risk base supervision of banks

8/4/2019 Risk Base Supervision of Banks

1/52

Financial Services Author it y

Risk based

approach tosupervision of

banks

June 1998


2/52

1 Introduction 3

2 Coverage of the RATE framework 5

3 Summary of the RATE framework 7

4 The RATE framework - a step by step guide 10

Appendix 1: CAMELB & COM evaluation factors 28

Appendix 2: Format for identifying significant business units 50

Contents

Risk based approach to supervision of banks 1 The Financial Services Author ity 1998


3/52

In 1997, the Bank of England published two consultative papers on its

proposed risk based approach to supervision of banks author ised under

the Banking Act 1987 (the Act). The approaches were known as the

RATE and SCALE frameworks*.

Following publication of these papers, comments were received from

banks, accountants, industry associations, and regulators (both

domestically and overseas). A response was subsequently published and,

during the latter half of 1997, the two approaches were prototyped on 17

UK incorporated banks and five non-EEA incorporated banks with

branches in the UK. Feedback was received on the prototyping which

resulted in some changes to the frameworks as originally proposed.

This paper sets out the Financial Services Author itys risk basedapproach to the supervision of banks; it applies to banks incorporated

both in the UK and in non-EEA countries. The paper merges the RATE

and SCALE frameworks into a single risk based approach, as the two

approaches were fundamentally the same. The merged risk based

approach to supervision will be known as the RATE framework.

Further copies of this paper are available from the FSA Publications

Department (at the following address) on receipt of a cheque for 10.00

each made payable to the FSA.

The FSA

25 The North Colonnade

Canary Wharf

London E14 5HS

The paper is also available on the FSAs Web site at www.fsa.gov.uk.

* RATE is Risk Assessment, Tools of Supervision, Evaluation.

SCALE is Schedule 3 Compliance Assessment, Liaison, Evaluation.

2 Financial Services Authority


4/52

1 See The Objectives, Standards and Processes of Banking Supervision.

2 See Financial Services Authority: an outline.

1 The objective of this paper is to provide a step by step description of the FSAs

risk based framework for the supervision of both UK and non-EEAincorporated banks authorised under the Banking Act 1987 (the Act). This

paper aims to increase understanding of how the FSA will conduct its

supervision of banks. It remains the responsibility of the senior management

of a bank to ensure that its business is conducted in accordance with the

requirements set out in the Act.

2 The approach enables the FSA to carry out its responsibilities placed on it by

the Act and explained in more detail in a paper entitled The Objectives,

Standards and Processes of Banking Supervision published by the Bank of

England in February 1997.1

In the latter, the FSA is committed to assessingbanks businesses, their risk profiles and the macro-economic context and to

designing effective supervisory plans and making appropriate use of

supervisory tools.

3 A risk based framework is also consistent with the FSAs approach to its

regulatory responsibilities as out lined in the FSAs launch document issued in

October 1997.2 In this document, the FSA states that it is committed to

adopt ing a flexible and differentiated risk based approach to setting standards

and to supervision, reflecting the nature of the business activities concerned,

the extent of risk within particular firms and markets, quality of firmsmanagement contro ls and the relative sophistication of the consumers

involved.

4 The risk based supervisory regime for banks set out in this paper is consistent

with both the FSAs style of regulation and the published standards of

supervision. It ensures greater consistency in the supervisory process and

Introduction1

Risk based approach to supervision of banks 3


5/52

establishes best practice in the supervision of banks. The approach is intended

to be flexible and to allow individual supervisors to exercise their own

judgement within a systematic framework.

Benefits

5 The FSA sees a number of benefits in the framework out lined in this paper. In

particular, the FSAs supervisors should gain a better understanding of the

quality of management, the characteristics of the business and the risks a bank

faces. It also enables the FSA to d isplay more consistency in carrying out its

supervisory responsibilities and to assess more systematically whether banks

continue to meet the minimum criteria for author isation, as set out in the Act

and in the Statements of Principles issued under section 16 of the Act.

6 The banks should benefit from the improved focus of the FSAs supervision

and from the specific targeting of the tools of supervision, such as specialiston-site visits and reporting accountants reports on internal controls (section

39 reports), to the areas of greatest risk and concern in individual banks.

7 The more explicit linking of the tools of supervision to areas of risk or concern

should mean that banks management understand why a supervisor has used a

particular supervisory tool. As a banks management and supervisors have a

common interest in ensuring that risks are properly identified and that

adequate and effective control systems are established, the supervisory work

commissioned should be of value to both part ies.

8 A risk assessment will involve the commitment of resources by both the

supervisors and a banks management. In particular, the supervisors need to

spend time on-site discussing the issues with senior bank management. The

time taken to perform this work will vary from bank to bank depending on

the size and complexity of the institution. However, following a risk

assessment, the supervisor will be better placed to decide on the intensity of

the future supervision having obtained a better understanding of a banks risk

profile. The intensity of supervision and the amount and focus of supervisory

action will increase in line with the perceived risk profile of a bank. One

advantage this has for banks is that the cost of supervision, in terms of

management t ime or through direct costs (e.g. report ing accountants fees),

should be more directly related to its risk.

9 From the FSAs perspective, the allocation of its own resources according to

risk - devoting more supervisory effort to those banks that have a high risk

profile - will be more efficient and again is consistent with the published

Standards for Supervisors. It will enable the FSA to target and prioritise the

use of its own resources.



6/52

3 As set ou t in the Second Consolidated Supervision Directive (2CSD). For further details of consolidated supervision

see Policy Guidelines, Chapter CS.

UK incorporated banks

10 In order to fulfil the FSAs responsibilities under the Act and for the purposes

of consolidated supervision the risk based supervisory framework described in

this paper will be applied to all banks and, where appropriate, their

consolidated groups.3 While the FSAs supervision will be focused on the

consolidated group when undertaking its risk assessment, it also needs to

ensure that each bank, i.e. the legal entity, meets the minimum criteria for

authorisation as set out in the Act (the schedule 3 criteria). As set out in the

Policy Guidelines, the FSAs approach to consolidated supervision of UK

incorporated banks owned by an overseas bank, is to extend the group

consolidation to the highest relevant EEA parent company (except whereanother EEA supervisor performs consolidated supervision).

Non-EEA incorporated banks

11 In undertaking its supervision of non-EEA incorporated banks with branches

in the UK, the FSA will not seek to duplicate the work already conducted by

the home supervisor. It will liaise as necessary with the relevant supervisor to

obtain information and to understand its approach to supervision, including

the extent to which the home supervisor carries out consolidated supervision.

12 For these banks, the FSA will focus its supervision on the bank as a whole, of

which the branch is part , as it is the bank as a whole which is authorised not

simply the UK branch. It is, therefore, the bank which must meet the

minimum criteria for author isation and the FSA is required under the Act to

ensure that it is sufficiently well informed about the bank as a whole to judge

whether these criteria are met.

Coverage of the RATEframework

2



7/52

EEA incorporated banks ( excluding UK incorporated banks)

13 The supervisory framework described in this paper is not applied to branches

in the UK of banks incorporated elsewhere in the EEA, since supervisory

responsibility for these banks lies primar ily with their home country

supervisor.

Definitions

14 For ease of reference and unless otherwise stated, the use of the word bank

throughout this paper refers to both the UK incorporated bank and its

consolidated group, and, in addition, to the non-EEA incorporated bank,

including the UK branch.

