(a) Purpose. This subpart establishes:

(1) Minimum requirements for using Enterprise-specific internal risk measurement and management processes for calculating risk-based capital requirements; and

(2) Methodologies for the Enterprises to calculate their advanced approaches total risk-weighted assets.

(b) Applicability. (1) This subpart applies to each Enterprise.

(2) An Enterprise must also include in its calculation of advanced credit risk-weighted assets under this subpart all covered positions, as defined in subpart F of this part.

(c) Principle of conservatism. Notwithstanding the requirements of this subpart, an Enterprise may choose not to apply a provision of this subpart to one or more exposures provided that:

(1) The Enterprise can demonstrate on an ongoing basis to the satisfaction of FHFA that not applying the provision would, in all circumstances, unambiguously generate a risk-based capital requirement for each such exposure greater than that which would otherwise be required under this subpart;

(2) The Enterprise appropriately manages the risk of each such exposure;

(3) The Enterprise notifies FHFA in writing prior to applying this principle to each such exposure; and

(4) The exposures to which the Enterprise applies this principle are not, in the aggregate, material to the Enterprise.

(a) Terms that are set forth in § 1240.2 and used in this subpart have the definitions assigned thereto in § 1240.2.

(b) For the purposes of this subpart, the following terms are defined as follows:

Advanced internal ratings-based (IRB) systems means an Enterprise's internal risk rating and segmentation system; risk parameter quantification system; data management and maintenance system; and control, oversight, and validation system for credit risk of exposures.

Advanced systems means an Enterprise's advanced IRB systems, operational risk management processes, operational risk data and assessment systems, operational risk quantification systems, and, to the extent used by the Enterprise, the internal models methodology, advanced CVA approach, double default excessive correlation detection process, and internal models approach (IMA) for equity exposures.

Backtesting means the comparison of an Enterprise's internal estimates with actual outcomes during a sample period not used in model development. In this context, backtesting is one form of out-of-sample testing.

Benchmarking means the comparison of an Enterprise's internal estimates with relevant internal and external data or with estimates based on other estimation techniques.

Business environment and internal control factors means the indicators of an Enterprise's operational risk profile that reflect a current and forward-looking assessment of the Enterprise's underlying business risk factors and internal control environment.

Dependence means a measure of the association among operational losses across and within units of measure.

Economic downturn conditions means, with respect to an exposure held by the Enterprise, those conditions in which the aggregate default rates for that exposure's exposure subcategory (or subdivision of such subcategory selected by the Enterprise) in the exposure's jurisdiction (or subdivision of such jurisdiction selected by the Enterprise) are significantly higher than average.

Eligible operational risk offsets means amounts, not to exceed expected operational loss, that:

(i) Are generated by internal business practices to absorb highly predictable and reasonably stable operational losses, including reserves calculated consistent with GAAP; and

(ii) Are available to cover expected operational losses with a high degree of certainty over a one-year horizon.

Expected operational loss (EOL) means the expected value of the distribution of potential aggregate operational losses, as generated by the Enterprise's operational risk quantification system using a one-year horizon.

External operational loss event data means, with respect to an Enterprise, gross operational loss amounts, dates, recoveries, and relevant causal information for operational loss events occurring at organizations other than the Enterprise.

Internal operational loss event data means, with respect to an Enterprise, gross operational loss amounts, dates, recoveries, and relevant causal information for operational loss events occurring at the Enterprise.

Operational loss means a loss (excluding insurance or tax effects) resulting from an operational loss event. Operational loss includes all expenses associated with an operational loss event except for opportunity costs, forgone revenue, and costs related to risk management and control enhancements implemented to prevent future operational losses.

Operational loss event means an event that results in loss and is associated with any of the following seven operational loss event type categories:

(i) Internal fraud, which means the operational loss event type category that comprises operational losses resulting from an act involving at least one internal party of a type intended to defraud, misappropriate property, or circumvent regulations, the law, or company policy excluding diversity- and discrimination-type events.

