Pillar 2
Pillar 2 – Internal Capital Adequacy Assessment Process (ICAAP)
Updated version of this section of the Guidance to be issued.
I. Introduction and Purpose
1. All banks licensed by the Central Bank of the UAE must ensure that Pillar 1 risks - credit, market, and operational risk - are mitigated by capital, in compliance with the capital adequacy framework articulated in the document Central Bank “Regulations re Capital Adequacy” issued under Notice 60/2017 and the supporting capital standards and guidance, articulated in the document Central Bank “Standards and Guidance re Capital Adequacy of Banks in the UAE”. Incompliance with the Standards, each bank is required to quantify all risks that are not covered, or not sufficiently covered by Pillar 1 capital, and determine the additional capital required to mitigate these risks. The capital required to cover these risks is referred to as Pillar 2 capital.
2. Each bank is required to have a process to assess its overall capital adequacy as a function of its risk profile and its strategy. Each bank is required to maintain appropriate capital levels in accordance with the Central Bank Standards on Pillar 2 capital. This process is termed the Internal Capital Adequacy Assessment Process (ICAAP).
3. As part of the Supervisory Review and Evaluation Process (SREP), the Central Bank analyses the capitalisation levels of banks among other information, referring to the results of the ICAAP with regard to the internal view of capital adequacy. If the evaluation concludes that the capital levels of the individual bank are not satisfactory, the Central Bank may require a bank to meet an adjusted Minimum Capital Adequacy ratio accordingly.
4. Consequently, Pillar 2 is both a bank internal process reported under the ICAAP, and the evaluation of each bank’s compete capital adequacy includes the ICAAP in its regulatory process - the SREP. First, it is the responsibility of each bank to ensure that its ICAAP is comprehensive and proportionate to the nature, scale, and complexity of its activities. Each bank bears the responsibility for the appropriate identification, estimation, and reporting of risks, and the corresponding the calibration of capital necessary to mitigate these risks. Second, the ICAAP is a critical reference for supervision and for the supervisory dialogue between banks and Central Bank.
Purpose
5. This Guidance presents minimum expected practices to be considered by each bank in order to undertake their ICAAP, covering the process, content, outcome, and usage. It clarifies the application of the Central Bank’s expectations regarding the requirements of the Central Bank ICAAP Standards. Note, that the Central Bank plans to issue separately detailed requirements relating to the Internal Liquidity Adequacy Assessment Process (ILAAP).
6. It also intends to support each bank in the identification, measurement, reporting, and mitigation of Pillar 2 risks. This Guidance does not prescribe specific methodologies but rather, it provides a framework, within which a bank should elaborate research, analyse, and draw conclusions relevant to the risk profiles of their books. Each bank remains fully responsible for the methodology and process supporting the ICAAP.
7. All methodologies employed by a bank for its ICAAP should be relevant to its business model, risk profile, to the geographies of its exposures, and, in particular, to the features of the UAE economy. The methodologies and processes employed by the bank in its ICAAP should be fully documented, transparent and replicable. Each bank should be in a position to justify their decisions and modelling choices with historical data and benchmarking across a range of practices, which will be subject to supervisory scrutiny. Models employed for the measurement of Pillar 2 risks should comply with the Central Bank Model Management Standards and Guidance.
8. The Central Bank may apply proportionality for smaller and less complex banks when evaluating the ICAAP. This does not mean that smaller or less complex banks are exempted from the reporting requirements or from undertaking a comprehensive assessment of the risks they face. Smaller banks have to perform the whole ICAAP and address the full reporting scope. In cases where a bank’s capabilities lead them to use simpler methodologies, a more conservative capital treatment may be appropriate. However, the Central Bank expects a more sophisticated risk management approach from large banks and/ or banks with complex risk profiles in the assessment of their Pillar 2 risks.
9. For the licensed operations of foreign banks in the UAE, when this document refers to the bank’s Board, it should be comprehended as the Managing Director and/ or the highest committee in the UAE operations of the bank in which the Managing Director has to be the Chairman.
10. This Guidance serves several purposes. It
(i) Explains in more detail the Central Bank’s expectations on fulfilling the requirements of the ICAAP Capital Standards, in particular, related to the ICAAP (process) at each bank and certain aspects of the content of the ICAAP report; (ii) Covers expectations on some processual elements of the ICAAP, such as an appropriate approval process of the ICAAP report and its submission timelines; and (iii) Formulates expectations about additional sections of the ICAAP report (e.g. related to internal audit findings and changes compared to the previous ICAAP report). II. ICAAP Executive Summary
11. It is important that the executive summary of the ICAAP document produced by each bank should explain the views of Senior Management and the Board on the suitability of the bank’s capital to cover the risks faced by the bank in light of its risk profile, its risk appetite and its future business plans. These views must be supported by key quantitative results including the current and expected capital position of the bank under various economic conditions including stressed circumstances. It should also provide a clear analysis of the drivers of capital consumption, including Pillar 1 and Pillar 2 risks and stress testing. The conclusion should be unambiguous, forward-looking and consider the uncertainty of the business and economic conditions.
12. More specifically, the executive summary of the ICAAP report should contain the following elements:
(i) The main findings of the ICAAP;
(ii) A brief description of the ICAAP governance framework covering the stakeholders, the assessment process, the challenging process and the approval process;
(iii) A brief presentation of the bank’s structure, subsidiaries, businesses, material risks, risk appetite, and risk mitigating actions, where applicable;
(iv) A description of the current capital position of the bank showing the allocation of capital per risk type, covering Pillar 1 and Pillar 2 risks;
(v) Each bank should complete the ICAAP Executive Summary Table (Table 3) as indicated in Appendix 2 of this document;
(vi) A description of the current capital composition of the bank against minimum capital requirements covering at least CET1, AT1, and Tier 2 capital ratios;
(vii) A forward-looking analysis of the budgeted capital position of the bank, based on the bank’s expected business plan over the next three (3) years, reflecting the current, and expected economic conditions. This needs to cover expected dividend distribution;
(viii) An analysis of the capital position and capital ratios under several stress scenarios, the analysis of the stress scenarios should include the intended risk mitigation actions;
(ix) An assessment of the adequacy of the bank’s risk management processes including critical judgment on the areas that need improvement; and
(x) A conclusion of the ICAAP addressing the suitability of the capital to cover the bank’s current and expected risks.
13. Appendix 3.4 lists further information and documentation that is required to accompany a bank’s ICAAP report.
III. ICAAP Governance
14. Given the critical and major role of the ICAAP in banks’ sustainability and strategy, the Board of Directors is required to approve the ICAAP. The ICAAP should be subject to an effective decision-making process, by which the assumptions, projections, and conclusions are thoroughly discussed, analysed, and challenged at several levels in the organisation including (i) the relevant committees of subject matter experts, (ii) Senior Management, and (iii) the Board.
15. The Board has ultimate ownership and responsibility of the ICAAP. It is required to approve an ICAAP on a yearly basis. The Board is also expected to approve the ICAAP governance framework with a clear and transparent assignment of responsibilities, adhering to the segregation of functions, as described in Refer to Appendix 3.1. The governance framework should ensure that the ICAAP is an integral part of the bank’s management process and decision-making. The ICAAP governance framework should include a clear approach to the regular internal review and validation by the appropriate functions of the bank.
16. The policy framework should be approved by the Board. Senior Management has to implement the framework via effective procedures and systems. The framework must include measures reflected in the ICAAP report applied in day-to-day business and supported by suitable MIS at appropriate frequencies. A key aspect of this requirement is the “Use Test” principle covered in the next section. The risk framework has to be applied across the organisation.
IV. ICAAP Methodology, Scope and Use Test
Methodology
17. The ICAAP is an ongoing process. On an annual basis, every bank is required to submit a document outlining the outcome of the ICAAP to the Central Bank, usually referred to as its ICAAP document or report. The ICAAP supplements the Pillar 1 minimum regulatory capital requirements by (i) identifying risks that are not addressed or not fully addressed through Pillar 1 regulations, referred to as Pillar 2 risks, and (ii) determining a level of capital commensurate with the level of risk. The Central Bank requires each bank to adopt a Pillar 1 plus approach. According to this, the bank’s total capital requirements include the minimum Pillar 1 regulatory capital requirements, plus the capital required to cover Pillar 2 risks. As a result, the ICAAP should result in additional capital requirements specific to each bank’s business model.
18. Board and Senior Management are responsible to deliver a comprehensive, effective, and accurate assessment of capital adequacy. Each bank is consequently required to conduct an ICAAP supported by appropriate methods and procedures to ensure that adequate capital covers all material risks. Each bank should adopt progressively more sophisticated approaches in measuring risks to keep up with the business model evolvement, the risk profile, size of the bank, and appropriate market practice. The key objective is for each bank to be transparent and demonstrate the relevance of the approach taken in relation to the nature of their activities and risk profile to the Board and the Central Bank.
19. The frequency of reporting to the Board is expected to be at least quarterly, but, depending on the size, complexity, business model, risk types of the institution, and the market environment, reporting might need to be more frequent to ensure timely management actions. The quarterly reporting should comprise the internal calculation of the capital ratios (Pillar 1 and Pillar 2 under business-as-usual (BAU) and under stress scenarios), which includes determining the surplus/ shortfall of capital. Stress scenarios and internal forecasts only need to be updated on a quarterly basis, if required. Nevertheless, the ICAAP reporting to the Central Bank remains an annual exercise. However, if the quarterly results deviate significantly compared to the results of the ICAAP report as submitted to the Central Bank, then the bank should inform the Central Bank of the updated capital plan (including reasons for the deviations, capital ratios and mitigation actions).
