

Market Risk Management System Checklist

“Market risk” is the risk that a financial institution will incur losses because of a change in the price of assets held (including off-balance-sheet assets) resulting from changes in interest rates, securities etc. prices, foreign exchange rates, and other market risk factors. (“Market-related risk” refers to this risk plus accompanying credit risks and other related risks.) There are three forms of market risk:

1) Interest-rate risk: the risk of losses because of changes in interest rates, and specifically, the risk of declining profits or losses because of changes in interest rates when an institution has a mismatch of interest rates and/or periods for its assets and liabilities.

2) Price fluctuation risk: the risk of a decline in asset prices because of changes in the prices of securities etc.

3) Foreign exchange risk: the risk of losses when an institution has a net asset or net liability position in its foreign-currency assets and liabilities and foreign exchange prices are different from the prices initially expected.

Inspectors will verify and inspect the market-related risk management systems of financial institutions using the Risk Management Systems Checklists (Common Items), and this checklist.

This checklist applies to all deposit-taking financial institutions, including the foreign offices of Japanese banks (foreign branch offices, foreign subsidiaries, and foreign liaison offices, etc., though whether or not to include these offices in the inspection will be determined in light of applicable laws and ordinances, including applicable foreign-country laws and ordinances) and the Japan offices of foreign banks. In inspections of cooperative financial institutions, inspectors should be aware that cooperative financial institutions are only required to select accounting auditors in limited cases.

Notes on the use of this manual in inspections

This manual is only a handbook to be used by inspectors in the inspection of financial institutions. It is expected that, as part of their efforts to ensure sound and proper operations and in accordance with the principle of self-responsibility, individual financial institutions will fully exercise their creativity and innovation to voluntarily create their own detailed manuals. These institutional manuals should make note of the content of this manual and be adapted to the size and nature of the institution.

The check points in this manual represent criteria to be used by inspectors in evaluating the risk management systems of financial institutions. They do not constitute direct statutory obligations to be achieved by institutions. Care must be taken that the manual is not employed in a manner that is mechanical and unvarying. There may be cases in which the letter of the checklist description has not been fulfilled, but the institution has nonetheless taken measures that are, from the perspective of ensuring the soundness and appropriateness of its operations, rational, and these measures are equivalent in their effects to the descriptions for the check point or are sufficient given the size and nature of the institution. In such cases, the institution’s measures should not be deemed inappropriate.

Inspectors will therefore need to engage in full discussion of relevant points with financial institutions during on-site inspections.


Explanation of check points

1) Unless explicitly stated otherwise, items expressed in the form of questions such as “does the institution” or “is the institution” are minimum standards that are expected of all financial institutions. Inspectors, as they go through their checklists, need to fully verify the effectiveness of these items.

2) Unless explicitly stated otherwise, items worded in the form of “it would be desirable that” constitute “best practice” for all financial institutions. Inspectors need only confirm these items.

3) Items that are a combination of the two represent minimum standards for internationally active banks (those financial institutions calculating their capital adequacy ratios according to the Basle standards) but serve only as best practices for other financial institutions (those calculating their capital adequacy ratios according to domestic standards).

Distinction between “board of directors” and “board of directors etc.”

1) Items that are defined as roles of the “board of directors” are items for which the board of directors itself needs to determine all essential matters. This does not, however, preclude the board of directors from delegating consideration of draft documents to the management committee or similar bodies.

2) The phrase “board of directors etc.” includes the board of directors, the management committee, the business steering committee, and similar bodies. Items that are defined as roles of the “board of directors etc.” would ideally be determined by the board of directors itself, but may be delegated to the management committee etc. provided that there has been a clear delegation of this authority from the board of directors, the management committee etc. has kept minutes of its proceedings and other materials that would allow after-the-fact confirmation, and there are adequate internal controls in place, e.g., the results are reported to the board of directors, and auditors are allowed to participate in the management committee etc.


Types of financial institution

Below are descriptions of types of financial institution based on differences in their business strategies regarding market trading (including derivatives). Refer to the table below when categorizing institutions by specific forms of trading.

Inspectors will verify that individual financial institutions clearly categorize themselves with reference to the following table. (Note, however, that when there are substantial differences in forms of trading engaged in at individual offices, each office may categorize itself and adopt market-related risk management systems appropriate for its category.)

(1) Global Dealer (GD):

1) A financial institution that engages in dealing in major financial markets.

2) A financial institution that internally produces complex derivatives.

(2) Customer Dealer (CD):

1) A financial institution that hedges its own ALM position.

2) A financial institution that trades with customers but does not take large positions.

(3) Limited End User (EU): A financial institution that mainly hedges its own ALM positions.

Type of dealing

Type of financial institution

Pricing on interbank markets

Development of new derivatives

Pricing for customers

Trading of derivatives with complex structures

Continual derivatives trading

Trading of generally established derivatives

Hedging of own ALM positions

Global Dealer 〇 〇 〇 〇 〇 〇 〇

Customer Dealer 〇 〇 〇 〇 〇

Limited End User 〇 〇


Item | Risk Management System Check Point | Explanation of Risk Management Check Points | Remarks

I. Awareness of risk management etc.

1. Awareness of directors and role of board of directors

(1) Articulation of strategic goals based on management policies for the institution as a whole

(1) Different types of financial institution [GD, CD, EU] will require different risk management systems. Does the board of directors clearly specify the institution’s type?

(2) Establishment of risk management systems

(2) Does the board of directors establish appropriate market-related risk management systems in line with finalized strategic goals and risk management guidelines, and commensurate to profit targets etc.?

(3) Formulation of concepts for establishment of position limits, etc.

(3) Does the board of directors articulate basic concepts to be used in setting position limits (interest-rate sensitivity and notional principal etc. ceilings), risk limits (ceilings for expected losses from VaR and similar concepts), and loss limits? These concepts should serve as guidelines for the financial institution’s risk management. For example, does the board of directors set a goal of minimizing risk, or of actively taking on a certain level of risk and producing profits while managing that risk?

(4) Setting of appropriate position limits, etc.