(ii) External fraud, which means the operational loss event type category that comprises operational losses resulting from an act by a third party of a type intended to defraud, misappropriate property, or circumvent the law. All third-party-initiated credit losses are to be treated as credit risk losses.

(iii) Employment practices and workplace safety, which means the operational loss event type category that comprises operational losses resulting from an act inconsistent with employment, health, or safety laws or agreements, payment of personal injury claims, or payment arising from diversity- and discrimination-type events.

(iv) Clients, products, and business practices, which means the operational loss event type category that comprises operational losses resulting from the nature or design of a product or from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements).

(v) Damage to physical assets, which means the operational loss event type category that comprises operational losses resulting from the loss of or damage to physical assets from natural disaster or other events.

(vi) Business disruption and system failures, which means the operational loss event type category that comprises operational losses resulting from disruption of business or system failures.

(vii) Execution, delivery, and process management, which means the operational loss event type category that comprises operational losses resulting from failed transaction processing or process management or losses arising from relations with trade counterparties and vendors.

Operational risk means the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events (including legal risk but excluding strategic and reputational risk).

Operational risk exposure means the 99.9th percentile of the distribution of potential aggregate operational losses, as generated by the Enterprise's operational risk quantification system over a one-year horizon (and not incorporating eligible operational risk offsets or qualifying operational risk mitigants).

Risk parameter means a variable used in determining risk-based capital requirements for exposures, such as probability of default, loss given default, exposure at default, or effective maturity.

Scenario analysis means a systematic process of obtaining expert opinions from business managers and risk management experts to derive reasoned assessments of the likelihood and loss impact of plausible high-severity operational losses. Scenario analysis may include the well-reasoned evaluation and use of external operational loss event data, adjusted as appropriate to ensure relevance to an Enterprise's operational risk profile and control structure.

Unexpected operational loss (UOL) means the difference between the Enterprise's operational risk exposure and the Enterprise's expected operational loss.

Unit of measure means the level (for example, organizational unit or operational loss event type) at which the Enterprise's operational risk quantification system generates a separate distribution of potential operational losses.

(a) Process and systems requirements. (1) An Enterprise must have a rigorous process for assessing its overall capital adequacy in relation to its risk profile and a comprehensive strategy for maintaining an appropriate level of capital.

(2) The systems and processes used by an Enterprise for risk-based capital purposes under this subpart must be consistent with the Enterprise's internal risk management processes and management information reporting systems.

(3) Each Enterprise must have an appropriate infrastructure with risk measurement and management processes that meet the requirements of this section and are appropriate given the Enterprise's size and level of complexity. The Enterprise must ensure that the risk parameters and reference data used to determine its risk-based capital requirements are representative of long run experience with respect to its credit risk and operational risk exposures.

(b) Risk rating and segmentation systems for exposures. (1) An Enterprise must have an internal risk rating and segmentation system that accurately, reliably, and meaningfully differentiates among degrees of credit risk for the Enterprise's exposures. When assigning an internal risk rating, an Enterprise may consider a third-party assessment of credit risk, provided that the Enterprise's internal risk rating assignment does not rely solely on the external assessment.

(2) If an Enterprise uses multiple rating or segmentation systems, the Enterprise's rationale for assigning an exposure to a particular system must be documented and applied in a manner that best reflects the obligor or exposure's level of risk. An Enterprise must not inappropriately allocate exposures across systems to minimize regulatory capital requirements.

(3) In assigning ratings to exposures, an Enterprise must use all relevant and material information and ensure that the information is current.

(c) Quantification of risk parameters for exposures. (1) The Enterprise must have a comprehensive risk parameter quantification process that produces accurate, timely, and reliable estimates of the risk parameters on a consistent basis for the Enterprise's exposures.

