Rules on Credit Risk Management
No: 341000036442 Date(g): 1/2/2013 | Date(h): 21/3/1434 Status: In-Force 1) In terms of its Charter issued by Royal Decree No. 23 dated 23-5-1377 H (15 December 1957 G), SAMA is empowered to regulate the commercial banks. In exercise of the powers vested upon it under the said Charter and the Banking Control Law, SAMA has decided to issue this Circular and the enclosed Rules on Credit Risk Management for Banks. The requirements contained in this Circular and the Rules are aimed to complement the existing regulatory requirements issued by SAMA from time to time.
2) The enclosed Rules on Credit Risk Management contain, inter alia, the following major requirements for banks:
i. The Board of Directors is required to provide effective oversight to ensure prudent conduct of credit activities and avoid unduly excessive risk taking by their bank;
ii. The Board of Directors is responsible for formulation of a well-defined Credit Policy for the bank. The Policy should set out the overall strategy and credit risk appetite of the bank as well as the broad parameters for assuming and managing credit risk. The Policy should be reviewed regularly to take into account market developments and any changes in the operating environment;
iii. The Board is also required to constitute a Board Committee headed by a non-executive director to assist the Board in overseeing the credit risk management process and to discharge such other related responsibilities as may be assigned to it by the Board;
iv. Banks are required to put in place an elaborate credit risk management framework to effectively manage their credit risk. Such framework would include, inter alia, the process for Board and senior management oversight, organizational structure, and systems and procedures for identification, acceptance, measurement, monitoring and control of credit risk;
v. The senior management of the bank is responsible for ensuring effective implementation of the credit policy and credit risk strategy approved by the Board. For this purpose, the management should develop and implement well-defined policies and procedures for identifying, measuring, monitoring and controlling credit risk in line with the overall strategy and credit policy approved by the Board;
vi. The organizational structure/framework for credit risk management should be commensurate with the bank’s size, complexity of operations and diversification of its activities. The organizational structure should facilitate effective management oversight and proper execution of credit risk management and control processes. The structure may comprise of a credit risk management department or unit independent of credit origination function and a management committee responsible for monitoring of credit risk;
vii. Banks should ensure to have in place adequate systems and procedures for credit risk management including those for credit origination, limit setting, credit approving authority, credit administration, credit risk measurement and internal rating framework, credit risk monitoring, credit risk review, and management of problem credits;
viii. Banks should conduct stress tests on their credit portfolio to assess its resilience under “worst case” scenario and to analyze any inherent potential risks in individual credits or the overall credit portfolio or any components thereof. For this purpose, banks should follow the guidance provided in the SAMA Rules on Stress Testing issued on 23 November 2011;
ix. Banks should ensure to have in place an effective management information system(MIS) to measure, monitor and control the credit risk inherent in the bank’s on- and off-balance sheet activities. The MIS should produce reports on measures of credit risk for appropriate levels of management, the relevant Board committee and the Board to enable them to take timely decisions on credit risk management;
x. Banks should introduce effective internal controls to manage credit risk. In this regard, bank’s internal audit function should independently assess the adequacy and effectiveness of such internal controls and report findings thereof to the senior management and the Board or its relevant committee for timely corrective actions;
3) The enclosed Rules shall be applicable to the locally incorporated banks as well as the branches of foreign banks. Where a locally incorporated bank has majority owned Subsidiary(ies) operating in the financial sector, it will either formulate group level Credit Policy consistent with these Rules for application across the group or will ensure that the subsidiary’s credit policies and procedures are in line with these Rules. Furthermore, in case of foreign subsidiaries, the legal and regulatory requirements of the host country shall also be taken into account while framing their credit policies and procedures. For the purpose of these rules, majority owned subsidiary(ies) include those subsidiary(ies) where a bank owns more than 50% of its shareholding. The branches of foreign banks licensed and operating in Saudi Arabia shall also follow these Rules. However, they will apply these Rules to the extent practically applicable to them and with such modifications as may be considered expedient keeping in view the size and complexity of their business activities. Further, their Credit Policy can be approved by the Chief Executive or a relevant management committee at Head Office instead of the Board of Directors.
4) Banks are also required to ensure compliance with all other regulatory requirements and guidelines on credit risk management as issued by SAMA from time to time. They are also required to comply with the “Principles for the Management of Credit Risk”, “Sound credit risk assessment and valuation for loans” and “Principles for enhancing corporate governance” issued by the Basel Committee on Banking Supervision in September 2000, June 2006 and October 2010 respectively as well as any other related principles and standards including updates thereof issued by the relevant international standard setting bodies.
5) The enclosed Rules shall come into force with immediate effect and banks are required to take all necessary steps to bring their existing policies, procedures and structures in line with these Rules by 30 June 2013. Furthermore, they are also required to submit a copy of their revised Credit Policy fully aligned with these Rules and duly approved by their Board of Directors to the Central bank latest by 30 June 2013. In case there are any practical issues in implementation of these rules, banks should approach SAMA to seek further guidance on addressing such issue
1. General Requirements
1.1. Overview
Credit risk is historically the most significant risk faced by banks. It is measured by estimating the actual or potential losses arising from the inability or unwillingness of the obligors to meet their credit obligations on time. Credit risk could stem from both on and off balance sheet exposures of banks. Keeping in view the importance of effective credit risk management for the safety and soundness of banks, these Rules are being issued by SAMA to set out the regulatory requirements for further strengthening of credit risk management framework in banks.
