• PRU A4.1 PRU A4.1 Credit Risk systems and controls

    • Guidance

      1. Depending on an Authorised Person's nature, scale, frequency, and complexity of Credit Risk granted or incurred, the Credit Risk policy of an Authorised Person should address the following elements:
      a. how, with particular reference to its activities, the Authorised Person defines and measures Credit Risk;
      b. the Authorised Person's business aims in incurring Credit Risk including:
      i. identifying the types and sources of Credit Risk to which the Authorised Person wishes to be exposed (and the limits on that Exposure) and those to which the Authorised Person wishes not to be exposed;
      ii. specifying the level of diversification required by the Authorised Person and the Authorised Person's tolerance for risk concentrations and the limits on those Exposures and concentrations; and
      iii. stating the risk-return that the Authorised Person is seeking to achieve on Credit Risk Exposures;
      c. types of facilities to be offered, along with ceilings, pricing, profitability, maximum maturities and maximum debt-servicing ratios for each type of lending;
      d. a ceiling for the total loan portfolio, in terms, for example, of the loan-to-Deposit ratio, undrawn commitment ratio, a maximum dollar amount or a percentage of capital base;
      e. portfolio limits for maximum aggregate Exposures by country, industry, category of borrower/Counterparty (e.g. banks, non-bank Financial Institutions, corporates and retail), product (e.g. property lending), Groups of related parties and single borrowers;
      f. limits, terms and conditions, approval and review procedures and records kept for Connected lending - all Authorised Persons should have a formal policy statement, endorsed by the Governing Body, on such lending covering these matters;
      g. types of acceptable Collateral, loan-to-value ratios and the criteria for accepting guarantees; and
      h. how Credit Risk is assessed both when credit is granted or incurred and subsequently, including how the adequacy of any security and other risk mitigation techniques are assessed;
      i. the detailed limit structure for Credit Risk, which should:
      i. address all key risk factors, including intra-Group Exposures;
      ii. be commensurate with the volume and complexity of activity; and
      iii. be consistent with the Authorised Person's business aims, historical performance, and the level of capital the Authorised Person is willing to risk;
      j. procedures for:
      i. approving new products and activities which give rise to Credit Risk;
      ii. regular risk position and performance reporting;
      iii. limit exception reporting and approval; and
      iv. identifying and dealing with problem Exposures;
      k. the allocation of responsibilities for implementing the Credit Risk policy and for monitoring adherence to, and the effectiveness of, the policy; and
      l. the required information systems, staff and other resources.
      2. The Credit Risk policy should emphasize the principles of prudence and should be enforced consistently. The policy and its implementation should ensure that credit facilities are only granted to credit-worthy customers and that risk concentrations are avoided.
      3. The Credit Risk strategy and policy need to be clearly disseminated to, and understood by all relevant staff.
      4. The Credit Risk policy of an Authorised Person should clearly specify the delegation of its credit approval authorities. Credit authority thus delegated should be appropriate for the products or portfolios assigned to the credit committee or individual credit officers and should be commensurate with their credit experience and expertise. An officer's credit authority may, however, be increased on the basis of his or her track record. An Authorised Person should ensure that credit authority is required for acquiring any types of credit Exposures, including the use of Credit Derivatives for hedging or income generation.
      5. Credit authority delegated to the credit committee and each credit officer should be subject to regular review to ensure that it remains appropriate to current market conditions and the level of their performance.
      6. An Authorised Person's remuneration policies applicable to all staff should be consistent with its Credit Risk strategy.

      The policies should not encourage officers to generate short-term profits by taking an unacceptably high level of risk.

