After 15 years of substantial growth, NBFIs account for c50% of UK (and global)1 financial sector assets, while the framework for identifying any systemic risks that NBFIs may pose to financial stability and the toolkit that regulators have for responding to them are much less developed than for banks. Banks and NBFIs are deeply interconnected – through loans, securitisations, derivatives, and funding relationships. According to ECB estimates, around 20% of euro area banks’ funding is provided by NBFIs2. NBFIs are also an essential driver of profitability. Prime brokerage, for instance, accounted for more than half of the revenues from banks’ equities businesses in 20233.
Whilst policymakers around the world are progressing various workstreams targeting NBFI resilience, supervisors continue to emphasise the important role that banks’ play in maintaining financial stability through ensuring the robustness of their CCR management practices. Fundamentally, most banks get the basics of CCR right, consistent with what is required by the Capital Requirements Directive (CRD) and by the Capital Requirements Regulation (CRR). However, as laid bare by various market shocks, supervisors expect banks to develop their CCR frameworks and associated capabilities to build additional resilience against market shocks and tail events.
We have taken stock of the key messages about the deficiencies identified by the supervisors and their expectations for improvement. We have then identified five areas common to the PRA, FCA, ECB and BCBS publications where banks can expect increased supervisory scrutiny. These five priority areas are:
Below we investigate these areas in greater detail.
1. Counterparty due diligence
Supervisory expectations
In an environment where banks’ exposure to a wide variety of NBFIs is growing in complexity, the ECB, the PRA and the FCA have all noted that banks should improve their customer due diligence and understanding of client business profiles to distinguish better between different types of exposures and understand correlations and risk concentrations between clients. For example, following the LDI crisis in the UK, the PRA expects banks to differentiate between mandated and pooled LDI funds, with distinct on-boarding procedures for each.
In the past, in response to supervisory requirements, banks have been improving due diligence processes for specific types of counterparties, such as hedge funds in prime brokerage business. However, the PRA is very clear that banks should extend enhanced due diligence principles, client disclosure standards and CCR management controls to all client types in all relevant trading businesses.
In assessing the riskiness of a counterparty, supervisors expect banks to look beyond financial metrics and consider non-financial risk and other qualitative metrics such as the quality of clients’ disclosures and their reliance on third parties for the provision of critical services. A more conservative approach to risk management may be needed for counterparties which underperform in these categories.
The BCBS draft guidelines emphasise that due diligence obligations do not end with onboarding a counterparty and should be continuous, incorporating information about material counterparty developments. Any material change in a counterparty’s leverage or risk profile should trigger a revised assessment. Specifically, in the case of NBFIs, ongoing due diligence should ensure that they have sufficient shock absorbing capacity and appropriate risk policies, procedures, and controls.
Challenges and leading practice
Enhanced client on-boarding can be achieved through a deeper understanding of the economics of the underlying exposures and of the key drivers of counterparties’ performance. Banks can also improve the granularity of on-boarding processes and analysis of the inherent riskiness of underlying trades including directional market risk. To achieve this, banks need to consider excessive leverage or concentration risk, and idiosyncratic and wrong way risk (WWR). Most importantly, the information gathered during due diligence should feed directly into CCR decisions, including risk ratings, limits, contractual terms such as margin requirements and collateral haircuts, as well as risk mitigants.
The BCBS consultation suggest that banks should request additional disclosures from complex counterparties which could carry a higher risk, such as details of portfolio compositions, use of leverage, value-at-risk metrics, or stress test results. Obtaining such information could be challenging if counterparties are not willing to disclose this data due to its proprietary nature and equivalent data is not available through a third party. If this information is not available, banks could consider the use of additional risk mitigation measures.
Ensuring a common set of onboarding procedures for a particular type of counterparty across all the business units and legal entities of a banking group can also be complex and time-consuming. Similarly challenging is to differentiate adequately between the on-boarding procedures for different types of counterparties. To solve both of those challenges banks may need to enhance the capacity and capability of front office and risk management teams.
2. Governance and risk management
Supervisory expectations
Supervisors expect banks to have a dedicated CCR strategy and management framework across all three lines of defence (LoD) with well-defined responsibilities and reporting lines, approved by the Board. Most of the deficiencies identified by the supervisors relate to a lack of collaboration across the CCR management function, limited CCR coverage and siloed thinking.
Challenges and leading practice
Even in some more sophisticated banks with dedicated CCR teams in the 1LoD, the ECB found insufficient capacity to ensure full coverage of all relevant counterparties. In the 2LoD, dedicated CCR teams in more advanced banks have specialist knowledge of both market and credit risk while in less advanced institutions CCR risk managers rely on separate market and credit risk teams.
CCR is also often embedded within the wider credit risk function and may not be recognised as a distinct risk type.
In the 3LoD, internal audits often tackle CCR from the perspective of individual business units, with only a few more sophisticated banks with internal model permission or extensive derivatives businesses having adopted a more holistic approach to CCR assurance work.