(4) Does the board of directors etc. study the risk-taking operations of individual divisions based on the basic concepts used for setting position limits etc., and does it set appropriate limits for the services and risk categories handled by the division in light of the division’s position within the overall business of the institution, and the institution’s capital, profitability, risk management capacity, and personnel capacity?

Does the board of directors etc. regularly (minimum of once per accounting period) restudy the nature of divisions’ risk-taking operations and review limits?

It is desirable that there be measurements of the total risk limits for all market divisions for the purpose of confirming whether resources have been allocated appropriately throughout the institution. The perspective in this should be to compare the institution’s strength, as demonstrated by its capital etc., with the risk it has taken on to verify whether or not risks are excessive given its current strength level.


2. Awareness and roles of senior management

(1) Formulation of risk management rules

(1) Do market risk management rules clearly articulate the roles and authorities of the market divisions (front office), clerical management divisions (back office), and risk management divisions (middle office etc.), particularly with regards to market trading (including derivatives)?

(2) Appropriate management of position limits, etc.

(2) Does senior management have responsibility for providing appropriate management in accordance with the basic concepts used in setting position limits etc. and the limits set?

Note: “Senior management” refers to branch office managers and persons in senior managerial positions (including directors) with equivalent levels of responsibility, and so throughout.

Note: “Risk management division” refers for GDs to “an independent risk management division with expert staffing,” for CDs and EUs, to “an independent risk management division with expert staffing or a division (person) in charge of risk management within the back office division.”

(3) Personnel management designed to prevent incidents

(3) Does senior management, in accordance with the guidelines articulated by the board of directors etc., have programs in place to require employees (including managers) to stay away from their jobs for a minimum of one week a year for the purpose of preventing incidents? This might include continuous leave, training, internal reassignment, or any combination thereof. It is desirable that this period be at least two weeks.

Does senior management manage the status of these programs and ensure that they are carried out faithfully?

Does senior management engage in appropriate personnel rotation so that specific employees are not engaged in the same jobs in the same departments for prolonged periods of time? If specific employees must be engaged in the same jobs in the same departments for prolonged periods of time, does senior management have other appropriate measures to prevent incidents from occurring?


II. Establishment of appropriate risk management systems

1. Risk recognition and assessment

Establishment of integrated risk management organizations

Does market-related risk management cover both designated trading divisions (i.e., “trading divisions”) and non-designated trading divisions (i.e., “banking divisions”)?

It is desirable that at some point in the future the institution has an integrated management system that also covers credit risks and market risks from both designated trading divisions and non-designated trading divisions.

If the institution does not have an integrated management system that covers credit risks and markets from non-designated trading divisions, does it utilize “ALM management” as described in 2.(2) except as specifically provided for otherwise in 2.(1) (“Market risk management”)?

2. Management

(1) Market-related management

1) Customer risk management system

(1) Establishment of systems to manage and deal with disputes between the institution and its customers

(1) [GD, CD] When customer-side risk management is insufficient, customers can incur substantial losses, which may result in the financial institution being subject to lawsuits that place it at risk of losses. Does the institution have systems in place to manage and deal with disputes with customers, including a clearly designated division to respond to disputes?

Does the division responsible for responding to disputes with customers quickly investigate the causes of the dispute and take measures to prevent recurrence?

(2) Development of derivatives products

(2) [GD, CD] Derivative products can potentially have an extremely large impact on a financial institution because of disputes with customers and lawsuits resulting from them. In light of this, does the institution provide legal and technical checks of newly handled high-risk derivative products by risk management experts and does it seek the approval of the board of directors etc. before handling these products?

Does the institution refrain from developing high-risk derivative products in response to inappropriate demands from customers?


(3) Sales to customers

(3) [GD, CD] It is desirable that derivative products be sold to customers with the ability and capacity to adequately manage product risks.

Does the institution respond with particular caution when customers seek to purchase derivative products for speculative purposes rather than for their own position hedges?

(4) Explanation of products to customers and confirmation of customer intent

(4) [GD, CD] In selling derivative products to inexperienced customers, does the institution provide specific, easily-understood documents and explanations about the nature of the product and the risks involved, including concrete examples (not just best-case scenarios but also worst-case scenarios and the expected maximum loss)?

When selling products to customers in which the customer himself bears risk, does the institution, when necessary, obtain written confirmation from the customer that explanations have been provided?

(5) Reporting of trades to customers

(5) [GD, CD] After selling products, does the institution provide the customer with information on the market value of the customer’s position regularly and at other times as necessary, when so requested by the customer?

Do indications of market price clarify how the market price is expressed (whether it takes account of hedge costs, for example)?

Does the institution have measures and systems to provide customers with accurate market price information, for instance, by having information provided by a risk management division (or back office division) that is independent of the market division?

2) Performance management

Analysis of profit/loss status and checking for inappropriate handling

Does the institution refrain from unsound handling of derivative trades etc. for the purpose of manipulating the settlement of accounts etc.? Should profit divisions generate excessive profits, does the risk management division analyze the factors involved and verify whether or not there has been inappropriate handling that is inconsistent with rules governing risk management?

Does the risk management study profits and losses in relation to contracted values, notional principal, and trading volumes?


3) Monitoring of price and risk

(1) Measurement of accurate market prices

(1) Does the institution accurately measure the market price of positions (including fair prices calculated by models etc.) for both designated trading divisions and non-designated trading divisions? Does it attempt to measure, to the extent possible, the market price of loans and other instruments for which there is no established technology for measuring market prices? It is desirable that measurements also be made on a consolidated basis.

(2) Monitoring and measurement of risk factors

(2) For example, for interest rates, does the institution measure risk in terms of changes in the shape of the yield curve and changes in spreads between products and markets as well as in terms of rises (or falls) for interest rates as a whole?

[GD, CD] If the institution engages in substantial amounts of option trading or “writes” any options no matter how small the volume, does it measure the need for changes in hedge rates and appropriate hedging levels because of changes in market prices or changes in the expected rate of change of market prices, or because of fluctuations in market prices?