    • Counterparty Risk assessment

      7. The Authorised Person should make a suitable assessment of the risk profile of its Counterparties. The factors to be considered will vary according to both the type of credit and Counterparty such as whether the Counterparty is a company or a sovereign Counterparty and may include:
      a. the purpose of the credit and the source of repayment;
      b. an assessment of the skill, integrity and quality of management and overall reputation of the Counterparty;
      c. the legal capacity of the Counterparty to assume the liability to the Authorised Person;
      d. an assessment of the nature and amount of risk attached to the Counterparty in the context of the industrial sector or geographical region or country in which it operates and the potential impact on the Counterparty of political, economic and market changes; this assessment may include consideration of the extent and nature of the Counterparty's other financial obligations;
      e. the Counterparty's repayment history as well as an assessment of the Counterparty's current and future capacity to repay obligations based on financial statements, financial trends, cash flow projections and the potential impact of adverse economic scenarios;
      f. an analysis of the risk-return trade-off, with regard to the proposed price of the Credit Facility;
      g. the proposed terms and conditions attached to the granting of credit, including on-going provision of information by the Counterparty, covenants attached to the facility, the adequacy and enforceability of Collateral and guarantees; and
      h. the Authorised Person's existing Exposure to the individual Counterparty, sector, country or product and the availability of credit given Exposure limits.
      8. An Authorised Person should document any variation from the usual credit policy.
      9. An Authorised Person involved in loan syndications or consortia should not rely on other parties' assessments of the Credit Risks involved but should conduct a full assessment against its own Credit Risk policy.
      10. An Authorised Person granting credit to obligors in other countries should be cognisant of the additional risks — country risk and transfer risk — involved in such credits. An Authorised Person should therefore consider the environment — economic and political — in the relevant countries, the potential effect of changes thereto on the obligors' ability to service the credit and the contagion effects in regions where economies are closely related.
      11. The exception reporting should be adequately supported by a management reporting system whereby relevant reports on the credit portfolio are generated to various levels of management on a timely basis.
      12. Connected Counterparties should be identified and the procedures for the management of the combined Credit Risk considered. It may be appropriate for Authorised Persons to monitor and report the aggregate Exposure against combined limits in addition to monitoring the constituent Exposures to the individual Counterparties.
      13. An Authorised Person should consider whether it needs to assess the credit-worthiness of suppliers of goods and services to whom it makes material prepayments or advances.

    • Risk assessment: Derivative Counterparties

      14. An Authorised Person should include in its Credit Risk policy an adequate description of:
      a. how it determines with which Derivative Counterparties to do business;
      b. how it assesses and continues to monitor the credit-worthiness of those Counterparties;
      c. how it identifies its actual and contingent Exposure to the Counterparty; and
      d. whether and how it uses credit loss mitigation techniques, e.g. margining, taking security or Collateral or purchasing credit insurance.
      15. In assessing its contingent Exposure to a Counterparty, the Authorised Person should identify the amount which would be due from the Counterparty if the value, index or other factor upon which that amount depends were to change.
      16. An Authorised Person should clearly specify the delegation of its credit approval authorities. Credit authority thus delegated should be appropriate for the products or portfolios assigned to the credit committee or individual credit officers and should be commensurate with their credit experience and expertise. An officer's credit authority may, however, be increased on the basis of his her track record. An Authorised Person should ensure that credit authority is required for acquiring any types of credit Exposures, including the use of Credit Derivatives for hedging or income generation.
      17. Credit authority delegated to the credit committee and each credit officer should be subject to regular review to ensure that it remains appropriate to current market conditions and the level of their performance.

    • Credit approval procedures

      18. An Authorised Person should adhere closely to the "Know Your Customer" principle and should not lend purely on name and relationship without a comprehensive assessment of the credit quality of the borrower.
      19. Credit decisions should be supported by adequate evaluation of the borrower's repayment ability based on reliable information. Sufficient and up-to-date information should continue to be available to enable effective monitoring of the account.
      20. All credits should be granted on an arm's length basis. Credits to related borrowers should be monitored carefully and steps taken to control or reduce the risks of Connected lending.
      21. An Authorised Person should not rely excessively on Collateral or guarantees as Credit Risk mitigants. Such Credit Risk mitigants may provide secondary protection to the lender if the borrower defaults, the primary consideration for credit approval should be the borrower's debt-servicing capacity.
      22. An Authorised Person should be sensitive to rapid expansion of specific types of lending. Such trends may often be accompanied by deterioration of credit standards and thus merit increased focus on more marginal borrowers.
      23. An Authorised Person should ensure through periodic independent audits that the credit approval function is being properly managed and that credit Exposures comply with prudential standards and internal limits. The results of such audits should be reported directly to the Governing Body, the credit committee or senior management as appropriate.