All banks operating in Saudi Arabia are required to ensure that they have put in place an elaborate credit risk management framework to effectively manage their credit risk. Such framework would cover various types of lending including corporate, commercial, SME, retail, consumer, etc. The credit risk management framework should include, inter alia, the following components:
i. Board and senior management’s Oversight;
ii. Organizational structure;
iii. Systems and procedures for identification, measurement, monitoring and control of credit risk.
While designing and strengthening their credit risk management framework, banks should ensure compliance of these Rules. Furthermore, banks should also take into account the requirements of the “Principles for the Management of Credit Risk”, “Sound credit risk assessment and valuation for loans”, and “Principles for enhancing corporate governance” issued by the Basel Committee on Banking Supervision in September 2000, June 2006 and October 2010 respectively, and any other related principles and standards including updates thereof issued by the relevant international standard setting bodies.
1.2. Objective of the Rules
The objective of these Rules is to set out the minimum requirements for banks in the area of credit risk management. However, banks are encouraged to adopt more stringent standards beyond the minimum requirements of these Rules to effectively manage their credit risk.
1.3. Scope of Application
These Rules shall be applicable to the locally incorporated banks as well as the branches of foreign banks. Where a locally incorporated bank has majority owned Subsidiary(ies) operating in the financial sector, it will either formulate group level Credit Policy consistent with these Rules for application across the group or will ensure that the subsidiary’s credit policies and procedures are in line with these Rules. Furthermore, in case of foreign subsidiaries, the legal and regulatory requirements of the host country shall also be taken into account while framing their credit policies and procedures. For the purpose of these rules, majority owned subsidiary(ies) include those subsidiary(ies) where a bank owns more than 50% of its shareholding. The branches of foreign banks licensed and operating in Saudi Arabia shall also follow these Rules. However, they will apply these Rules to the extent practically applicable to them and with such modifications as may be considered expedient keeping in view the size and complexity of their business activities. Further, their Credit Policy can be approved by the Chief Executive or a relevant management committee at Head Office instead of the Board of Directors.
1.4. Effective Date
These Rules shall come into force with immediate effect. All banks are required to take all necessary steps to bring their existing policies, procedures and structures in line with these Rules by 30 June 2013. Furthermore, they are also required to submit a copy of their revised Credit Policy fully aligned with these Rules and duly approved by their Board of Directors to the Central Bank latest by 30 June 2013. In case there are any practical issues in implementation of these rules, banks should approach SAMA to seek further guidance on addressing such issues.
2. Board and Senior Management’s Oversight
2.1. Responsibilities of the Board Of Directors
The Board of Directors is responsible for approving the credit risk strategy of the bank in line with its overall business strategy. The credit strategy should be aimed at determining the credit risk appetite of the bank. The overall credit strategy and related policy matters shall be clearly outlined in a policy document to be called “Credit Policy”. Specifically, the Board’s responsibilities with regard to creditgranting function of the bank would include the following:
i. Developing a credit strategy for the bank to spell out its overall risk appetite in relation to credit risk;
ii. Ensuring that the bank has a well-defined Credit Policy duly approved by the Board;
iii. Forming a Board Committee headed by a non-executive director to assist the Board in overseeing the credit risk management process and defining its terms of reference (this Committee may also monitor other risks in addition to credit risk);
iv. Ensuring that the bank has an effective credit risk management framework for the identification, measurement, monitoring and control of credit risk;
v. Requiring the management to ensure that the staff involved in credit appraisal, monitoring, review and approval processes possess sound expertise and knowledge to discharge their responsibilities;
vi. Ensuring that bank has adequate policies and procedures in place to identify and manage credit risk inherent in all products and activities including the risks of new products and activities before being introduced or undertaken. Such policies and procedures should also provide guidance on evaluation and approval of any new products and activities before being introduced or undertaken by the bank;
vii. Ensuring that the bank’s remuneration policies do not contradict its credit risk strategy. In this regard, the board should ensure that the bank’s credit processes are not weakened as a result of rewarding unacceptable behavior such as generating short-term profits while deviating from credit policies or exceeding established limits;
viii. Ensuring that the bank’s overall credit risk exposure is maintained at prudent levels;
2.2. Responsibilities of the Senior Management
The senior management of the bank shall be responsible, inter alia, for the following:
i. Ensuring effective Implementation of the credit policy and credit risk strategy approved by the board of directors. In this regard, the management should ensure that the bank’s credit-granting activities conform to the established strategy, that written procedures are developed and implemented, and that loan approval and review responsibilities are clearly and properly assigned;
ii. Developing policies and procedures for identifying, measuring, monitoring and controlling credit risk. Such policies and procedures should be in line with the overall strategy and credit policy approved by the Board and address credit risk in all of the bank’s activities and at both the individual credit and portfolio levels. These policies and procedures should, inter alia, provide guidance to the staff on the following matters:
a. Detailed and formalized credit evaluation/ appraisal process;
b. Credit approval authority at various hierarchy levels including authority for approving exceptions;
c. Credit risk identification, measurement, monitoring and control across all products and activities of the bank including risks inherent in new products and activities;
d. Credit risk acceptance criteria;
e. Credit origination, credit administration and loan documentation procedures;
f. Roles and responsibilities of units/staff involved in origination and management of credit;
g. Procedures for dealing with defaulted credits.