15 In some circumstances, it has been necessary to differentiate further. Where the

word branch is used, this refers to the UK branch of a bank incorporated in a

non-EEA country. Where the word wholebank is used, this refers to the non-

EEA bank as a whole, including the UK branch, i.e. the legal entity.



8/52

Overview

16 An overview of the RATE framework is shown in Diagram 1. This describes

the RATE process as if it were self-contained and as if each of the three phases

(RiskAssessment, Tools and Evaluation) were separate. In practice, the

process is not self contained but rather is dynamic because new information

will be received throughout the process which may require adaptation or

revision of supervisory actions and initiatives at any stage. However, for ease

of presentation the following sections analyse the three phases separately.

17 Each of the phases takes place during a supervisory period, which is the

length of time between undertak ing formal risk assessments on a part icular

bank. The period will vary according to the business and control risk profile of

the bank concerned, from six months for a bank whose overall risk profile is

classified as very high or for a bank undergoing major change, up to two

years, or possibly longer, for a bank whose overall risk profile is low and

whose business and control framework are stable.

18 In each supervisory period, the FSA will undertake a formal risk assessment

using nine evaluation factors. This assessment will be performed by analysing

information which the FSA already has available and from a series of meetings

(which will normally take place in a short, discrete period) with senior

management of the bank. In addition, for non-EEA incorporated banks, the

FSA will liaise with the home country supervisor to understand its approach to

supervision and to obtain relevant information on these banks in order to

perform a risk assessment on both the wholebank and branch. The objective

of this phase is to identify, in a systematic manner, the business or inherent

risks of a bank and to assess the adequacy and effectiveness of its controls,

organisation structure and management in order to establish the supervisory

programme. Through this risk based approach to supervision, the FSA will be

well placed to judge whether banks meet the minimum criteria for

authorisation.

Summary of the RATEframework

3



9/52

19 After each risk assessment the FSA will feed back its views on the banks risk

profile in a letter to the bank and, where appropriate, the home country

supervisor. The letter will also contain details of any remedial action the FSA

requires the bank to take, and of the supervisory programme comprising the

tools of supervision (such as section 39 reports, use of specialist resources and

liaison with overseas supervisors) which the FSA intends to apply. These toolswill be targeted at areas considered to be of higher risk and will be used to

investigate other potentially higher risk areas identified during the risk

assessment. The results of the tools will be examined as they become available,

which may require the FSA to reassess the risk profile of the bank, require the

bank to take remedial actions or for the FSA to take appropriate supervisory

action.

Diagram 1


RiskAssessment

Evaluation

Stocktake of supervisoryaction and results.

Risk assessment usingnine evaluati on f actors;

devise supervisory action plan; formalfeedback to banks (and other regulators) .

Execute supervisory planincluding tools of supervision;

ensure appropriateremedial action.

Tools ofsupervision

Supervisoryperiod

Normal supervisory practices


10/52

20 During the course of the supervisory period the FSA will constantly evaluate

the informat ion it receives, including that from the bank and home supervisor.

In addition, the FSA will undertake a formal evaluation to ensure that the

bank has implemented any agreed remedial actions, that the FSA has

completed its original work plan; that the findings of the supervisory tools

have been acted upon and to assess the effectiveness of its own supervision.The conclusions from the evaluation will be a key input into the next r isk

assessment.

21 Where the FSA identifies significant concerns, either from the risk assessment

or a t any time during the supervisory period, it will seek appropriate and

timely remedial action from the bank. Where these concerns relate to a non-

EEA incorporated bank, appropriate remedial action will be discussed and

sought in consultation with the home country supervisor. If these issues are

not resolved promptly and to the FSAs satisfaction, action may be initiated.

Actions available to the FSA include:

Increasing the banks capital requirement- the FSA can require an increase

in the capital a UK incorporated bank must hold relative to its assets;

Ring fencing of the bank - this involves the protection of a UK incorporated

bank from other parts of its wider group. This could mean limiting its

financial exposure to the rest of the group, or limiting the control exercised

over the bank by the parent o r shareholders. In the case of a UK branch of a

non-EEA incorporated bank, this might entail the establishment of a UK

incorporated company, i.e. subsidiarisation of the UK operations;

Formal supervisory action under the A ct- such action may be in the form of

restrictions on a banks business, either formal or informal, or revocation of

a banks authorisation if there is reasonable doubt whether one or more of

the minimum criteria for authorisation are being met.



11/52

22 In each supervisory period, the FSA will perform a r isk assessment, take

appropriate supervisory action, apply the tools of supervision and undertake aformal evaluation. Although these are described in this paper as discrete

phases, there will be considerable interaction among them.

23 The FSA will determine the length of the supervisory period after completing

each risk assessment. During the supervisory period, banks management

should be proactively contacting the FSA to explain any significant changes to

the business risk profile or control environment. In addition, the FSA will use

the tools of supervision to ensure that it is aware of significant developments

and changes to the banks risk profile, business or control structure. The FSA

may alter the length of the supervisory period a t any time.

24 Where a non-EEA incorporated bank has both a UK branch and an UK

incorporated subsidiary, line supervisors will seek to understand the linkages

between the two and to minimise supervisory duplication. The approach

adopted will vary according to the supervision undertaken by the home

supervisor. Where there are dual presences, the risk assessment will usually be

done simultaneously with meetings with key personnel covering issues relating

to both entities.

Risk assessment phase

25 In performing a risk assessment, the FSA will undertake the following steps,

which are summarised in Diagram 2.

Step 1: Identifying key units to be risk assessed

The objective of th is step is for the FSA to identify signifi cant business units

within the bank ing group so the FSA can focus its work during the risk

assessment phase and determine whom it should m eet w hen carrying out its

on-site work. A slightly different approach w ill be adopted for UK and n on-

EEA incorporated banks.

The RATE framework -a step by step guide

4



12/52

Diagram 2

The risk assessment - step by step

UK incorporated banks

26 Banking groups may have a management structure which operates in adifferent way from the legal organisation of the group. In performing a risk

assessment, the FSA will seek to understand how the banks own management

runs the banking group from both a business and control perspective. In

identifying business areas or units that should be covered in the risk assess-

ment, the FSA will normally adopt the approach used by the banks own

management in breaking down the group. However, as the FSA has a statu-

tory responsibility for supervising the legal entity it has authorised under the

Act, it will also be looking to management to demonstrate how it reconciles

running the group on business lines with the need to ensure that legal entities

remain in full compliance with supervisory and other statutory requirements.


Identi fy key unitsStep 1

Obtain pre-visitinformation

Step 2

Preliminary riskassessment

Step 3

Undertake on-site visitStep 4

Final risk assessmentStep 5

Prepare supervisoryprogramme

Step 6

Ensure consistencyStep 7

Formal feedback t o bank(and overseas regulators)

Step 8


13/52

4 For fur ther d etails, see Policy Guidelines, Ch apter CS, Section 8.

5 For further details, see Policy Guidelines, Chapter PB, Section 3.

27 In order to identify significant units, the FSA requires banks subject to

consolidated supervision to provide information on units (legal entities,

business units, geographical units or group counterparties) that are considered

to be significant: that is, if they use more than 5% of a groups regulatory

capital; or generate more than 5% of a groups gross revenues or profits; or

involve a financial exposure of more than 10% of a banks capital.4 Thesethresholds are consistent with those used in the FSAs implementation of the

Post-BCCI Directive.5 A suggested format for how this information might be

provided to FSA is shown in Appendix 2.

28 Discussions of which units are significant will normally take place annually

and certainly in advance of each risk assessment. The thresholds will also be

used to establish significant units for banks which are not part of a

consolidated group, and so are only subject to supervision of the legal entity.