    • Risk control

      24. An Authorised Person should consider setting credit limits for maximum Exposures to single and Connected Counterparties, as well as limits for aggregate Exposures to economic sectors, geographic areas, and on total Credit Risk arising from specific types of products. By limiting Exposures in these categories, an Authorised Person can manage credit Exposure more carefully and avoid excessive concentrations of risk.
      25. The Credit Risk policy of an Authorised Person should include a policy to control and monitor Large Exposures and other risk concentrations. An Authorised Person should carefully manage and avoid excessive risk concentrations of various kinds. These include Exposure to:
      a. individual borrowers (in particular Exposure exceeding 10% of the firm's capital base);
      b. Groups of borrowers with similar characteristics, economic and geographical sectors; and
      c. types of lending with similar characteristics (e.g. those based on assets with similar price behaviour).
      26. Notwithstanding the Concentration Risk limit specified as part of the prudential Rules on Large Exposures, Authorised Persons should exercise particular care in relation to facilities exceeding 10% of capital base.
      27. Authorised Persons should recognise and control the Credit Risk arising from their new products and services. Well in advance of entering into business transactions involving new types of products and activities, they should ensure that they understand the risks fully and have established appropriate Credit Risk policies, procedures and controls, which should be approved by the Governing Body or its appropriate delegated committee. A formal risk assessment of new products and activities should also be performed and documented.
      28. An Authorised Person in Category 123A or 5 is also subject to concentration limits and notification requirements as spelt out in Chapter 4.

    • Risk measurement

      29. An Authorised Person should measure its Credit Risk using a robust and consistent methodology, which should be described in its Credit Risk policy. The Authorised Person should consider whether the measurement methodology should be back-tested and the frequency of any such back-testing.
      30. An Authorised Person should also be able to measure its total Exposure across the entire credit portfolio or within particular categories such as Exposures to particular industries, economic sectors or geographical areas.
      31. Where an Authorised Person is a member of a Group, the Group should be able to monitor credit Exposures on a consolidated basis.
      32. An Authorised Person should have the capability to measure its credit Exposure to individual Counterparties on at least a daily basis.
      33. Authorised Persons should analyse their credit portfolios to identify material inter-dependencies which can exaggerate risk concentrations. The importance can be illustrated by the contagion effects that a substantial decline in property or stock prices may have on the default rate of those commercial and industrial loans which rely heavily on such types of Collateral.
      34. Authorised Persons should establish a system of regular independent credit and compliance audits. These audits should be performed by independent parties, e.g. internal audit and compliance, which report to the Governing Body or the audit committee.
      35. Credit audits should be conducted to assess individual credits on a sampling basis and the overall quality of the credit portfolio. Such audits are useful for evaluating the performance of account officers and the effectiveness of the credit process. They can also enable Authorised Persons to take early measures to protect their loans.