20. The ICAAP should be supported by robust methodologies and data. All models used directly or indirectly in the ICAAP should follow the bank’s model management framework, in compliance with the Central Bank Standards and Guidance. The data employed in the ICAAP should be comprehensive, reliable, follow rigorous quality checks, and control mechanisms.
Scope
21. Each bank is expected to ensure the effectiveness and consistency of the ICAAP at each level, with a special focus on the group level for local banks. The ICAAP of these banks is expected to assess capital adequacy for the bank on a stand-alone basis, at regulatory consolidated level, and for the entities of the group. The ICAAP should primarily evaluate the capital requirement and capital adequacy of the bank at group level, following the regulatory consolidation. However, each bank should analyse whether additional risks arise from the group structure of the bank. The group structure must be analysed from different perspectives. To be able to effectively assess and maintain capital adequacy across entities, strategies, risk management processes, decision-making, methodologies, and assumptions applied should be coherent across the entire group. Identified additional risks may increase the capital requirement on group level accordingly.
22. Capital transferability within the group should be assessed conservatively and cautiously, which should be considered in the ICAAP. Each bank should have a process to ensure capital transferability that addresses any restrictions on the management's ability to transfer or allocate capital into or out of the bank's subsidiaries (for example contractual, commercial, regulatory, or statutory/legal restrictions that may apply). The capital allocation or distribution and the approval process between the bank’s holding company (group/parent) and the subsidiaries in the banking group should be well defined. The analysis should also consider risks arising from structural foreign currency positions relating to assets, liabilities, and equity.
23. A bank that has domestic or foreign subsidiaries or branches is expected to evaluate the difference between the ICAAP determined for the bank (including its subsidiaries) and the ICAAP at solo level (without subsidiaries). Therefore, the bank should identify any potential and additional risks both at consolidated group level and at solo bank level. The analysis should also address international operations that have jurisdictional capital requirements or restrictions.
24. Additional risks may also arise from entities that are not consolidated under Pillar 1, e.g. investments in commercial subsidiaries, including Special Purpose Vehicles (SPV), and insurance companies. Each bank should evaluate whether the required Pillar 1 capital adequately covers all risks arising from those entities. The evaluation should consider all risk types, including credit risk, reputational risk, and step-in risk, etc. The analysis should not be limited to branches and subsidiaries but should also consider affiliates, if material. Such analysis should not be limited to local banks only, also foreign banks operating in the UAE should identify and analyse all their dependencies on parent companies through centralised risk management/ shared services etc.
Use Test
25. The ICAAP and the bank’s business strategy form a feedback process. While the ICAAP has to reflect the bank’s business strategy, and business decisions. The bank should implement a formal process to analyse whether the outcomes of the ICAAP influence the business strategy. Banks should determine which additional capital requirements under Pillar 1 and Pillar 2 in business as usual BAU and stress scenarios on the top of the minimum regulatory requirements would be adequate and whether the bank’s risk appetite is adequate or requires to be adjusted accordingly. The formal feedback process should also include links to the banks’ business decisions, risk management process (e.g. using the ICAAP methodologies, results in the approval process, limit setting, strategic processes, such as capital planning or budgeting, and performance measurement). For that purpose, the Board and Senior Management should lead and approve the assumptions, methodology, framework, and outcome of the ICAAP. The usage of the ICAAP within the organisation and its alignment with strategic decisions is referred to as the ‘Use Test’.
26. The ICAAP should have an interactive relationship with other key processes within the bank, including but not limited to, (i) business strategies, (ii) financial budgeting, (iii) risk management, (iv) risk appetite setting, and (v) stress tests. Metrics related to capital allocation and capital consumption should be included in the banks’ risk appetite. Conversely, the metrics pertaining to business management and to risk management should take into consideration the capital plan.
27. Conceptually, this circular process should be articulated according to the following illustration and guidance. Each bank should design its own iterative process:
(i) The Board, Senior Management and the business lines should provide their business plan and budget to construct the ICAAP;
(ii) The risk management function should analyse the feasibility and the risks associated to such business plan;
(iii) The ICAAP should result in an estimation of the adequate level of capital given the business and risk assumptions. This should be approved by the Board and by Senior Management; and
(iv) In return, the ICAAP and capital requirements should feed back to the business lines and the risk management function in order to steer the strategy of the bank.
28. The stakeholders should regularly interact with each other during the production of the ICAAP in order to (i) obtain consistent forward-looking capital projections, and (ii) use capital projections consistently in their own decision-making. The stakeholders should include, but not be limited to, the Board, Senior Management, the business lines, the risk management function, and the finance function.
29. Each bank should demonstrate its appropriate usage of the ICAAP via the production of thorough documentation, reporting covering the process, methodology, decision-making for capital allocation, and strategy. Each bank should document the overall ICAAP design, including key elements and the mechanism by which they interact with each other. Such components should include, but not be limited to, the business strategies, risk appetite statement, risk measurement methods, stress tests programme, and reporting across the Group.
30. Regular reporting should be constructed to measure and monitor Pillar 2 risks in addition to the annual ICAAP report exercise. Adequate metrics and associated limits should be designed in relation to the bank’s size and complexity.
31. The Central Bank shall evaluate evidence that the bank has embraced the process for business rather than regulatory reasons. Evidence should be provided that the management has, through the ICAAP, made the business more efficient or less risky.
V. Capital Planning
32. Each bank should operate above the minimum capital requirements set by the Central Bank. Each bank should have a capital plan approved by the Board. The objective of capital planning is to ensure that:
(i) Each bank is compliant with minimum regulatory requirements;
(ii) The bank is viable and able to endure external economic changes; and
(iii) Each bank’s capital is calibrated to its risk profile in order to absorb unexpected losses through time, including periods of economic downturn.
33. The ICAAP should be designed as a tool to adequately support these objectives. Each bank’s management is expected to develop and maintain an appropriate strategy that ensure the level of capital and the process to estimate such level should be commensurate with the nature, scope, scale, size, complexity, and risks of each bank.
34. The ICAAP should be forward-looking taking into account both internal and external drivers over a period covering three (3) to five (5) years. The capital planning should take into account the bank’s business plan, its strategic development and the economic environment.
35. The multi-year capital forecast should be assessed and calibrated through two perspectives:
(i) Pillar 1: The bank’s ability to fulfil all of its capital-related regulatory, supervisory requirements, and demands; and
(ii) Pillar 2: The bank’s ability to cope with capital demands beyond that of the regulatory requirements, in accordance to its risk profile.
36. Both perspectives should be function of the bank’s business plan. In addition, the second perspective should incorporate a more granular, specific, and accurate measurement of risks. Both perspectives should take into account the current, expected economic environment, and consider the occurrence of stressed events.
37. If the bank identifies a shortfall in capital pertaining to either Pillar 1 or Pillar 2. It is expected to consider measures to maintain adequate capitalisation, reverse the trend, review its strategy, and risk appetite.
38. For each internal stress test scenario for capital planning purposes, each bank is expected to consider credible, quantifiable management actions that the bank could practically take to mitigate any capital impact of stress scenarios. Such mitigating actions for ICAAP stress scenarios may differ from actions related to recovery planning. The timing and execution of these management actions should be supported by appropriate trigger points of the bank’s capital position, which may be informed by their internal risk appetite for capital adequacy. When the bank’s capital ratios fall below its internal risk appetite, it is expected that the bank is able to execute the necessary measures, i.e. the bank should explain how the capital adequacy would be ensured/ restored (e.g. via a capital contingency plan). In assessing the effectiveness of a management action, each bank should also consider the perceived reputational impact (e.g. as viewed by the market, customers, government etc.) on taking such an action in a stress. The results should be disclosed in the ICAAP report with and without those management actions that have been approved by the bank’s Board.
39. If the bank plans the increase of its capital base (e.g. capital issuances, rights issues, reduction in the equity, etc.), the bank may consider the capital increase in its capital planning. The bank should only consider capital increases that have obtained Senior Management approval and form part of the bank’s official capital plan and that have been discussed with the Central Bank. A bank that considers capital increases in it capital planning has to perform an additional stress test scenario to analyse the impact if the capital increase does not materialise.
40. The following elements should be included in the ICAAP report or related appendix:
(i) Assumptions related to business developments over the forecasted period;
(ii) Assumptions related to the economic environment over the forecasted period;
(iii) Summary of historic capital base, aggregate RWAs, and CAR ratios for a minimum of five (5) years;
(iv) Disclosure of the following forecasted financial projections:
(v) Detailed balance sheet;
(vi) Detailed statement of profit and loss;
(vii) Break down of Capital base into its regulatory components;
(viii) Break down of Risk Weighted Assets (RWAs) components;
(ix) Significant ratios (e.g. CET 1, Tier 1, and CAR);
(x) A method to calibrate capital needs to the current and expected levels of risks, in coherence with the bank’s risk appetite, business plan, and strategy;
(xi) It should include the likely future constraints on the availability and the use of capital; and
(xii) Any future regulatory and accounting changes that can potentially impact such plan.
41. Banks are required to fulfill internal risk appetite requirements in the bank’s self-assessment of Pillar 1 and Pillar 2 minimum regulatory capital requirements. Banks should fulfill the minimum capital requirements plus capital buffer requirements under business as usual (BAU) conditions. Under stress testing (ST) banks should fulfill the minimum capital requirements without the requirement to meet buffer requirements.