(3) Measurement of risk with uniform indicators

(3) Does the institution quantitatively measure risk using uniform indicators for all divisions? It is desirable that uniform indicators capture and measure all necessary risk factors. However, should there be risks that are not adequately captured and measured by uniform indicators, does the institution ensure that all necessary factors are taken into account in business decision-making by supplementing uniform indicators with other information that measures these risks?

[GD] Does the institution use risk measurement methods that are rational and objectively precise, for example, VaR methods based on statistical techniques?

[CD, EU] It is desirable that the institution use VaR methods based on statistical techniques, but if it does not, does it use simplified measurements such as BPV?


(4) Establishment of organizations to verify appropriateness of model and manage model

(4) Is the appropriateness of pricing models and risk measurement models verified by organizations that are independent of the front office and organizations developing financial products (for example, by the risk management division, inspections division, or outside consultants)? Should inadequacies be found in models, are appropriate corrections made?

Are systems and rules in place that do not allow the content of models to be easily changed? Are models managed appropriately and in accordance with pre-established rules?

It is desirable that all models be reviewed regularly (about once per year).

(5) Verification of the effectiveness of risk measurement functions

(5) Does the risk management division, inspections division, or other division regularly measure the impact of changes in interest rates and foreign exchange rates etc. on profits and capital? Are measurements compared against actual profit/loss trends to verify the effectiveness of risk measurement functions?

(6) Appropriate implementation of stress testing

(6) VaR is a technique that only measures the maximum risk under normal market conditions. Does the institution also perform regular stress testing in addition to VaR measurement? If the institution primarily performs sensitivity analyses based on BPV, does it regularly analyze worst case scenarios?

Is there clear rationale for the assumptions used in the stress testing and is this rationale appropriate?

[GD, CD] Does the institution perform stress testing as frequently as possible (for example, about once per quarter) in relation to changes in market conditions, the size of the positions it holds, and the content of its portfolio etc.?

[EU] It is desirable that the institution perform tests/analyses as frequently as possible depending on the content etc. of its portfolio (for example, about once a year).


(7) Frequency of position monitoring, market price appraisal, and risk measurement

(1) [GD, CD] Does the institution monitor positions, appraise market prices, and measure risks at least once per day for major products on designated trading accounts? It is desirable that the institution make general measures that also include non-designated trading accounts as frequently as possible (at least once per month) and that measurements consolidate major branches and offices.

[EU] Frequent market price appraisals and risk measurements are not required, but it is desirable from ALM perspectives that the institution make general measures that include non-designated trading accounts at least once per month.

4) Position limit, risk limit, and loss limit management

(1) Formulation of clear rules for position limit management, etc.

(1) Does the institution have a clearly established system for reporting to managers and chain of authority (guidelines, procedures etc.) for cases in which position limits, risk limits, and loss limits have been exceeded or are likely to be exceeded?

Do rules prohibit the continued holding of positions in excess of position limits, risk limits, and loss limits?

(2) Delegation of authority of position limits, etc.

(2) Does the institution clearly specify the extent of authority given to dealers etc. by delegating authority in writing for positions, profit targets, and loss limits to each managing director, senior management, and dealer, and seeking the signature of the dealer etc. to confirm all changes in limits? Does the institution regularly (at least once per half-year) review the position limits set for individual divisions?

(3) Compliance with rules for position limit management, etc.

(3) Does the institution rigorously apply management rules for position limits etc.? When problems are found in rules or their application, does the institution make appropriate improvements?

Should risk management problems be encountered, is information speedily and accurately communicated to the risk management division etc. rather than just dealing with the problem inside the division?


(4) Position management, etc.

(4) [GD] Does the risk management division have systems in place allowing it to monitor positions and losses on major products during the day should there be a need to do so? Does it have and appropriately use systems to manage position profits by dealer and portfolio?

[CD, EU] Does the risk management division at a minimum have systems in place that allow it to monitor positions and losses on major products on a daily basis?

5) Market liquidity risk

(1) Appropriate management of market liquidity

(1) Does the risk management division accurately measure the status of market liquidity (or receive reports thereon)?

When necessary, does it report to the representative director and/or board of directors etc. on the status of market liquidity?

(2) Setting and review of position limits, etc.

(2) Market conditions may make it impossible to execute trades in the market at the prices initially planned for. In light of this, does the risk management division, when necessary and with the approval of the board of directors etc. (decisions to be made by the managing director in emergencies and reported to and verified by the board of directors etc. afterwards), set position limits taking market liquidity conditions into account?

Are position limits regularly (at least once per half-year) reviewed to take account of changes for investment products and market conditions? Are they also reviewed from time to time as necessitated by changes in conditions?

(3) Operations taking account of market liquidity risk, etc.

(3) Are investments made with reference to market size, depth, and liquidity for individual products?

(4) Monitoring

(4) Does the risk management division measure daily positions for each product and monitor changes in market size and credit status?

(5) Reporting

(5) Does the risk management division report measured position status etc. accurately to the managing director (or when necessary to the representative director or board of directors) as required in the rules? If position limits are exceeded, and in times of crisis or potential crisis, does it report as frequently as possible to the representative director and/or board of directors and take appropriate countermeasures?


6) Operational management

(1) Back-office processing in accordance with rules

(1) Does the institution handle foreign exchange, funds, securities trades, and derivatives thereof in accordance with applicable rules and manuals? For example:

1) Does the back office division monitor all trading without exception (for example, final confirmation of system input, confirmation with ticket stamping and serial numbers etc.)?

2) Are trading details input without delay?

3) Do managers approve corrections to errors in dealing tickets discovered at the confirmation/adjustment stage?

4) Are “incomplete” deal tickets (because processing will be performed in the future) appropriately managed and recorded?

5) Are confirmations sent by someone other than the person responsible for the trade?

6) Are confirmations and dealing tickets appropriately checked against each other?

7) Are dealing tickets, dealing sheets, and confirmations kept and stored in an appropriate manner?

Is documentary evidence (for example, individual trading records) from the market division and the back office division checked by the internal inspections division and stored for a storage period specified in the rules (minimum of 1 year)?