In assessing CCR governance, the ECB found only few banks had a specific CCR governance committee or dedicated fora to discuss CCR topics across business lines. In most banks CCR is generally discussed monthly or even less frequently and often in conjunction with general credit risk topics. Only a few banks have dedicated CCR MI, usually as part of credit risk reporting, and the various elements of CCR can be scattered across several reports.
To satisfy increasing supervisory expectations, banks need to ensure adequate coverage of all relevant counterparties across all business lines and develop a holistic view of CCR. This view needs to be consistently reflected in credit and market risk assessments to evaluate the overall risk to the bank. Firms with material or complex CCR exposures should have a dedicated CCR resource in both the 1LoD and 2LoD. The 3LoD should assess CCR processes and governance across business lines, legal entities and jurisdictions.
Banks should focus on breaking up siloes in CCR management and ensure that all the relevant risks are factored in before taking risk management actions. Boards should also play an active role in CCR governance by considering CCR exposures in business strategy decisions and ensuring aggregate exposures are in line with risk appetite. Boards should satisfy themselves that the scale and composition of CCR exposures are appropriate in the context of the overall risk profile of the bank.
3. Risk measurement and risk appetite
Supervisory expectations
The ECB has identified substantial room for improvement with regards to risk measurement. Supervisors expect banks to develop exposure metrics that will capture CCR across all products, business lines and legal entities, thereby providing a holistic view of the totality of CCR exposures.
The BCBS draft guidelines note that CCR metrics, supported by a clear and actionable taxonomy, should account for instances when perceived risk mitigants, or diversification benefits, may not work as intended. Whilst focusing on the holistic understanding of CCR, banks should also be able to identify, evaluate and capture idiosyncratic risks properly and understand their effect on portfolio correlations and risk concentrations.
Banks are also expected to measure the costs of CCR portfolio wind-down more accurately. While supervisors regard the use of the regulatory margin period of risk (MPOR) as a useful tool, they do not see it as sufficient to account for all such costs and expect banks to develop complementary measures. These should take into account the impact of a netting set wind-down on hedging positions with other counterparties and reflect potential additional market risk losses from any unmatched hedging positions. This is particularly relevant for less liquid collateral or hard-to-replace transactions.
Challenges and leading practice
One of the challenges for banks is developing tools for measuring CCR which capture and combine all elements of the risk, including credit and market risk, at the portfolio, counterparty, and individual risk factor level. Use of Monte Carlo Simulation models to determine counterparty exposure profiles is computationally intensive and often requires the use of simplifying assumptions for modelling the underlying risk factors. Breaking down portfolio or netting set level metrics to individual trade level for more granular analysis can also require the use of approximations.
Another challenge is to consider risk appetite comprehensively for CCR at counterparty and portfolio level. The ECB found that the level of detail for risk appetite policies varies between banks. Some banks explicitly mention CCR in their risk appetite statement (RAS) but only a few banks set global limits for CCR, general wrong way risk (GWWR) or specific wrong way risk (SWWR). CCR is often embedded within the risk appetite and metrics for credit risk, which may not fully capture all the CCR specific risks.
GWWR can be particularly challenging to identify and quantify, especially if it arises only in certain tail market scenarios. Banks may need to invest in high-quality scenario analysis of credible severity to model it accurately. Sound assessment of SWWR will likely require well-resourced and experienced teams across both 1LoD and 2LoD making the correct assessments on a case-by-case basis using their knowledge of the counterparty and its business model gained through the onboarding process and ongoing due diligence. Such practices need to be well-defined and documented with the responsibilities across 1LoDs and 2LoDs clearly delineated.
Exposure metrics, such as potential future exposure (PFE), should be complemented with additional metrics calibrated to periods of stress to capture residual and tail risks better. This is particularly relevant in the case of overcollateralised portfolios with highly leveraged counterparties, where the PFE and regulatory exposure may point to low or non-existent exposure, but where residual risk may be significant. Stress testing and scenario analysis (see section 4) can provide important complementary insights into the risk profiles of specific counterparties and can help identify GWWR.
In addition, the ECB has also noted4 that banks using the internal model method (IMM) for calculating the CCR need to consider if their models are sufficient to cover all aspects of CCR risk. The ECB expects banks to apply a “risk not in effective expected positive exposure” (RNIEPE) add-on for the risks that are not adequately captured as part of IMM exposure value.
Banks should set the risk appetite for CCR distinctly in policies and RAS, differentiating by exposure and counterparty type, client rating and potentially other terms of business. Risk management frameworks need to be dynamic and able to absorb non-standard inputs, such as the outcome of a non-financial risk assessment.
4. Stress testing
Supervisory expectations
The CRR requires banks to incorporate CCR into their stress testing frameworks. However, supervisors do not consider these practices to be sufficiently developed, especially with regards to exposures to high-risk counterparties vulnerable to tail risk events and potential close-out risk.