    • Risk monitoring

      36. An Authorised Person should implement an effective system for monitoring its Credit Risk, which should be described in its Credit Risk policy. The system may monitor the use of facilities, adherence to servicing requirements and covenants, and monitor the value of Collateral and identify problem accounts.
      37. An Authorised Person should consider the implementation of a system of management reporting which provides relevant, accurate, comprehensive, timely and reliable Credit Risk reports to relevant functions within the Authorised Person.
      38. Adequacy and sophistication of Credit Risk measurement tools required depends on the complexity and degree of the inherent risks of the products involved. An Authorised Person should have information systems and analytical techniques that provide sufficient information on the risk profile and structure of the credit portfolio. These should be flexible to help Authorised Person to identify risk concentrations. To achieve this, an Authorised Person system should be capable of analysing its credit portfolio by the following characteristics:
      a. size of Exposure;
      b. Exposure to Groups of related borrowers;
      c. products;
      d. sectors, e.g. geographic, industrial;
      e. borrowers' demographic profile for consumer credits, e.g. age or income group, if appropriate;
      f. account performance;
      g. internal credit ratings;
      h. outstandings versus commitments; and
      i. types and coverage of Collateral.
      39. An Authorised Person should have procedures for taking appropriate action according to the information within the management reports, such as a review of Counterparty limits.
      40. Particular attention should be given to the monitoring of credit that does not conform to usual Credit Risk policy, or which exceeds predetermined credit limits and criteria, but is sanctioned because of particular circumstances. Unauthorised exceptions to policies, procedures and limits should be reported in a timely manner to the appropriate level of management.
      41. Individual credit facilities and overall limits and sub-limits should be periodically reviewed in order to check their performance and appropriateness for both the current circumstances of the Counterparty and in the Authorised Person's current internal and external economic environment. The frequency of review will usually be more intense for higher-risk Counterparties or larger Exposures or in fluctuating economic conditions.
      42. An Authorised Person should have in place a system for monitoring the overall quality of its Credit Risk Exposures under normal and stressful conditions. There should also be a reporting system which alerts management to aggregate Exposures approaching various pre-set portfolio limits.
      43. An Authorised Person should be mindful of business and economic cycles and regularly stress-test their portfolios against adverse market scenarios. Adequate contingency planning should be developed in conjunction with stress-testing to address the possibility of crises developing in a very rapid fashion.
      44. Appropriate stress testing of credit Exposures can be an essential part of the credit management process. Examination of the potential effects of economic or industry downturns, market events, changes in interest rates, changes in foreign exchange rates and changes in liquidity conditions can provide valuable information about an Authorised Person's Credit Risk. This information can be utilised to inform the Authorised Person's on-going credit strategy.
      45. As new techniques for Credit Risk management, monitoring and reporting are developed, the Authorised Person should ensure they are tested and evaluated before undue reliance is placed upon them.
      46. Where the account officer for a credit (or customer relationship manager, branch manager or similar) moves on, the incoming officer should carry out a take-over review. The review should cover inter alia the credit-worthiness of the borrowers, the adequacy of the documentation, compliance with covenants, performance of each loan and the existence and value of any Collateral.

    • Problem Exposures

      47. An Authorised Person should have processes for the timely identification and management of problem Exposures. These processes should be described in the Credit Risk policy.
      48 An Authorised Person involved in Providing Credit should establish a dedicated unit to handle the recovery and work-out of problem loans and should establish policies for the referral of loans to this unit.
      49. An Authorised Person should ensure that its loan portfolio is properly classified and has an effective early-warning system for problem loans.
      50. An Authorised Person should develop and implement internal risk rating systems for managing Credit Risk. The rating system should be consistent with the nature, size and complexity of the Authorised Person's activities. In using internal risk ratings, an Authorised Person should seek to achieve a high granularity in the rating system and adopt multiple grades for loans that are not yet irregular and to develop the ability to track the migration of individual loans through the various internal credit ratings.
      51. Depending on the size and nature of the Authorised Person, it may be appropriate for problem Exposures to be managed by a specialised function, independent of the functions that originate the business or maintain the on-going business relationship with the Counterparty.
      52. Exposures identified as problems or potential problems should be closely monitored by management, and an Authorised Person should set out, for example, whether a loan grading system or a watch or problem list is used and, in the latter case, the criteria for adding an asset to or taking an asset off that list.
      53. It is recommended that Authorised Persons establish a dedicated unit to handle the recovery and work-out of problem loans and put in place policies for the referral of loans to this unit.
      54. An Authorised Person should have adequate procedures for recovering Exposures in arrears or those which had provisions made against them. These should allocate responsibility both internally and externally for its arrears management and recovery and define the involvement of the Authorised Person's solicitors.
      55. Requirements relating to provisioning against loss on problem Exposures are covered in Chapter 4.

    • Risk mitigation

      56. Various methods can be used to mitigate Credit Risk, such as taking security or Collateral, obtaining a guarantee from a third party, purchasing insurance or Credit Derivatives. Authorised Persons should view these as complementary to, rather than a replacement for, thorough credit analysis and procedures.
      57. In controlling Credit Risk, an Authorised Person may utilise certain mitigation techniques.