(2) Data cross-checking

(2) Is trading data from the market division and back office division cross-checked? When mistakes are found, are the causes quickly investigated and supplementary procedures taken in accordance with preestablished methods? For example, in securities trading, does the institution regularly (at least once per month) check positions as shown in the dealing system of the market division against securities balances on the accounts of the back office division that have been confirmed with securities companies and the custody division?


7) Management of credit risks associated with market trading

(1) Measurement of credit risk associated with market trading

(1) [GD, CD] Does the institution use current exposure (total replacement cost and potential exposure) to measure credit risk? Does it also measure payment risk?

[EU] Do measurements of credit risk at a minimum use the nominal principal method or original exposure method (nominal or contracted principal multiplied by a multiplier for the product or trading period)? Is the institution considering a switch to current exposure if it is planning to establish foreign offices in the future? Does it also measure payment risk?

(2) Integrated on/off-balance-sheet management of positions, market price appraisals, and credit risks

(2) [GD, CD] It is desirable that the institution monitor individual trading for individual counterparties, that it provide integrated management of on- and off-balance sheet market prices and credit risks, and that it provide information on exposures and credit limits to credit risk senior management in an accurate and timely manner.

Do branch offices accurately measure on- and off-balance sheet credit risks for individual counterparties at least once per month and at any time new credit is granted or credit is renewed (or at the most recent time this has taken place)?

[EU] Do branch offices accurately measure on- and off-balance sheet credit risks for individual counterparties at least once per month and at any time new credit is granted or credit is renewed (or at the most recent time this has taken place)?

(3) Clear systems for credit approval, independent credit approval functions

(3) [GD, CD] Does the institution analyze the credit risk of counterparties at least once per year? Does it set credit limits ahead of time for counterparties with which it engages in frequent and on-going trading?

Are the setting, review, and management of credit limits performed by a credit review division that is independent of market-related divisions? It is desirable that the credit limits set are consistent with other credit standards.

[EU] Does the institution fully study the credit risk etc. of counterparties when selecting counterparties for trades?


(4) Formulation of credit limit rules and appropriate management of credit limit

(4) Does the institution have clearly defined negotiations guidelines (policies on credit supplements etc.) when credit limits are approached, and rules on reporting to managers, authorization, and procedures to be followed when credit limits are exceeded?

Does the institution manage credit limits appropriately and in accordance with the rules?

[GD, CD] When credit risk volumes reach credit limits, does the institution suspend trading that would result in the extension of new credits, report to the senior management as set forth in the rules (or when necessary to the representative director and/or board of directors), and decide on and implement reviews of credit limits and other responses with the approval of the manager (or when necessary of the representative director and/or board of directors)? It is desirable that the institution also take measures to mitigate risk for existing trades, for example, by collecting additional collateral.

In managing credit limits, it is effective to establish appropriate alarm points at stages prior to the counterparty’s credit limit with rules for initiating discussions of supplementing credit risk measures for the counterparty when the alarm points are reached.

(5) Use of risk mitigation measures

(5) It is desirable that credit risk be mitigated with netting contracts, additional collateral, and guarantees, after having confirmed the legal validity of contracts.

8) Market risk rules (verify only for institutions calculating their capital adequacy ratios according to international standards)

(1) Rules governing exceptions for instruments not counted in calculations of market-risk equivalents

(1) Do items excluded by both financial institutions with designated trading accounts and financial institutions without designated trading accounts under the rules governing exceptions for instruments not counted in calculations of market-risk equivalents (the Notice [Financial Supervisory Agency/Ministry of Finance Notice No. 16 of 1998] and so throughout) meet the conditions in the Notice?


(2) Rules on scope of market risk calculations

(2) Do both financial institutions with designated trading accounts and financial institutions without designated trading accounts include all trading and assets specified in the Notice (Article 10)?

(3) Accurate calculation of market-risk equivalents

(3) Does the institution calculate market risk equivalents accurately using an internal model or the standard method as set forth in the Notice (Attach 3)?

[GD] Financial institutions engaged in dealing on major financial markets and internally developing complex derivatives need to use more precise methods to quantify market risk. It is therefore desirable that they use internal models. If they do not, do they calculate using the standard methods?

Internal models need to be used in a consistent manner. Does the institution take appropriate corrective procedures if back testing results indicate there to be inadequacies in its risk measurement model (including notifications to the Financial Supervisory Agency)?

When internal models are used, do the models meet the following standards?

1) Is there a “risk management division” established independent from divisions engaged in trading covered by market risk equivalent calculations?

2) Does the risk management division perform appropriate back testing and stress testing, and does it create documents noting the procedures used?

3) Is the board of directors etc. actively involved in risk management procedures? For example, does it receive reports on risk status and make necessary decisions?

4) Does the institution create documents noting the internal guidelines, management, and procedures for the administration of risk measurement models? Does it take steps to ensure compliance?

5) Is the risk measurement process subject to internal audit at least once per year? Is it also subject to regular external audit by external auditors etc.?


6) Do external auditors confirm that the risk measurement model meets the quantitative requirements in the official model?

For the standard method, does the institution make calculations in accordance with the method set forth in the Notice (Attachment 3)?

[CD, EU] Use of the standard method is acceptable. Does the institution make calculations in accordance with the method set forth in the Notice (Attachment 3)?

(4) Awareness of differences between official model and actual model

(4) The internal model for market risk found in the international standards may assume different trading techniques than are actually used; for example, it assumes that investments are held for a period of 10 days. It is desirable that institutions are aware of this and that they modify their internal risk management model as suits their trading practices.

(5) Understanding of model in risk management division

(5) It is conceivable that an institution would use different risk measurement models for each office and product. Does the risk management division use several types of model? Does it determine model components in a consistent fashion? Does it verify that there are no problems with risk aggregation procedures? And does it understand the nature of models and procedures?

Is the institution able to explain the causes and appropriateness of any differences in risk as measured by the market, risk management, and back office divisions?

(2) ALM management

1) ALM organizations

(1) Establishment of ALM Committee etc.