iii. Communication of approved credit policy and procedures down the line to the concerned staff;
iv. Ensuring that there is a periodic independent internal assessment of the bank’s credit policy and strategy as well as of the related credit-granting and management functions;
v. Instituting a process for reporting any significant deviation/exception from the approved policies and procedures to the senior management/board and ensuring rectification thereof through corrective measures;
3. Credit Policy and Procedures
Each Bank shall formulate a Credit Policy that is approved by its Board of Directors. Such policy should be clearly defined, consistent with prudent banking practices and relevant regulatory requirements, and adequate for the nature and complexity of the bank’s activities. The Credit Policy should be applied on a consolidated bank basis and at the level of individual subsidiaries, as applicable.
The Policy should, inter-alia, cover the following:
i. Overall strategy of the bank to determine its risk appetite and risk tolerance levels in relation to credit risk;
ii. Broad parameters for taking credit exposures to customers, banks, geographic areas/countries, economic sectors, related parties, etc. This should, inter alia, include obtaining a credit report from SIMAH and credit checks about the borrower from other banks;
iii. Exposure limits for different categories of borrowers. Such limits should be in line with the SAMA’s “Rules on Exposure Limits” as amended from time to time;
iv. Policy parameters for achieving reasonable diversification of credit portfolio. This would include diversification over client segments, loan products, economic sectors, geographical locations, lending currencies and maturities;
v. Know Your Customer process for taking credit exposures. Such process should, inter alia, include obtaining information on legal and ownership structure of the corporate borrowers, their governance structure including management profile, beneficial ownership and basic financial information of their major business affiliates / subsidiaries (both local and foreign), details of their global financial commitments (both local and foreign) including the lenders and type of security/collateral provided to them, business plan/financial forecasts of the borrower covering the tenor of the credit facilities,, regular visits to owners of borrowing entities and their guarantors, monitoring involvement of owners/major shareholders in key business decisions, and the requirements for signing credit agreements and associated documents by the borrowers in the presence of bank’s staff. With regard to signing of credit documents, the Credit Policy should provide that credit agreements and associated documents in respect of all those exposures (including funded and / or non-funded facilities) exceeding one percent of total Tier-1 capital of the bank or SAR 100 million whichever is less, must be signed in the presence of bank’s senior officers. The Policy should also lay down an elaborate process for signing the credit documents in respect of all other exposures in the presence of bank’s staff to fully protect the interest of the bank;
vi. Structuring of credit facilities/transactions with clearly defined purpose and monitoring end use of credit facilities. Furthermore, no financing to be provided to support speculative activities and general purpose activities or any activity which lacks a well-defined purpose for utilization of credit facilities. This will, however, not include the working capital or overdraft facilities provided the end use of such facilities is monitored by the bank to ensure their ultimate utilization for the purpose for which those were granted;
vii. Broad parameters for providing financing for the subscription of initial public offering(IPO) of shares. Such financing, if provided, should be based on a clear and cautious policy and against adequate collateral with sufficient margins to mitigate the risk of volatility in share prices. The maximum financing for the subscription of IPO of shares shall be restricted to 50% of the amount to be subscribed by a single person. Banks shall also obtain complete particulars of the borrower and verify his credentials including name, identity and credibility before granting any financing (as per SAMA Circular dated 22 Shaban 1413 H);
viii. Broad parameters for seeking collateral against financing facilities as well as the nature of such collateral. Furthermore, the parameters for taking any exposures without collateral should be clearly spelled out along with the procedures to cover the associated recovery/settlement risk in such exposures;
ix. Requiring the Senior Management to ensure that the staff involved in credit appraisal, credit administration, credit review and other related functions are well trained to discharge their responsibilities and are periodically rotated in their assignments;
x. Other related matters to spell out the credit policy parameters of the bank.
A copy of the Policy duly approved by the Board shall be submitted to SAMA within 30 days of its approval. The Board of Directors or a relevant sub-committee of the Board of each bank shall review their Credit Policy as and when needed but at-least once in every three years. All significant/material changes to the Credit Policy shall be approved by the Board of Directors or a relevant sub-committee of the Board and a copy thereof submitted to the Central Bank within 30 days of such approval. In case of frequent changes in the Credit Policy, banks may choose to submit the revised Credit Policy to the Central Bank once a year incorporating all changes made during a year, within 30 days of the end of a calendar year.
