ICAAP / ILAAP: what will change in 2016?

Tue 17 May 2016

Banks prepare for the reinforcement of prudential supervision via the Single Supervisory Mechanism (SSM).

After successive waves of new regulatory requirements in recent years, the outlook for the calculation of risks and Pillar 1 capital requirements is becoming clearer.

At the same time, whereas the implementation of these new requirements has and continues to mobilise significant investment on the part of the banks, in comparison Pillar 2 of the reform (prudential supervision) has advanced little in 4 years. This is, despite the fact that the associated requirements are already applicable notably in France via the administrative orders dated 3 November 2014 and, in particular, the order dealing with internal control.

In the coming months, therefore, we can expect banks to refocus on the subject of the Risk Management Framework, helped by the regulator (the ECB) which, in the framework of the SSM (Single Supervisory Mechanism), is set to regulate the functioning of financial institutions.

More specifically, the profession will be confronted with the deployment of a harmonised methodology for continuous risk assessment (the supervisory review and evaluation process or SREP) published by the European Banking Authority (EBA) on 11 December 2015 as well as the ECB’s expectations set out in Danièle Nouy’s letter dated 8 January 2016.

The methodology is designed in particular to harmonise data collection in the framework of the Internal Capital Adequacy Assessment Process (ICAAP) and Internal Liquidity Adequacy Assessment Process (ILAAP).

ICAAP and ILAAP are integral components of the financial institutions’ strategy and of the Basel Committee’s Pillar 2.

ICAAP and ILAAP constitute 2 of the 4 major focuses of SREP (1) .

The banks are responsible for implementing processes, governance and methodologies enabling them at all times to verify their internal capital adequacy and internal liquidity adequacy with regard to the risks they face.

Banks must further be able to support their assessments and structure their approach by means of complete and detailed documentation provided to the authorities at least annually and to include declarations on capital and liquidity adequacy approved by their Boards.

ICAAP, already addressed in the framework of Basel II’s Pillar 2, is not a new requirement.
The process requires each bank to measure and analyse all forms of risk (2), define a level of appetite for the risks identified (3) consistent with its business strategy, plan for and translate that degree of appetite into operating terms via its internal budgetary and operating processes (e.g. via its system of limits), and then engage in continuous monitoring of the risks identified in order to keep them under control.

With the implementation of Basel III, new metrics and risk factors must be addressed including, in the framework of the application of article 86 of directive 2013/36/EU or CRD IV, liquidity risk integrated via the ILAAP Internal Liquidity Adequacy Assessment Process.

A vital issue for banks of any size.

During the Supervisory Review and Evaluation Process, ICAAP and ILAAP information will help determine the levels of capital and liquidity required under Pillar 2.

It is important to note that the approach is intended to be applicable to all banks covered by the SSM, not just those of systemic importance. Depending on their degree of development (their real deployment within the organisation) and structuring (details provided, transparency, quality of the associated documentation, relevance etc.), ICAAP and ILAAP can provide the regulator with the criteria to enable due assessment of whether each institution possesses adequate capital and liquidity to cope with the risks associated with its activity.

Ultimately, this will be the process to determine each bank’s targeted Tier One capital and it will have direct impact on the bank’s ROE (Return On Equity) and terms of exercise (via the eventual measures imposed by the regulator).

What will change in 2016?

The Pillar 2 requirements under Basel II and Basel III are practically unchanged in their philosophy.

The quantitative criteria for risk measurement reflect the changes made under Pillar 1 of Basel III (RWA, CCR, CVA, Liquidity etc.) and quantitative measures are still considered relevant.

The real development is that both the ECB and EBA now wish to harmonise the Pillar 2 practices, which are currently applied differently from one bank to another. Their preoccupation extends in particular to ICAAP, ILAAP and the internal approach to risk management (governance, control procedures etc.). Such harmonisation has become an imperative component of SSM.

This is important as, up till now, the banks have always developed their own specific approaches to risk management based, for example, on their history, strategy, and business activities.. In future, they will have to comply with minimum requirements imposed by the regulators.

It is this reinforcement of regulatory requirements which translates into the need for a comprehensive review of banks’ ICAAP and ILAAP processes. The EBA has further insisted on the fact that the results of the banks’ stress tests for 2016 will serve as a reference to JSTs (Joint Supervisory Teams) at the individual level as a means of deepening the analysis of the risk areas identified in the framework of SREP.

Internal risk management approaches require long-term vision.

According to the Autorité de contrôle prudentiel et de résolution (ACPR), responsible for supervising the banking and insurance sectors in France, on 21 January 2016:

“(…) the additional capital requirement must not be considered as the only measure capable of coping with banking risks. It is indispensable that attention also be paid to reinforcing internal control, improving the quality of risk management, defining internal limits and applying them, as well as establishing prudent policies for provisioning and reserves. Capital cannot of itself be a substitute for the resolution of problems that are inherent to internal control or risk management.”

The message is clear. The banks must go back to work and concentrate on satisfying the minimum criteria demanded by the regulator and set out in the EBA’s guidelines.

However the regulatory constraints represented by the need to reinforce banks’ ICAAP and ILAAP processes must not veil the opportunity this development represents. It can equally provide the banks a way to review in depth their risk management processes, engage in mutual benchmarking, “modernise” their approaches by asking themselves the right questions:
• What methodological principles to adopt for ICAAP and ILAAP? How to identify material risks and measure them, and design pertinent stress tests with a view to the long term etc.
• Which processes are impacted? Is it possible or opportune to simplify or review them as a means of providing greater operating clarity and effectiveness whilst at the same time improving control over the associated risks?
• What tools for what indicators? How best to design a relevant vision of the risks to report to top management for the purposes of steering?
• What form of governance to implement?

The choices made in response to all these points are matters for Board responsibility with due regard for each bank’s specific strategies and areas of vulnerability.

In sum, the issue for the banks is to be capable of more effective management of the risks that are an integral part of the definition of profitable banking activities providing the assurance of long-term growth.

(1) The 2 others are business model analysis and internal governance and controls assessment.

(2) Credit risk, market risk, operating risk, liquidity risk, structural risk, interest rate risk (Interest Rate Risk of the Banking Book – IRRBB), business risk etc.

(3) The level of risk the bank accepts taking (or its tolerance to risk) for each category of risks identified in terms of its business.