(1) Does the institution establish an ALM Committee etc. as an organization to provide general management of assets and liabilities and to formulate strategic goals and the like?

(2) Coordination between ALM Committee etc. and relevant divisions

(2) Does the ALM Committee etc. make effective use as reference data of the analyses and trading patterns of divisions responsible for interest-rate and foreign exchange-rate forecasting, risk measurement, and hedging transactions?

Does the institution have a system in place for reporting important information from relevant divisions to the ALM Committee etc.? (Is the definition of “important information” clearly articulated in the rules?)


(3) Participation of directors in ALM Committee etc.

(3) Do the directors and the senior management responsible for relevant divisions (including the representative director when there are sharp fluctuations in the market environment) attend all meetings of the ALM Committee etc. and participate in discussions?

(4) Installation of ALM systems

(4) It is desirable that the institution have systems in place that are able to cover and perform multifaceted analyses of all major sources of interest-rate revision risk, yield curve risk, basis risk and other forms of interest-rate risk, and also foreign exchange risk, price fluctuation risk and other forms of market risk.

2) Interest-rate risk monitoring

(1) Multifaceted risk management using a variety of techniques

(1) Does the institution integrate on- and off-balance sheet products and does it perform multifaceted analyses of them (for example, does it make concurrent use of different analytical methods such as gap analysis and simulation analysis)?

(2) Analysis of interest-rate risk and use of analytical results

(2) Does the institution regularly (at least once per quarter) create and analyze maturity ladders in line with interest-rate revision periods? Does it regularly (at least once per quarter) measure risk using multifaceted analytical methods (for example, simulation analysis and interest-rate sensitivity analysis)? Is this information used by the ALM Committee etc.?

It is desirable that the institution regularly (if possible, at least once per quarter) perform stress testing and use this information in the ALM Committee etc.

3) Foreign exchange risk monitoring

(1) Appropriate monitoring of foreign exchange risk

(1) Does the institution appropriately manage the risks to which it is exposed, for example, by using appropriate financial techniques for the foreign exchange risks associated with foreign-currency assets (including yen-invested foreign-currency assets) and liabilities?

(2) Analysis of foreign exchange risk and use of analytical results

(2) Does the institution regularly (at least once per quarter) measure risk and use these measurements in the ALM Committee etc.?

It is desirable that the institution regularly (if possible, at least once per quarter) perform stress tests and use this information in the ALM Committee etc.


4) ALM operations

(1) Appropriate setting and review of position limits

(1) Are position limits and risk limits for overall management of assets and liabilities set in accordance with the basic risk management guidelines determined by the board of directors and with reference to the capital and net profits on core businesses etc. of the institution? Are position limits reviewed regularly (at least once per half year) and as necessary?

(2) Appropriate risk control

(2) Are interest-rate, foreign exchange, price fluctuation and other market risks controlled in accordance with risk management guidelines determined by the board of directors?

(3) Use of findings from ALM Committee etc. in management strategy

(3) Does the board of directors refer to the analytical results of the ALM Committee etc. when formulating strategic goals and risk management guidelines?

Does the risk management division constantly verify that risk controls and other business operations are performed in accordance with the risk management guidelines determined by the board of directors? Does it report its findings to the board of directors? If it finds that business operations are not in accordance with guidelines, are remedial measures quickly taken?

(3) Designated trading issues (verify only for financial institutions engaged in designated trading or establishing designated trading accounts)

(1) Formulation of rules

(1) Segregated accounting requires that arbitrary decisions be eliminated and transparency assured, and this in turn requires that the board of directors etc. formulate clear rules and that these rules be consistently adhered to. At minimum, does the institution formulate rules regarding the following matters? Does it handle these rules etc. as important rules and does it handle changes under procedures similar to those used in formulating the rules?

1) Clear administrative rules for segregated account based on the legal definition of “designated trading purposes.”

• Definition of designated trading purposes

• Clear organizational divisions by trading purpose (divisions of personnel into units) and independent decision-making authority

• Restrictions on concurrent service of dealers in organizations involved in designated trading and other organizations

• Bans on transfers between accounts

• Creation of ledgers in designated trading accounts for each type of designated trading on the account

• Limits on the markets of counterparties to designated trading of securities, and awareness of hedging purposes

2) Authority and responsibilities of the managers of the divisions engaged in designated trading and the managers of the divisions calculating market values etc.

3) Compliance with rules and procedures for changing rules

4) Basic concepts for the calculation of market prices etc.

• Adherence to calculation methods specified in the Banking Law or other laws or in ministerial ordinances

• Calculation of market prices by a different organization independent of the organization engaged in designated trading

• Calculation methods for market prices etc. (notation when the calculation of market prices etc. is to use the “Fair Price Calculation Procedures” or another document)

• When the “new foreign exchange accounting standards” are used in the calculation of market prices etc., clear notation of the scope of coverage

• Performance of internal audits and inspections of compliance to rules regarding calculation of market prices etc.

• Method by which organizations with “front office functions” will be involved in the calculation of market prices etc. when there is need for their involvement

5) Rules and management methods for internal trading

• Definition and scope of internal trading


• Basic guidelines for internal trading

• Approval of internal trades by an organization independent from front-office organizations

• Approval procedures for internal trades, storage of documents

6) Rules for consigned trading

• Performance of internal audits and inspections of compliance to rules regarding internal trading

(2) Separation of organizations and personnel

(2) It is desirable that organizations engaged in trading for designated trading accounts (at least, organizations with “front office functions”) be at the level of units (for example, an “office,” “department,” or “group”) or larger, and that their organization and staffing be different from the organizations engaged in trading for non-designated trading accounts on which the same kinds of trades are made but for different purposes.

Organizational divisions are not necessarily required, however, when there is an objective and clear segregation of designated trades and the assets involved therein from other trades and their assets and there is little risk of accounts being manipulated (for example, when a designated trading division engages in trades other than those listed as designated trades).

(3) Bookkeeping/ledgers

(3) Do the books for designated trading accounts enable designated trades and the assets involved therein to be clearly segregated from other trades and the assets involved therein? Are there appropriate notations in the category ledgers created at the time applications are filed with the authorities?

