After five years of hard work, international banking regulators are close to completing the framework for a new accord on minimum capital requirements. If the regulators can work out the remaining details and conflicts before mid- 2004, banks will be scheduled to implement the Basel II rules by the end of 2006.

These new standards, aiming for a closer match between the capital that banks hold and the risks they take, should in theory lead to more stable, efficiently run institutions. Bankers concur that the original pact—the 1988 Basel accord—is badly out-of-date. But agreement on specifics has been difficult to reach, and the implementation deadline has already been pushed back once. There may be further delays.¹

How should US banks respond to the impending new rules? US regulators require only the largest banks (by assets) and those with significant assets abroad to follow them. Just a few such banks have begun comprehensive programs to ensure compliance, including the upgrading of their risk-rating systems.² By contrast, some—mainly European—banks have used early drafts of Basel II to prepare for what they see, despite the uncertainties, as inevitable changes in capital standards. Banks in emerging markets are lagging behind. Those in China and India have opted out entirely, claiming that the accord is too complex.

Waiting delays the benefits andcreates the possibility of missing the deadline for compliance

The wait-and-see approach of some US banks—both those required to participate and those that can opt in—is too conservative. Basel II mostly prescribes good banking and business practice; waiting postpones the benefits and creates the possibility of missing the deadline for compliance. Anyway, many provisions still under discussion have little impact on what institutions should do now. Banks must develop more sophisticated ways to estimate default probabilities and losses, for example, but don't immediately need to know Basel II's specific risk-weight formulas.

Large US banks required to participate should move quickly on the basis of what is currently known. So should banks that decided to opt in but deferred action. We urge the many other US institutions sitting on the fence to consider the business case for opting in. A bank could improve its risk management in a way that would have a bottom-line impact even without Basel II. Still, there are important reasons to go all the way: banks certified as Basel II-compliant could benefit from lower capital charges and the enhanced reputation that would come from the regulators' seal of approval.³

Toward best practice

In revising the original 1988 Basel accord, regulators are taking account of improvements in IT, new banking products, and the risk-management revolution that has led, for example, to the boom in securitized assets. The draft proposals have further evolved in response to criticism from bankers, national regulators, and politicians. Many US banks have delayed taking action because of uncertainty about the implementation timetable and disagreements among US regulators about the accord's provisions. Even US banks that want to opt in are confused about when to begin what is sure to be an intensive effort, how to pace it, and what to make a priority. But in Europe, many banks weren't put off by the haziness and faced less domestic regulatory ambiguity.

Banks that are already overhauling their risk-management systems wonder how Basel II will fit in with their initiatives. A few have concluded that it is just a regulatory nuisance—a lot of money and fuss over nothing. The best way to sort out these concerns is to examine where and how the Basel II regulations bring banks to best practice and to look at the business case for the required investments. Even a partial understanding of the shape of the regulations should incline banks to positive action. Applying the Basel II requirements will take banks to, or close to, best practice in risk management, particularly in risk measurement and processes. Here we present our view of how closely the Basel II provisions approach best practice in credit, operational, and market risk—and what the banking industry should do in response.

Credit risk

Credit risk is exposure to the chance that a borrower or counterparty might not honor its contractual obligations. Of the three types of risk discussed here, Basel II is most specific and almost always at best practice in this one. The new rules call for a rating system that explicitly takes account of the probability of default and the loss given default, for example. Most bankers agree that this is the best-practice approach because it helps banks to assess the risk from clients or transactions more accurately. Today there are no requirements in this area.

In some cases, though, Basel II offers only general requirements; for example, it lets banks decide how to use information about customer behavior, such as deposit balance histories and loan repayments, for the purpose of credit ratings. Using such information represents best practice because it helps banks to distinguish good from bad borrowers. Regulators chose to allow banks to develop their own approach if they can back it up.

In other areas, regulators stopped short of best practice because it is hard to validate inputs and outputs supplied by banks. Thus, for example, banks aren't required (or able) to use internal portfolio models, which explicitly account for correlation and diversification effects in credit portfolios. Following the spirit of Basel II, banks would have to show that correlation coefficients were statistically significant, and regulators would have to be able to validate these claims. That's tough sledding because such correlations are even harder to establish than probability-of-default or loss-given-default parameters, so regulators instead settled on an average benchmark portfolio to calibrate formulas. Here, banks should go beyond Basel II. Large commercial lenders, for instance, might want to invest in internal portfolio models to improve the management of their credit portfolios.

To comply with Basel II, most US banks will need to upgrade their rating systems and credit processes, including the prediction and collection of defaults. For those institutions that have to meet the implementation deadline of December 31, 2006, time is short. While many scoring systems for consumer credit portfolios meet the requirements, problems with generating and archiving default data have created compliance gaps for smaller loan portfolios.