4. Organizational Structure
The overall structure for credit risk management should be commensurate with the bank’s size, complexity of operations and diversification of its activities. The organizational structure should facilitate effective management oversight and proper execution of credit risk management and control processes. While the organizational structure may vary from bank to bank, it would generally comprise of the following:
4.1. Credit Risk Management Department or a Unit
Such department or unit can be part of the overall risk management function of the bank but should be independent of the loan origination function. This department or unit should be responsible, inter alia, for the following:
a. Monitoring adherence to the overall risk tolerance limits set out in the Credit Policy of the bank;
b. Ensuring that the business lines comply with the established credit risk parameters and prudential limits;
c. Establishing the systems and procedures relating to credit risk identification, internal risk rating approaches, Management Information System, monitoring of loan portfolio quality and early warning;
d. undertaking portfolio evaluations and conducting comprehensive studies on the environment to test the resilience of the loan portfolio;
e. Coordinating on remedial measures to address deficiencies/problems in credit portfolio;
f. Other matters relating to credit risk management.
4.2. Credit Risk Management Committee
This Committee will be a management committee and responsible for monitoring of credit risk taking activities and overall credit risk management function. This Committee can either be a separate committee comprising of the heads of relevant functions depending upon their size, organizational structure and corporate culture or these responsibilities can be assigned to the overall Risk Management Committee of the bank. Its terms of reference may include, inter alia, the following:
a. Ensure implementation of the credit risk policy / strategy approved by the Board;
b. Monitor credit risk on a bank-wide basis and ensure compliance with limits approved by the Board;
c. Providing input in formulation of credit policy of the bank particularly on credit risk related issues including, for example, setting standards for presentation of credit proposals, financial covenants, rating standards and benchmarks, etc.;
d. Make Recommendations to the Risk Management Committee or any other relevant committee of the Board on matters relating to delegation of credit approving powers, prudential limits on large credit exposures, standards for loan collateral, portfolio management, loan review mechanism, risk concentrations, risk monitoring and evaluation, pricing of loans, provisioning, etc. as and when required;
e. Dealing with any other matters relating to credit risk management.
The Credit Risk Management Department or Unit will provide necessary support to the Credit Risk Management Committee in discharging its responsibilities.
5. Systems and Procedures
Banks should put in place adequate systems and procedures for credit risk management. Broad guidelines for setting systems and procedures regarding various credit related activities of a bank are provided hereunder:
5.1. Credit Origination
Banks should establish sound and well-defined credit-granting criteria, which is essential to approving credit in a safe and sound manner. These criteria should include a clear indication of the bank’s target market and a thorough understanding of the borrower or counterparty, as well as the purpose and structure of the credit, and its source of repayment.
Banks should also have clearly established processes and procedures to assess the risk profile of the customer as well as the risks associated with the proposed credit transaction before granting any credit facility. These processes and procedures should be applicable for approving new credits as well as the amendment, renewal and re-financing of existing credits. The factors to be considered for origination of credit may include, inter alia, the following:
a. Credit assessment of the borrower’s industry, and macro economic factors;
b. The purpose of credit and source of repayment;
c. Assessing the track record / repayment history of the borrower. In case of new borrowers, assessing their integrity and repute as well as their legal capacity to assume the liability;
d. Assessment/evaluation of the repayment capacity of the borrower;
e. Determination of the terms and conditions and covenants of credit;
f. Assessment of the adequacy and enforceability of collaterals;
g. Assessment of adherence to exposure limits and determination of appropriate authority for credit approval;
All extensions of credit must be made on an arm’s-length basis. In particular, credits to related borrowers must be authorized on an exception basis, monitored with particular care and other appropriate steps taken to control or mitigate the risks of non-arm’s length lending.
In case of consortium/syndication loans, it is important that other consortium members should not over rely on the lead bank and should have their own systems and procedures to perform independent analysis and review of syndication terms.
5.2. Limit Setting
Banks should establish overall credit limits at the level of individual borrowers and counterparties, and groups of connected counterparties that aggregate in a comparable and meaningful manner different types of exposures, both in the banking and trading book and on and off the balance sheet.
SAMA has separately specified exposure limits for single counterparties and group of connected counterparties. While remaining within the overall limits specified by SAMA, banks can establish more conservative exposure limits. Banks are required to have well-defined policies and procedures for establishing their internal exposure limits as such limits are an important element of credit risk management. The limit structure should set the boundaries for overall risk taking, be consistent the bank’s overall risk management approach, be applied on a bank-wide basis, allow management to monitor exposures against predetermined risk tolerance levels and ensure prompt management attention to any exceptions to established limits. Banks should take into account the following parameters in establishing their exposure limits:
a. The size of the limits should be based on the credit strength of the borrower, genuine requirement of credit, economic conditions and the bank’s risk tolerance;
b. The limits should be consistent with the bank’s risk management process and commensurate with its capital position;
c. The limits should be established for both individual borrowers as well as groups of connected borrowers. The limits can be based on the internal risk rating of the borrower or any other basis linked to the borrower’s risk profile;
d. There can be separate limits for different credit products and activities, specific industries, economic sectors or geographic regions to avoid concentration risk. The ultimate objective should be to achieve reasonable diversification of credit portfolio;
e. The results of stress testing should be taken into account in the overall limit setting and monitoring process;
f. Credit limits should be reviewed regularly at least annually or more frequently if the borrower’s credit quality deteriorates;
g. All requests of increase in credit limits should be fully evaluated and substantiated.