29 A unit of a bank may not be caught by these thresholds even though it givesrise to significant business or control risk; for example any unit that is likely to

breach one of the quantitative thresholds in the coming year or attracts

significant reputational r isk. The FSA may, therefore, decide to include such

units in the risk assessment. The FSA will also need to ensure sufficient

coverage of the banking group, if those units deemed to be significant by

management do not together cover the major part of the bank, e.g. if the sum

of profits of all significant units is well below the banks total profit.

30 The first step in the RATE process will be to agree with banks exactly which

units are significant and should, therefore, be covered in the risk assessment.For those companies within the scope of the FSAs consolidated supervision,

the following principles will be applied.

(i) Consolidated groups incorporating fin ancial companies - Non-banking

financial businesses within the consolidated group (e.g. fund

management, corporate finance and investment services) are included in

the usual consolidated prudential returns submitted to the FSA. These

companies will be included in the risk assessment if they meet the

significance tests set out above. Where these financial companies are

regulated by the FSA, for example under the Financial Services Act, the

line supervisor will draw on the work already undertaken elsewhere in

the FSA in order to avoid any duplication . Similarly, the FSA would

expect to be able to take into account the work undertaken by overseas

regulators if the banking group had overseas operations that were

subject to regulation.



14/52

(ii) Consolidated groups incorporating non-fi nancial companies -

Companies considered not to be financial (e.g. manufacturing and estate

agencies) are not generally included in the FSAs consolidated prudent ial

returns. In such cases, the investment of the parent in a non-financial

company is deducted from the capital base of the group. H owever,

within its consolidated supervision, the FSA takes account of theactivities of these companies to the extent that they may have a material

bearing on the reputat ion and financial soundness of the bank.

Therefore, the FSA considers that such companies should be included in

its risk assessment if they meet the significance tests. In such cases, the

risk assessment will normally focus on the risks and controls within each

company and the controls exercised by the parent company.

(iii) Wider group - Where a UK incorporated bank forms part of a group

which goes wider than the banks consolidated prudential returns, the

FSA clearly needs to understand the potential impact on the bank of

other group companies. An example of such a group would be where a

bank is owned by an industrial company and therefore the bank forms

part of a much wider group whose business activities are diverse. It is not

intended to perform risk assessments on these companies (as the links

between them and the bank tend to be less close than those referred to

above) but, as at present, the FSA will wish to understand the nature and

scale of these businesses by obtaining relevant information (e.g. annual

accounts). In some instances, the FSA may wish to meet with individuals

outside the UK banking group to discuss the potential impact of suchcompanies on the bank and to understand the wider group strategy. This

assessment will be considered when evaluating the external risks of a

bank under the Business evaluation factor (see Step 3).

Non-EEA incorporated banks

31 For the risk assessment of a non-EEA incorporated bank, including the UK

branch, a slightly different approach will be taken. Whilst it will still be

necessary to understand which par ts of the wholebank a re material in order to

focus the risk assessment, it is important to avoid duplication with the home

country supervisor. Therefore, the FSA will begin its risk assessment by

understanding the methodology employed by the home supervisor in

identifying significant units of risk or its approach to materiality.

32 If the home supervisor does not use such a methodology to identify material

parts of the wholebank, the FSA will seek to obtain such information from

other sources, for example by using the annual accounts, management

information or group organograms. Based on this information, the FSA will

assess whether there are any areas of the wholebank which are significant in

terms of risk in order to focus its discussions with the home supervisor. This



15/52

6 Mo Us establish a clear mechanism for t he exchange of informat ion between supervisors, setting out each part ys

needs and expectations.

will also enable the FSA to assess the materiality of the UK branch in terms of

the legal entity.

33 For the UK branch, similar criteria to that used for UK incorporated banks

e.g. revenue, profits, will be used to determine the significant areas of risk.

Step 2: Obtaining pre-visit information, including liaison with overseasregulators

The objective of th is step is for the FSA to obtain further information direct

from the bank , where necessary. In add ition, the FSA needs to u nderstand the

approach to supervision adopted by overseas regulators and to obtain

relevant informat ion to ensure that it draws as far as possible on w ork

already undertaken, thus min imising duplication in supervision.

34 Pre-visit preparation is crucial to the success of the on-site work. The

background information necessary will vary from bank to bank, but will

generally include management accounts, strategy documents, business plans

and budgets and organograms of the legal and management structure. As most

of these documents are already submitted to the FSA, requests for additional

information should be limited.

35 Where overseas regulators are involved in the supervision of the operations of

UK incorporated banks in their country, or where they are the home

supervisor of a non-EEA incorporated bank, the FSA will contact the regulator

to obtain additional information and will draw on work already undertaken

by them to minimise duplication in supervision. Exchange of information will

either take place under existing Memorandum of Understandings6 which have

been established with a number of regulators, or on an ad hoc basis where

these have yet to be formalised. In order to use the information provided, the

FSA will need to understand what other regulators do in general and how this

is applied to a specific legal entity or business unit. To do this, the FSA will

carry out an assessment of the supervision undertaken in order to identify any

additional work the FSA will need to do in order to make good any short falls

in information.

36 In undertaking an assessment of the supervision of an overseas regulator, the

FSA will consider whether locally incorporated banks are required to meet

minimum standards of authorisation similar to those set out in the Act. To do

this, the FSA will seek to understand the legal framework, including whether

overseas regulators undertake consolidated supervision and have supervisory

guidelines covering issues such as capital, large exposures and liquidity.

Included in this assessment will be the extent to which the regulator focuses on



16/52

the risks in overseas operations, the amount of on- and off-site work, the

reliance placed on external auditors and the level of supervisory resources. In

relation to its supervision of UK banks, the FSA may also need to understand

the supervisory approach adopted for branches of overseas incorporated

banks operat ing in that country.

37 For UK incorporated banks, the FSA will identify which units (legal entities or

business units) are supervised by overseas regulators through the information

provided on significant units (see Step 1). The FSA will contact these

regulators to discuss any areas of concern and to obtain any information

which might be of assistance in performing its risk assessment of the bank. In

particular, where other regulators perform their own risk assessments, the FSA

will seek to obtain a summary of their findings.

38 For non-EEA incorporated banks, the home supervisor has primary

responsibility for their supervision and is likely to be better placed than theFSA to obtain and evaluate relevant information. Where the FSA is satisfied

that the scope of home country supervision encompasses those issues

considered under the minimum criteria for authorisation, the FSA will not

seek to duplicate supervision. In such cases, the FSA will utilise the

information and judgement of the home supervisor, including information on

the UK branch, in forming its own view on whether the minimum criteria are

met.

39 Where the FSA is unable to obtain sufficient information from the home

supervisor on the wholebank, it will be necessary to consider other ways tomake good the short fall, such as greater contact with the H ead Office. Where

the informat ion short fall relates to the UK branch, the FSA will aim to address

this by direct contact with the branch.

Step 3: Preliminary risk assessment

The objective of this step is for the FSA to undertake a preliminary risk

assessment using information already available, to assess what the k ey

business and controls risks are, where there are information gaps and withwhom the line supervisor needs to meet to discuss these risks and garner

further information.

40 For most banks, the on-site work (undertaken during the risk assessment

phase) will take place within a short time-frame, which could last from two or

three days up to a few weeks. To prepare for these meetings, the FSA will

undertake the preliminary risk assessment off-site which will assist in

determining the amount of on-site work required, the appropriate personnel to

see and the issues to be discussed.