      Normally, they include:
      a. accepting Collateral, standby letters of credit and guarantees;
      b. entering into Netting arrangements;
      c. setting strict loan covenants; and
      d. using Credit Derivatives and other hedging instruments.
      58. In determining which types of credit mitigation techniques should be used, firms should also consider:
      a. their own knowledge and experience in using such techniques;
      b. cost-effectiveness;
      c. type and financial strength of the Counterparties or Issuers;
      d. correlation with the underlying credits;
      e. availability, liquidity and realisability of the credit mitigation instruments;
      f. the extent to which legally recognised documentation, e.g. ISDA Master Agreement, can be adopted; and
      g. the degree of supervisory recognition of the mitigation technique.
      59. While mitigation through Collateral and guarantees is usually dealt with at the time of granting of credits, Credit Derivatives and Netting are often employed after the credit is in place, or used to manage the overall portfolio risk. When the mitigation arrangements are in place they should then be controlled. Authorised Persons should have written policies, procedures and controls for the use of credit mitigation techniques. They should also ensure adequate systems are in place to manage these activities.
      60. Authorised Persons should revalue their Collateral and mitigation instruments on a regular basis.

      The method and frequency of revaluation depends on the nature of the hedge and the products involved.
      61. If an Authorised Person takes security or Collateral, on credit facilities, appropriate policies and procedures should be documented covering:
      a. the types of security or Collateral considered;
      b. procedures governing the valuation and revaluation of security or Collateral including the basis of valuation;
      c. policies governing the taking of security or Collateral, including obtaining appropriate legal title; and
      d. policies governing possession of security or Collateral.
      62. The value of security and Collateral should be monitored at an appropriate frequency. For example, commercial property might be revalued annually, whereas Securities provided as Collateral should be marked to market usually on a daily basis. Residential property may not need to be revalued annually, but information should be sought as to general market conditions.
      63. When taking Collateral in support of an Exposure, an Authorised Person should ensure that legal procedures have been followed, to ensure the Collateral can be enforced if required.
      64. An Authorised Person should consider the legal and financial ability of a guarantor to fulfil the guarantee were it called upon to perform its obligations as guarantor.
      65. An Authorised Person should analyse carefully the protection afforded by risk mitigants such as Netting agreements or Credit Derivatives, to ensure that any residual Credit Risk is identified, measured, monitored and controlled.
      66. An Authorised Person providing mortgages at high loan-to-value ratios should consider the need for alternative forms of protection against the risks of such lending, including mortgage indemnity insurance, to protect against the risk of a fall in the value of the property.

    • Record keeping

      67. The Authorised Person should maintain appropriate records of:
      a. credit Exposures, including aggregations of credit Exposures, by:
      i. Groups of Connected Counterparties; and
      ii. types of Counterparty as defined, for example, by the nature or geographical location of the Counterparty;
      b. credit decisions, including details of the facts or circumstances upon which a decision was made; and
      c. information relevant to assessing current credit quality.
      68. Credit records should be retained for at least six years, subject to any requirement in the Rules requiring such records to be kept for a longer period.
      69. It is important that sound and legally enforceable documentation is in place for each credit agreement as this may be called upon in the event of a default or dispute. An Authorised Person should therefore consider whether it is appropriate for an independent legal opinion to be sought on documentation used by the Authorised Person. Documentation should be in place before the Authorised Person enters into a contractual obligation or releases funds.

    • Country and transfer risk Exposure

      70. Chapter 4 does not provide limits on the size of an Authorised Person's Exposure to a particular country or region. However, an Authorised Person which has Large Exposures in a country or region should include in its Credit Risk policy:
      a. the geographical areas in which the Authorised Person does or intends to do business;
      b. its definition of Credit Risk Exposure and transfer risks (such as exchange restrictions) associated with doing business in each country or region;
      c. how to measure its total Exposure in each country or region and across several countries or regions;
      d. the types of business the Authorised Person intends to undertake in each country or region;
      e. limits on Exposures to an individual country or region which the Authorised Person deals with, and sub-limits for different types of business if appropriate;
      f. the procedure for setting and reviewing country or regional limits; and
      g. the process by which the Authorised Person's actual country or regional Exposures will be monitored against limits and the procedure to be followed if the limits are breached.
      71. When setting country or regional limits, an Authorised Person should consider:
      a. the economic and political circumstances prevailing in the country or region;
      b. the transfer risks associated with any particular country or region;
      c. the type and maturity of business undertaken by the Authorised Person in a particular country or region;
      d. the Authorised Person's existing concentration of country or regional risk;
      e. the source of funding for the country or regional Exposure; and
      f. sovereign or other guarantees offered.