(2) An Enterprise's estimates of risk parameters must incorporate all relevant, material, and available data that is reflective of the Enterprise's actual exposures and of sufficient quality to support the determination of risk-based capital requirements for the exposures. In particular, the population of exposures in the data used for estimation purposes, the underwriting standards in use when the data were generated, and other relevant characteristics, should closely match or be comparable to the Enterprise's exposures and standards. In addition, an Enterprise must:

(i) Demonstrate that its estimates are representative of long run experience, including periods of economic downturn conditions, whether internal or external data are used;

(ii) Take into account any changes in underwriting practice or the process for pursuing recoveries over the observation period;

(iii) Promptly reflect technical advances, new data, and other information as they become available;

(iv) Demonstrate that the data used to estimate risk parameters support the accuracy and robustness of those estimates; and

(v) Demonstrate that its estimation technique performs well in out-of-sample tests whenever possible.

(3) The Enterprise's risk parameter quantification process must produce appropriately conservative risk parameter estimates where the Enterprise has limited relevant data, and any adjustments that are part of the quantification process must not result in a pattern of bias toward lower risk parameter estimates.

(4) The Enterprise's risk parameter estimation process should not rely on the possibility of U.S. government financial assistance.

(5) Default, loss severity, and exposure amount data must include periods of economic downturn conditions, or the Enterprise must adjust its estimates of risk parameters to compensate for the lack of data from periods of economic downturn conditions.

(6) If an Enterprise uses internal data obtained prior to becoming subject to this subpart or external data to arrive at risk parameter estimates, the Enterprise must demonstrate to FHFA that the Enterprise has made appropriate adjustments if necessary to be consistent with the Enterprise's definition of default. Internal data obtained after the Enterprise becomes subject to this subpart must be consistent with the Enterprise's definition of default.

(7) The Enterprise must review and update (as appropriate) its risk parameters and its risk parameter quantification process at least annually.

(8) The Enterprise must, at least annually, conduct a comprehensive review and analysis of reference data to determine relevance of the reference data to the Enterprise's exposures, quality of reference data to support risk parameter estimates, and consistency of reference data to the Enterprise's definition of default.

(d) Operational risk—(1) Operational risk management processes. An Enterprise must:

(i) Have an operational risk management function that:

(A) Is independent of business line management; and

(B) Is responsible for designing, implementing, and overseeing the Enterprise's operational risk data and assessment systems, operational risk quantification systems, and related processes;

(ii) Have and document a process (which must capture business environment and internal control factors affecting the Enterprise's operational risk profile) to identify, measure, monitor, and control operational risk in the Enterprise's products, activities, processes, and systems; and

(iii) Report operational risk exposures, operational loss events, and other relevant operational risk information to business unit management, senior management, and the board of directors (or a designated committee of the board).

(2) Operational risk data and assessment systems. An Enterprise must have operational risk data and assessment systems that capture operational risks to which the Enterprise is exposed. The Enterprise's operational risk data and assessment systems must:

(i) Be structured in a manner consistent with the Enterprise's current business activities, risk profile, technological processes, and risk management processes; and

(ii) Include credible, transparent, systematic, and verifiable processes that incorporate the following elements on an ongoing basis:

(A) Internal operational loss event data. The Enterprise must have a systematic process for capturing and using internal operational loss event data in its operational risk data and assessment systems.

(1) The Enterprise's operational risk data and assessment systems must include a historical observation period of at least five years for internal operational loss event data (or such shorter period approved by FHFA to address transitional situations, such as integrating a new business line).

(2) The Enterprise must be able to map its internal operational loss event data into the seven operational loss event type categories.

(3) The Enterprise may refrain from collecting internal operational loss event data for individual operational losses below established dollar threshold amounts if the Enterprise can demonstrate to the satisfaction of FHFA that the thresholds are reasonable, do not exclude important internal operational loss event data, and permit the Enterprise to capture substantially all the dollar value of the Enterprise's operational losses.

(B) External operational loss event data. The Enterprise must have a systematic process for determining its methodologies for incorporating external operational loss event data into its operational risk data and assessment systems.

(C) Scenario analysis. The Enterprise must have a systematic process for determining its methodologies for incorporating scenario analysis into its operational risk data and assessment systems.