Larger banks in the nonmandatory category will likely opt in over time, using Basel II as a catalyst for promoting better risk-management practices, but they may not achieve full compliance by the proposed deadline. These banks should assess, segment by segment, how far they are from compliance and which segment would benefit if implemented first.

Operational risk

Operational risk is exposure to losses from inadequate internal processes and systems and from external threats such as rogue traders. The Basel II draft regulations are specific about what must be measured but vague about how to do so. These proposals focus mainly on measuring risk and capital adequacy. It makes sense, for example, to collect internal and external data on losses so that the data can be used to model loss distributions, as the draft requires, because this is among the few ways to quantify operational risk. But banks are free to decide how the historical data series should be transformed into a statistical assessment of required capital.

Little mention is made of risk mitigation—for instance, contingency plans for disasters like major systems failures or reviews of business practices to warn banks about potential risks to their reputation, such as the investment banks' 1990s practice of linking research and banking. Risk mitigation can reduce losses triggered not only by external disasters but also by internal practices. A well-designed data recovery plan, for example, can reduce the financial impact of a trading platform that breaks down—a low-frequency, high-impact risk. High-frequency, low-impact risks, such as credit card fraud, can be addressed by reengineering operations-intensive processes. The draft regulations' opacity gives banks the flexibility to tailor the best approach for themselves.

Some banks have begun developing processes required by Basel II, but few if any institutions have made the operational-risk framework a practical tool to drive bottom-line results by enhancing operational effectiveness. While the key elements of a best-practice framework have emerged, practices and design choices vary greatly in, for example, the formats and levels of detail for a bank's self-assessment. Despite the regulators' silence on risk mitigation, banks should move ahead here.

Market risk

Market risk is exposure to adverse market price movements, such as exchange rates, the value of securities, and interest rates or spreads. Market risk has two components: trading risk and structural-interest-rate (or asset-liability) risk. No changes have been made in the rules on trading risk since a 1996 Basel I amendment that pushed banks toward best practice by letting them use internal models to determine the capital requirements for market risk in trading portfolios. Structural-interest-rate risk—the risk to earnings and equity values from mismatches in the interest rate sensitivity of assets and liabilities—is addressed relatively vaguely. In the bank treasury function of asset-liability management, Basel II repeats the principles put forward in the first capital accord and other existing regulatory guidelines. These principles are framed at too high a level to translate into specific best practices.⁴

The absence of specific market risk provisions is disappointing, for the specificity of new credit and operational-risk regulations is what has forced and will go on forcing banks to upgrade their approaches. The market risk rules in asset-liability management will amount to something like "have policies" or "measure vulnerability to stress scenarios," and most banks can argue that they do so already. The Basel regulators may have paid less attention to market risk either because most banks typically require significantly less capital for structural-interest-rate risk than for credit risk (perhaps 60 to 70 percent of an average bank's capital) or because of other existing regulations. Nonetheless, many retail banks have assumed substantial asset-liability risk in the recent interest environment. In principle, standards for measuring economic-value and earnings risk caused by structural-interest-rate risk should be as stringent as those for credit risk.

While Basel II may not change the requirements for structural or trading risk, the general safety and soundness principles it restates imply that standards will go on evolving. For institutions that now have no regulatory or business issues, this area is of little concern. Banks should follow best-practice developments and update as needed even if Basel II gives little advice on what to do or where to focus.

The business case

Our research reveals a significant profit impact—above and beyond the savings banks might gain from reduced capital charges and funding costs by adhering to Basel II—from moving to best practice. For some banks, the more risk-sensitive Basel II formulas could substantially reduce regulatory capital, sometimes by up to 50 percent in segments such as residential mortgages. If banks could reduce their capital as a result, they would save on funding costs. But savings from reduced capital aren't automatic. Many banks and rating agencies assess the amount of capital required by economics rather than regulation, so the capital a bank actually decides to hold may not change. In addition, other constraints (such as leverage ratios under current US regulations) may also prevent banks from reducing regulatory capital significantly.

1. In our client work, we have identified four important Basel II-style risk-management efficiencies. Benchmarks from typical improvement efforts suggest that they could raise pretax earnings by 3 to 6 percent.
2. Reduced charge-offs through better default-prediction and collection processes can add 1 percent to pretax earnings. Improved credit-rating systems, for example, make more accurate predictions of who will default. Better earnings come not only from turning down people whose credit quality is likely to fall but also from lending to those who might have been rejected before but now seem to be worthy risks. Also, sharper insights into collateral value help banks improve their bad-loan workout processes.