42. The capital planning should not be limited to risk-based capital ratios but should also consider the leverage ratio of the bank. Bank should analyse and consider unaccounted foreseeable events in the capital plan, e.g. regulatory changes like the revised standardised approaches for credit, market and operational risk.
VI. Material Risks
43. As a part of its risk management practices, each bank is responsible for implementing a regular process to identify, measure, report, monitor, and mitigate risks. Such risk management process should be used as direct input into the calibration of capital demand to cover both Pillar 1 and Pillar 2 risks. The framework supporting the estimation of capital consumption for each risk type should approved by Senior Management and the Board.
44. All risks identified as material risks are expected to be addressed in the ICAAP. Risk materiality should depend on each bank’s business model and risk profile. The scope of such risk identification should cover the entire group, including all branches and subsidiaries of the bank. The Central Bank considers credit concentration risk and interest rate risk in the banking book (IRRBB) as defined in this Guidance, as material risks. Given the growing risk universe outside of traditional Pillar 1 risks, each bank must define, update, and review the applicable ICAAP risks on a continuous basis (e.g. quarterly).
45. The identification of risks should distinguish between direct risks and indirect risks. Direct risks are explicit and commonly identifiable risks, such as the credit risk associated with facility underwriting. Indirect risks are arising as second order consequences of direct risks and unforeseen events. For instance, an increase in fraud and cyber-attacks as a consequence of an economic downturn or a pandemic during which employees are forced to work from home. Other examples are the credit risk arising from derivatives during periods of high market volatility or the increase in credit risk resulting from a drop in collateral values following a real estate market crash.
46. The identification of risks should be supported by a regular and structured process. An inventory of risks should be recorded for each business activity and each portfolio on a regular basis. In addition to the regular updates (i.e. at least quarterly), it is expected to adjust the inventory whenever it no longer reflects the risks that are material, e.g. because a new product has been introduced or certain business activities have been expanded. This should support the production of ICAAP from one year to the next.
47. The measurement of risk should be transparent, documented, and supported by subject-matter experts throughout the bank. Each expert function should contribute to its area of expertise, in such way that the ICAAP is a reflection of a collective work substantiated by thorough analysis. Each dedicated risk team should provide a comprehensive assessment of the risk drivers and materiality of the risk they manage.
48. The estimation of the capital consumption associated with each risk should be based upon clear methodologies designed appropriately for each risk type. Each bank should identify the owner of such methodology either within the team responsible to manage risks or with a centralised team responsible for aggregating risk information and to construct the ICAAP. Ultimately, the process to identify, measure risks, and estimate the associated capital consumption should be approved by Senior Management and the Board.
49. In the case of vendor models, this includes the expectation that such models are not expected to be imported mechanistically, but rather they are expected to be fully understood by the bank and well suited for, and tailored to, its business and its risk profile.
50. The identification of risks should result in distinct types:
(i) Pillar 1 risks that are not fully captured and that are covered by insufficient capital. For instance, the market risk capital consumption under Pillar 1 might not incorporate sufficient basis risk; and
(ii) Risks that are not captured at all as part of the Pillar 1 framework.
51. Each bank should not develop separate methodologies for risk measurement, if those are not employed for risk management. The Use Test assumes that the method and conclusion of the ICAAP should be coherent with the bank’s internal practices.
52. To ensure an adequate assessment of high quality, each bank should establish, and implement an effective data quality framework, to deploy adequate processes, and control mechanisms to ensure the quality of data. The data quality framework should ensure reliable risk information that supports sound decision-making, covers all relevant risk data, and data quality dimensions.
53. The next sections contain explanations and expectations on certain risk types (e.g. Business Model Analysis (BMA) and strategic risk, Interest Rate Risk in the Banking Book, and Credit concentration risk).
A. Business Model Analysis (BMA) and Strategic Risk
54. Business model analysis embodies the risk that the bank has failed to structure its organisation and operations (expertise, systems, and processes) in a way that leads to achieving its primary business and strategic objectives.
55. Strategic risks arise when the bank’s business model, organisation structure, operations, and/or strategy are no longer adequate to deliver the objective of the bank as specified by the Board.
56. The bank should conduct regular business model analysis (BMA) to assess its business and strategic risks to determine:
(i) The ability of the bank’s current business model to deliver suitable results over the following 12 months;
(ii) The sustainability of the bank’s strategy and its ability to deliver suitable/ acceptable results over a forward-looking period of at least three (3) to five (5) years, based on the strategic plans and financial planning;
(iii) The sustainability and sufficient diversification of income over time (three (3) to five (5) years). This analysis should consider the sources and levels of income and expenses; and
(iv) The ability of the bank to deliver total financial data across the group and for each of its key business units (includes forward-looking performance and profitability).
57. An effective BMA contains a through-the-cycle view of the sustainability of the business model in its current state and against a projected view of the bank’s funding structure, return on equity (ROE), capital supply, and capital demand, the effect this has on the product, service pricing, and resource requirements. The business planning should be clear, aligned, and integrated with the bank’s strategy, governance, risk-appetite statement, recovery plans, internal controls, stress tests, and internal reporting (MIS).
58. Each bank should elaborate on the linkage and consistency between their strategic decisions, risk appetite, and the resources allocated for achieving those strategies. The bank should articulate the frequency of monitoring and quantifying changes in its financial projections (e.g. balance sheet, profit and loss, and concentrations) regularly to verify that they are consistent with the business model, risk appetite, and the achievement of the bank’s strategic goals.
59. An effective BMA enables banks to identify vulnerabilities at an early stage and assess their ability to adapt to changes in their specific operating environment therefore helps to promote the safety and soundness of banks. A well-designed and comprehensive BMA approach provides banks with the basis to understand, analyse, assess the sustainability of their business models, enhance proactive, forward-looking operations, and strategy evaluation.
60. Each bank’s business model should be based on analyses and realistic assumptions (stress tests, scenario analyses, and driver analyses, etc.) about the effect of strategic choices on financial and economic outcomes of operations performed. This will enable the bank and the Central Bank to understand the nature of the business model and the inherent risks. Each bank should perform an analysis that involves identifying, challenging the dependency of strategies on uncontrollable external factors, and assumptions (e.g. market interest rates, demand growth in the target customer markets, degree of competition in the markets, cost of entry, and compliance costs).
61. An effective BMA addresses the banks’ ability to produce aggregate financial data across the banking group as a whole, and the bank solo level, for each of its main business units and business lines. Moreover, to make the best use of this data and transform it into relevant inputs, banks need to develop and use analytical tools including stress tests, peer group assessments, profitability forecasts and analysis, and scenario analyses.
62. The documentation provided in support of the business model should contain an overview of the business activities of the bank and an overview of the structure/organisational details of the bank. For example a brief description of the business model, present financial condition, any expected changes in the present business model, the expected future business environment, business plans, and the projected financial condition for the following year.
63. The following additional information and documentation should be referenced (if not part of) the ICAAP report:
(i) Bank’s strategic plan(s) with current-year, forward-looking forecasts, and underlying economic assumptions;
(ii) Financial reporting (e.g. profit and loss (P&L), and balance sheet), covering the most recent period and the whole (forward-looking) ICAAP reporting period;
(iii) Internal reporting (e.g. management information, capital reporting, liquidity reporting, and internal risk reporting);
(iv) Recovery plans, including the results of resolvability assessment, if any, and identification of critical functions;
(v) Third-party reports (e.g. audit reports, and reports by equity/credit analysts), states their main concerns and issues;
(vi) A descriptive report on the main business lines generating revenues broken down by main products, services, other activities, geographies, and market position; and
(vii) Peer group analysis segregated by competitor bank, product, or business lines targeting the same source of profits and customers (e.g. credit card businesses targeting consumers at a particular economic stratum in a specific country.
64. Business model analysis may act as a base for the development of Reverse Stress Test scenarios.
B. Credit Risk
65. Credit risk is the risk of losses arising from a borrower or counterparty failing to meet its obligations as they fall due. Each bank should assess all its credit exposures and determine whether the risk weights applied to such exposures under the regulatory standardised approach for credit risk (Standardised Approach) are appropriate for the inherent risk of the exposures. Each bank should have the ability to assess credit risk at the portfolio level as well as at the exposure or counterparty level.
66. To ensure that each bank has sufficient capital allocated for credit risk, each bank should compare their capital consumption under two methods for all credit exposures across all asset classes: (i) the Standardised Approach and (ii) an estimation under the foundation internal-rating based approach (F-IRB) in the Basel Framework (“IRB approach: risk weight functions”, CRE31).
67. The Central Bank recognises that some banks may not have appropriately calibrated probability of defaults (PDs) for the calculation of the F-IRB approach. In the absence of such calibration, banks should rely on their 1-year PD used for IFRS provisioning purposes. Each bank should undertake this comparison at asset class level, where higher F-IRB numbers indicate additional required capital. Drivers of material differences between the two approaches should be explained.
68. If a bank uses credit risk mitigation techniques (CRMT), it should analyse and evaluate the risks associated to such mitigation under Pillar 2 risks measurement. The bank should analyse potential effects, the enforceability and the effectiveness of such CRMT, in particular in the case of real estate collaterals in order to estimate residual credit risk with prudence.