(D) Business environment and internal control factors. The Enterprise must incorporate business environment and internal control factors into its operational risk data and assessment systems. The Enterprise must also periodically compare the results of its prior business environment and internal control factor assessments against its actual operational losses incurred in the intervening period.

(3) Operational risk quantification systems. The Enterprise's operational risk quantification systems:

(i) Must generate estimates of the Enterprise's operational risk exposure using its operational risk data and assessment systems;

(ii) Must employ a unit of measure that is appropriate for the Enterprise's range of business activities and the variety of operational loss events to which it is exposed, and that does not combine business activities or operational loss events with demonstrably different risk profiles within the same loss distribution;

(iii) Must include a credible, transparent, systematic, and verifiable approach for weighting each of the four elements, described in paragraph (d)(2)(ii) of this section, that an Enterprise is required to incorporate into its operational risk data and assessment systems;

(iv) May use internal estimates of dependence among operational losses across and within units of measure if the Enterprise can demonstrate to the satisfaction of FHFA that its process for estimating dependence is sound, robust to a variety of scenarios, and implemented with integrity, and allows for uncertainty surrounding the estimates. If the Enterprise has not made such a demonstration, it must sum operational risk exposure estimates across units of measure to calculate its total operational risk exposure; and

(v) Must be reviewed and updated (as appropriate) whenever the Enterprise becomes aware of information that may have a material effect on the Enterprise's estimate of operational risk exposure, but the review and update must occur no less frequently than annually.

(e) Data management and maintenance. (1) An Enterprise must have data management and maintenance systems that adequately support all aspects of its advanced systems and the timely and accurate reporting of risk-based capital requirements.

(2) An Enterprise must retain data using an electronic format that allows timely retrieval of data for analysis, validation, reporting, and disclosure purposes.

(3) An Enterprise must retain sufficient data elements related to key risk drivers to permit adequate monitoring, validation, and refinement of its advanced systems.

(f) Control, oversight, and validation mechanisms. (1) The Enterprise's senior management must ensure that all components of the Enterprise's advanced systems function effectively and comply with the minimum requirements in this section.

(2) The Enterprise's board of directors (or a designated committee of the board) must at least annually review the effectiveness of, and approve, the Enterprise's advanced systems.

(3) An Enterprise must have an effective system of controls and oversight that:

(i) Ensures ongoing compliance with the minimum requirements in this section;

(ii) Maintains the integrity, reliability, and accuracy of the Enterprise's advanced systems; and

(iii) Includes adequate governance and project management processes.

(4) The Enterprise must validate, on an ongoing basis, its advanced systems. The Enterprise's validation process must be independent of the advanced systems' development, implementation, and operation, or the validation process must be subjected to an independent review of its adequacy and effectiveness. Validation must include:

(i) An evaluation of the conceptual soundness of (including developmental evidence supporting) the advanced systems;

(ii) An ongoing monitoring process that includes verification of processes and benchmarking; and

(iii) An outcomes analysis process that includes backtesting.

(5) The Enterprise must have an internal audit function or equivalent function that is independent of business-line management that at least annually:

(i) Reviews the Enterprise's advanced systems and associated operations, including the operations of its credit function and estimations of risk parameters;

(ii) Assesses the effectiveness of the controls supporting the Enterprise's advanced systems; and

(iii) Documents and reports its findings to the Enterprise's board of directors (or a committee thereof).

(6) The Enterprise must periodically stress test its advanced systems. The stress testing must include a consideration of how economic cycles, especially downturns, affect risk-based capital requirements (including migration across rating grades and segments and the credit risk mitigation benefits of double default treatment).

(g) Documentation. The Enterprise must adequately document all material aspects of its advanced systems.

(a) Changes to advanced systems. An Enterprise must meet all the minimum requirements in § 1240.121 on an ongoing basis. An Enterprise must notify FHFA when the Enterprise makes any change to an advanced system that would result in a material change in the Enterprise's advanced approaches total risk-weighted asset amount for an exposure type or when the Enterprise makes any significant change to its modeling assumptions.

