XI. Appendices
Appendix 1 - ICAAP: Mandatory disclosure form (Table 2)
134. All banks are required to disclose the following information as a separate cover sheet when submitting the ICAAP report to the Central Bank:
Table 2 - ICAAP Mandatory Details
Bank XXXX Date 20XX Contact point name and contact details [name, email, phone number] Scope of ICAAP (entities included) [name, email, phone number] I (full name) in my role as CRO hereby confirm the following on the ICAAP report: (i) We have identified all material risks and allocated capital accordingly [tick box if completed] (ii) We have set out a 3-5 year forward looking capital plan based on the strategic/ financial plan of the bank [tick box if completed] (iii) We have implemented a 3-5 year forward-looking stress test and measured the impact on the capital position of the bank [tick box if completed] (iv) The ICAAP has been signed off by: [relevant details from Board committee (Managing Director /highest committee for foreign banks)] (v) The ICAAP has been challenged/ by the Board (highest committee for foreign banks) and the nature of the challenge will be communicated to the Central Bank [tick box if completed] CRO signature [signature] Date [date] Appendix 2 - ICAAP Executive Summary
Table 3 - ICAAP Executive Summary
As of the reporting date of the ICAAP Pillar 1 in AED '000 Pillar 1 in AED '000Pillar Pillar 2 in AED '000 Date Reporting date of the ICAAP, e.g. 31/12/2022 year with the most severe impact for the most severe ST scenario, e.g. 31/12/2024. year with the most severe impact for the most severe ST scenario, e.g. 31/12/2024. Effective Capital Conservation Buffer (CCB) (standard CCB of 2.5% + D-SIB Buffer + CCyB) in percentage points (in %) 2.50% 2.50% 2.50% Capital requirements under Business as Usual Total Pillar 1 - - - Top 3 Pillar 2 capital requirements Other Pillar 2 capital requirements Total Pillar 2 - Minimum regulatory CAR requirement (incl. CCB) 10.50% 10.50% 10.50% Actual CAR Ratio Total Capital Surplus/ deficit (Measured including capital buffer requirements) - - - Minimum CET1 regulatory requirement (incl. CCB) 7.00% 7.00% 7.00% Actual CET1 Ratio CET 1 capital surplus/ deficit (measure includes capital buffer requirements) - - - Stress Testing Minimum regulatory CAR requirement (excl. CCB) 10.50% 10.50% Actual CAR Ratio under ST Additive impact of ST on CAR Surplus / (Deficit, i.e., additional capital required) - - Minimum regulatory CET1 requirement (excl. CCB) 7.00% 7.00% Actual CET1 Ratio under ST Additive impact of ST on CET1 ratio CET1 capital surplus/ deficit (measure includes capital buffer requirements) - - 135. The ICAAP: Executive Summary Table (Table 3) above should be used for the ICAAP report for the FY2022 ICAAP report. Each bank is required to download the most current reporting template prior to finalizing the ICAAP report from the CBUAE IRR SYSTEM (BRF/BASEL Portal) (CBUAE IRR), in the live environment for banks:
(i) Detailed reporting template including description (this report must be available upon request); and
(ii) Executive Summary report (should form part of the ICAAP report Executive Summary).
Appendix 3 – Additional Requirements for the ICAAP
3.1 Governance and Risk Management
136. In the ICAAP report, each bank should provide high level summaries of key areas of the risk framework of the bank: organisational structure, governance framework, risk management function and the risk control function. The bank’s high level summaries should refer to the relevant policies, procedures, manuals, and limits:
3.1.1 Organisational Structure
137. Each bank is expected to describe how
(i) The bank’s Board encourages a risk culture and prudent behaviours at all levels;
(ii) The Board Risk Committee (“BRC”) provides oversight and challenges the risk exposures, risk appetite, and tolerance; and
(iii) The Risk Management Function (RMF) is structured, including reporting lines and a summary of functions and responsibilities. The RMF should have authority, responsibilities, and resources, to conduct risk related policies and the risk management framework, and committees addressing the risk function.
3.1.2 Governance Framework
138. Each bank is expected to describe
(i) Board and Senior Management oversight (i.e. ICAAP governance framework with a description of responsibilities, and the separation of functions);
(ii) Arrangements through which the Board and Senior Management define the bank-wide risk appetite;
(iii) Relevant policies and risk appetite/limits/tolerance; and
(iv) How the Chief Risk Officer (CRO) is held responsible for the methodology and utilisation of the ICAAP, including
• reporting comprehensive, comprehensible information on risks; and
• advising the Board independently and objectively, enabling them to understand the bank’s overall risk profile and to effectively discharge their responsibilities.
3.1.3 Risk Management Function (RMF) and Risk Control Function
139. With regard to the bank’s risk management and control function, the ICAAP report is expected to describe
(i) How the RMF has access to all business lines and other units that might have possibility in generating risk , and to all relevant subsidiaries, and affiliates;
(ii) RMF processes/ practices/ mechanisms through which the bank effectively identifies, measures, monitors, and reports material risks;
(iii) Mechanisms that ensure that the policies, methodologies, controls, and risk monitoring systems are developed, validated, maintained and appropriately approved;
(iv) Processes to effectively identify and review the changes in risks arising from the bank’s strategy, business model, new products, and changes in the economic environment;
(v) Capital contingency plans for surviving unexpected events;
(vi) Risk management information systems (MIS) that ensure:
• That the bank distributes regular, accurate, and timely information on the bank’s aggregate risk profile internally;
• The appropriate frequency and distribution of risk management information;
• Early warning processes for pre-empting capital limit breaches; and
• Internal decision-making process are facilitated to allow the bank’s management to authorize remedial actions before capital adequacy is compromised.