C. Market Risk
69. Market risk is the risk of losses in on- and off-balance sheet positions arising from movements in market factors such as interest rates, foreign exchange rates, equity prices, commodities prices, credit spreads, and options volatilities. Each bank should have methodologies and limits that enable it to assess and actively manage all material market risks, at several levels of granularity including position, desk, business line, or firm-wide level.
70. Under its ICAAP, each bank should assess its capital adequacy for market risk by considering methods other than the regulatory standardised approach for market risk. Each bank should start this assessment with the metrics already employed to measure market risk as part of regular risk management, including net open positions (NOP), value-at-risk (VaR), stressed VaR, and economic stress tests. The calibration of capital associated to Pillar 2 risks should be undertaken with prudence and should include risks such as concentration risk, market illiquidity, basis risk, and jump-to-default risk.
71. Ultimately, market risk capital should be designed to protect the bank against market risk volatility over the long term, including periods of stress and high volatility. Therefore, each bank should ensure that such calibration include appropriate stressed periods. The analysis should be structured based on the bank’s key drivers of market risk, including portfolios, asset classes, market risk factors, geographies, product types and tenors.
72. Each bank should analyse its amortised cost portfolio under Pillar 2, considering the difference between the market value against the book value.
D. Operational Risk
73. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, or systems, or external events. This definition includes legal risk and compliance risk but excludes strategic and reputational risk. The framework for operational risk management should cover the bank’s appetite and tolerance for operational risks, and the manner and extent to which operational risk is transferred outside the bank.
74. Operational risk is a recurrent and a material source of losses for many banks but the existing approaches (the Basic Indicator Approach (BIA), the Standardised Approach (SA), and the Alternative Standardised Approach (ASA)) for calculating Pillar 1 operational risk capital may not reliably reflect the nature and scale of potential operational risk losses. The Pillar 1 Standardised Approach for operational risk uses gross income as a measure of capital. Gross income is a risk-insensitive proxy for operational risk capital, which may lead banks to underestimate the risk. This was evident during the economic downturn in 2009, when banks’ income dropped, lowering their regulatory operational risk capital requirement, yet operational risks were either constant or even elevated in some cases. Therefore, banks should ensure that their Pillar 2 capital charge covers operational risks that are not captured by regulatory capital methodologies. The analysis should include a robust and conservative forecast of operational risk losses and respective capital requirements (at least split into conduct and non-conduct risks).
75. Legal risk is considered an operational risk. Each bank is required to analyse, assess, and quantify the impact of legal risk failures on its capital structure. Examples of legal risk include inadequate documentation, legal, regulatory incapacity, the insufficient authority of a counterparty, and contract invalidity/ unenforceability. The Legal department of each bank bear responsibility for the identification and management of this risk. They must consult with internal and external legal counsel. Subsidiaries and branches of major international banking groups typically have in-house legal departments, acting under the guidance of the group, which aims to facilitate the business of the group, by providing proactive, business-oriented advice. The outcome of legal and/or regulatory issues to which the bank is currently exposed, and others, which may arise in the future, is difficult to predict and, consequently, there can be no assurance that the outcome of a legal matters will not be material to the financial condition of the bank.
76. Given the potential impact from operational risk, each bank should evaluate under Pillar 2 risks arising from business conduct risks and money laundering / financing of terrorism. In addition, each bank should consider internal and external operational risks faced by it, including but not limited to operational cyber risk, IT risks, and outsourcing, and each bank is expected to consider ways in which it can improve its operational resilience. Each bank should provide details in the ICAAP report on the outcome of its Risk Control Self-Assessment (RCSA) process to collate bottom-up operational risk drivers across businesses.
77. Each bank should undertake quantitative stress testing based on its historical loss data and operational risk profile.
E. Credit Concentration Risk
78. Section V.D of the ICAAP Standard requires banks to address weaknesses at the portfolio level including credit concentrations risk. Credit concentration risk is the incremental credit loss in a portfolio of credit exposures, caused by high correlation between the credit risk drivers of those exposures. Such concentration risk arises mostly due to high correlations and dependencies between individual obligors (name concentration) or between economic sectors (sectoral concentration). Credit concentration risk can affect a bank’s health or core operations, liquidity, earnings and capital ratios. The Central Bank considers concentration risk as a key material Pillar 2 risk for all UAE banks.
79. Consequently, credit concentration arises when large exposures are associated with a small number of obligors or a small number of sectors, but not only. Credit concentration risk can arise from a seemingly granular portfolio but with high correlation between the obligors’ risk drivers.
80. In accordance with the Central Bank re Large Exposures - Credit Concentrations Limits (Notice No.226/2018), an exposure is deemed large if it accounts for more than 10% of a bank’s capital. Such threshold has been implemented for regulatory purposes. The measurement of concentration risk for risk management purposes and for determining Pillar 2 risk capital requirements should refer to the wider definition of concentration risk. Each bank is exposed to a degree of concentration risk, even when complying with the Large Exposure Regulation.
81. Each bank should perform a detailed risk analysis specific to the Real Estate exposures (RE) of the bank and the Central Bank re Standards for Real Estate Exposures (Notice No. 5733/2021).
82. Credit concentration risk is a common feature of UAE banks, but currently the Central Bank regulations for banks do not include an explicit Pillar 1 capital requirement for name and sector concentration risk. Credit concentration risk is a key prudential risk for which the capital requirement is at the discretion of banks, and it should be held under Pillar 2. This risk should warrant particular attention from each bank. In particular:
(i) For the purpose of risk management, each bank should ensure that credit concentration risk is pro-actively and efficiently addressed. Each bank should develop policies and procedures for the identification, measurement, monitoring, and reporting of credit concentration risk. Credit concentration risk arises from exposures to obligors structured as conglomerates. Therefore each bank should have a mechanism in place to identify and aggregate exposures across related entities based on their legal relationships. Data should be aggregated across systems operated by different business units or entities. This should be indicated through the bank’s management information system (MIS);
(ii) For the purpose of estimating the Pillar 2 capital associated with credit concentration risk, each bank should build upon the methodologies employed for risk management. These methods should be developed further, as deemed appropriate, in order to fully measure the additional capital. Each bank should compare several methodologies and propose a choice based on clear and documented justification. At a minimum, each bank should calculate and report the additional capital using the Herfindahl-Hirschman Index (HHI) methodology; and
(iii) For the purpose of capital planning, each bank should ensure that concentration risk is taken into account adequately within its ICAAP. Each bank should assess the amount of capital, which it consider adequate to hold given the level of concentration risk in their portfolios and given their business plan and the expected economic environment.
F. Interest Rate Risk in the Banking Book (IRRBB)
83. IRRBB is the risk of loss in the banking book caused by changes in interest rates. Interest rate risk can arise both in the banking book and/or the trading book. While interest rate risk in the trading book is addressed under the Pillar 1 market risk framework, the interest rate risk in the banking book should be addressed under Pillar 2. Conventional banks refer to this risk as IRRBB while Islamic banks are exposed to the analogous risk called profit rate risk in the banking book (PRRBB).
84. Each bank should define a risk appetite pertaining to IRRRB that should be approved by the Board and implemented through a comprehensive risk appetite framework, i.e. policies and procedures for limiting and controlling IRRBB. Each bank should have a process supported by adequate policies to manage IRRBB appropriately. This involves, as for any other risk, comprehensive identification, measurement, reporting, monitoring, and mitigation.
85. The measurement process should be based upon several existing Standards and Guidance:
(i) Central Bank “Standards re Capital Adequacy of Banks in the UAE - ICAAP Standards”;
(ii) Central Bank “Regulation and Standards re Interest Rate & Rate of Return Risk in the Banking Book” in 2018 (Notice 3021/2018 and Circular 165/2018);
(iii) Central Bank Model Management Standards and Guidance in 2022 (Notice 5052/2022); and
(iv) Basel Framework - Interest Rate Risk in the Banking Book (SRP 31).
Measurement
86. The assessment should include all positions of each bank’s potential basis risk, re-pricing gaps, commercial margins, gaps for material currencies optionality, and non-maturing deposits. The quantitative impact analysis should be supported by description and analysis of the key assumptions made by the bank, in particular, assumptions regarding loan prepayments, the behaviour of non-maturity deposits (CASA), non-rated sensitive assets, contractual interest rate ceilings or floors for adjustable-rate items, and measuring the frequency of the interest rate risk in the banking book.
87. DSIBs and other banks with significant interest rate risk (IRR) exposure should compute the economic value of equity (EVE) at a granular facility level, while non-DSIBs may compute EVE at exposure level, which is based upon the summation of discounted gap risk across time buckets, rather than a granular net present value (NPV) estimation at exposure level.
Scenarios
88. For the purpose of capital calibration, each bank should employ the interest rate shock scenarios corresponding to Table 12 of Central Bank Model Management Guidance and table 2 of the SRP 31 for their AED and non-AED positions respectively.
89. In addition to the standard shocks prescribed above, DSIBs and other banks with significant exposure to interest rate risk are expected to apply further shocks/ idiosyncratic scenarios, which will take into account:
• The bank’s inherent risk profile;
• Historical shocks experienced by the bank due to market sentiment and corresponding to macro-financial factors; and
• Additional scenarios prescribed by the Central Bank specifically through supervisory interactions or financial stability processes.
