      (1) A banking business firm must establish and implement a credit risk management policy:
      (a) that is appropriate for the nature, scale and complexity of its business and for its risk profile; and
      (b) that enables the firm to identify, measure, evaluate, manage and control or mitigate credit risk.
      (2) The objective of the policy is to give the firm the capacity to absorb any existing and estimated future losses arising from credit risk.
    BANK 4.2.2 Policies — general credit risk environment

      A banking business firm's credit risk management policy must establish:

      (a) a well-documented and effectively-implemented process for assuming credit risk that does not rely unduly on external credit ratings;
      (b) well-defined criteria for approving credit (including prudent underwriting standards), and renewing, refinancing and restructuring existing credit;
      (c) a process for identifying the approving authority for credit, given its size and complexity;
      (d) effective credit risk administration, including:
      (i) regular analysis of counterparties' ability and willingness to repay; and
      (ii) monitoring of documents, legal covenants, contractual requirements, and collateral and other CRM techniques;
      (e) effective systems for the accurate and timely identification, measurement, evaluation, management and control or mitigation of credit risk, and reporting to the firm's governing body and senior management;
      (f) procedures for tracking and reporting exceptions to, and deviations from, credit limits or policies;
      (g) prudent and appropriate credit limits that are consistent with the firm's risk tolerance, risk profile and capital; and
      (h) effective controls for the quality, reliability and relevance of data and validation procedures.
      BANK 4.2.2 Guidance

        Depending on the nature, scale and complexity of a banking business firm's credit risk, and how often it provides credit or incurs credit risk, the firm's credit risk management policy should include:

        (a) how the firm defines and measures credit risk;
        (b) the firm's business aims in incurring credit risk, including:
        •   identifying the types and sources of credit risk that the firm will permit itself to be exposed to (and the limits on that exposure) and those that it will not;
        •   setting out the degree of diversification that the firm requires, the firm's tolerance for risk concentrations and the limits on exposures and concentrations; and
        •   stating the risk-return trade-off that the firm is seeking to achieve;
        (c) the kinds of credit to be offered, and ceilings, pricing, profitability, maximum maturities and ratios for each kind of credit;
        (d) a ceiling for the total credit portfolio (in terms, for example, of loan-to-deposit ratio, undrawn commitment ratio, a maximum amount or a percentage of the firm's capital);
        (e) portfolio limits for maximum gross exposures by region or country, by industry or sector, by category of counterparty (such as banks, non-bank financial entities and corporate counterparties), by product, by counterparty and by connected counterparties;
        (f) limits, terms and conditions, approval and review procedures and records kept for lending to connected counterparties;
        (g) types of collateral, loan-to-value ratios and criteria for accepting guarantees;
        (h) the detailed limits for credit risk, and a credit risk structure, that:
        •   takes into account all significant risk factors, including intra-group exposures;
        •   is commensurate with the scale and complexity of the firm's activities; and
        •   is consistent with the firm's business aims, historical performance, and the amount of capital it is willing to risk;
        (i) procedures for:
        •   approving new products and activities that give rise to credit risk;
        •   regular risk position and performance reporting; and
        •   approving and reporting exceptions to limits;
        (j) allocating responsibilities for implementing the credit risk management policy and monitoring adherence to, and the effectiveness of, the policy; and
        (k) the required information systems, staff and other resources.
    BANK 4.2.3 Policies — credit decisions

      (1) A banking business firm's credit risk management policy must ensure that credit decisions are free of conflicts of interest and are made on an arm's-length basis. In particular, the credit approval and credit review functions must be independent of the credit initiation function.


      1 This rule does not prevent arrangements such as an employee loan scheme, so long as the policy ensures that the scheme's terms, conditions and limits are generally available to employees and adequately address the risks and conflicts that arise from loans under it.
      2 The credit risk management policy of a banking business firm should clearly set out who has the authority to approve loans to employees. The authority of a credit committee or credit officer should be appropriate for the products or portfolio and should be commensurate with the committee's or officer's credit experience and expertise.
      3 Each authority to approve should be reviewed regularly to ensure that it remains appropriate for current market conditions and the committee's or officer's performance.
      4 A banking business firm's remuneration policy should be consistent with its credit risk management policy and should not encourage officers to attempt to generate short-term profits by taking an unacceptably high level of risk.
      (2) The policy must state that decisions relating to the following are made at the appropriate level of the firm's senior management or governing body:
      (a) exposures exceeding a stated amount or percentage of the firm's capital;
      (b) exposures that, in accordance with criteria set out in the policy, are especially risky;
      (c) exposures that are outside the firm's core business.
      BANK 4.2.3 Guidance

        1 The level at which credit decisions are made should vary depending on the kind and amount of credit and the nature, scale and complexity of the firm's business. For some firms, a credit committee with formal terms of reference might be appropriate; for others, individuals with pre-assigned limits would do.
        2 A banking business firm should ensure, through periodic independent audits, that the credit approval function is properly managed and that credit exposures comply with prudential standards and internal limits. The results of audits should be reported directly to the governing body, credit committee or senior management, as appropriate.
    BANK 4.2.4 Policies — monitoring, testing and access

      (1) A banking business firm's credit risk management policy must provide for monitoring the total indebtedness of each counterparty and any risk factors that might result in default (including any significant unhedged foreign exchange risk).
      (2) The policy must include stress-testing the firm's credit exposures at intervals appropriate for the nature, scale and complexity of the firm's business and for its risk profile. It must also include a yearly review of stress scenarios, and procedures to make any necessary changes arising from the review.

      Note: The firm's ICAAP sets out how this monitoring and testing are to be achieved. ICAAP includes procedures to continuously identify, measure, evaluate, manage and control or mitigate the risks arising from the firm's activities, and the capital held against such risks — see rules 3.1.4 and 3.1.5.
      (3) A firm must give the Regulatory Authority full access to information in its credit portfolio. The firm must also give the authority access to staff involved in assuming, managing and reporting on credit risk.