17/52

41 The preliminary risk assessment will take place using nine evaluation factors

(Capital, Assets, Market risks, Earnings, Liabilities, Business, Internal

Controls, O rganisation, Management). These factors incorporate all the

minimum criteria for authorisation under the Act and the FSAs interpretation

of these criteria, as set out in the Statements of Principles. The factors are

described in more detail in Appendix 1, which forms guidance to thesupervisor. However, other factors may be considered in particular

circumstances and changes to the existing factors may be made over time.

42 The evaluation factors will be assessed using information which the FSA

already has available or is obtainable from other sources, including overseas

regulators (see Step 2). In addition, the FSA will take into consideration the

external auditors views of the bank. These will normally be obtained at the

meeting which is held with a bank and its external auditors to discuss the

annual audit or section 39 report.

43 The factors to be evaluated can be split between those that help to identify the

business or inherent r isk of the bank and those that focus on the adequacy and

effectiveness of the banks internal controls, organisation structure and

management.

44 Business risks - The analysis of the business risk will be performed using the

following factors: Capital, Assets, Market Risk, Earnings and Liabilities and

Business. This review will comprise an analysis of the financial position of the

bank, the banks overall business and external environment and its future

strategy. This will facilitate a historical, current and forward-lookingassessment of the banks key business risks, including credit, market, liquidity,

operational, litigation and reputat ional risks. This analysis will be undertaken

using prudential data, management accounts, trends in key ratios and peer

group analysis, strategic plans, together with information a lready held on the

FSAs files.

45 Control risks - In analysing the controls over the business, the FSA will

undertake an assessment using three factors: Controls, O rganisation and

Management. As mentioned above, most of the information for this analysis

will come from information a lready held on the FSAs files, including

section 39 reports and on-site visits.

46 For non-EEA incorporated banks, a preliminary risk assessment will be

conducted at two levels: the wholebank and the branch. The wholebank

assessment will primarily draw on the information obtained from the home

supervisor although where there are gaps in information, the FSA will have to

consider the most appropr iate method of making good this short fall. Where

the FSA can place significant reliance on the work undertaken by the home

supervisor, in particular where its supervision covers issues that the FSA needs

to assess under the minimum criteria for author isation, then a full risk

assessment using the CAMELB and COM factors will not be performed at the



18/52

wholebank level. However, a general assessment of the key business and

control risks will still be performed.

47 In undertaking a preliminary risk assessment of a UK branch, the FSA will

again draw on any work conducted by the home supervisor. The nine

evaluation factors will be used to perform th is assessment a lthough the Capital

factor is clearly not applicable at this level. Furthermore, where the FSA is

satisfied that limits and guidelines on particular business activities e.g. liquidity

are managed globally by the bank and are supervised effectively on a

consolidated basis by the home country supervisor, the FSA will not include

such activities in its assessment of the branch.

48 During the preliminary risk assessment stage, the FSA will identify where there

are information gaps, how to fill them and with whom the line supervisor

needs to meet when carrying out its on-site work (See Step 4).

Step 4: Undertaking the on-site visits

The objective of undertaking the on-site work is to improve the FSAs

understand ing of the business and control risks run by the bank, focusing in

particular on those units deemed to be significant.

49 The risk assessment visits are led by the line management responsible for the

day-to-day supervision of the bank. The visit provides an oppor tunity to

clarify any points arising from the preliminary risk assessment and to gain a

better understanding of the business undertaken by the bank. H owever, the

main focus of the meetings will be on the internal controls within the bank, to

assist in the evaluation of the CO M factors.

50 The on-site work will typically be undertaken at a high level. For most UK

incorporated banks this will involve meeting the Chief Executive, other

executive and some non-executive directors (including the Chairman of the

Audit Committee), the Chief Financial Officer and heads of significant units.

In addition, heads of control and suppor t functions such as risk management,

internal audit, IT and Human Resources will also be seen. For most branches

the on-site work will involve meeting the General Manager, other seniormanagement and, if necessary, depending on the size of the branch and the

level of supervision undertaken by the home supervisor, heads of key business

units and heads of control and support functions. In addition, and after

consultation with the home supervisor, the FSA may also meet with senior

personnel at head office or others who have responsibility for overseeing the

banks UK operations.

51 Discussions with top level management and personnel involved in support and

control functions will focus on high-level systems and controls (including the

risk management framework), strategy, the organisation structure andmanagement issues. Discussions with heads of business units will focus on



19/52

7 Although the Ch airman, Chief Executive and General Ma nager should be ab le to cover all nine evaluation factors, it

is likely that meetings with these individuals will focus on o nly a few of the factors.


strategies (including consistency with the banks overall strategy), controls

over the unit, quality and style of management, risk and earnings profile, and

the contro l framework established within the unit, including the adequacy of

segregation of duties. For non-EEA incorporated banks, the amount of on-site

work undertaken will depend on the supervision undertaken by the home

supervisor. Sufficient work needs to be done to enable the FSA to assesswhether the wholebank meets the minimum criteria for authorisation and that

the UK branch meets minimum standards.

52 An indication of the senior personnel the FSA are likely to meet during the on-

site work and the range of the evaluation factors that are likely to be discussed

with each of these people are set out below. The precise range of factors to be

discussed will depend on the business and control risk profile of the bank.

53 No performance testing of controls will be undertaken during the risk

assessment phase, since this should be covered by internal audit. This is one of

the main reasons for meeting with internal audit, namely to make an

assessment of the adequacy and effectiveness of the work undertaken by this

Evaluation factors by interviewee

C A M E L B C O M

Chairman7

CEO/General Manager7

Finance Director

Treasurer

Head of business unit

Head of risk management

Head of internal audit

Head of compliance

Head of IT

Head of personnel

Non-executive director


20/52

function. If detailed performance testing is considered necessary this will be

undertaken using the tools of supervision.

54 At the beginning and at the close of the on-site work there will be meetings

with the Chief Executive, Finance Director or General Manager, depending on

the structure of the bank. This will allow the FSA to share initial views and, if

necessary, to clarify issues.

Large and diverse banks

55 For some UK banking groups, it will be difficult to complete the risk

assessment stage, in particular to conduct all the on-site work, in a few weeks.

The FSA will seek to be flexible in its approach to such banks. For example,

this may involve discussing the controls exercised over significant units with

the appropriate personnel in the head office or the parent company; or

scheduling meetings regarding lower risk areas of the business during thesupervisory period.

56 Where a UK banking group has overseas units which are significant and which

undertake financial services business regulated by an overseas regulator, the

line supervisor may still wish to meet with the head of the unit. Where

possible the FSA will take into account the supervision undertaken by the

overseas regulator, to the extent that it is satisfied with the work performed

and that the other regulators findings are shared with the FSA. In such

circumstances, the FSA will communicate to the regulator the amount of work

it intends to undertake, focusing on the controls exercised over the overseasunit, the business risks and strategy. Where the FSA considers that only limited

account can be taken of the work of the overseas regulator or where the

overseas unit is not supervised, a more thorough risk assessment and

discussion will take place with the unit head.

Step 5: The final risk assessment

The objective of this step is for the FSA to finalise its assessment of the

business and control risks in the bank, to identify how it expects the risk

profile to change over the supervisory period and to consider whether the

bank continues to meet the min imu m criteria for authorisation.

57 On return from the on-site work, the FSA will use the off- and on-site

information to undertake a formal evaluation of the CAMELB and COM

factors. As mentioned earlier, the assessment will be undertaken for the bank

or, where appropriate, the consolidated group , and for the wholebank and

branch.