Capital Calculation
90. The capital requirement should be aggregated across all currencies and scenarios conservatively.
91. The estimation of the Pillar 2 capital corresponding to IRRBB should be based on the most conservative loss arising from (i) the change in the economic value of equity (ΔEVE), and (ii) the change in net interest income (ΔNII). The most conservative result should be considered across all the scenarios calibrated by the bank. (In avoidance of doubt, the allocated capital for IRRBB should not be lower than the maximum of the absolute EVE impact and the absolute NII impact: Max(abs(EVE impact), abs(NII impact).
92. The Central Bank considers a bank as an outlier when the IRRBB EVE impact based on the standard parallel shock leads to an economic value decline of more than 15% of its Tier 1 capital. The Central Bank may request an outlier bank to:
(i) Reduce its IRRBB exposures (e.g. by hedging);
(ii) Raise additional capital;
(iii) Set constraints on the internal risk parameters used by a bank; and/ or
(iv) Improve its risk management framework.
93. Irrespective of the approach or model chosen by the bank, at a minimum each bank should calculate and report IRRBB using the methodology described by the Central Bank Model Management Standards and Guidance.
G. Model Risk
94. Models have become an integral part of decision-making in the banking sector for risk management, business decisions, and accounting. Inaccurate model results, e.g. based on wrong assumptions or valuations, may lead to actual or potential financial losses or an underestimation of risks. Therefore, the Central Bank considers model risk a significant risk type.
95. Simple models should not be confused with poorly designed models. Poorly designed models can be misleading and interfere with sound decision-making. Small and/or unsophisticated banks can employ simple models. However, they cannot employ poorly designed models. Each bank should manage model risk in accordance to the Central Bank Model Management Standards and Guidance.
96. Model risk should be incorporated in each banks’ risk framework alongside other key risks, as inherent consequences of conducting their activities (refer to Appendix 3.2). Consequently, model risk should be managed through a formal process incorporating the bank’s appetite for model uncertainty. The framework should be designed to identify, measure, monitor, and mitigate this risk. A bank should mitigate a large appetite for model risk by counter-measures such as conservative buffers on model results and/ or additional allocated Pillar 2 capital.
97. The Central Bank recognises that the estimation of model risk is challenging. However, each bank should demonstrate that they have implemented steps to measure the potential losses arising from model risk. At minimum, each bank should implement a grouping approach to categorise models according to their associated model risk. The uncertainty and losses arising from models should be estimated by using a range of different techniques, including:
(i) Internal and external validations;
(ii) Comparison against alternative models;
(iii) Sensitivity analysis; and
(iv) Stress tests.
98. Each bank should also consider the quality of its model risk management in the model risk analysis, including but not limited to the quality of model documentation, data, assumptions, validation, staff, implementation, and usage.
Risk Diversification Effects
99. Each bank is expected to take a prudent approach whenever assuming risk diversification effects. Furthermore, each bank should be aware that the Central Bank as a matter of principle will not take into account inter-risk diversification in the SREP. Banks should be cognisant of this when applying inter-risk diversification in its ICAAP.
H. Financial Risks from Climate Change
100. Banks are expected to build up Board awareness and understanding of the financial risks arising from climate change and how they will affect their business models. Each bank should use scenario analysis and stress tests to improve the risk identification process, to understand the short- and long-term financial risks to their business model from climate change, and to develop appropriate strategies accordingly.
I. Liquidity Risk and Funding Cost
101. Though capital is not a direct mitigation for liquidity risk and liquidity is not a mitigation for capital risk, both risk types are interlinked. The Internal Capital Adequacy Assessment Process (ICAAP) and the Internal Liquidity Adequacy Assessment Process (ILAAP) are expected to inform each other; with respect to the underlying assumptions, stress test results, and forecasted management actions. Each bank is expected to assess the potential impact of scenarios, integrating capital and liquidity impacts, and potential feedback processes, taking into account, in particular, losses arising from the liquidation of assets, increased funding costs or availability of funding during periods of stress.
102. For example, each bank is expected to assess the impact of deteriorating capital levels, as projected in the ICAAP, on their liquidity. A downgrade by an external rating agency could, for example, have direct implications for the refinancing ability of the bank. Vice versa, changes in funding cost could impact capital adequacy.
VII. ICAAP Stress Test and Reverse Stress Test
103. Stress test helps to improve the bank’s understanding of the vulnerabilities that it faces under exceptional, but plausible events, and provide the bank with an indication of how much capital might be needed to absorb losses if such events occur, which supplements other risk management approaches and measures. These events can be financial, operational, legal, or relate to any other risk that may have an economic impact on the bank. The results derived from stress tests can also assist the bank in determining the appropriate appetite for different types of risks and in estimating the amount of capital that should be set aside to cover them.
104. Each bank is required to implement a stress testing framework to address both the needs of the ICAAP and broader risk management. Stress tests and the stress test outcome analysis should not be confined to the ICAAP. It should be designed to support decision-making across the bank as explained in this section.
105. Each bank should perform an in-depth review of its potential vulnerabilities, capturing all material risks on a bank-wide basis that result from its business model and operating environment in the context of adverse events, stressed macroeconomic (e.g. economic cycle risk), and financial conditions.
106. As part of the ICAAP exercise, each bank should carry out integrated, regular, rigorous, and forward-looking stress tests that are appropriate to the nature of the bank’s business model and major sources of risk. The frequency should be annually and more frequently, when necessary, depending on the individual circumstances.
107. The Central Bank may challenge the key assumptions and their continuing relevance to ensure that there is sufficient capital to withstand the impact of possible adverse events and/ or changes in market conditions.
Governance
108. The Board is responsible for the effective implementation of the stress tests framework through appropriate delegation to Senior Management and subject-matter experts across the bank. This framework should be supported by robust governance, processes, methods, and systems with associated policies and procedures approved by the Board. The Board is not only responsible for the stress testing policies, but also for oversight of the stress testing execution. It is also responsible for the potential measures to mitigate stress scenario outcomes and the key decisions and actions taken based on the stress testing results, such as the consideration of stress testing outcomes in strategy and capital planning.
109. The stakeholders involved in a particular stress testing framework depend on the type of stress tests. The scenario design, quantification of impact and the identification of mitigating actions will involve a range of subject matter experts across the bank. Stress test-related activities are not the sole responsibility of the team in charge of preparing the ICAAP or in charge of the stress testing programme. Rather, the execution of stress tests is a collective exercise, whereby numerous stakeholders contribute to the design, measurement, reporting and analysis of stress tests. Stakeholders should include Senior Management and the Board.
Types of stress test exercises
110. Each bank is required to establish several distinct forms of stress test exercises as described hereunder, however for the purposes of an ICAAP the minimum expectation is to conduct internal enterprise-wide stress tests and portfolio-level stress tests. Regulatory stress tests are not acceptable as the only form of internal stress tests:
a) Internal enterprise-wide stress tests: The purpose of these exercises to analyse the impact of stress events on the entire bank’s solvency, profitability, stability, and capital. The methodology and scope of such stress tests should be designed to address the specific risk profile of each bank, and will thus differ from regulatory stress tests. These exercises are generally executed as top-down exercises, with the objective to capture a wide scope of risks and portfolios. Such exercise should support strategic decision related to the risk appetite of the bank, its risk profile, and its portfolio allocation. Each bank should employ at least three (3) scenarios in the execution of internal enterprise-wide stress tests.
b) Internal portfolio-level stress tests: The purpose of these exercises to execute frequent, variable and proactive stress tests on the various portfolios of the bank. These stress tests are generally executed as bottom-up exercises, with the objective to measure the stress impact at portfolio level accurately. The scenarios and the methodologies should be granular and fully tailored to the risk profile of each portfolio. Deteriorating economic circumstances are typically the drivers for conducting unscheduled stress tests on a particular portfolio, for example a declining outlook in the residential real estate sector would motivate a stress tests on the commensurate portfolio. These stress tests can result in the identification of risks that were not captured by the enterprise-wide stresses. Consequently, these exercises should support, motivate strategic, and tactical decisions at portfolio and/or facility level.
c) Regulatory stress tests: These exercises are commissioned by the Central Bank or other supervisors, to whom banks’ foreign subsidiaries are accountable. These exercises follow the scenarios and methodologies prescribed by supervisors, which cover most of the bank’s portfolio. The purpose of such an exercise is to analyse the impact of stress events on the entire bank in order to assess its solvency, profitability, stability, and ultimately the suitability of its capital. While these exercises are originally designed to inform regulators for supervision purposes, they should also inform Senior Management and steer internal decision-making.
111. The frequency of stress test exercises should depend on their type, scope, depth, and on the wider economic context. Each bank should execute enterprise-wide stress tests based on a set of scenarios regularly at least quarterly is recommend. Each bank should execute portfolio-level stress tests more frequently depending on the needs of risk management and the business functions. Market risk stress tests in particular may have to be performed more frequently.
112. The capital impact results of these stress tests should be analysed, compared, incorporated, and presented in the ICAAP. One or several internal enterprise-wide stress test outcomes should be explicitly incorporated in the capital planning, and presented accordingly in the ICAAP capital planning section. The results from all types of stress tests exercise should be employed by Senior Management and the Board to assess the suitability of the bank’s capital.
Scenarios
113. Stress test scenarios should be designed to capture the risks and potential losses appropriately, in coherence with the characteristics of each bank’s risk profile and portfolio. The scope of these scenarios should cover all the risks identified as part of the identification process documented in the ICAAP. At a minimum, the scope of risks should cover strategic risk, credit risk, market risk, counterparty risk, operational risk, liquidity risk, IRRBB, credit concentration risk, funding risk, reputational risk, and climate risk.
