IMPLEMENTATION NOTE. Data Maintenance at IRB Institutions. Category: Capital. I. Introduction. No: A-1 Date: January 2006



Similar documents
IMPLEMENTATION NOTE. Validating Risk Rating Systems at IRB Institutions

The validation of internal rating systems for capital adequacy purposes

Part A OVERVIEW Introduction Applicability Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

CREDIT RISK MANAGEMENT

2.2 INFORMATION SERVICES Documentation of computer services, computer system management, and computer network management.

How To Write A Bank

Supervisor of Banks: Proper Conduct of Banking Business [9] (4/13) Sound Credit Risk Assessment and Valuation for Loans Page 314-1

Draft Supervisory Guidance on. Internal Ratings-Based Systems. for Corporate Credit

Regulatory Compliance Management (RCM) (formerly Legislative Compliance Management (LCM))

Assessing Credit Risk

Audit of NSERC Award Management Information System

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Report on. Office of the Superintendent of Financial Institutions. Corporate Services Sector Human Resources Payroll. April 2010

Validation of low-default portfolios in the Basel II Framework

Capital Adequacy: Internal Ratings-based Approach to Credit Risk

Prudential Practice Guide

Internal Control Deliverables. For. System Development Projects

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Basel II, Pillar 3 Disclosure for Sun Life Financial Trust Inc.

Board of Directors and Management Oversight

Data Governance Policy. Staff Only Students Only Staff and Students. Vice-Chancellor

Internal Ratings-based Approach to Credit Risk: Purchased Receivables

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

05.0 Application Development

The Western Hemisphere Credit & Loan Reporting Initiative (WHCRI)

Basel Committee on Banking Supervision. Working Paper No. 17

Checklist for Credit Risk Management

Division 9 Specific requirements for certain portfolios of exposures

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Data Quality for BASEL II

Chapter 11 ALLOWANCE FOR LOAN AND LEASE LOSSES TABLE OF CONTENTS

AIIM & ASSUREON AN ASSUREON BRIEF

INFORMATION TECHNOLOGY CONTROLS

Guideline. Commercial Lending Criteria. No: E-2 Date: June 1992

COMMERCIAL BANK. Moody s Analytics Solutions for the Commercial Bank

Pillar 3 Disclosures. (OCBC Group As at 31 December 2014)

5 FAM 630 DATA MANAGEMENT POLICY

TD Bank Financial Group Q4/08 Guide to Basel II

Portfolio Management for Banks

MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015

Project Risk and Pre/Post Implementation Reviews

Guideline. Large Exposure Limits. Category: Prudential Limits and Restrictions. No: B-2 Date: August I. Introduction

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

Request for Proposal for Application Development and Maintenance Services for XML Store platforms

The PNC Financial Services Group, Inc. Business Continuity Program

Loan impairment modeling according to IAS 39 by using Basel II parameters

Validating Enterprise Systems: A Practical Guide

Basel III Pillar 3 and Leverage Ratio disclosures of ALTERNA BANK

Corporate Property Automated Information System CPAIS. Privacy Impact Assessment

Oracle Role Manager. An Oracle White Paper Updated June 2009

Loss Given Default What is your potential loss position in the current volatile environment?

Rowan University Data Governance Policy

FusionRisk Regulation Software overview. A complete solution to changing regulatory challenges. Stay on top of the compliance game

Final Guideline B-21 Residential Mortgage Insurance Underwriting Practices and Procedures and Consequential Amendments

Workshop agenda. Data Quality Metrics and IT Governance. Today s purpose. Icebreaker. Audience Contract. Today s Purpose

Records Management and SharePoint 2013

APPENDIX A NCUA S CAMEL RATING SYSTEM (CAMEL) 1

AUDIT REPORT INTERNAL AUDIT DIVISION. Audit of the Riskmetrics system in the Investment Management Division of UNJSPF

ACCEPTANCE CRITERIA FOR THIRD-PARTY RATING TOOLS WITHIN THE EUROSYSTEM CREDIT ASSESSMENT FRAMEWORK

Table of Contents Chapter 1 Introduction Goals & Objectives Required Review Applicability...

PERFORMANCE EVALUATION AUDIT CHECKLIST EXAMPLE. EIIP Volume VI

Control Design & Implementation Week #5 CRISC Exam Prep ~ Domain #4. Bill Pankey Tunitas Group. Job Practice

Audit Quality Thematic Review

The PNC Financial Services Group, Inc. Business Continuity Program

US Department of Education Federal Student Aid Integration Leadership Support Contractor June 1, 2007

9. GOVERNANCE. Policy 9.8 RECORDS MANAGEMENT POLICY. Version 4

Capital Ratio Information (Consolidated) Sumitomo Mitsui Financial Group, Inc. and Subsidiaries

MHRA GMP Data Integrity Definitions and Guidance for Industry January 2015

FISCAL PLAN RESPONSE TO THE AUDITOR GENERAL

Compliance Management EFFECTIVE MULTI-CUSTODIAL COMPLIANCE AND SALES SURVEILLANCE