3. Risk-based pricing to improve pricing discipline on loans and risk selection and to reduce risk from new business opportunities can raise risk-adjusted pretax earnings by 1 to 2 percent. Good loan pricing must be risk adjusted: riskier borrowers require higher provisions for expected losses and more capital for covering bigger unexpected ones. With better systems to assess and differentiate risk, banks can enter new or more risky segments without fearing disaster.

4. Cutting operating expenses by streamlining underwriting processes can raise pretax earnings by 0.5 to 1 percent. One North American retail bank, for example, generated loans through different channels, including mortgage brokers, thereby making the process of capturing data complex and redundant. With a new rating system, data were entered only once, and—most important—automated decision making reduced the need for manual intervention.
5. Cutting expenses by mitigating operational losses can raise pretax earnings by 1 to 2 percent. The savings come from lower losses because of problems ranging from teller error to rogue trading, as well as from lower capital charges. Banks can either reengineer processes to reduce human error or develop contingency plans for problems like systems breakdowns. This approach also has less quantifiable benefits, such as better customer retention and management information.

Substantial savings can also be had from reducing regulatory-capital requirements, though the benefits may vary greatly by customer segment and the risk characteristics of particular loan portfolios. Consider operational risk: for big banks that must adhere to Basel II, moving to a proposed advanced measurement standard might generate savings from 20 to 25 percent of the capital requirements for operational risk if regulatory capital exceeds economic capital.

Getting there

These savings require big investments. For large, diversified global banks, the cost is typically $100 million but can be as high as $250 million, and the process could well take up to three years. For diversified regional banks, the cost is about $25 million to $50 million. Many banks would incur much of this cost even without Basel II, since they must upgrade their risk-management capabilities to keep pace with changing markets.

Basel II's objective—instilling best-practice, sophisticated, analytically driven risk-management policies based on each bank's experience—will increase overall IT requirements. For most banks, enhanced IT systems and data integration will account for more than 75 percent of the investment Basel II requires.⁵ The most important cost drivers are the number and nature of a bank's portfolios, loans, and processes (including the degree to which existing data warehouses are integrated), the starting point and maturity of tools and processes, and the scope and timing of implementation. To build a new credit-rating system, for example, a bank must first develop a prototype and then expand it into a broadly available production tool, usable by the front line, that is integrated with existing data warehouses.

From the perspective of best-practice risk management, credit risk will largely drive Basel II's implementation costs. Much of the cost, we estimate, will go toward addressing credit risk: 55 to 65 percent for credit-related IT systems integration (including data migration) and 25 to 30 percent for nonsystems credit risk (including models and prototypes). Operational risk will account for almost all remaining costs; those for external reporting and supervision will be negligible.

Banks with well-integrated IT systems can meet the requirements relatively easily. Others face limitations from dispersed legacy systems and poor data architectures. But the temptation to undertake massive IT-restructuring projects under the Basel umbrella should be measured against less elegant but pragmatic and cheaper approaches. One of our clients concluded that a $20,000 Excel-based solution would capture data easily and accurately for a segment with only a few loan defaults a year. A more elaborate project to integrate the data with the main data warehouse would have cost $5 million. Banks should also consider combining the IT programs they undertake for Basel II with those needed to comply with the US Sarbanes-Oxley corporate-governance legislation and with international accounting standards in Europe. An operational-risk self-assessment program needed for compliance with Basel II, for example, would tie in nicely with the management certification of financial controls required by Sarbanes-Oxley.

The United States has 7,000 banks. The top 50 should comply with most if not all Basel II requirements. Banks with risky portfolios may face higher regulatory-capital charges under Basel II, but such banks are in particular need of best-practice risk management. Insofar as Basel II doesn't reach best practices, we encourage banks to pursue them if there is a business case.

Some bankers may worry about wasted effort. But we detect a spirit of flexibility in the Basel regulators' comments and especially in the US regulators' Advanced Notice of Public Rulemaking, which will limit the risk of building capabilities that won't ultimately be needed.⁶ Banks in the opt-in category will likely be able to work with regulators to establish a transition path to compliance and can therefore start upgrading areas that make the most business sense. Banks may even be able to comply with Basel II for their major segments but not all of their portfolios if they can show that this choice reflects solid business realities.⁷

Banks that have already started risk-management programs view Basel II as a change agent. They use the new accord to focus bankwide attention on efforts to achieve risk-management leadership. Basel II is also good news for banks whose risk-management efforts, begun with the best of intentions, have languished through inattention. CEOs should recognize that moving so many parts of a bank—most business units as well as the treasury and other corporate-center functions—to best practice involves a huge effort. We know from long experience that it will fail if top management doesn't take the lead and ensure that benefits from a well-developed business case are captured.