International Banks regulated by the Financial Services (Regulation and Supervision) Department (FSRC – Nevis Branch) are required to submit an ICAAP every year to the Regulator of International Banking – though this can be in the form of an annual update.
The ICAAP has several aims. Broadly they are for a bank:
- To set out its longer–term strategy and how the risks to that strategy can be mitigated.
- To set out its material current risks and how they are mitigated
- To assess how much capital it needs
- To enable the regulator to determine how much capital the bank may need above the minimum regulatory requirement (subject to a minimum regulatory capital policy set out elsewhere)
There are several key characteristics of an ICAAP and they are that the:
- ICAAP should be discussed and signed off each year by the board
- ICAAP should be integrated and be dependent on other risk identification and mitigation tools
- ICAAP should be high‐level and relatively short – generally no more than 10 pages
The ICAAP is the key element in pillar II. Pillar II is intended firstly to determine capital for those risks covered in pillar I where the minimum regulatory capital may be insufficient and secondly to determine the capital level for those risks not covered in pillar I. The material risks covered in pillar I are credit and operational risk. In pillar II they include interest rate in the banking book, securitisation, reputational risk, credit concentration, conduct risk, group risk, and pension obligation risk. Further detail on these risks – in terms of definition and practice – is available generally, not least through publications by the Basel Committee.
A typical ICAAP document might begin with a statement of the bank’s current strategy and the main risks to that strategy. It might explain how those risks are intended to be mitigated and where there are weaknesses in that mitigation. It should be recalled that banks exist to take risks and the regulator does not expect a board to argue that there are no risks or that the risks are entirely mitigated.
The document might then explain where the bank wants to be in say 5 years’ time. Again, the ICAAP document should identify the main risks to that strategy and how they are to be mitigated. Even if a bank intends to stick win the current strategy, it will need to identify the risks to the status quo – these might be environmental or technology risks for instance.
The ICAAP needs to link with other risk control tools being used within the bank – for example the risk register, key risk indicators, internal audit and so on.
It is unlikely that the bank will determine the minimum regulatory capital in pillar I is sufficient. Banks in Nevis are not expected to use models of any kind in determining capital levels; not least due to a lack of data. They are however expected to have a rationale for allocating a block of capital to a particular risk. It is expected that over time risks will change and that the allocation and level of capital will change also. The latter will vary with risk – banks should not propose a continuous downward trend in capital.
There should be a broad relationship between capital and the adequacy of the control environment. If the latter proves to be weak, then additional capital is likely to be necessary. However capital should generally be allocated on the assumption of a reasonable sound control environment. Capital, it should be remembered, is to deal with unexpected control failures. The ICAAP should not just be a capital tool – it needs to be linked into the control environment of the banks.
Banks may wish to consider stress‐testing their business. This might for example be through scenarios. However this approach is not obligatory and, when used, should be kept as simple as possible. Banks may also wish to engage in a reverse stress test ‐ whereby a worst‐case scenario exhausts the capital available.