114. Stress scenarios should lead to a reliable measurement of loss under extreme but plausible events. Such scenarios are essential tool to support risk quantification in providing impact on Pillar 1 and Pillar 2. Consequently, the scenario design should be supported by a clear choice of risk factors and associated shocks. Several types of design are commonly employed:
(i) Sensitivity analysis involve shifting the values of an individual risk factor or several risk factors by using standardised shocks. Sensitivity analysis is employed to estimate the P&L profile and risks to the bank from a range of shocks. This is particularly useful to identify non-linear response in the loss profile. For instance, this could include measuring NII with parallel shifts of +/-50bp, +/-100bp, +/-150bp and higher shocks applied to a yield curve. It also includes measuring expected credit loss (ECL) and capital requirements with standard parallel shocks of +/-100bp, +/-200bp, +/-300bp applied to the PD term structure of a given portfolio (e.g. worsening of credit spreads, adverse changes in interest rates, other macroeconomic or idiosyncratic variables).
(ii) Scenario analysis involves measuring the combined effect of several risk factors with shocks designed in coherence with an economic narrative affecting the bank’s business operations simultaneously. Such narrative should be based on an analysis of the current economic conditions, the business environment and the operating conditions of the bank. The scope of events should be broad, consider an appropriate range of risk types, and geographies. The narrative should be constructed with a clear sequence of unfolding events leading to (a) direct risks, (b) second-order risks, and/or (c) systemic risks, and how these risks affect the profit and loss profile and risks of the bank based on a scale of shocks (e.g. an economic recession coupled with a tightening of market liquidity and declining asset prices). The scope of the narrative should take into account the economic environment and the features of each portfolio in scope. The calibration of shocks should be supported by rigorous methodologies using (a) historical data and past events, and/or (b) forward-looking assumptions. Practitioners refer to ‘historical scenarios’ and ‘hypothetical scenarios’.
115. Each bank is expected to continuously monitor and identify new threats, vulnerabilities and changes in the environment to assess whether its stress testing scenarios remain appropriate at least quarterly and, if not, adapt them to the new circumstances. The impact of the scenarios is expected to be updated regularly (e.g. quarterly). In case of any material changes, the bank is expected to assess their potential impact on its capital adequacy over the course of the year.
116. If the bank forecasts the increase of its capital base (e.g. capital issuances, rights issues, reduction in the equity, etc.) and the capital planning reflects the proposed changes, the bank must perform an additional stress scenario. In these additional stress scenarios the bank should analyse the impact under the assumption that the capital increase does not materialise. The impact analysis should include management actions and formal trigger points.
Methodology
117. The process of stress tests should be supported by robust and documented methodologies. All models employed in the quantification of stress results should comply with the requirements presented in the Central Bank Model Management Standards and Guidance.
118. For the measurement of capital under stress, each bank should employ a dedicated financial model to forecast their financial statements under several economic conditions. Such projection should be constructed over a minimum of three (3) years, in coherence with the most recent capital plan and with the Central Bank regulatory exercise.
119. Stress scenarios may be derived from stochastic models or historical events, and can be developed with varying degrees of precision, depth, and severity, particularly the impact on asset quality, profitability, and capital adequacy. Each bank should consider three (3) to five (5) scenarios (each scenario can have multiple severity levels (i.e. Low, medium, and high). Although it is expected to consider the supervisory stress tests (“stress test exercise of the Financial Stability Department (FSD)”) as one scenario, it is the bank’s responsibility to define scenarios and sensitivities in the manner that best addresses its situation and to translate them into risk, loss, and capital figures.
Use Test
120. Stress tests should support decision-making throughout the bank effectively. Stress tests should be embedded in banks’ business decision-making and risk management process at several levels of the organisation. Senior Management and the Board should lead and approve all assumptions, the methodology framework and authorise the use of stress test results.
121. Stress tests do not stop with the production of results. Risk mitigations should always be considered in light of the stress severity and likelihood. If no action is deemed necessary, this should be documented and clearly justified.
Reverse Stress Test
122. In addition to normal stress testing, each bank is expected to conduct reverse stress tests. Reverse stress tests start with the identification of a pre-defined outcome where the bank’s business model becomes non-viable (e.g. through insolvency), or it breaches supervisory compliance minima, e.g. by breaching minimum capital requirements (i.e. the bank will breach the regulatory capital buffer and minimum capital requirements). The next step is to assess which scenarios and shocks lead to that identified outcome. Finally, the objective is to assess whether the likelihood of occurrence is realistic and the impact warrants mitigating actions. If a bank considers mitigation strategies, e.g. hedging strategies, the bank should consider if such strategies would be viable. For example, a market that is stressed at a financial system level may be characterised by a lack of market liquidity and increased counterparty credit risk.
123. Effective reverse stress testing is a challenging exercise that requires the involvement of all material risk areas across the bank’s subject matter experts, Senior Management, and the Board.
124. Each bank should conduct a reverse stress test at least once a year. A well-designed reverse stress test should also include enough diagnostic information to allow the identification of the sources of potential failure. This enables proactive risk management actions and implementation of an appropriate strategy for refined risk monitoring, prevention, and mitigation. The reverse stress test requires each bank to consider scenarios beyond normal business forecasts and aids identification of events linked to contagion with potential systemic implications. Reverse stress testing has important quantitative and qualitative uses, through informing Senior Management of vulnerabilities, and supporting measures to avoid them. (Please refer to Appendix 3.3).
VIII. ICAAP Submission and Approval
Submission of the ICAAP report
125. The annual ICAAP report should be submitted to the Central Bank on or before the submission dates addressed in Table 1.
126. All documents have to be submitted to the respective Central Bank reviewer by softcopy (submitted in word or pdf format), sending a copy to bsed.basel@cbuae.gov.ae.
127. The submission dates below as per Notice 2940/2022 differentiate between (i) national banks and foreign bank and (ii) size and importance of the banks: (Table 1)
Table 1 - Submission date for ICAAP Report
Banks Report for FY 2022 Report for FY 2023 onwards Large banks: FAB, ENBD, ADCB, DIB, Mashreq, ADIB, CBD 15/03/2022 01/03 Other local banks and HSBC, Standard Chartered Bank, Citibank, Arab Bank, and Bank of Baroda 31/03/2022 31/03 Other Foreign Banks 15/04/2022 15/04 Approval of the ICAAP report:
128. The ICAAP report should be approved by:
(i) Senior Management (including the CRO): The bank should use Appendix 1 – ICAAP – Mandatory disclosure form (Table 2) and include it as an attachment to the ICAAP report;
(ii) Board approval: For all local banks, the ICAAP document must be approved by the Board or Board risk committee, and Senior Management prior to submission to the Central Bank. The meeting minutes of the Board of Directors meeting should state the approval of the ICAAP document and challenges that have taken place; and
(iii) For foreign branches, the ICAAP document should be approved by (a) the managing director and/ or relevant highest committee of the bank in the UAE, and by (b) their head office, stating that the ICAAP assumptions and forecasts are in line with the group’s assumptions, forecasts, and that the group’s Board approves/ endorse the results of the ICAAP.
IX. Internal Control Review
129. The bank’s internal control structure is essential to the capital assessment process. Effective control of the internal capital adequacy assessment process should include an independent review and the involvement of both internal audit and external audit (refer to Appendix 3.1). Senior Management has a responsibility to ensure that the bank establishes a system for assessing the full scope of its risks, develops a system to relate risk to the bank’s capital level, and establishes a method for monitoring compliance with internal policies.
130. Internal Audit should perform an audit on the bank’s ICAAP report annually. The report has to be submitted no later than three (3) months after the submission of the ICAAP report to the bank’s reviewer and in copy to bsed.basel@cbuae.gov.ae.
131. Internal control functions should perform regular reviews of the risk management process to make sure its coherence, validity, and rationality. The review of the ICAAP should cover the following:
(i) Ensuring that the ICAAP is complete and suitable as of the bank’s context , operational conditions, the reliability of controls behind it;
(ii) The process of identifying all material risks;
(iii) Efficiency of the information systems that support the ICAAP;
(iv) Ensuring that the measurement methodologies in use are suitable to support the ICAAP valuation,
(v) Ensuring the accuracy, and comprehensive of the data input to the ICAAP;
(vi) Rational behind the ICAAP output and assumptions in use;
(vii) Rational and suitability of stress tests and analysis of assumptions;
(viii) Consolidation of the ICAAP outcomes with the risk management (e.g., limit setting and monitoring); and
(ix) Rational of the capital plan and internal capital targets.
132. In addition, the review should cover the integrity and validity of regulatory data submitted to the Central Bank during the course of the year relating to Pillar 1 capital requirements, which should address, but not be limited to the following:
(i) Appropriate classification of risk-weighted assets (RWA);
(ii) Appropriate inclusion of the off-balance sheet values and the application of credit conversion factors (CCF); and
(iii) Appropriate credit risk mitigation (CRM) methodology application and values.
133. The role and validity of internal control functions are also important and should be verified with regard to other topics. For example:
(i) All risk quantification methodologies and models must be subject to independent validation (internal/ external); and
(ii) Internal Audit should perform an independent review of the bank’s capital framework implementation every year in accordance with the Capital Standards. If the Central Bank is not satisfied with the quality of work performed by the bank’s Internal Audit function, the Central Bank may require an external review.
X. Frequently-Asked Questions (FAQ)
Question 1: What defines independent validation?