    • Provisioning

      72. Depending upon the nature of the Authorised Person and its business, the Authorised Person's provisioning policy should set out:
      a. who has responsibility for reviewing the provisioning policy and approving any changes;
      b. how frequently the policy should be reviewed;
      c. when the review will take place, including the circumstances in which a review might be more frequent;
      d. who has primary responsibility for ensuring the provisioning policy remains appropriate, including any division of responsibilities;
      e. the areas of its business to which the provisioning policy relates — it should include both on balance sheet and off balance sheet Exposures and assets;
      f. where it takes different approaches to different lines of its business and the key features of those differences;
      g. who has responsibility for monitoring its asset portfolio on a regular basis in order to identify problem or potential problem assets and the factors it takes into account in identifying them;
      h. whether a loan grading system or a watch or problem list is used and, in the latter case, the criteria for adding an asset to or taking an asset off that list;
      i. the extent to which the value of any Collateral, guarantees or insurance which the Authorised Person holds affects the need for or size of provision;
      j. on what basis the Authorised Person makes its provisions, including the extent to which the level of provisioning is left to managerial judgement or to a committee or involves specified formulae and the methodologies or debt management systems and other formulae used to determine provisioning levels for different business lines and the factors applied within these methodologies;
      k. who is responsible for ensuring that the Authorised Person's provisioning policy is being implemented properly, and the measures the Authorised Person has in place if its provisioning polices are not adhered to;
      l. who is responsible for the regular reviews of the Authorised Person's specific and general provisions and who decides whether provision levels are satisfactory. The reviews should take account of changes in the status of the Exposures and potential losses and changes in the conditions associated with them;
      m. the reports used to enable management to ensure that the Authorised Person's provisioning levels remain satisfactory, the frequency and purpose of those reports and their circulation;
      n. the procedures for recovering Exposures in arrears or Exposures which have had provisions made against them, including who has responsibility both internally and externally for its arrears management and recovery and the involvement of the Authorised Person's solicitors;
      o. the procedures and methodologies for writing off and writing back provisions, including treatment of interest and who has the relevant responsibility for determining these;
      p. the frequency of any review of its write off experience against provisions raised; such a review can help identify whether an Authorised Person's policies result in over or under provisioning across the business cycle, and contribute to a general review of an Authorised Person's provisioning policy and the design of any loan grading systems, Credit Risk models, and risk pricing; and
      q. the Authorised Person's procedures and methodologies for calculating and raising provisions for contingent and other liabilities, how frequently they should be reviewed and who has the relevant responsibilities. Other liabilities include the crystallisation of contingent liabilities such as acceptances, endorsements, guarantees, performance bonds, indemnities, irrevocable letters of credit and the confirmation of documentary credits.
      73. Provisions may be general (against the whole of a given portfolio) or specific (against particular Exposures identified as bad or doubtful), or both. The Regulator expects contingent liabilities and anticipated losses to be recognised in accordance with the applicable accounting standards.
      74. Appropriate systems and controls for provisions vary with the nature, scale and complexity of the credit granted. An Authorised Person for which the extension of credit is a substantial part of its business is expected to have greater regard to developing, implementing and documenting a provisioning policy than an Authorised Person for which Credit Risk is incidental to the operation of its business.
      75. The Regulator recognises that the frequency with which an Authorised Person reviews its provisioning policy once it has been established will vary from firm to firm. However, the Regulator expects an Authorised Person to review its policy to ensure it remains appropriate for the business it undertakes and the economic environment in which it operates. The provisioning policy should be reviewed at least annually by the Governing Body.