Banks should closely monitor their credit exposures against established limits and put in place adequate procedures for timely identification of any exceptions against the approved limits. There should also be well defined procedures to deal with any excesses over approved limits. Furthermore, all such instances of excesses over limits should be reported to the senior management along with the details of the corrective action taken. Exceptions to the approved limits should be approved at senior level by the authorized persons. In case of occurrence of frequent exceptions, the management or the board should review the limit structure and devise a strategy to ensure non-occurrence of such breaches.
5.3. Delegation of Authority
Banks are required to establish responsibility for credit approvals and fully document any delegation of authority to approve credits or make changes in credit terms. In this regard, banks are required to take into account the following factors:
a. Board of Directors or its relevant sub-committee should approve the overall lending authority structure, and explicitly delegate credit sanctioning authority to senior management (by position/level of hierarchy) and/or the Credit Committee. The Senior Management may assign the delegated powers to specific individuals or positions down the line subject to adherence of the overall delegation of authority and the criteria laid down for this purpose by the Board or its relevant subcommittee;
b. Lending authority assigned to different levels of hierarchy should be commensurate with the level, experience, ability and character of the person. For this purpose, banks may develop a risk-based authority structure whereby the lending authority is tied to the risk ratings of the obligor;
c. There should be a clear segregation of duties between Relationship Managers, Credit Approvers, Operations processors and Risk Managers with regard to credit approvals or making any changes in credit terms. Any limitations on who should hold credit approval authority should also be clearly stated;
d. The credit policy should spell out the escalation process to ensure appropriate reporting and approval of credit extension beyond prescribed limits or any other exceptions to credit policy;
e. There should be a periodic review of lending authority assigned to different levels of hierarchy;
f. There should be an appropriate system in place to detect any exceptions or misuse of delegated powers and reporting thereof to the senior management and/or the Board of Directors or its relevant sub-committee;
5.4. Credit Administration
Credit administration is an important element of the credit process that support and control extension and maintenance of credit. Banks should have in place a system for the ongoing administration of their various credit risk-bearing portfolios. Banks should also have separate units to perform credit administration function. A typical credit administration unit generally performs the following functions:
a. Credit Documentation: Ensuring completeness of documentation (loan agreements, guarantees, transfer of title of collaterals, etc.) in accordance with the approved terms and conditions of credit;
b. Credit Disbursement: Ensuring that credit approval have been obtained from the competent authority and all other formalities have been completed before any loan disbursement is effected;
c. Credit monitoring: This process starts after disbursement of credit and include keeping track of borrowers’ compliance with credit terms, identifying early signs of irregularity, conducting periodic valuation of collateral and monitoring timely repayments;
d. Loan Repayment: The obligors should be communicated ahead of time as and when the principal and/or commission income becomes due. This may be done either by providing details of the due dates and repayable amounts for both commission and principal in the facility agreement or through a separate communication to the obligor before each due date of the principal and/or commission income or by adopting both these practices. Any delinquencies involving non-payment or late payment of principal or commission should be tagged and communicated to the management. Proper records and updates should also be made after receipt of overdue amount;
e. Maintenance of Credit Files: All credit files should be properly maintained including all original correspondence with the borrower and necessary information to assess its financial health and repayment performance. The credit files should be maintained in a well organized way so that these are easily accessible to external / internal auditors or SAMA inspection team. Banks may resort to maintain electronic credit files only if permitted by relevant law(s) and subject to compliance of all relevant rules/regulations;
f. Collateral and Security Documents: Ensuring that all collateral/security documents are kept in a secured way and under dual control. Proper record of all collateral/security documents should be maintained to keep track of their movement. Procedures should also be established to track and review relevant insurance coverage for facilities/collateral wherever required. Physical checks on collateral/security documents should also be conducted on a regular basis.
Banks should ensure that the credit administration function should be independent of business origination and credit approval process. In developing their credit administration function, banks should ensure:
a. the efficiency and effectiveness of credit administration operations, including monitoring documentation, contractual requirements, legal covenants, collateral, etc.;
b. the accuracy and timeliness of information provided to management information systems;
c. adequate segregation of duties;
d. the adequacy of controls over all “back office” procedures; and
e. compliance with prescribed management policies and procedures as well as applicable laws and regulations.
5.5. Credit Risk Measurement
Banks should adopt elaborate techniques to measure credit risk which may include both qualitative and quantitative techniques. Banks should also establish and utilize an internal credit risk rating framework in managing credit risk. The internal credit risk rating is a summary indicator of a bank’s individual credit exposures and categorizes all credits into various classes on the basis of underlying credit quality. This rating framework may incorporate, inter alia, the business risk (including industry characteristics, competitive position e.g. marketing/technological edge, management capabilities, etc.) and financial risk (including financial condition, profitability, capital structure, present and future cash flows, etc.). The rating system should be consistent with the nature, size and complexity of a bank’s activities.