Answer: Independent validation can be performed by an independent function of the bank. However, in some instances an external validation/ review is required. For large banks, external validations are strongly encouraged, if not explicitly required.
Question 2: What are sustainable business model criteria?
Answer: Sustainable business models may be defined in different ways. For the purpose of this guidance, a bank will be considered to have a sustainable business model if it meets all the following criteria:
(i) The bank generates strong and stable returns, which are acceptable given its risk appetite and funding structure;
(ii) The bank does not have any material asset concentrations or unsustainable concentrated sources of income;
(iii) The bank has a strong competitive position in its chosen markets and its strategy is likely to reinforce this strength;
(iv) The bank’s forecasts are based on plausible assumptions about the future business environment; and
(v) The bank’s strategic plans are appropriate given the current business model and management’s execution capabilities.
Question 3: What is the definition of model?
Answer: A quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.
Question 4: Who should be the owner of ICAAP, Finance or Risk Management?
Answer: Multiple committees and working groups have to be involved in the ICAAP. However, Risk Management should have the ultimate responsibility for the final ICAAP outcome report, the ICAAP being in substance a risk evaluation process. The Board must approve the ICAAP, its outcomes, and the proposed mitigation actions.
Question 5: The bank uses multi-period ST scenarios over three years. Which reporting year (Y1/2/3) shall be reported in the Pillar 2 template in Appendix 2 – ICAAP: Executive summary table (Table 3)?
Answer: Banks using multi-period stress scenarios should include the most severe period of the most severe stress test results (reverse stress scenarios not considered). All other banks that perform a simpler point in time or 1-period stress scenario should include the most severe ST results (reverse stress scenarios not considered). In addition, the evaluation of Pillar 2 risks and stress test impact as of the reporting date is mandatory for all banks.
Question 6: Does the bank have to present the capital contingency plan as part of ICAAP report?, If the bank plans to inject capital, is it required to have two capital plans, one with and a second plan without capital injection?
Answer:
(i) The bank must have a Board-approved capital contingency policy. The actual capital contingency plan as a response to the ICAAP results has to be in line with the capital contingency policy and the ICAAP report should contain at least an overview of the capital contingency plan.
(ii) If the bank plan to change its capital base, the bank should have one capital plan, which reflects the capital injections (and reflects the source of injection). Injections can be considered if approved by Senior Management, if part of the official bank’s capital plan and if the Central Bank is informed on the planned capital injections. A stress test scenario has to show the impact if the injections do not materialise.
Question 7: What is the ICAAP submission timeframe and can an extension be granted?
Answer: The ICAAP submission should comply with the schedule specified in Section VIII - ICAAP Submission and Approval. An extension of the ICAAP report submission date will only be granted in exceptional cases, by the bank’s Central Bank reviewer.
Question 8: Can banks implement the IRB methodology in full (i.e. A-IRB) while reporting credit risk under the ICAAP, and is it mandatory?
Answer: The bank should apply whichever approach is deemed appropriate for their size and complexity, as the ICAAP is an internal process. The evaluation of whether the Pillar 1 capital is adequate for the bank's risk is mandatory. The F-IRB approach is an accepted approach. With the implementation of IFRS9 banks have a PD for every exposure, which may be used to calculate the F-IRB capital. It is, however, not mandatory to fully implement the F-IRB approach. Comparing regulatory capital requirements with those determined using the F-IRB does indicate to what extent regulatory Pillar 1 capital requirements may be insufficient. The comparison between the F-IRB approach and the regulatory standardised approach for credit risk has to be performed on an asset class level and the greater capital requirement should be applied in the ICAAP.
The F-IRB should follow the floor on the PD of 0.03% and apply a fixed 45% LGD. The bank may consider certain eligible collateral to reduce the LGD accordingly. The bank shall not use own estimations of the LGD under the F-IRB.
Question 9: Is it required to calculate a capital charge against the financial risks from climate change in the ICAAP? Is any calculation methodology prescribed for this?
Answer: The bank should understand risks related to climate change and their impact on the sustainability of the bank and the risks of its business strategy. Banks should develop adequate methodologies to quantify the risk with models sophistication depending on size and business model. Stress tests and scenario analysis should be explored. Banks should consider assessing their green asset ratio (GAR) which measures a bank's “green assets” as a share of its total assets as an initial tool. The risk identification process should determine whether the risk arising from climate change is a material capital risk for the bank.
Question 10: How commercial / non-commercial subsidiaries have be treated as part of the ICAAP exercise? And how to treat investments in insurance subsidiaries?
Answer: One of the key components of the ICAAP is to determine whether the capital requirement under the Standardised Approach is adequately reflecting the risk. Additional risks arising from investment in subsidiaries should be addressed and assessed in the ICAAP. The bank should consider any subsidiary including commercial, non-commercial, and insurance subsidiaries.
Question 11: The ICAAP has to be performed on consolidated level. Is it an additional requirement to perform the ICAAP also at solo level or should the ICAAP also have a solo-level analysis?
Answer: The ICAAP needs to address additional risks that are not covered (or not fully covered) under Pillar 1. The ICAAP is expected to assess capital adequacy for the bank on a stand-alone basis, at regulatory consolidated level, and for the entities of the group. The ICAAP should evaluate the capital requirement and capital adequacy of the bank at group level, following the regulatory consolidation. However, each bank should analyse whether additional risks arise from the group structure of the bank. The ICAAP guidance lays out the importance to consider the group structure when evaluating the banks' capital adequacy, in Section IV "ICAAP Methodology, Scope and Use Test”. The bank should be in a position to report, measure and manage risks arising from its subsidiaries, branches, group entities and from the consolidation process. The ICAAP should reflect the results of the bank’s analysis. Consequently, the analysis should consider all relevant levels of the group structure (consolidated, solo, entity level, and including significant affiliate investments). Additional risks may have to be addressed as a specific additional capital add-on.
Question 12: Does the bank require a separate capital plan approved by the Board, or is it sufficient to have the approved ICAAP that includes the capital plan?
Answer: The capital management policy and the ICAAP complement each other. The policy sets the framework and the capital management plan describes the capital management strategy and the steps to achieve it in compliance with the policy. The capital management plan can be a separate document. However, the ICAAP report should display the full picture, including an overview of the capital management policy and the capital management plan related to the ICAAP outcomes.
Question 13: If a bank reports regulatory operational risk capital requirements using the BIA, can the Standardised Approach be used to quantify the potential additional operational risk charge under Pillar 2 if the capital requirement is higher under the SA compared to the BIA?
Answer: The ICAAP is an internal process and the bank must determine the most adequate methodology to quantify the extent to which regulatory capital requirements for operational risk fail to adequately address the true extent of its potential operational risk losses.
Question 14: Can the bank use the market risk stress test template as shared for Central Bank Econometric Stress test exercise in its ICAAP?
Answer: The bank should determine the most adequate approach to quantify its risks. The quantification methodology should obtain internal approval. The methodology needs to be explained, validated and reasoned in detail as part of the methodology development and continuous model monitoring process.
Question 15: Does the Internal Audit (IA) review required under Section IX - Internal Control Review contradict the requirement in Appendix 3.4, which requires banks to disclose the Internal Audit findings in the ICAAP report?
Answer: The Central Bank is of the opinion that IA is not suffering a conflict of interest by reviewing a bank’s ICAAP and by disclosing its general findings and findings specific to the ICAAP in the ICAAP report. IA is involved twofold in the ICAAP report:
(i) IA has to perform a review of the ICAAP (process) periodically as part of the audit function.
(ii) IA has to perform the prescribed review for each ICAAP, to be submitted within 3 months of the submission.
The ICAAP report shall contain the most recent (available) audit findings, their status, and actions taken. (Note, that in the Capital Standards, para 13 under Introduction and Scope requires an annual review of the capital framework.)
Question 16: Why does the Standard/ Guidance not address any specifics related to Islamic banking?
Answer: The ICAAP is an internal process and the bank should determine the most adequate methodology to quantify risks arising for Islamic banks in general and Islamic banking products specifically.
Question 17: Being a branch of an international bank, is a third party validation required, as this is already conducted at the parent company/ group level covering risk frameworks, systems and models?
Answer: Branches and subsidiaries of foreign banks are required to validate the risk valuation methodologies deployed in their UAE operations. If the branch or subsidiary is applying head office methodologies, these should nevertheless be validated on branch or subsidiary level. In addition, the branch or subsidiary has to have a full understanding of the applied methodologies as it cannot fully rely on the head office.