Are these ledgers used effectively in actual operations? (Does the institution refrain from using other ledgers in actual operations?)


(4) Prohibition against organizations trading for designated trading accounts from trading on other trading accounts

(4) Does the institution refrain from having organizations engaged in trading for designated trading accounts engage in trading for non-designated trading accounts (and vice versa)? (However, this does not apply when there is an objective and clear segregation of designated trades and the assets involved therein from other trades and their assets and there is little risk of accounts being manipulated.)

(5) Prohibition against arbitrary account selection

(5) Does the institution refrain from making arbitrary decisions about accounts? For example, does it refrain from using, because of market risk concerns, designated trading accounts for trading that should be on non-designated trading accounts?

(6) Appropriateness of internal trading

(6) Internal trading within the same financial institution has the potential to utilize differences in accounting systems to post profits or losses. Such arbitrary handling must be eliminated. From this perspective, does internal trading appropriately comply with the “Documents Noting Matters Related to the Handling of Internal Trades” created at the time approval was received for the establishment of designated trading accounts (or with other rules governing designated trading accounts)?

(7) Separation of divisions involved in designated trading from divisions calculating market prices

(7) Calculations of market prices must ensure that prices are fair. From this perspective, does the institution assign different divisions to calculate market prices from the divisions involved in designated trading?

(8) Creation and storage of materials providing basis for market price etc. calculations

(8) Internal and external inspections and audits of the financial institution must verify the fairness of market price calculations. To facilitate this, does the institution keep and manage for set periods of time documents that enable market price calculations to be reproduced?

(9) Assurance of objectivity in fair price calculations

(9) Is the institution aware of the following in the assurance of the objectivity of fair price calculations?

1) Does the institution create and consistently use “Fair Price Calculation Procedures” based on rules etc.? Should there be need to modify calculation methods because of institutional changes or the development of new appraisal techniques etc., does the institution revise its procedures in a timely manner and in accordance with the rules etc.?

Are changes in calculation methods clearly noted?

2) To check the internal fairness and appropriateness of the “Fair Price Calculation Procedures,” are the “Fair Price Calculation Procedures” subject to prior approval from divisions engaged in trading for designated trading accounts (organizations with “front office functions”) and organizations independent of organizations developing financial products (for example, the risk management division or the inspections division etc.)?

Do the organizations above regularly check the application and administration of these procedures (for example, the risk management division or the inspections division etc.; however, divisions performing calculations are excluded)?

3) Is assurance of the objectivity of fair price calculations included as a priority item in internal inspections?

Are the following included as points to be noted in inspections?

a) Violations of the scope of trading set by ministerial ordinance (now allowed to engage in inter-account trading for exchange trades, securities trades, and acquisition or transfer of monetary credits)

b) Effectiveness of internal checks, for example, appropriate handling of internal trading at fair prices and in accordance with rules

c) Clear indications of internal trades on trading tickets and segregated storage thereof

d) Intentional profit/loss adjustments


(10) Calculation of fair prices

(10) Are fair price calculations made by organizations independent of organizations with front-office functions and in accordance with the following concepts?

1) Exchange trades

Are prices calculated using rational methods based on published closing prices (trading prices on the exchange [closing price <including liquidation price> etc.])?

2) Non-exchange trades

(a) Non-exchange trades for which quotes are obtainable

Are prices in principle calculated using quotes from brokers (including screens), dealers, and others?

(b) Other trades

Does the institution use the following?

a) Obtainable quotes for financial products of a similar nature

b) Estimates based on appraisal methods (discounted present value, option price calculation model etc.)

Is it aware of the following?

1) Efforts to ensure fair calculations of the price of over-the-counter derivatives

a) Are calculations generally the same for the time of the trade and the end of the term?

b) Are calculations checked by external auditors?

c) Are calculations checked during internal inspections?

2) Compliance with and consistent use of the following as defined in the “Fair Price Calculation Procedures”

a) Types and sources of basic data

b) Time at which basic data is obtained

c) Method of creating yield curves from basic data


d) Method and period of basic data storage

e) Correction methods when corrections are made

(11) Information disclosure

(11) It is necessary to disclose “important accounting guidelines.” From this perspective, does the institution disclose the following matters in relation to appropriate segregated accounting and the measurement and management of objective market prices?

1) Framework for designated trading accounts (definition of “trading for designated trading purposes,” specific lists of products covered, organizational divisions etc.)

2) Market price concepts (use of fair price concepts in market price calculations, outline of fair price calculation procedures, means of assuring objectivity etc.)

3) Financial information related to designated trading accounts

3. Segregation of duties

Erection of mutual-checking systems

When the market divisions and back office divisions operate multiple computer systems, does the risk management division obtain position information from both the market divisions and back office divisions and confirm that there are no discrepancies between them (not necessary if integrated systems are used)? Does the risk management division monitor compliance with position limits and other management rules? Does it play an appropriate role in enhancing and operating risk management systems, gathering and processing information, and reporting to the board of directors etc.? Does the risk management division have adequate personnel to monitor trading?

Does the risk management division regularly perform precise checks and analyses to search for abnormalities in the calculation of intra-term profits and losses (including appraisal profits and losses)?

[GD] Does the institution have an independent risk management division staffed with experts in market trading and risk management techniques?

[CD, EU] It is desirable that the institution have an independent risk management division staffed with experts in market trading and risk management techniques, but if it does not, does it take other steps, for example, by establishing a risk management group in the planning department?

* Is the institution aware of the following matters regarding mutual checking functions?

1) Does familiarity between the chief dealer and the back office division manager place the dealers in the position of being able to directly manipulate and issue instructions regarding accounting?

2) Are veteran dealers personally so trusted by superiors (branch office managers and relevant executives) that they are considered “unquestionable” by other employees? Is the institution aware that human risks are increased when they are dependent on specific personnel and does it carefully control this?

3) Are organizations run so that separations between organizations do not function? For example, is there a “confirmation team” below the market division manager or does the same person function as the manager for both the market division and the back office division?