(b) Failure to comply with qualification requirements. (1) If FHFA determines that an Enterprise fails to comply with the requirements in § 1240.121, FHFA will notify the Enterprise in writing of the Enterprise's failure to comply.

(2) The Enterprise must establish and submit a plan satisfactory to FHFA to return to compliance with the qualification requirements.

(3) In addition, if FHFA determines that the Enterprise's advanced approaches total risk-weighted assets are not commensurate with the Enterprise's credit, market, operational, or other risks, FHFA may require such an Enterprise to calculate its advanced approaches total risk-weighted assets with any modifications provided by FHFA.

(a) An Enterprise must use its advanced systems to determine its credit risk capital requirements for each of the following exposures:

(1) General credit risk (including for mortgage exposures);

(2) Cleared transactions;

(3) Default fund contributions;

(4) Unsettled transactions;

(5) Securitization exposures;

(6) Equity exposures; and

(7) The fair value adjustment to reflect counterparty credit risk in valuation of OTC derivative contracts.

(b) The credit-risk-weighted assets calculated under this subpart E equals the aggregate credit risk capital requirement under paragraph (a) of this section multiplied by 12.5.

(a) Qualification to use operational risk mitigants. An Enterprise may adjust its estimate of operational risk exposure to reflect qualifying operational risk mitigants if:

(1) The Enterprise's operational risk quantification system is able to generate an estimate of the Enterprise's operational risk exposure (which does not incorporate qualifying operational risk mitigants) and an estimate of the Enterprise's operational risk exposure adjusted to incorporate qualifying operational risk mitigants; and

(2) The Enterprise's methodology for incorporating the effects of insurance, if the Enterprise uses insurance as an operational risk mitigant, captures through appropriate discounts to the amount of risk mitigation:

(i) The residual term of the policy, where less than one year;

(ii) The cancelation terms of the policy, where less than one year;

(iii) The policy's timeliness of payment;

(iv) The uncertainty of payment by the provider of the policy; and

(v) Mismatches in coverage between the policy and the hedged operational loss event.

(b) Qualifying operational risk mitigants. Qualifying operational risk mitigants are:

(1) Insurance that:

(i) Is provided by an unaffiliated company that the Enterprise deems to have strong capacity to meet its claims payment obligations and the Enterprise assigns the company a probability of default equal to or less than 10 basis points;

(ii) Has an initial term of at least one year and a residual term of more than 90 days;

(iii) Has a minimum notice period for cancellation by the provider of 90 days;

(iv) Has no exclusions or limitations based upon regulatory action or for the receiver or liquidator of a failed depository institution; and

(v) Is explicitly mapped to a potential operational loss event;

(2) In evaluating an operational risk mitigant other than insurance, FHFA will consider whether the operational risk mitigant covers potential operational losses in a manner equivalent to holding total capital.

(a) If an Enterprise does not qualify to use or does not have qualifying operational risk mitigants, the Enterprise's dollar risk-based capital requirement for operational risk is its operational risk exposure minus eligible operational risk offsets (if any).

(b) If an Enterprise qualifies to use operational risk mitigants and has qualifying operational risk mitigants, the Enterprise's dollar risk-based capital requirement for operational risk is the greater of:

(1) The Enterprise's operational risk exposure adjusted for qualifying operational risk mitigants minus eligible operational risk offsets (if any); or

(2) 0.8 multiplied by the difference between:

(i) The Enterprise's operational risk exposure; and

(ii) Eligible operational risk offsets (if any).

(c) The Enterprise's risk-weighted asset amount for operational risk equals the greater of:

(1) The Enterprise's dollar risk-based capital requirement for operational risk determined under paragraphs (a) or (b) multiplied by 12.5; and

(2) The Enterprise's adjusted total assets multiplied by 0.0015 multiplied by 12.5.

(d) After January 1, 2022, and until the compliance date for this section under § 1240.4, the Enterprise's risk weighted amount for operational risk will equal the Enterprise's adjusted total assets multiplied by 0.0015 multiplied by 12.5.