Supervisors expect banks to incorporate new and broader stresses into their CCR stress testing framework. These stress scenarios should leverage lessons learned from various market events and a better understanding of client profiles, including their vulnerability to market shocks via WWR, leverage and maturity mismatches, and their potential exposure to tail events. Risk managers should challenge themselves to consider risks that were previously deemed improbable including hypothetical geopolitical and natural disaster scenarios and apply market shocks simultaneously to trades and collateral. Stress tests should be granular enough to capture exposure to material risk factors and idiosyncratic risk.
Supervisors also focus on the prominence of stress testing for risk management processes and decision making. The ECB found that a few banks do assess stress testing results, but none use this information as a mandatory call for action. Supervisors expect banks to integrate stress test results fully into their risk management processes and use them when setting business terms and margin requirements. This is especially relevant for exposures to NBFIs for which “stress testing may be the only systemic approach to identify and quantify main portfolio vulnerabilities”5.
Challenges and leading practice
The ECB highlighted establishing a comprehensive stress testing programme for CCR as one of the key challenges for banks. Although the majority of banks conduct regular stress testing at a portfolio and counterparty level, only half of the reviewed banks regularly use risk factor-specific stress tests to identify vulnerabilities in their CCR portfolio.
Performing regular stress tests at different levels of aggregation (portfolio, counterparty, risk factor) requires high quality data and systems infrastructure to provide timely and actionable insights into counterparties’ risk profiles. In the case of NBFI counterparties, there may be a lack of historical loss data, as trading with these counterparties may be relatively recent. A clear and documented stress testing framework should be implemented consistently across business lines and the frequency of stress testing should be continually revised to reflect material changes in the risk environment.
Leading practice includes performing a number of separate CCR stress tests at different frequencies (daily, monthly, quarterly, annually) and with different stress scenarios and shocks. In the absence of historical data on periods of stress and losses, banks should determine forward-looking hypothetical stress scenarios. Some banks use daily stress testing to set CCR limits for 1LoD trading desks at an individual counterparty level. The nature of each stress test should complement the others, and the assumptions and limitations of each stress test should be clearly communicated to senior management.
5. Data and reporting
Supervisory expectations
CCR reporting is subject to general risk reporting and risk data aggregation standards, first outlined in the BCBS principles for effective risk data aggregation and risk reporting (BCBS 239) and therefore should be timely, accurate and of sufficient specificity. The BCBS draft guidelines are clear that banks should avoid a fragmented reporting environment for CCR.
The PRA expects banks to flag all relevant transactions and exposure data systematically, together with the respective collateral pledges, enabling risk managers to identify and consolidate relevant CCR information. The resulting CCR MI should provide a holistic view of CCR exposure, recognising and measuring the presence of overlapping credit exposures, collateral pledges, and financial claims where the performance and recovery values are interlinked. Supervisors encourage additional focus on potentially concentrated positions and illiquid collateral.
Challenges and leading practice
Building comprehensive data capabilities, overarching exposure measures, and reporting to senior management are particularly challenging if information is not easily transferable between different systems in various business lines and legal entities. In many cases banks are using bespoke technology and systems for particular business units or activities with no alignment of data formats and metrics across the group as a whole, resulting in a fractured CCR data landscape.
Banks should have capabilities to aggregate and measure risk exposure seamlessly across products, businesses, legal entities, geographies and risk factors to ensure effective monitoring of concentrations at counterparty and portfolio level. It is important that data related controls, including over the data feed process, are integrated into CCR governance and control frameworks rather than being managed in silos by operational teams. A central data warehouse with common data formats and definitions can facilitate the aggregation of the data and the calculations required for the different CCR metrics.
Policymakers are busy developing a globally consistent approach which will consider both the idiosyncratic and systemic risks potentially posed by NBFIs. However, until this work is complete and new rules are adopted consistently by key supervisors around the world, banks should expect increased supervisory scrutiny of their risk management frameworks, particularly for more leveraged NBFI counterparties. Banks can prepare by overhauling their CCR frameworks to improve counterparty due-diligence, governance and risk management, risk measurement and risk appetite, stress testing, data aggregation and reporting to address increasing supervisory expectations.
As the growth of financial assets outside of the banking system continues, so do banks’ exposures to a wide variety of complex, interconnected counterparties. Banks must respond to this by investing in additional risk management resources and infrastructure and by evolving with the changing market environment to promote safe, sound, and sustainable outcomes.
As we saw with collapse of Archegos, the downsides to getting CCR wrong can verge of the catastrophic. However, getting it right has significant upsides. A bank with sound risk management, a detailed understanding of its counterparties and their risk profiles and a clear sense of its own capabilities will service its clients better.
Non-bank financial intermediaries as providers of funding to euro area banks (europa.eu)