Design & implement an effective & sound ICAAP
As per the Basel II Capital Accord, all Cypriot Investment Firms (CIFs) must ensure compliance with Pillar II regulatory obligations and have in place an effective and sound Internal Adequacy Assessment Process (ICAAP). The ICAAP will be submitted to the regulator only upon request. The regulator then uses the Supervisory Review and Evaluation Process (SREP) to assess the process implemented by the firm and the capital requirement calculations performed against the risks it faces.
Up until the 11th of July 2019, no other regulatory reporting layer was in place to support the regulator on its supervision role in regards to the ICAAP. On that day, the Cyprus Securities and Exchange Commission (CySEC) introduced additional regulatory reporting obligations for all Cyprus Investment Firms (CIFs) with the main objective being to enhance the regulator’s supervision capacity on;
– the assessment of the Internal Capital Adequacy Assessment Process (ICAAP),
– the assessment of the annual audited financial statements,
– the safeguarding of clients’ money.
The new regulatory reporting is named “Prudential Supervision Information” and must be submitted to the regulator by the 31st of July 2019. Further information can be found on SALVUS news page.
Within this commentary, we discuss the importance of establishing an effective ICAAP and the responsibilities of all stakeholders of the CIF in order to ensure compliance with the regulatory requirements.
The importance of establishing an effective and sound ICAAP
The ICAAP process is considered an internal tool for the CIF, which accounts for all procedures, arrangements, controls in place and risks the firm faces to derive one figure; the internally calculated required capital based on all these. Automatically, the ICAAP forms an integral part of the decision-making process for the firm, considering the risks inherent of the firms’ business activity. In doing so, the ICAAP;
– identifies all the risks the firm is exposed to based on its risk profile and operating environment,
– allocates an appropriate internal capital for the identified risks,
– designs the needed internal mechanisms and risk controls.
The internal and external business environment along with the internal governance framework must be taken into consideration when drafting the ICAAP report. The group structure, the business model, products and services along with the operating and business environment of the firm must be explored in-depth within the report.
The report must be comprehensive in order to capture all material risks the CIF is exposed to including the risks covered under Pillar I, risks not fully covered under Pillar I and risks falling under Pillar II. The risk-based approach, both quantitative and qualitative, is to be employed by the CIF and has to be adequately documented. In parallel, all factors taken into consideration for the additional allocated capital should be based on the risk profile and the complexity of the firm.
It is vital for the ICAAP report to be forward-looking in terms of capital planning in order to meet the strategic plans of the CIF without disruption. The relevant stress tests ought to be conducted and analyzed in order to assess their impact on the future capital planning of the firm.
Responsibility for the design and implementation of the ICAAP
The Board of Directors (BoD) is ultimately responsible for the design and approval of the ICAAP, while the senior management is responsible for the detailed review and implementation.
The risk management, compliance and internal audit functions are the departments/functions at the core of this exercise. The responsibilities of the three lines of defense are highly important and need to be clearly presented within the ICAAP report.
Further, the results of the ICAAP, the stress test scenarios and any material deficiencies must be communicated to the BoD.
Special attention should be given by the risk management department of the firm and specifically on the;
– risk management policies, procedures and risk mitigation techniques of the firm,
– identification of the risks faced by the firm,
– establishment of the risk registry,
– creation of a detailed monitoring methodology on the identified risks,
– application of the stress-test scenarios and analysis of the results,
– proposed capital allocation for Pillar II risks,
– preparation, implementation and monitoring of the ICAAP report,
– ICAAP-related training to all stakeholders of the firm.
The internal audit of the firm plays a significant role in the robustness of the ICAAP report, as it provides an independent review on the compliance of the policies and procedures employed of the firm. The internal auditor should provide an independent challenge and then assurance on the risk assessment, the numbers included in the report, the stress-tests performed and the capital allocated for Pillar II risks.
The principle of proportionality is a key consideration for the ICAAP and SREP, as the final figure for the capital requirements are dependent on the size and complexity of the firm’s business. It is worth noting that CIFs must provide sufficient evidence to justify the reasons for classifying themselves as small and non-complex or not materially exposed to risks, in case they do so. In such cases, CIFs are allowed to follow a simplified process for the preparation of a simple ICAAP report.
It is essential, for the ICAAP report to be reviewed regularly to ensure that the risks identified by the CIF are covered adequately. The firm must review the procedures in place at least once a year and subsequently produce the yearly ICAAP report. Another review of the ICAAP would be necessary if changes in any of the factors mentioned above, affect the assumptions used in the current report and directly impact the business or the risk profile of the firm.
We understand that the regulator provided a short timeframe for the submission of the form 144-14-11 on Prudential Supervision Information. If you require more details for the creation of an effective ICAAP report or support to complete the requested form, please let us know at firstname.lastname@example.org.
The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.