58 After completing the CAMELB and COM analyses, the FSA will formulate a

risk profile of the bank. An overall assessment of both the business risks and



21/52

the controls risks will be made. At the same time, the FSA will assess whether

the bank continues to meet the minimum criteria for au thor isation.

59 In addition, the FSA will consider how the banks risk profile is likely to

change over the next period. Such an assessment will be made using the

information supplied to the FSA together with the FSAs own forecast of

market developments; part icular account will be taken of the economic and

financial conditions in the countr ies in which the bank operates . This means

that the FSA will indicate whether the business and the control risk profile is

increasing, decreasing, or remaining the same. For example, the business

strategy will impact on the future business risk profile of the bank , as would

forecast changes to the economic environment. On the other hand, whether

the bank has sufficient resources to implement the strategy will be reflected in

the outlook for the banks control risk.

Step 6: Supervisory programme

The objective of this step is to prepare a supervisory programme which will

set out the work that the bank and the FSA w ill undertake during the

supervisory period. This work will focus on issues or concerns identified

during the risk assessment.

60 After undertaking the risk assessment, the FSA will prepare a supervisory

programme, which will contain details of remedial action that the bank is

required to undertake within a specified period. In addition, it will set out the

tools of supervision that will be applied during the forthcoming supervisoryperiod. The programme will be explicitly linked to the areas of greatest risk

and concern and should enable management to understand fully why

part icular action has been requested or tools are going to be applied. The

programme will first be discussed in draft with the bank before being finalised.

61 For UK banking groups containing multiple authorisations only one

supervisory programme will be drawn up, but the tools of supervision to be

applied to each bank within the group will be identified separately. For those

banks in larger banking groups which fall below the significance thresholds,

the FSA will still wish to hold an annual prudential meeting where it will

discuss issues which would normally have been covered during the risk

assessment phase, in addition to other prudential issues. The FSA may,

however, decide that a section 39 report does not need to be commissioned

annua lly for such banks.

62 For non-EEA incorporated banks, the programme will primarily cover the

branch. The nature of the programmes will depend on a number of factors,

including the scale and scope of supervision undertaken by the home

supervisor. In general, the more comprehensive the supervision of the branch

by the home supervisor, the less the FSA will need to undertake local (UK)

supervision; work carried out will be co-ordinated with the home supervisor.



22/52

63 In drawing up the supervisory programme, the FSA will first develop its

supervisory objectives for each bank consistent with the FSAs overall

objectives and standards of supervision. The FSA will then formulate actions

to meet the objectives set for individual banks, together with the likely timing.

These objectives are discussed in more detail below:

Objectives

Objectives define the goals of supervision for each bank and will form the

foundation for all actions. The objectives will be clear, attainable, specific, and

action-oriented and will be centred around one of three themes:

Correction - this is the process of addressing concerns identified in the risk

assessment. Correction is generally focused on ensuring that appropriate

action is taken by bank management and verifying that remedial action has

occurred. In the extreme, correction may involve the FSA taking supervisoryaction under the Banking Act.

Discovery - this is the process of gaining a more in-depth knowledge of the

banks risk profile, by undertaking further work in higher r isk areas as

determined by the risk assessment.

Monitoring - this is the process of identifying current and prospective issues

that could impact on the risk profile or overall condition of the bank.

Additionally, monitoring can be associated with observing and measuring

the banks progress toward correcting identified concerns.

Actions

Actions are the steps needed to achieve the supervisory objectives. This

includes the specific remedial work required by bank management to address

concerns identified in the risk assessment. Action also includes the submission

of documents by the bank and the tools of supervision that the FSA intends to

apply.

64 In order to give an indication of the content of the supervisory programme

and the length of the supervisory period, the following matrix summarises the

likely intensity and focus of supervision resulting from a particular risk profile.

65 Quadrant A of matrix 1 (overleaf) is indicative of a bank with a low level of

business risk and a low level of control risk (well controlled). A bank in this

quadrant would only need a limited amount of on-going monitoring for the

FSA to be aware of changes to its risk profile. Some discovery work may also

be necessary to confirm the risk profile as determined in the formal risk

assessment. The intensity of supervision is likely to be low. Prior to

determining the length of the supervisory period, the FSA will still consider



23/52

whether the bank intends to make any changes to either the business or

control r isk profile but the period is likely to be in the region of 18-24 months,

or even longer.

Matrix 1

66 Quadrant B is indicative of a bank that is well controlled, but has a high level

of business risk. Although good controls are in place, a fair level of on-going

monitoring may be necessary to ensure that the high level of risk remains

effectively controlled and that the risk profile does not increase beyond

supportable levels. Further discovery work is also likely to gain a better

knowledge of the control environment, in par ticular in the high r isk business

activities. The length of the supervisory period is likely to be around 12-18

months.

67 Quadrant C is indicative of a bank with high business risk and poor controls.The focus will be on determining the immediate remedial actions necessary to

resolve the situation (e.g. enhancing control systems, reducing the business

risk, or both). The supervisory programme will be very well defined in these

instances and will require urgent remedial work by the bank under close

supervision by the FSA. The FSA will focus on determining managements

ability to resolve the problems and establish milestones to monitor progress.

The FSA would probably make high usage of the tools of supervision for an

institution in this quadrant, in particular to ensure that remedial work has

been undertaken. The length of the supervisory period for an institution of this

nature will vary depending upon managements response, but is likely to be at

the shorter end of the spectrum (i.e. six months to one year).


B

High monitoring, l it tl e remedial

action unless risk is deemed excessive

A

Low monitoring, little remedial action

necessary.

C

High monitoring. Need for immediate

remedial act ion to improve risk

profile.

D

Moderate monit oring. Need for a

remedial programme to improve

controls.

High

Business

Risk

Low

High

Low

Control Risk


24/52

68 Quadrant D is indicative of a bank with low business risk, but high control

risk (poor control systems). Remedial action by the bank is likely to be

necessary in this case to ensure that proper controls are in place to support the

level of risk undertaken. The FSA recognises that the control systems for a

bank with low business risk will differ from that of a bank with high business

risk. Therefore, the FSA will focus on determining the adequacy of the controlsystems in light of the level of business risk undertaken. The supervisory

programme will focus on the corrective measures agreed with the bank, and

will include use of the tools of supervision to that end. The supervisory period

in this case will vary considerably depending upon managements response,

but is likely to be around one year.

69 As stated above, a bank or branch with a low risk profile will normally be

subject to a less intensive supervisory programme, although a minimum level

of supervision is required to keep abreast of changes in the business. For

example, on an annual basis, most banks will either have a prudential meeting

or a formal risk assessment. Section 39 reports will also generally continue to

be commissioned annually. However, for those banks considered to be lower

risk, the FSA may decide not to commission such a report every year.

Step 7: Consistency

The objective of th is step is to ensure that FSA applies its supervisory

approach in a consistent m anner and that the intensity of supervision is

broadly the same for bank s with similar risk profiles.

70 The FSA will maintain a careful check on the consistency of the work being

carried out by its supervisors. This will be achieved in two ways, a RATE

Panel and a Quality Assurance function.

( i) RATE Panel

71 The objectives of the RATE Panel are to perform an independent review of the

final risk assessment completed by the line supervisor and to ensure

consistency in implementing risk based supervision across the banks

supervised in the Complex Groups and Banking and Building Societies

Divisions within FSA. A further role of the Panel is to identify trends or

particular current issues arising from the risk assessments of banks.