4) Is all information communicated quickly and accurately to the risk management division? Should risk management problems be encountered, is information speedily and accurately communicated to the risk management division etc. rather than just dealing with the problem inside the division?

5) Does the institution have an independent risk management division and is expert staff assigned to it? Is the risk management division able to report directly to the relevant directors etc. without influence from the trading divisions?

6) Are audio recordings made of dealer trading twenty-four hours a day? Is the content of recordings checked against trading records using regular sampling or other techniques?

Are recorded tapes stored for a set period of time (are tapes stored and managed by sections independent of the market division and back office division (for example, the risk management division) or by a section of the back office division with separate work responsibilities)? It is desirable that telephones be recorded for the back office division as well for purposes of after-the-fact confirmation.

When comparing the content of dealer trading recordings with the dealing tickets (trading records), do not check dealing tickets against recordings. Rather, check whether the entire content of recordings is on the dealing ticket.

7) Is at-home dealing only used under restricted conditions for the purpose of avoiding risks from after-hours operations? Does the institution specify trading volumes, types, and dealers? (Are there written rules?) Are answering machines and the like installed so that trading is recorded?

8) Are dealers fully aware that dealing recordings are regularly checked against dealing tickets?

4. Communication of information

(1) Risk management division’s access to information

(1) Is the risk management division able to obtain trading information and other internal data and market data from the market divisions directly and in an appropriate and comprehensive manner? Is the risk management division able to directly instruct and supervise the middle offices of other divisions?

(2) Installation of dealing support systems

(2) [GD] Does the institution provide a dealing support system that provides dealers (or units) with real-time and/or daily-appraised market prices for the positions of each office for all major products with which they are involved?

[CD] Does the institution provide a dealing support system that provides dealers (or units) with daily-appraised market prices for the positions of each office for all major products with which they are involved?

(3) Installation of computer systems suited to back-office processing

(3) Does the institution install and manage accounting and information computer systems that are sufficiently able to perform all basic clerical processing, settlement, and management of all trading in which the institution is engaged?

(4) Establishment of back-up systems

(4) Does the institution have a back-up system, including effective contingency plans?

(5) Assurance of system safety

(5) Does the institution engage in appropriate and adequate management designed to prevent unauthorized access to computer systems, for example, management of entry and exit from work areas and use of passwords?

(6) Communication of information to the risk management division

(6) Do the market divisions etc. communicate all information quickly and accurately to the risk management division? Should risk management problems be encountered, is information speedily and accurately communicated to the risk management division etc. rather than just dealing with the problem inside the division?

Liquidity Risk Management System Checklist

Liquidity risk could include two different types of risk: the risk that a financial institution will incur losses because it is forced to raise funds at markedly higher interest rates than normal, or because a deterioration etc. of its financial position renders it unable to assure itself of adequate funding and therefore unable to maintain cash flow (cash flow risk), and the risk that upheavals etc. in the market will render it impossible to trade and therefore force the institution to engage in transactions at prices that are markedly more disadvantageous than normal (market liquidity risk).

Inspectors will verify and inspect the liquidity risk management systems of financial institutions using the Risk Management Systems Checklists (Common Items), the Market Risk Management Systems Checklist, and this checklist. This checklist is to be used for inspections of cash flow risk systems; the Market Risk Management Systems Checklist for inspections of market liquidity risk.

This checklist applies to all deposit-taking financial institutions, including the foreign offices of Japanese banks (foreign branch offices, foreign subsidiaries, and foreign liaison offices, etc., though whether or not to include these offices in the inspection will be determined in light of applicable laws and ordinances, including applicable foreign-country laws and ordinances) and the Japan offices of foreign banks. In inspections of cooperative financial institutions, inspectors should be aware that cooperative financial institutions are only required to select accounting auditors in limited cases.

Notes on the use of this manual in inspections

This manual is only a handbook to be used by inspectors in the inspection of financial institutions. It is expected that, as part of their efforts to ensure sound and proper operations and in accordance with the principle of self-responsibility, individual financial institutions will fully exercise their creativity and innovation to voluntarily create their own detailed manuals. These institutional manuals should make note of the content of this manual and be adapted to the size and nature of the institution.

The check points in this manual represent criteria to be used by inspectors in evaluating the risk management systems of financial institutions. They do not constitute direct statutory obligations to be achieved by institutions. Care must be taken that the manual is not employed in a manner that is mechanical and unvarying. There may be cases in which the letter of the checklist description has not been fulfilled, but the institution has nonetheless taken measures that are, from the perspective of ensuring the soundness and appropriateness of its operations, rational, and these measures are equivalent in their effects to the descriptions for the check point or are sufficient given the size and nature of the institution. In such cases, the institution’s measures should not be deemed inappropriate.

Inspectors will therefore need to engage in full discussion of relevant points with financial institutions during on-site inspections.

Explanation of check points

1) Unless explicitly stated otherwise, items expressed in the form of questions such as “does the institution have” or “is the institution doing” are minimum standards that are expected of all financial institutions. Inspectors, as they go through their checklists, need to fully verify the effectiveness of these items.

2) Unless explicitly stated otherwise, items worded in the form of “it would be desirable that” constitute “best practice” for all financial institutions. Inspectors need only confirm these items.

3) Items that are a combination of the two represent minimum standards for internationally active banks (those financial institutions calculating their capital adequacy ratios according to the Basle standards) but serve only as best practices for other financial institutions (those calculating their capital adequacy ratios according to domestic standards).

Distinction between “board of directors” and “board of directors etc.”

1) Items that are defined as roles of the “board of directors” are items for which the board of directors itself needs to determine all essential matters. This does not, however, preclude the board of directors from delegating consideration of draft documents to the management committee or similar bodies.

2) The phrase “board of directors etc.” includes the board of directors, the management committee, the business steering committee, and similar bodies. Items that are defined as roles of the “board of directors etc.” would ideally be determined by the board of directors itself, but may be delegated to the management committee etc. provided that there are adequate internal checks in place, i.e. there has been a clear delegation of this authority from the board of directors, the management committee etc. has kept minutes of its proceedings and other materials that would allow after-the-fact confirmation, and there are adequate internal controls in place, e.g., the results are reported to the board of directors, and auditors are allowed to participate in the management committee etc.