An internal rating framework would facilitate banks in a number of ways such as:
a. Credit selection;
b. Amount of exposure;
c. Tenure and price of facility;
d. Frequency or intensity of monitoring;
e. Analysis of migration of deteriorating credits and more accurate computation of future loan loss provisions;
f. Deciding the level of approving authority of credit approval.
It is not the intention of these guidelines to prescribe any particular rating system. Banks can choose a rating system which commensurate with the size, nature and complexity of their business as well their risk profile. However, banks are encouraged to take into account the following factors in designing and implementing an internal rating system;
a. The rating system should explicitly define each risk rating grade. The number of grades on rating scale should be neither too large nor too small. A large number of grades may increase the cost of obtaining and analyzing additional information and thus make the implementation of rating system expensive. On the other hand, if the number of rating grades is too small it may not permit accurate characterization of the underlying risk profile of a loan portfolio;
b. The rating system should lay down an elaborate criteria for assigning a particular rating grade, as well as the circumstances under which deviations from criteria can take place;
c. The operating flow of the rating process should be designed in a way that promotes the accuracy and consistency of the rating system while not unduly restricting the exercise of judgment;
d. The operating design of a rating system should address all relevant issues including which exposures to rate; the division of responsibility for grading; the nature of ratings review; the formality of the process and specificity of formal rating definitions;
e. The rating system should ideally aim at assigning a risk rating to all credit exposures of the bank. However, the banks may decide as to which exposures needs to be rated taking into account the cost benefit analysis. The decision to rate a particular credit exposure could be based on factors such as exposure amount, nature of exposure(i.e. corporate, commercial, retail, etc.) or both. Generally corporate and commercial exposures are subject to internal ratings whereas consumer / retail loans are subject to scoring models;
f. Banks should take adequate measures to test and develop a risk rating system prior to adopting one. Adequate validation testing should be conducted during the design phase as well as over the life of the system to ascertain the applicability of the system to the bank’s portfolio. Furthermore, adequate training should be imparted to the staff to ensure uniformity in assignment of ratings;
g. Banks should clearly spell out the roles and responsibilities of different parties for assigning risk rating. Ratings are generally assigned /reaffirmed at the time of origination of a loan or its renewal /enhancement. Generally loan origination function initiates a loan proposal and also allocates a specific rating. This proposal passes through the credit approval process and the rating is also approved or recalibrated simultaneously by approving authority. This may, however, vary from bank to bank;
h. The rating process should take into account all relevant risk factors including borrower’s financial condition, size, industry and position in the industry; the reliability of financial statements of the borrower; quality of management; elements of transaction structure such as covenants, etc. before assigning a risk rating. The risk rating should reflect the overall risk profile of an exposure;
i. Banks should also ensure that risk ratings are updated periodically and are also reviewed as and when any adverse events occur. There should also be a periodic independent review of the risk ratings by a separate function independent of loan origination to ensure consistency and accuracy of ratings.
5.6. Credit Risk Monitoring
Banks should put in place an effective credit monitoring system that enables them to monitor the quality of individual credit exposures as well as the overall credit portfolio and determine the adequacy of provisions. The monitoring system should also enable the bank to take remedial measures as and when any deterioration occurs in individual credits or the overall portfolio. An effective system of credit monitoring should ensure that:
a. the current financial condition of the borrower is fully understood and assessed by the bank;
b. the overall risk profile of the borrower is within the risk tolerance limits established by the bank;
c. all credits are in compliance with the applicable terms & conditions and regulatory requirements;
d. usage of approved credit lines by borrowers is monitored by the bank;
e. the projected cash flow of major credits meet debt servicing requirements;
f. collateral held by the bank provides adequate coverage;
g. all loans are being serviced as per facility terms & conditions;
h. potential problem credits are identified and classified on a timely basis;
i. provisions held by the bank against non-performing loans are adequate;
The banks’ credit policy should explicitly provide procedural guidelines relating to credit risk monitoring covering, inter alia, the following points:
a. The roles and responsibilities of individuals responsible for credit risk monitoring;
b. The assessment procedures and analysis techniques (for individual loans & overall portfolio). This may include, inter alia, the assessment procedures for assessing the financial position and business conditions of the borrower, monitoring his account activity/conduct, monitoring adherence to loan covenants and valuation of collaterals;
c. The frequency of monitoring;
d. The periodic examination of collaterals and loan covenants;
e. The frequency of site visits;
f. Renewal of existing loans and the circumstances under which renewal may be deferred;
g. Restructuring or rescheduling of loans and other credit facilities;
h. The identification of any deterioration in any loan and follow-up actions to be taken.