72 The RATE Panel will generally comprise senior FSA staff not directly involved

with the supervision of the bank under review.

73 The Panel will review a summary of the risk assessment and will consider the

appropriateness of the supervisory action and programme, in particular the

intensity of supervision proposed. In addition, the panel will review the

numerical rating which line supervisors attach to the individual CAMELB andCOM factors and the composite rating. The numerical rating system is purely



25/52

an internal tool which the FSA uses to undertake peer group comparisons, to

assess trends in risk profiles, to determine the timing of risk assessments and to

help determine FSAs resource allocation. The numerical rating system itself

and the par ticular rat ings will not be disclosed to banks.

( ii ) Qualit y Assurance unit ( QA)

74 The FSAs QA function will focus on the extent to which line management

have followed the internal processes laid down in the risk based supervisory

framework. It will review a selection of banks to check that the work done is

appropriate for the bank and in line with the internal processes to enable line

management to exercise reasonable supervisory judgement, in particular that

all relevant issues have been properly identified.

Step 8: Formal feedback

The objective of this step is for the FSA to communicate the results of its risk

assessment an d the resultant supervisory programm e to the bank .

75 Once the supervisory programme has been developed and the RATE Panel has

considered the risk assessment, the FSA will give formal feedback of its

findings. A meeting will normally be held with the Chief Executive, Finance

Director or General Manager of the bank or branch.

76 In advance of this meeting, a draft letter will be sent to the bank setting out

the FSAs views on both the business and control risks of the bank or branch,

outlining any areas of specific concern and remedial action sought from the

bank. The letter will explain whether it expects the business and the control

risk run by the bank to increase, decrease or remain the same. In addition to

the letter, the supervisory programme will contain an action plan and a

supervisory timetable as appendices.

The format of the action plan is:


Issue Risk/ Observation Action Timing Date

concerns required completed

Business Risk

Cont rol Risk


26/52

The format of the supervisory timetable is:

77 For UK incorporated banks, the letter will be finalised after the meeting and

sent to the Board of Directors. In some instances, the FSA may also present its

findings to the Board. In the case of a non-EEA incorporated bank, the finalletter will be sent to the General Manager and copied to the Head Office. A

further letter setting out supervisory issues pertinent to the wholebank will be

sent to the H ead O ffice, which will raise any issues which the FSA wishes to

follow up either with the H ead Office or the home country supervisor. Both

the Head Office and branch letters will be copied to the home country

supervisor.

78 For those banks that are considered to be lower risk and, therefore, for whom

the period between risk assessments is longer than a year, the FSA will write

annually to the Chief Executive or General Manager setting out thesupervisory work it plans to undertake in the coming year. The plan will be

consistent with that set out in the supervisory programme sent following the

last risk assessment, assuming there has been no material change in the bank.

79 The final letter will also be copied to the banks reporting accountants and

feedback on the risk assessment will also be given to them at the meeting

where the next annual audit or section 39 report is discussed, or earlier if

specific issues have been identified which require more rapid communication.

Tools of supervision phase

80 During the tools of supervision phase, the FSA will ensure that the

supervisory programme is implemented, as set out in the final letter to the

bank. In particular, the FSA will track any significant developments, ensure

remedial action is undertaken and that the too ls of supervision are applied. In

addition, for non-EEA incorporated banks, the FSA will maintain

communication with the home supervisor and the head office to ensure that

any factors which might have an adverse impact on the banks risk profile or

continued compliance with the minimum criteria are identified. Through its


Supervisory tool/ Action required Purpose/ reason

Q3 1998

Q4 1998

Q1 1999

Q2 1999


27/52

contact with the home supervisor, the FSA will also seek to ensure that no

duplication or gaps emerge in the supervisory approach to the wholebank.

81 Tools of supervision available to the FSA include:

Reporting Accountants (Section 39) Report- a report prepared by the

reporting accountants (usually the banks external auditors) assessing thebanks internal systems and the adequacy and effectiveness of the controls in

place. The scope of the report as specified by the FSA generally focuses on

specific areas of the bank, though it may cover all of the banks systems (a

full scope report);

Traded Markets Team Visit- a visit by the FSAs specialist treasury staff

focusing on the treasury areas of the bank , with an emphasis on r isk

management, systems and the adequacy of related controls. The visit is

followed by a letter detailing areas of specific concern and remedial action

required;

Credit Review Visit- again, a visit by the FSAs specialist staff but with the

focus on the assessment of the systems and adequacy of controls in areas of

the bank other than treasury, such as credit. The visit is followed by a letter

detailing areas of specific concern and remedial action required;

Liaison with overseas regulators - a visit to the overseas country, telephone

or written communication to obtain further information or to discuss

supervisory issues or action that might be taken by the appropriate

regulator;

Prudent ial meetings - meetings with senior management of the bank to

discuss the banks financial performance, its business and risk profile, its

strategy and the wider market environment in which it operates;

Ad hoc m eetings - meetings either a t the FSA or on-site to discuss business

developments or plans, and issues or concerns arising from the risk

assessment process.

82 During the supervisory period, the findings from each of the tools that have

been applied will provide the FSA with new and more detailed information

about the areas of risk or concern identified during the risk assessment stage.

This information will be discussed in follow up meetings that banks are

familiar with, allowing the FSA to feed back its conclusions, highlight

recommendations and discuss remedial plans.

83 At any time during the supervisory period the FSA may need to seek remedial

action from the bank or take action itself to deal with issues of serious

supervisory concern. In addition, a banks circumstances may change because

it is entering new markets, making an acquisition or is affected by market

developments. The FSA will address first those areas which it considers to be

of higher risk or concern.



28/52

84 If such events occur, the supervisory programme may need to be revised.

Alternatively, the FSA may decide that it should undertake another risk

assessment as the profile of the bank may have changed significantly.

Evaluation phase85 At least annually and before the next risk assessment, the FSA will undertake

an evaluation of the risk assessment, the supervisory programme and its use of

the tools of supervision; this is purely an internal FSA process. The evaluation

will constitute a review of the risk profile of the bank and the progress made

against the FSAs supervisory objectives. It will also involve a stock take of the

original work plan to ensure that the bank has successfully completed any

necessary remedial work and, that FSA has completed the work set out in the

supervisory programme and that the findings from all of the supervisory too ls

that have been applied have been properly assessed and acted upon. In

addition, dur ing the evaluation phase the FSA will assess the effectiveness of

the work it has carried out by considering what it has achieved during the

supervisory period in terms of understanding or improving the risk profile of

the bank.

86 The evaluation phase will be an integral part of the FSAs annual procedures,

which also include the formal review of the banks adherence to the minimum

criteria for authorisation and the annual letter that will be sent to all banks

and branches to confirm (or change) the supervisory programmes.



29/52

Capital 29

Asset quality 31

Market risk 33

Earnings 35

Liabilities 36

Business 37

Internal Controls 40

Organisation 45

Management 47

Appendix 1


CAMELB & COM evaluation factors


30/52

Capital

Objective:

To determine whether the banks capital position is adequate to support the

level of current and anticipated business activities and associated risks.

In order to achieve the above objective, the FSA will assess the following:

Com position and quality of capital

Adequacy of capital

Access to capital

Repayment of capital

Composit ion and quality

In assessing composition and quality, the FSA will consider:

split between each of the three tiers, and

component parts of capital.