(vii) The bank’s risk appetite as defined and used in the preparation of the ICAAP, which should be consistently referenced for taking business decisions;
(viii) Risk quantification methodologies that are clearly articulated and documented, including high-level risk measurement assumptions and parameters;
(ix) The approaches used to assess capital adequacy, which should include the stress test framework and a well-articulated definition of capital adequacy;
(x) The capital planning process objectives, which should be forward-looking and aligned to the bank’s business model and strategy;
(xi) Capital allocation processes including monitoring among business lines and identified risk types (e.g. risk limits defined for business lines, entities, or individual risks should be consistent to ensure the overall adequacy of the bank’s internal capital resources); and
(xii) The boundary of entities included,
(xiii) The process of risk identification, and
(xiv) The bank’s risk inventory and classification, reflecting the materiality of risks and the treatment of those risks through capital.
140. The internal control functions should play a vital role in contributing to the formation of a sustainable business strategy. The ICAAP report should describe the following with regard to internal control functions:
(i) The responsibilities of Internal Audit and Compliance concerning risk management;
(ii) Any relevant internal and external audit reviews of risk management and the conclusions reached; and
(iii) Outsourcing arrangements that have a material effect on internal capital adequacy management, if any. This should elaborate the bank’s reliance on, or use of, any third parties such as external consultants or suppliers. The bank should provide a high-level summary reports or reviews of the outsourced functions’ related policy documentation and processes.
3.2 Models
141. The ICAAP report is required to address models used to comply with regulatory and accounting requirements, and those used for internal capital management, including but not limited to models used for:
(i) IFRS9 accounting requirements;
(ii) The appropriate assessment of Pillar 1 risks for capital requirements under the Pillar 2;
(iii) The appropriate assessment of Pillar 2 risks for capital requirements;
(iv) Regulatory stress tests requirements;
(v) Risk Management Regulations;
(vi) Valuation adjustments; and
(vii) Pricing models, capital allocation models, and budgeting models.
3.3 Reverse Stress Testing
142. In addition to normal stress testing, each bank is expected to conduct reverse stress tests and document the process and outcomes of the process in the ICAAP report.
143. Banks are expected to apply a mix of qualitative analyses and quantitative analyses, which may vary in relation to the nature, scale, and complexity of the banks’ business activities and the risks associated with those activities. Accordingly, it may be acceptable for smaller and less complex banks to develop reverse stress tests that focus more on qualitative analyses, while larger and more banks that are complex should include more quantitative elements alongside the qualitative analyses. Appropriate scenarios differ based on each bank economic circumstances, business model and risk drivers.
144. A bank may consider implementing the following steps, which are presented purely for illustrative purposes:
(i) Define specific trigger points that could threaten the bank’s viability or solvency. Such trigger points may involve situations in which:
• The bank’s capital or liquidity positions fall below the minimum regulatory requirements;
• Specific indicators which, if hit, reflect a loss of confidence by the bank’s counterparties (e.g. access to wholesale funding markets denied) or by depositors (e.g. deposit run-off rates reach a significant level); or
• The bank is unable to repay its debt obligations. Some of the indicators may render the banks unviable (e.g. due to illiquidity resulting from a substantial and rapid deposit run) before it becomes insolvent.
(ii) Reverse-engineering the bank’s business model to the point that the trigger points are breached. In this way, it is possible to identify what adverse but plausible financial or non-financial events, either independently or combined, cause the bank to reach those trigger points notwithstanding existing management actions. That is, for reverse stress testing purposes, the bank is to tweak the parameters of a stress scenario until the point at which current systems and controls (e.g. accepted risk limits, controls, exposures and collaterals, etc.) are not able to prevent the bank from hitting the trigger point(s). The bank should understand the parameters and conditions in the scenario that precipitate a failed reverse stress test to analyse its risks and weaknesses. Feasible remedial actions should be designed that could prevent the consequences of such a scenario. For example, the bank could amend its business strategy regarding a specific sector.
3.4 Supplementary Content Required in an ICAAP Report
145. The following supplementary topics should be documented in the ICAAP report.
(a) Summary of outstanding findings and required management actions from pertinent assessments, examinations and audits (e.g. current outstanding actions emanating from internal audits, external audits, risk management assessments, capital management reviews, Central Bank examinations, and Pillar 3, etc.), including the status of official actions;
(b) Key items which warrant immediate Central Bank attention, such as a projected shortfall in regulatory minimum capital amount; a breach in outlier status under IRRBB, and any other material risks;
(c) A list of the major changes compared to the previous ICAAP report, e.g. changes in data, MIS, organisation, process, and methodology; and
(d) Key actions resulting from ICAAP discussions with the Board of Directors, in the form of meeting minutes included as an Appendix. (Relevant evidence should be made available upon request).