems, data, and ratings—and the extent to which they are used within the ICAAP. A bank should have a process to regularly evaluate the performance of third-party and vendor products, services and information. As part of the ICAAP documentation, a bank should document the assumptions, methods, Start Printed Page 44628data, information, and judgment used in its quantitative and qualitative approaches.

42. The ICAAP should be enhanced and refined over time, with learning and experience (both quantitative and qualitative) contributing to its improvement. The ICAAP should evolve with changes in the risk profile and activities of the bank, as well as with advances in risk measurement and management practices. For example, a bank should incorporate in its ICAAP the introduction of new products and business lines and activities to ensure that the bank's capital plan is responsive to changes in the operational and/or business environment.

43. The board of directors and senior management have certain responsibilities in developing, implementing, and overseeing the ICAAP. The board should approve the ICAAP and its components. The board or its appropriately delegated agent should review the ICAAP and its components on a regular basis, and approve any revisions. That review should encompass the effectiveness of the ICAAP, the appropriateness of risk tolerance levels and capital planning, and the strength of control infrastructures. Senior management should continually ensure that the ICAAP is functioning effectively and as intended, under a formal review policy that is explicit and well documented. Additionally, a bank's internal audit function should play a key role in reviewing the controls and governance surrounding the ICAAP on an ongoing basis.

44. Each bank should ensure that the components of its ICAAP, including any models and their inputs, are subject to the bank's validation policies and procedures. Validation should be independent of the development, implementation, and operation of the ICAAP components, or the validation process should be subject to an independent review of its adequacy and effectiveness. Validation is generally defined as an ongoing process that includes, but is not limited to, the collection and review of developmental evidence, process verification, benchmarking, outcomes analysis, and monitoring activities used to confirm that processes are operating as designed. Validation policies and procedures should reflect the bank's business, structure, and sophistication, as well as the relative importance of each component of the ICAAP. Accordingly, a bank is encouraged to consult the agencies' existing guidance on validation.

45. A bank's ICAAP should be aligned with and be a part of the bank's wider internal governance structure and overall risk-management processes. The ICAAP should not be viewed as simply a compliance exercise. Rather, it is a dynamic and evolving process that is used by a bank to provide internal assurance that capital is adequate given the bank's risk profile. Management is responsible for ensuring that the ICAAP is fully consistent with the overall risk management framework of the bank. Information derived through the ICAAP process should influence decision making at both the consolidated and individual business-line levels, and be used to inform other management processes related to risk assessment, business planning and forecasting, pricing strategies, and performance measurement.

46. As part of the ICAAP, the board or its delegated agent, as well as appropriate senior management, should periodically review the resulting assessment of overall capital adequacy. This review, which should occur at least annually, should include an analysis of how measures of internal capital adequacy compare with other capital measures (such as regulatory, accounting-based or market-determined). Upon completion of this review, the board or its delegated agent should determine that, consistent with safety and soundness, the bank's capital takes into account all material risks and is appropriate for its risk profile. However, in the event a capital deficiency is uncovered (that is, if capital is not consistent with the bank's risk profile or risk tolerance) management should consult and adhere to formal procedures to correct the capital deficiency.

Start Signature

Dated: July 14, 2008.

John C. Dugan,

Comptroller of the Currency.

By order of the Board of Governors of the Federal Reserve System, July 15, 2008.

Jennifer J. Johnson,

Secretary of the Board.

Dated at Washington, DC, the 15th day of July, 2008.

By order of the Federal Deposit Insurance Corporation.

Robert E. Feldman,

Executive Secretary.

Dated: July 14, 2008.

By the Office of Thrift Supervision.

John M. Reich,


End Signature End Supplemental Information


1.  Collectively referred to in the guidance as “banks”.

Back to Citation

1.  The Federal banking agencies are the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of the Comptroller of the Currency; and the Office of Thrift Supervision; and are collectively referred to as “the agencies,” “supervisors,” or “regulators” in this guidance.