Validation of Internal Rating and Scoring Models

Understanding SAS 70 Reports on Internal Control

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS

New supervisory guidance on model Overview, analysis, and next steps

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February

IBM DB2 CommonStore for Lotus Domino, Version 8.3

Domain 1 The Process of Auditing Information Systems

Guideline. Outsourcing of Business Activities, Functions and Processes. Category: Sound Business and Financial Practices

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act*

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

INFORMATION TECHNOLOGY STANDARD

Instructions for Completing the Information Technology Officer s Questionnaire

TIBCO Spotfire and S+ Product Family

Classification and Impairment Provisions for Loans/Financing

DAIDS Appendix 2 No.: DWD-POL-DM-01.00A2. Data Management Requirements for Central Data Management Facilities

Retention & Disposition in the Cloud Do you really have control?

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL

OUTSOURCING INVOLVING SHARED COMPUTING SERVICES (INCLUDING CLOUD) 6 July 2015

Basel Committee on Banking Supervision

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Transcription:

IMPLEMENTATION NOTE Subject: Category: Capital No: A-1 Date: January 2006 I. Introduction This implementation note elaborates on the data management requirements for institutions 1 adopting the internal ratings-based (IRB) approach as outlined in OSFI s Capital Adequacy Requirements (CAR) Guideline A-1, Chapter 5. All relevant and material quantitative and qualitative data used to assess and manage credit risk should be adequately maintained. Institutions will need to maintain comprehensive historical data across legal entities and geography. This data will include, but not be limited to, borrower information, credit transaction details, portfolio risk characteristics, ratings, rating migration, default, and collateral. Data management and timely execution of underlying information technology initiatives are major challenges that institutions need to address in order to successfully implement the IRB methodology under CAR. CAR outlines the scope and certain characteristics of data maintenance; however, there is limited description of expectations on the data maintenance (or generic data management ) process itself. This note provides general guidance on data maintenance and principles for institutions to apply when establishing an enterprise-wide IRB framework. These principles are not intended to be prescriptive or limiting in any manner. Adherence to the broad principles outlined in this implementation note will be an important consideration in OSFI s initial IRB approval and for monitoring ongoing compliance. The term data maintenance incorporates the key components of the data management process, including data collection, data processing, data access/retrieval and data storage/retention. 1 Banks and bank holding companies to which the Bank Act applies and federally regulated trust or loan companies to which the Trust and Loan Companies Act applies are collectively referred to as institutions. 255 Albert Street Ottawa, Canada K1A 0H2 www.osfi-bsif.gc.ca

Table of Contents I. Introduction... 1 II. Data Maintenance Principles... 3 1. Senior Management and Oversight... 3 2. Data Collection... 4 3. Data Processing... 4 4. Data Access/Retrieval... 5 5. Data Storage/Retention... 5 Appendix I: Data Life Cycle Management... 7 January 2006 Page 2 of 7

II. Data Maintenance Principles 1. Senior Management and Oversight Institutions seeking IRB approval should adopt an approach to managing their information technology initiatives and data management processes appropriate to the nature, scope and complexity of their data maintenance requirements. Institutions should have appropriate processes and procedures in place supported by effective Senior Management oversight to ensure successful completion of their programs related to IRB data maintenance for IRB approval and ongoing compliance with the IRB approach. In particular, institutions Senior Management should assess the scope, plans and risks associated with timely execution of data maintenance projects, and take effective measures to mitigate these risks. The accountabilities of Senior Management will include, but are not limited to: a) Reviewing and approving organizational structure and functions to facilitate development of appropriate data architecture to support implementation of CAR; b) Establishing an enterprise-wide data management framework defining, where appropriate, the institution s policies, governance, technology, standards and processes to support the data collection, data maintenance, data controls and distribution of processed data, i.e., information; c) Ensuring data maintenance processes provide security, integrity and auditability of the data from its inception through to its archival and/or logical destruction; d) Instituting internal audit programs, as appropriate, to provide for periodic independent audits of data maintenance processes and functions; and e) Ensuring the appropriate policies, procedures and accountabilities are in place to monitor the enterprise-wide observance of the data management framework, including ongoing updates to procedures and documentation, as necessary. January 2006 Page 3 of 7

