According to the present guidelines of RBI, parallel run of 
  Basel II norms should commence from April 2006. The actual implementation is 
  scheduled for April 2007. This leaves us hardly 10 months to get ready for the 
  parallel run.
 
  Many Banking software vendors are now scrambling for 
  "Basel II Compliance" to be embedded into their software so that their clients 
  are not adversely affected during the migration.
 
  Basel II compliance has several dimensions under what 
  are called Pillars I, II and III:
 
  
  First is the Capital Adequacy based on the Credit Risk and 
  Operational Risk.
 
  Second is the Supervisory Review Process.
 
  Third is the need for Market Discipline and relevant 
  Disclosures.
 
  
  It is necessary for all concerned to recognize that Basel 
  II compliance is not all about Mathematics, or about relying on software 
  to do all the required calculations and throw up bar charts, 
  histograms and Standard Deviation calculations.
 
  The objective of this article is to highlight the 
  relationship between legal compliance and Basel II norms of Capital Adequacy. 
  (In the context of Computerized, Internet based, ATM based Banking, legal 
  compliance is dominated by Cyber Law Compliance.)
 
  For example, attention is drawn to the definition of "Operational 
  Risk" as per RBI guidelines, which is reproduced here.
 
  
 
  "Operational risk is defined as the risk of loss resulting 
  from inadequate or failed internal processes, people and systems or from 
  external events. This definition includes legal risk, but 
  excludes strategic and reputational risk. Legal risk includes, but is not 
  limited to, exposure to fines, penalties, or punitive damages resulting from 
  supervisory actions, as well as private settlements."
 
  
 
  It may be recalled that in the recent CitiBank-Mphasis 
  fraud, the Bank was exposed to a fraud of Rs 1.5 crores arising out of a Cyber 
  Crime. This indicates how liabilities will accumulate on Banks out of Cyber 
  Crimes. A few months back, a Consumer Court imposed a penalty of Rs 50,000 
  on Standard Chartered Bank in Chennai for having dishonoured a 
  Credit card commitment. Here the fraud loss was zero but the penalty was 
  still imposed on the Bank. Similarly, in a Cyber Crime loss of the type 
  CitiBank faced, the actual penalty may be much larger than the fraud loss of 
  Rs 1.5 crore.
 
  It is the intention of Basel II guidelines to provide for 
  such contingencies adequately in the capital adequacy norm.
 
  Under the Basic Indicator Approach indicated by the
  Basle Committee on Banking 
  Supervision (BCBS) framework, the capital requirement for operational loss is 
  defined on the basis of the last three years' gross income.
 
  It has been indicated that the calculation will exclude 
  negative gross income in any of the previous three years.
 
  It is strange that the Capital Adequacy Norm for 
  operational risk has been defined more on the "Ability to Provide" rather than 
  the "Need to Provide". This is likely to be one of the biggest problems with 
  the guidelines in the years to come.
 
  Prudent Bankers should therefore abandon the Basic 
  Indicator Approach for operational risk and adopt a higher level of solution 
  under the "Standardised 
  Approach" and "Advanced Measurement Approach." At this point of time the 
  details of the approaches under Standardised and Advanced measurement are not 
  available.
 
  In making the risk assessment based on probability of loss 
  arising out of Cyber Crimes, it will be necessary to look for appropriate 
  "Insurance Coverage". The insurance premium however has to depend on the level 
  of Cyber law Compliance that the organization has undertaken as evidenced by 
  documented evidence of Cyber Law Compliance audit.
 
  In case "Cyber Crime Risks" are not properly covered 
  and the existing Fraud risk insurance fails to provide security for the lack 
  of due diligence, the risk becomes an "Uncovered Exposure" under the Basel II 
  norms, requiring higher Capital provision.
 
  It is time, therefore, for banks working on Basel II 
  compliance to simultaneously undertake Cyber Law Compliance audits of 
  their systems and arrive at a documented risk assessment based on which "Fraud 
  Risk Insurance Premium" can be negotiated.
 
  Naavi
 
  May 20, 2005
 
   
 
  