Back to Citation

2.  72 FR 69288. The advanced approaches rule as codified at 12 CFR part 3, Appendix C (national banks); 12 CFR part 208, Appendix F (state member banks); 12 CFR part 225, Appendix G (bank holding companies); 12 CFR part 325 Appendix D (state nonmember banks); 12 CFR part 567, Appendix C (savings associations).

Back to Citation

3.  The term “bank” as used in this guidance includes banks, savings associations and bank holding companies. The terms “bank holding company” and “BHC” refer only to bank holding companies regulated by the Federal Reserve Board and do not include savings and loan holding companies regulated by the Office of Thrift Supervision.

Back to Citation

4.  12 CFR part 3, Appendix B (national banks), 12 CFR part 208, Appendix E (state member banks), 12 CFR part 225, Appendix E (bank holding companies), 12 CFR part 325, Appendix C (state nonmember banks). OTS intends to codify a market risk capital rule for savings associations at 12 CFR part 567, Appendix D.

Back to Citation

5.  If a bank is subject to both the advanced approaches rule and the market risk rule, then the bank is subject to this guidance. If a bank is subject only to the market risk rule, it is not subject to this guidance.

Back to Citation

6.  See 12 CFR part 6 (national banks); 12 CFR part 208 (state member banks); 12 CFR 325.103 (state nonmember banks); 12 CFR part 565 (savings associations). In addition, savings associations remain subject to the tangible capital requirement at 12 CFR 567.2(a)(3) and 567.9.

Back to Citation

7.  See Part III, section 22(a)(1)-(3) of the advanced approaches rule.

Back to Citation

8.  Part III, section 22(a) (1) of the advanced approaches rule.

Back to Citation

9.  Should the primary Federal supervisor exempt a bank from application of the advanced approaches rule based upon a written determination that the application of the rule is not appropriate in light of the bank's asset size, level of complexity, risk profile, or scope of operations, such exemption would likewise apply to the advanced approaches requirement that the bank have an ICAAP, but would not automatically exempt the bank from other regulatory requirements or supervisory expectations to maintain a satisfactory internal process to assess capital adequacy.

Back to Citation

10.  The term “economic capital” generally refers to the capital attributed to cover the economic effects of a bank's risk taking activities. Within the banking industry, economic capital takes on a variety of definitions and is applied in a number of ways at the product, business-line, and consolidated institution level.

Back to Citation

11.  Examination policies and procedures from each agency provide extensive guidance on the major risk categories. A bank's risk management processes, including its ICAAP, should be consistent with each corresponding agency's existing body of guidance, as well as with relevant interagency guidance.

Back to Citation

12.  For example, a bank may be engaged in businesses for which periodic fluctuations in activity levels, combined with relatively high fixed costs, have the potential to create unanticipated losses that must be supported by adequate capital. Additionally, a bank might be involved in strategic activities (such as expanding business lines or engaging in acquisitions) that introduce significant elements of risk and for which additional capital would be appropriate.

Back to Citation

13.  In many cases, a bank may capture legal risk within operational risk. Regardless of whether it is classified as its own risk type or included within another risk type, a bank should understand the impact of legal risk on capital adequacy.

Back to Citation

14.  Concentrations may include exposures or groups of exposures that have the potential to produce losses large enough to threaten an institution's health or materially change its risk profile.

Back to Citation

15.  The use of stress testing in identifying and measuring risk exposures and assessing capital adequacy in the ICAAP is not the same as the Pillar 1 stress testing requirement related to minimum risk-based capital requirements and qualification requirements (as described in the advanced approaches rule). The stress testing encouraged in the ICAAP guidance is intended to focus on overall capital needs and their possible fluctuations, not just fluctuations in minimum risk-based capital requirements. However, work conducted to meet the stress testing requirement under Pillar 1 may have application to or may provide a starting point for any stress testing banks decide to conduct as part of the ICAAP.

Back to Citation

[FR Doc. E8-17555 Filed 7-30-08; 8:45 am]

BILLING CODE 4810-33-P, 6210-01-P, 6714-01-P, 6720-01-P