2. Data Collection In the context of CAR, the data collection component (also referred to as data acquisition or data capture) would typically involve determining requisite data elements in various internal/external source systems, and their validation and extraction to appropriate operational data stores or data repositories. Institutions data collection processes should: a) Establish clear and comprehensive documentation for data definition, collection and aggregation, including data mapping to source/aggregation routines, data schematics where necessary, and other identifiers, if any; b) Establish standards for data accuracy, completeness, timeliness and reliability; c) Ensure that data elements collected encompass the necessary scope, depth and reliability to substantiate rating definitions, rating assignment, rating refinement, risk parameters, overrides, back-testing and other processes, capital ratio computations, and relevant management and regulatory reporting; d) Identify and document data gaps and, where applicable, document the manual or automated workarounds used to close data gaps and meet data requirements; e) Establish standards, policies and procedures around the cleansing of data through reconciliation identifiers, field validation, reformatting, decomposing or use of consistent standards, as appropriate, and; f) Establish procedures for identifying and reporting on data errors and data linkage breaks to source, downstream and/or external systems. 3. Data Processing The data processing component covers a wide range of data management tasks, including its conversion through multiple systems (or manual) processes, transmissions, source/network authentication, validation, reconciliation, etc. Institutions data processing should: a) Limit reliance on workarounds and manual data manipulation in order to mitigate the operational risk related to human error and dilution of data integrity; b) Establish standards and data processing infrastructure for life-cycle tracking of credit data including, but not limited to, relevant history covering borrowers, obligors, credit facilities, transactions, repayments, rollovers, restructuring, and sale and error trails, as appropriate; January 2006 Page 4 of 7

c) Ensure appropriate levels of front-end validation/data cleansing for each process and reconciliation to related processes as applicable, e.g., accounting and general ledger, line of business management information system; d) Establish adequate controls to ensure processing by authorized staff acting within designated roles and established authorities; e) Institute appropriate change control procedures for changes to the processing environment, including, where applicable, change initiation, authorization, program modifications, testing, parallel processing, sign-offs, release, library controls; and, f) Provide appropriate levels of disaster back-up, process resumption and recovery capabilities to mitigate loss of data and/or data integrity. 4. Data Access/Retrieval From OSFI s supervisory perspective, a key component of data maintenance is the continued availability of institutions data and information for the purpose of IRB approval and ongoing monitoring of IRB compliance, such as back-testing, replication, historical or other trend analyses. Institutions should ensure that: a) Data repositories and underlying extract, query and retrieval routines are designed and built to support the institutions own data requirements as well as ongoing needs for supervisory assessments of various data as appropriate, including credit portfolios, history, borrower/industry profiles, exposures, process quality, asset class analyses; b) Access controls and data/information distribution are based on user roles/responsibilities and industry best practices in the context of effective segregation of duties, need to know, as validated by institutions internal compliance and audit functions; and c) Access to data/information is not restricted in any arrangements where data maintenance is outsourced to external service provider(s). Notwithstanding these arrangements, institutions should be able to provide data/information at no additional cost. 5. Data Storage/Retention The data storage/retention component of data maintenance addresses the dual expectations of electronic data retention and archival to meet the minimum historical retention criteria established under CAR, as well as the requirements of institutions and OSFI to ensure ongoing IRB compliance and credit risk management data/information calls. CAR requires institutions to use all relevant data in the development of IRB internal estimates. In order to support internal estimates and ensure that all relevant risks are considered, data may be needed for a long period of time. For corporate, sovereign and bank exposures, a minimum of January 2006 Page 5 of 7

five years of underlying history for PD 2 estimates, and a minimum of seven years underlying history for LGD and EAD estimates should be maintained. For retail exposures, a minimum of five years of underlying history for PD, LGD and EAD estimates is required. On implementation, institutions may not be able to meet this standard, but they should have IRB data going back to at least October 31, 2004. In addition, institutions should: a) Establish documented policies and procedures addressing storage, retention and archival, including, where applicable, the procedures for logical/physical deletion of data and destruction of data storage media and peripherals; b) Maintain back-ups of relevant data files/stores and data bases in a manner that can facilitate ready availability of the data/information to meet information calls on IRBcompliance and ongoing supervisory assessments; and c) Ensure that availability of electronic versions for all relevant and material data/information is in a machine-readable format and can be made accessible. 2 Probability of default ( PD ), loss given default ( LGD ) and exposure at default ( EAD ). January 2006 Page 6 of 7

Appendix I: Data Life Cycle Management Data Collection Data Processing Data Retrieval Data Storage Establish thorough documentation, including data definitions/identifiers Capture accurate, complete, and timely data from reliable sources Ensure collected data encompass the scope, depth and reliability to substantiate all processes and purposes Identify and document data gaps Document the manual/automated workarounds used to close data gaps Pre-cleanse data using reconciliation identifiers, field validation, reformatting, decomposing, etc. Ongoing process to identify and report data errors and data linkage breaks to source Limit reliance on manual workarounds/manipulation Establish standards and data process infrastructure for lifecycle tracking, including relevant history Ensure appropriate levels of front-end validation at each process and reconciliation to related processes Establish adequate controls to ensure authorization Establish change control procedures for changes to environment Provide appropriate levels of disaster back-up, process resumption and recovery capabilities MANAGEMENT OVERSIGHT Data repositories should support institution s own data requirements and ongoing supervisory needs Access controls and data distribution are based on user roles and industry best practices Data In Transit OSFI s access to data is not restricted in any way Institution to provide data at no cost to OSFI Data In Transit Meet minimum historical data retention/archival criteria as per CAR Maintain back-ups Electronic versions of data are in machine readable format Data At Rest Archived Data Data Deletion January 2006 Page 7 of 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information