Adequacy

In assessing capital adequacy, the FSA will consider: current and projected business activities and associated risks,

trigger and target ratio adequacy in light of the banks risk profile,

risk asset ratio in comparison to t rigger and target ratios,

capital trends and projections, and

trends and projections in balance sheet growth and quality, as well as off-

balance sheet activities.

Access to capital

In assessing access to capital, the FSA will consider:

ability to ra ise additional tier 1 capital from existing or new shareholders,

including the financial strength of shareholders,

market conditions (prevailing and institution-specific) for raising new

capital,

current level of headroom available to issue tier 2 or 3 capital, and

track record for raising capital funds in the past.



31/52

Repayment of capital

In assessing repayment of capital, the FSA will consider:

ability to meet scheduled repayment terms (principal and interest), and

impact of amortisation of tier 2 and 3 capital.



32/52

Asset quality

Objective:

To determine the quality of assets (both on- and off-balance sheet).


Composit ion

Concentrations

Provisioning

Composition

In assessing a banks on- and off-balance sheet assets, the FSA will consider:

size, maturity, currency, marketability, complexity, sources of repayment,

and geographic dispersion,

range and type of products,

trends in volume and growth, ar rears, non-performing assets, problem

assets, and write-offs,

quality of counterparties and trends in counterparty credit risk,

collateral (type, quality, margins, marketability, documentation),

netting arrangements,

amount of daylight exposure and settlements, and

methods for offsetting risk (e.g., credit derivatives).

Concentrations

In determining the overall quality of the asset portfolio, the FSA will

determine the potential impact to the bank on exposures with similar riskcharacteristics. The issues the FSA will consider include:

exposure to connected entities, groups, industries, markets, geographic

regions,

concentrations in tenor, credit risk or collateral type, and

volume of exposures greater than 10% of the capital base.



33/52

Provisioning

The FSA will determine whether the banks level of provisioning is reasonable.

The issues the FSA will consider include:

level of problem assets,

adequacy of loss provision levels (both general and specific), and

timely recognition of losses.



34/52

Market risk

Objective:

To determine the amount of market risk in the trading and banking book.


Key products and markets

Market risk in the trading book

Interest rate risk in the banking book

Foreign exchange risk

Market risk exists in both the trading bookand the banking book. Within thetrad ing book, market risk is measured as changes in the value of financial

instruments or currencies. Within the banking book , market risk is measured

in terms of exposure to interest rate risk and/or foreign exchange risk.

Key products and markets

In order to determine the banks exposure to market risk, the FSA will

consider:

types of products traded (diversity and complexity),

active markets utilised, and

counterparties.

Market risk in the trading book

Market risk generally arises from market-making, dealing, and position-taking

activities in active markets. In assessing market r isk, the FSA will consider:

liquidity of market(s) for products (e.g., is there a liquid and ready market),

size, tenor, and complexity of open positions (including options),

stability of trad ing revenues (historical track record and trends),

output of internal models of sensitivity to r isk factors,

vulnerability under various scenarios and environments (modelling and

stress-testing),

ability to close or exit positions at a reasonable cost and in a reasonable

timeframe, and



35/52

size of open positions versus revenues generated and expected (i.e., risk

versus reward).

Interest rate risk in the banking book

In assessing interest rate risk in the banking book, the FSA will consider:

sources of interest ra te exposure as well as the complexity of positions,

character of risk such as volume and repricing sensitivity, and

interest rate risk position over both the tactical and strategic horizons

(short - and long-term) as available in gap reports or through modelling.

Foreign exchange risk

In assessing foreign exchange risk, the FSA will consider:

volume of business subject to revaluation from currency translation

requirements,

composition of the port folio, including an assessment by:

- currency and anticipated durat ion of positions,

- size and maturity of cash flow mismatches, and

output of internal risk models.



36/52

Earnings

Objective:

To determine the profitability and earnings profile of the bank and evaluate

the quality and reliability of banks earnings.


Profitability and earnings performance

Profit plan & budget

Profitability and earnings performance

The FSA will focus on ratio and trend analysis to assess the quality of banks

earnings and profits. The issues the FSA will consider include:

overall level of profitability,

volatility of profits,

sources and distribution of income (by products, businesses, geographic

location),

margins, spreads, and fee income,

reliance on non-recurring income sources,

overheads and expenses,

impact of non-recurring expenses,

impact of taxation and dividends on profit retention, and

prudence of accounting practices (e.g., accruals).

Profit plan and budget

In addition to an analysis of the banks past earnings, the FSA will look atprojected profitability. In assessing the profit plan and budget, the FSA will

consider:

sustainability of income sources,

previous results to budgeted amounts,

impact of any strategic initiatives, and

anticipated operating environment, including economic and competitive

pressures.



37/52

Liabilities

Objective:

To determine the liability and liquidity profile of the bank.


Liquidity

Composit ion

Concentrations

Liquidity

In assessing liquidity, the FSA will consider: liquidity mismatch position and ability to meet liquidity needs,

compliance with liquidity mismatch guidelines,

compliance with the stock approach to liquidity (for those UK incorporated

banks which have significant retail activities in the UK),

access to funds and/or lines of credit (advised or committed), and

quality of liquid assets.

Composition

In assessing the composition of a banks liabilities, the FSA will consider:

funding structure - wholesale versus retail,

volatility,

diversification of funding sources,

funding costs,

views of rating agencies and market perception,

trends and projections in the deposit structure with respect to growth

patterns, stability, and costs, and

type of borrowing (e.g., size, tenor, counterparty).

Concentrations

In assessing the level of concentrations, the FSA will consider:

funding from connected entities, and

significant fund providers (wholesale or retail).



38/52

Business

Objective:

To assess other influences on the banks business risk profile, not already

covered under the CAMEL evaluation factors.


External environment

Strategic business initiatives

Customer base & competitive differentiation

W ider group issues

IT systems

Key staf f

O ther business risks

External environment

In assessing a banks strategic fit within its external environment and

managements effectiveness in responding to external influences, the FSA will

consider the:

strengths, weaknesses and volatility of the economic and political

environment in the banks geographic locations,

potential impact of changes in economic conditions or the political

environment on the banks business,

potential impact of significant events (e.g., financial crisis, natural disasters),

and

ability to identify external risk(s) or other systemic issues inherent in the

various geographic locations.

Strategic business initiatives

The FSA will consider the underlying assumptions of the banks business

strategy and assess its viability, riskiness, and the probability of achieving

targets. This analysis will include all the significant business units, in that the

FSA will want to understand and assess the internal and external threats and

risks to those businesses. The issues the FSA will consider include:

viability of the strategic plan from a business perspective, includingimplementation plans,



39/52

resources and skills necessary to execute the strategic plan,

success in merging elements of the strategic plan into the business or

operating plan,

intended launch into new markets and planned diversification,

appropriateness of the IT strategy to support business objectives and

priorities, and

frequency of changes to strategic direction.

Customer base & competitive differentiation

In assessing the banks existing customer base and market share, including

potential threats or oppor tunities, the FSA will consider:

wholesale Vs. retail customer base,

customer stability and loyalty,

ability to attract and retain customers,

price sensitivity and sophistication of customer base,

ability to capitalise on core competencies through product or service

differentiation,

position relative to being a product leader (innovator) or follower, and

market share and market volatility.