5.7. Independent Credit Risk Review
Banks should establish a mechanism of conducting an independent review of credit risk management process. Such a review should be conducted by staff involved in credit risk assessment, independent from business area. The placement of this function within the organization and its reporting lines can be determined by the banks themselves provided its independence from the business is ensured. The Credit Policy of the bank should contain provisions for conducting the credit risk review whereas the modalities of conducting such a review should be spelt out in the procedural documents. The purpose of such review is to independently assess the credit appraisal and administration process, the accuracy of credit risk ratings, level of risk, sufficiency of collaterals and overall quality of loan portfolio. Banks should take into account the following factors for conducting a credit risk review:
a. All facilities except those managed on a portfolio basis should be subjected to individual risk review at least once in a year. The review may be conducted more frequently for new borrowers as well as for classified and low rated accounts that have higher probability of default;
b. The credit review should be conducted with updated information on the borrowers financial and business conditions, as well as conduct of account. Any exceptions noted in the credit monitoring process should also be evaluated for impact on the borrowers’ creditworthiness;
c. The credit review should be conducted on a solo as well as consolidated group basis to factor in the business connections among entities in a borrowing group;
d. The results of such review should be properly documented and reported directly to the board or its relevant sub-committee as well as to the senior management;
The credit risk review will mainly focus on corporate and commercial loans. Banks may decide not to cover a particular loans products or categories e.g. consumer loans or retail loans under the risk review. However, they should closely monitor the quality of such loans and report any deterioration in their quality along with the results of credit reviews conducted on other loans.
5.8. Managing Problem Credits
Banks should establish a system to identify problem loans ahead of time for taking appropriate remedial measures. Such a system should provide appropriate guidance to concerned staff on identifying and managing various types of problem loans including corporate, commercial and consumer loans. Once a loan is identified as a problem loan, it should be managed under a dedicated remedial process. In this regard, banks may take into account the following factors:
a. The credit policy should clearly set out how the bank will manage problem credits. The basic elements of managing problem credits may include, inter alia, negotiations and follow-up with the borrowers, working out remedial strategies e.g. restructuring of loan facility, enhancement in credit limits, reduction in commission rates, etc., review of collateral/security documents, and more frequent review and monitoring. Banks should provide detailed guidance in this regard in their systems and procedures for dealing with problem credits;
b. The organizational structure and methods for dealing with problem credits may vary from bank to bank. Generally the responsibility for such credits may be assigned to the originating business function, a specialized workout section, or a combination of the two, depending upon the size and nature of the credit and the reason for its problems. When a bank has significant credit-related problems, it is important to segregate the workout function from the credit origination function;
c. There should be an appropriate system for identification and reporting of problem credits along with the details of remedial measures on regular basis to the senior management and/or the Board of Directors or its relevant sub-committee;
6. Stress Testing of Credit Risk
Banks should take into consideration potential future changes in economic conditions when assessing individual credits and their credit portfolios, and should assess their credit risk exposures under stressful conditions. This will enable them to review their credit portfolio and assess its resilience under “worst case” scenario. For this purpose, banks should adopt robust stress testing techniques. The stress testing of credit portfolio will enable banks to proactively analyze any inherent potential risks in individual credits or the overall credit portfolio or any components thereof. This will also enable them to identify any possible events or future changes in economic conditions that have unfavorable effects on their credit exposures and assessing their ability to withstand such effects. Such detection of any potential events or risks which are likely to materialize in times of stress, will also enable the banks to take timely corrective actions before the situation may get out of control.
Some of the common sources of credit risk which should, inter alia, be analyzed by banks are mentioned hereunder for their guidance:
i. Credit concentrations are probably the single most important cause of major credit problems. Credit concentrations are viewed as any exposure where the potential losses are large relative to the bank’s capital, its total assets or the bank’s overall risk level. Credit concentrations can further be grouped roughly into two categories: (i) Conventional credit concentrations e.g. concentrations of credits to single borrowers or counterparties, a group of connected counterparties, and sectors or industries; (ii) Concentrations based on common or correlated risk factors reflecting subtler or more situation-specific factors e.g. correlations between market and credit risks, as well as between those risks and liquidity risk, etc.;
ii. Weakness in the credit granting and monitoring processes including e.g. shortcomings in credit appraisal processes as well as in underwriting and management of market-related credit exposures;
iii. Excessive reliance on name lending i.e. granting loans to persons with a reputation for strong financial condition or financial acumen, without conducting proper credit appraisal as done for other borrowers;
iv. Credit to related parties which are affiliated, directly or indirectly, with the bank;
v. Lack of an effective credit review process to provide appropriate checks and balances and independent judgment to ensure compliance of bank’s credit policy and prevent weak credits being granted;
vi. Failure to monitor borrowers or collateral values to recognize and stem early signs of financial deterioration;
vii. Failure to take sufficient account of business cycle effects whereby the credit analysis may incorporate overly optimistic assumptions relating to income prospects and asset values of the borrowers in the ascending portion of the business cycle;
viii. Challenges posed by the market-sensitive and liquidity-sensitive exposures to the credit processes at banks. Market-sensitive exposures (e.g. foreign exchange and financial derivative contracts) require a careful analysis of the customer’s willingness and ability to pay. Liquidity-sensitive exposures (e.g. margin and collateral agreements with periodic margin calls, liquidity back-up lines, commitments and some letters of credit, etc.) require a careful analysis of the customer’s vulnerability to liquidity stresses, since the bank’s funded credit exposure can grow rapidly when customers are subject to such stresses. Market- and liquidity-sensitive instruments change in riskiness with changes in the underlying distribution of price changes and market conditions;
Stress testing should involve identifying possible events or future changes in economic conditions that could have unfavorable effects on a bank’s credit exposures and assessing the bank’s ability to withstand such changes. Three areas that banks could usefully examine are: (i) economic or industry downturns; (ii) market-risk events; and (iii) liquidity conditions. Stress testing can range from relatively simple alterations in assumptions about one or more financial, structural or economic variables to the use of highly sophisticated financial models. Whatever the method of stress testing used, the output of the tests should be reviewed periodically by senior management and appropriate action taken in cases where the results exceed agreed tolerances. The output should also be incorporated into the process for assigning and updating policies and limits.