XI. Appendices
Appendix 1 - ICAAP: Mandatory disclosure form (Table 2)
134. All banks are required to disclose the following information as a separate cover sheet when submitting the ICAAP report to the Central Bank:
Table 2 - ICAAP Mandatory Details
Bank XXXX Date 20XX Contact point name and contact details [name, email, phone number] Scope of ICAAP (entities included) [name, email, phone number] I (full name) in my role as CRO hereby confirm the following on the ICAAP report: (i) We have identified all material risks and allocated capital accordingly [tick box if completed] (ii) We have set out a 3-5 year forward looking capital plan based on the strategic/ financial plan of the bank [tick box if completed] (iii) We have implemented a 3-5 year forward-looking stress test and measured the impact on the capital position of the bank [tick box if completed] (iv) The ICAAP has been signed off by: [relevant details from Board committee (Managing Director /highest committee for foreign banks)] (v) The ICAAP has been challenged/ by the Board (highest committee for foreign banks) and the nature of the challenge will be communicated to the Central Bank [tick box if completed] CRO signature [signature] Date [date] Appendix 2 - ICAAP Executive Summary
Table 3 - ICAAP Executive Summary
As of the reporting date of the ICAAP Pillar 1 in AED '000 Pillar 1 in AED '000Pillar Pillar 2 in AED '000 Date Reporting date of the ICAAP, e.g. 31/12/2022 year with the most severe impact for the most severe ST scenario, e.g. 31/12/2024. year with the most severe impact for the most severe ST scenario, e.g. 31/12/2024. Effective Capital Conservation Buffer (CCB) (standard CCB of 2.5% + D-SIB Buffer + CCyB) in percentage points (in %) 2.50% 2.50% 2.50% Capital requirements under Business as Usual Total Pillar 1 - - - Top 3 Pillar 2 capital requirements Other Pillar 2 capital requirements Total Pillar 2 - Minimum regulatory CAR requirement (incl. CCB) 10.50% 10.50% 10.50% Actual CAR Ratio Total Capital Surplus/ deficit (Measured including capital buffer requirements) - - - Minimum CET1 regulatory requirement (incl. CCB) 7.00% 7.00% 7.00% Actual CET1 Ratio CET 1 capital surplus/ deficit (measure includes capital buffer requirements) - - - Stress Testing Minimum regulatory CAR requirement (excl. CCB) 10.50% 10.50% Actual CAR Ratio under ST Additive impact of ST on CAR Surplus / (Deficit, i.e., additional capital required) - - Minimum regulatory CET1 requirement (excl. CCB) 7.00% 7.00% Actual CET1 Ratio under ST Additive impact of ST on CET1 ratio CET1 capital surplus/ deficit (measure includes capital buffer requirements) - - 135. The ICAAP: Executive Summary Table (Table 3) above should be used for the ICAAP report for the FY2022 ICAAP report. Each bank is required to download the most current reporting template prior to finalizing the ICAAP report from the CBUAE IRR SYSTEM (BRF/BASEL Portal) (CBUAE IRR), in the live environment for banks:
(i) Detailed reporting template including description (this report must be available upon request); and
(ii) Executive Summary report (should form part of the ICAAP report Executive Summary).
Appendix 3 – Additional Requirements for the ICAAP
3.1 Governance and Risk Management
136. In the ICAAP report, each bank should provide high level summaries of key areas of the risk framework of the bank: organisational structure, governance framework, risk management function and the risk control function. The bank’s high level summaries should refer to the relevant policies, procedures, manuals, and limits:
3.1.1 Organisational Structure
137. Each bank is expected to describe how
(i) The bank’s Board encourages a risk culture and prudent behaviours at all levels;
(ii) The Board Risk Committee (“BRC”) provides oversight and challenges the risk exposures, risk appetite, and tolerance; and
(iii) The Risk Management Function (RMF) is structured, including reporting lines and a summary of functions and responsibilities. The RMF should have authority, responsibilities, and resources, to conduct risk related policies and the risk management framework, and committees addressing the risk function.
3.1.2 Governance Framework
138. Each bank is expected to describe
(i) Board and Senior Management oversight (i.e. ICAAP governance framework with a description of responsibilities, and the separation of functions);
(ii) Arrangements through which the Board and Senior Management define the bank-wide risk appetite;
(iii) Relevant policies and risk appetite/limits/tolerance; and
(iv) How the Chief Risk Officer (CRO) is held responsible for the methodology and utilisation of the ICAAP, including
• reporting comprehensive, comprehensible information on risks; and
• advising the Board independently and objectively, enabling them to understand the bank’s overall risk profile and to effectively discharge their responsibilities.
3.1.3 Risk Management Function (RMF) and Risk Control Function
139. With regard to the bank’s risk management and control function, the ICAAP report is expected to describe
(i) How the RMF has access to all business lines and other units that might have possibility in generating risk , and to all relevant subsidiaries, and affiliates;
(ii) RMF processes/ practices/ mechanisms through which the bank effectively identifies, measures, monitors, and reports material risks;
(iii) Mechanisms that ensure that the policies, methodologies, controls, and risk monitoring systems are developed, validated, maintained and appropriately approved;
(iv) Processes to effectively identify and review the changes in risks arising from the bank’s strategy, business model, new products, and changes in the economic environment;
(v) Capital contingency plans for surviving unexpected events;
(vi) Risk management information systems (MIS) that ensure:
• That the bank distributes regular, accurate, and timely information on the bank’s aggregate risk profile internally;
• The appropriate frequency and distribution of risk management information;
• Early warning processes for pre-empting capital limit breaches; and
• Internal decision-making process are facilitated to allow the bank’s management to authorize remedial actions before capital adequacy is compromised.
(vii) The bank’s risk appetite as defined and used in the preparation of the ICAAP, which should be consistently referenced for taking business decisions;
(viii) Risk quantification methodologies that are clearly articulated and documented, including high-level risk measurement assumptions and parameters;
(ix) The approaches used to assess capital adequacy, which should include the stress test framework and a well-articulated definition of capital adequacy;
(x) The capital planning process objectives, which should be forward-looking and aligned to the bank’s business model and strategy;
(xi) Capital allocation processes including monitoring among business lines and identified risk types (e.g. risk limits defined for business lines, entities, or individual risks should be consistent to ensure the overall adequacy of the bank’s internal capital resources); and
(xii) The boundary of entities included,
(xiii) The process of risk identification, and
(xiv) The bank’s risk inventory and classification, reflecting the materiality of risks and the treatment of those risks through capital.
140. The internal control functions should play a vital role in contributing to the formation of a sustainable business strategy. The ICAAP report should describe the following with regard to internal control functions:
(i) The responsibilities of Internal Audit and Compliance concerning risk management;
(ii) Any relevant internal and external audit reviews of risk management and the conclusions reached; and
(iii) Outsourcing arrangements that have a material effect on internal capital adequacy management, if any. This should elaborate the bank’s reliance on, or use of, any third parties such as external consultants or suppliers. The bank should provide a high-level summary reports or reviews of the outsourced functions’ related policy documentation and processes.
3.2 Models
141. The ICAAP report is required to address models used to comply with regulatory and accounting requirements, and those used for internal capital management, including but not limited to models used for:
(i) IFRS9 accounting requirements;
(ii) The appropriate assessment of Pillar 1 risks for capital requirements under the Pillar 2;
(iii) The appropriate assessment of Pillar 2 risks for capital requirements;
(iv) Regulatory stress tests requirements;
(v) Risk Management Regulations;
(vi) Valuation adjustments; and
(vii) Pricing models, capital allocation models, and budgeting models.
3.3 Reverse Stress Testing
142. In addition to normal stress testing, each bank is expected to conduct reverse stress tests and document the process and outcomes of the process in the ICAAP report.
143. Banks are expected to apply a mix of qualitative analyses and quantitative analyses, which may vary in relation to the nature, scale, and complexity of the banks’ business activities and the risks associated with those activities. Accordingly, it may be acceptable for smaller and less complex banks to develop reverse stress tests that focus more on qualitative analyses, while larger and more banks that are complex should include more quantitative elements alongside the qualitative analyses. Appropriate scenarios differ based on each bank economic circumstances, business model and risk drivers.
144. A bank may consider implementing the following steps, which are presented purely for illustrative purposes:
(i) Define specific trigger points that could threaten the bank’s viability or solvency. Such trigger points may involve situations in which:
• The bank’s capital or liquidity positions fall below the minimum regulatory requirements;
• Specific indicators which, if hit, reflect a loss of confidence by the bank’s counterparties (e.g. access to wholesale funding markets denied) or by depositors (e.g. deposit run-off rates reach a significant level); or
• The bank is unable to repay its debt obligations. Some of the indicators may render the banks unviable (e.g. due to illiquidity resulting from a substantial and rapid deposit run) before it becomes insolvent.
(ii) Reverse-engineering the bank’s business model to the point that the trigger points are breached. In this way, it is possible to identify what adverse but plausible financial or non-financial events, either independently or combined, cause the bank to reach those trigger points notwithstanding existing management actions. That is, for reverse stress testing purposes, the bank is to tweak the parameters of a stress scenario until the point at which current systems and controls (e.g. accepted risk limits, controls, exposures and collaterals, etc.) are not able to prevent the bank from hitting the trigger point(s). The bank should understand the parameters and conditions in the scenario that precipitate a failed reverse stress test to analyse its risks and weaknesses. Feasible remedial actions should be designed that could prevent the consequences of such a scenario. For example, the bank could amend its business strategy regarding a specific sector.
3.4 Supplementary Content Required in an ICAAP Report
145. The following supplementary topics should be documented in the ICAAP report.
(a) Summary of outstanding findings and required management actions from pertinent assessments, examinations and audits (e.g. current outstanding actions emanating from internal audits, external audits, risk management assessments, capital management reviews, Central Bank examinations, and Pillar 3, etc.), including the status of official actions;
(b) Key items which warrant immediate Central Bank attention, such as a projected shortfall in regulatory minimum capital amount; a breach in outlier status under IRRBB, and any other material risks;
(c) A list of the major changes compared to the previous ICAAP report, e.g. changes in data, MIS, organisation, process, and methodology; and
(d) Key actions resulting from ICAAP discussions with the Board of Directors, in the form of meeting minutes included as an Appendix. (Relevant evidence should be made available upon request).