Wider group issues

Along with the need to consider external influences, the FSA will also assess

the impact o f interna l influences on the banks business activities. This includes

the influence of shareholders, the parent company and other a ffiliated

companies within the group. The issues the FSA will consider include:

degree of wider group influence on directing business activities,

relationships and impact of wider group on business activities (e.g. source of

business introductions, reputat ional risk),

history of complaints and litigation against the bank or wider group,

volume and type of inter-group business and degree of connected lending,

perspective of shareholder controllers - short-term versus long-term goals,

and

dividend practices, debt repayment to wider group, or any other pressures

which might adversely affect profit retention.



40/52

IT systems

In assessing whether the IT infrastructure is appropriate to meet the business

needs of the bank, the FSA will consider:

extent to which IT supports the current business or restricts planned

business initiatives,

extent to which IT systems have been assessed in terms of threats to the

confidentiality, integrity and availability of key information,

adequacy and viability of the IT stra tegy for the planned business initiatives,

including implementat ion plans, and

flexibility to deal with external events (e.g. Year 2000 and EMU).

Key staff

A banks core competencies may be tied to the talent(s) of one or more

individuals within a group. Often, these competencies come from either their

reputat ion in the market or their pre-established customer network. In either

case, the loss of one or all of these individuals could have a negative impact on

the banks ability to compete. The FSA will assess managements success in

dealing with key staffing issues by considering:

identification of key management and staff,

identification of business core competencies tied to an individual or group of

individuals, and

history of ability to retain management and staff.

Other business risks

The bank may offer services which are not readily captured within the

CAMEL factors. These services (e.g., global custody, corpora te finance)

generate fee income for the bank, without necessarily generating balance sheet

or off-balance sheet exposure. The risks associated with such businesses or

provision of services relate to problems with service delivery (either in terms ofoperational or legal requirements).

Although the primary risk relates to the control environment (and will be

assessed under the control factor), there can be a knock-on effect to the banks

reputation. In assessing the other business risks, the FSA will consider:

reputat ional risks in key business units (e.g. business undertaken, bad

publicity, reliance on third parties),

track record of problems with service delivery, and

concerns identified in the control environment which could have a negative

effect on the banks reputation and ultimately impact business initiatives.



41/52

Internal Controls

Objective:

To determine the adequacy of the internal control framework.


Decision m aking framework

Risk management framework

Limits and standards

Information technology

Financial and management reporting

Staff policies

Segregation o f responsibilities

Audit and compliance functions

Money laundering controls

The sophistication of internal controls will depend on the size, complexity, and

geographic diversity of a bank. The FSA will therefore identify the nature of

the business to be controlled before determining whether the process controlsin place are fit for purpose.

Decision making framework

In order to determine whether the decision making framework is appropriate

with delegated authorities and clear accountability at all levels, the FSA will

consider:

level of delegation,

adequacy of communication mechanism,

means to prohibit individuals without authority from taking decisions or

committing the bank to a transaction, and

adequacy of documentation.

Risk management framework

The FSA will assess the adequacy of systems in place to identify, measure,

monitor, and control risk in an appropr iate and timely manner. In this context,

the FSA is focusing on the risks associated with all products and servicesoffered by the bank. The risks include, but are not be limited to: operational,



42/52

credit, price, foreign exchange, interest rate, liquidity, strategic, reputational,

legal, and information technology. In assessing the risk management

framework the FSA will consider:

Risk identification

responsibility for r isk identification,

process for risk identification, including existing and new products, and

regularity of review for identifying new risks within business units.

Risk measurement

frequency of risk measurement,

sources of data (e.g., market prices, position information),

sophistication of risk measurement tools, given the complexity and level of

risk assumed,

frequency of verification or validation of risk measurement tools used, and

ability to measure risk at both transactional and portfolio levels.

Risk monitoring

methodology to ensure all identified risks are monitored,

frequency, timeliness, accuracy, and clarity of monitor ing report s,

report distribution to management and staff, and

comparability of output against predetermined limits.

Risk control

independence of the risk control process,

experience, qualification and skills of the personnel within the risk control

function,

reporting lines from the risk control function to senior management,

actions taken to ensure that risks are maintained within pre-established

limits,

exception reports and follow-up, and

contingency planning.



43/52

Limit and standards

The FSA will focus on assessing the Board and managements risk tolerance

and the adequacy of methods used to convey that risk tolerance to staff. In

doing so, the FSA will consider:

experience, background and authority of individuals involved in settinglimits,

policy and procedural guidance for all products and services, and

processes for setting and changing limits, including underwriting standards.

Information technology

The FSA will assess whether controls over the IT infrastructure are

appropriate. In assessing information technology, the FSA will consider:

adequacy of IT resources, prioritisation, planning and development,

procedures for IT procurement, project management,

procedures for the development, testing and implementat ion of new

hardware and software,

effectiveness of the information security framework and processes, and

adequacy of the business continuation plan.

Financial and management reporting

In assessing financial and management reporting, the FSA will consider:

adequacy, accuracy and timeliness of financial and management report ing,

[for businesses engaged in market activities] ability to value positions

independently of the front office,

ability to assess the quality of assets and maintain an effective level of

provisioning,

effectiveness and efficiency of distribut ion, including information sent to

NEDs,

frequency of budget preparat ion and appropriateness of budgeting process,

and

explanation of variances.

Staff policies

In assessing the various staff policies, the FSA will consider:

quality and depth of recruitment, training and staff retention policies,



44/52

succession plans and/or contingency plans for loss of staff,

link with business strategy;

remuneration policy (including bonuses) and practices to support staff

retention, without encouraging excessive risk taking,

ability to effectively monitor and control the risks rewarded by the bonus

scheme,

tra ining initiatives to ensure compliance with explicit or implied prudential

and ethical standards, and

adequacy of disciplinary procedures.

Segregation of responsibilities

The FSA will assess whether the bank has adequate distinction at all levelsbetween those committ ing the institution to a transaction, recording it, settling

it and controlling it. In assessing segregation of responsibilities, the FSA will

consider:

independence of reporting lines,

segregation of responsibilities,

interaction between the front, middle, and back offices;

interaction of front, middle and back offices with financial control and risk

management,

adequacy of the segregation of IT operational and development activities,

quality and experience of staff, and

adequacy of cover arrangements.

Audit and compliance functions

In assessing the audit and compliance functions, the FSA will consider:

responsibility and reporting lines, including their independence,

adequacy of methodology and extent of coverage,

adequacy of processes for addressing exceptions or recommendations on a

timely basis,

quality and experience of internal audit and compliance management and

staff, and

links between external audit, internal audit, and compliance.



45/52

Money laundering

The FSA will determine whether the bank has established operating standards

and audit procedures that ensure compliance with M oney Laundering

legislation and guidelines. In doing so, the FSA will consider:

adequacy of policies, procedures, and training programmes, and

designation of responsibility for co-ordinating and monitor ing day-to-day

compliance.



46/52

Organisation

Objective:

To understand the organisational structure and determine its effectiveness.


Legal structure

Relationship w ith other parts of the group

Reporting lines

In determining adequacy of the organisational structure, the FSA will consider

whether the documented structure accurately reflects the real and perceived

lines of control and influence within the organisation.

Legal structure

In assessing the legal structure, the FSA will consider:

legal organisation and position of the bank within the group,

complexity of structure and rationale,

indication that the structure is understood,

frequency of changes to the organisational structure, and

close links and shareholder controllers.

Relationship with other parts of the group

The FSA will assess the independence and/or inter-relationship of the bank

with other parts of the group. In assessing the relationship with the group, the

FSA will consider:

control linkages and rationale,

centralised functions (e.g., treasury, risk management), and

degree of control and influence exercised by the parent or any part o f

risk base supervision of banks

Documents