Detailed guidance on stress testing of credit risk has been provided in the SAMA Rules on Stress Testing issued on 23 November 2011. Banks are required to take into account the requirements of these SAMA Rules in stress testing of their credit portfolio.
7. Management Information System
Banks should put in place effective management information system(MIS) to enable management to be aware, measure, monitor and control the credit risk inherent in the bank’s all on- and off-balance sheet activities. An accurate, informative and timely management information system is an important factor in the overall effectiveness of the risk management process. Banks should comply with the following guidelines in developing and strengthening the MIS for credit risk:
i. The system should be capable of compiling credit information both on solo and consolidated basis as well as across various credit categories and products (including off-balance sheet activities);
ii. The system should be able to produce all the required information to enable the management to assess quickly and accurately the level of credit risk, ensure adherence to the risk tolerance levels and devise strategies to manage the credit risk effectively;
iii. The system should be able to provide information on the composition of the portfolio, concentrations of credit risk, quality of the overall credit portfolio as well as various categories of the portfolio and rescheduled/restructured and “watchlist” accounts;
iv. The reporting system should ensure that exposures approaching pre-defined maximum risk limits/thresholds set out for individual exposures are brought to the attention of management. All exposures should be included in a risk limit measurement system;
v. The management information reports should be prepared by persons who are independent of the business unit(s);
The credit risk management function should monitor and report its measures of risk to appropriate levels of management, the relevant Board committee and the Board. The board should be regularly briefed on the overall credit risk exposure (including off-balance sheet activities) of the bank. The board should be provided, inter alia, the following information for its review:
i. The amount of credit exposures undertaken with broken down by loans categories, types of exposures, products and level of credit grades, etc.;
ii. A periodic report on the existing lending products, their target market, performance and credit quality as also the details of any planned new products;
iii. Concentrations of credit to large exposures, groups of connected parties, specific industries, economic sectors or geographic regions, etc.;
iv. A report on the overall quality of the credit portfolio. This may include, inter alia, details of problem loans including those on the watchlist, categories of their classification, potential loss to the bank on each significant problem loan, the level of existing and additional provisions required there against, etc.;
v. Details of the actions taken and planned to recover the significant problem loans as well as the status of adherence to the terms and conditions of any significant rescheduled/restructured loans;
vi. Such other information as may be required by the board or deemed appropriate by the management to bring to the attention of the board;
Banks should regularly review their management information systems to ensure their adequacy and effectiveness, and introduce changes wherever required.
8. Internal Controls System
Bank's disclosures regarding Risk Management (both quantitative and qualitative) should be subject to the internal controls outlined in this section.As part of their internal controls system, banks should introduce effective controls to manage credit risk. The internal audit function of the bank should independently assess the adequacy and effectiveness of internal controls relating to credit risk management. The internal audit should periodically evaluate the soundness of relevant internal controls covering, inter alia, the following:
i. Adequacy of internal controls for each stage of the credit process;
ii. Appropriateness and effectiveness of internal controls in commensuration to the level of risks posed by the nature and scope of the bank’s lending activities;
iii. Reliability and timeliness of information reported to the Board of Directors, its relevant committee(s) and senior management;
iv. Effectiveness of organizational structure to promote checks and balances and to ensure existence of clear lines of authority and responsibilities for monitoring adherence to approved credit policies, procedures and limits;
v. Adequacy of credit policies and procedures as well as adherence to such policies and procedures;
vi. Compatibility of credit policies and procedures with legal and regulatory requirements as well as adherence to applicable laws/ regulations (this function can either be performed by internal audit or compliance);
vii. An assessment of the alignment of remuneration incentive plans with the approved risk appetite and credit policies of the bank;
viii. Identification of any weaknesses in the credit policies, procedures and related internal controls to enable the management and/or the Board to take timely corrective actions;
The internal audit should report the findings on adequacy and effectiveness of internal controls relating to credit function independently to the senior management and the Board or its relevant committee. The internal audit reports should also provide an assessment of the adequacy of any corrective actions being taken to address the material weaknesses.