Bank of Russia fine-tunes operational risk management requirements after consultations with banks

The Bank of Russia fine-tuned the draft regulation ‘On the Requirements for Operational Risk Management in Credit Institutions and Banking Groups’ after consultations with the banking community.

Amendments to the draft regulation concern, among other things, the differentiation of required ratios and the timeframes for the introduction of operational risk management depending on a credit institution’s assets and licence type. The Bank of Russia suggests dividing credit institutions into three categories: banks with a basic licence and NCIs, banks with a universal licence with up to 500 billion rubles in assets, and banks with a universal licence with more than 500 billion rubles in assets. The draft regulation establishes specific requirements for each bank category.

The amendments to the document also concern the threshold value of losses from operational risk events registered in the respective base, and update definitions of operational risk types and the related losses.

In particular, the draft regulation established the requirements for information security risk (including cyber-risk) and information system risk management; maintaining an operational risk event database; internal reporting of credit institutions on operational risk; credit institutions’ IT policy; and additional requirements for the capital needed to cover losses from materialisation of operational risk, including information security risk (including cyber-risk).

The document is the first regulation issued as part of the introduction of the new standardised Basel III approach to operational risk assessment for the calculation of capital adequacy requirements.