Item | Risk Management System Check Point | Explanation of Risk Management Check Points | Remarks

I. Awareness of risk management etc.

1. Awareness of directors and role of board of directors

(1) Understanding of cash flow risk

(1) Do directors understand that cash flow problems can in some cases lead directly to bankruptcy and the triggering of systemic risk?

(2) Articulation of strategic goals with reference to cash flow risk

(2) Does the board of directors take account of cash flow risks when setting strategy goals?

Note: “Cash flow risk management division” refers to a division that manages and administers cash flow on a daily basis. “Risk management division” refers to a division that monitors compliance with internal standards etc. regarding cash flow, and so throughout.

(3) Establishment of cash flow risk management systems

(3) Does the board of directors, in managing cash flow risk, put systems in place for sufficient mutual checking, for example, by separating the cash flow risk management division from the risk management division or otherwise providing for appropriate cash flow risk management?

Does the system allow the cash flow risk management division to recommend measures for securing liquidity directly to the representative director as warranted by risk conditions?

(4) Setting and review of limits

(4) Do the representative directors set and review limits as required by the nature of the institution’s asset investments and fund-raising conditions so as to appropriately manage cash flow risk? Do the representative directors report such setting and review of limits to the board of directors?

Does the board of directors verify that the information reported by the representative director adheres to liquidity risk management guidelines?

2. Awareness and roles of senior management

(1) Establishment of rules for cash flow risk management

(1) Does senior management in the cash flow risk management division and risk management division formulate management methods, reporting methods, decision-making methods and other relevant rules based on categories of cash flow tightness (“normal,” “needs attention,” “crisis”)? Do they seek the approval of the board of directors for these rules?

Note: “Senior Management” refers to branch office managers and persons in senior managerial positions (including directors) with equivalent levels of responsibility, and so throughout.

(2) Appropriate cash flow risk management practice

(2) Does senior management in the cash flow risk management division manage cash flow appropriately and in accordance with cash flow risk management guidelines and risk management rules?

II. Establishment of appropriate risk management systems

1. Risk recognition and assessment

(1) Analysis of cash flow risk factors and development of countermeasures

(1) Does the cash flow risk management division gather and analyze information on the institution’s share price, reputation, and other matters that would have an impact on fund-raising? Does it formulate appropriate countermeasures?

If the institution has separate cash flow risk management divisions for yen and foreign currencies or for domestic and foreign branches, does it have a means of providing integrated management of cash flow risks?

(2) Measurement of liquidity at consolidated subsidiaries

(2) The bankruptcy of a consolidated subsidiary because of a deterioration in its cash flow is likely to have a large impact on the institution. Does cash flow risk management capture conditions at consolidated subsidiaries and take them into account?

2. Cash flow risk management

(1) Implementation of liquidity assessments, management of risks on both the asset and liability sides

(1) Does the cash flow risk management division assess liquidity from both the asset and the liability sides? Does it monitor the status of liquidity assurance, for example, when and how much money the institution is able to raise, how much collateral it can provide and how much funding it will generate?

(2) Appropriateness of cash flow risk management

(2)

1) Does the cash flow risk management division manage the following matters as necessary, endeavor to quickly grasp their impact on cash flow, and create daily cash flow tables, and weekly and monthly cash flow forecasts for yen and foreign currency assets? (Do those financial institutions calculating their capital adequacy ratios according to the Basle standards also create quarterly cash flow forecasts? It is also desirable that financial institutions calculating their capital adequacy ratios according to domestic standards create quarterly cash flow forecasts.)

a) Central management of large fund movements

b) Management of market-based fund-raising

c) Management of investment and fund-raising instruments by type of instrument and term structure

d) Management of collateral status

e) Management of deposit etc. maturity

f) Management of contractual credit balances received and granted

g) Management of payment reserve assets

h) Management of cash (including ATMs)

i) Management of foreign currency cash flow

j) Management of cash flow taking account of exchanges between foreign currencies.

Etc.

2) Does the risk management division manage the following matters as necessary, endeavor to quickly grasp their impact on cash flow, provide information to the board of directors etc. and cash flow risk management division, and exert checks on the cash flow risk management division?

a) Management and analysis of deposit and lending plans and results

b) Management of market fund-raising limits

c) Management of funding gap limits

d) Management and analysis of contractual credit balances received and granted

e) Management of status of fund-raising dependent on specific lenders/investors (concentration of risk)

f) Management of dependence on Bank of Japan fund-raising

Etc.

(3) Appropriateness of cash flow risk management methods

(3) Does the cash flow risk management division monitor planned investments (planned amount of loans, guarantees etc. to be disbursed) and potential fund-raising (amount able to raise on interbank open markets, incoming deposits, forecast cancellations etc.) based on reports etc. from business divisions etc.?

Does the cash flow risk management division take account of the following matters in endeavoring to monitor investment plans and fund-raising potential?

Note: “Business divisions etc.” refers to business divisions, branch offices, and foreign offices, and so throughout.

1) Off-balance sheet transactions (including currency swaps etc.)

2) Commitment lines

3) Current account overdrafts

4) Measurement of actual investment periods (for example, investments that are formally short-term but actually long-term)

5) Status of fund-raising dependent on specific lenders/investors (concentration of risk)

6) Dependence on Bank of Japan fund-raising

7) Tightness of cash flow (for example, “normal,” “needs attention,” “crisis” etc.)

Do money position financial institutions set and review cash gap limits from time to time as required?

(4) Awareness of liquidity risk in operations and administration

(4) Do business divisions operate and administer their functions taking liquidity risk into account as warranted by the cash flow status measured by the cash flow risk management division?

(5) Assurance of payment reserves and means of fund-raising

(5) Does the cash flow risk management division secure means of fund-raising as warranted by the tightness of cash flow (for example, “normal,” “needs attention,” “crisis” etc.) and does it secure payment reserve assets (cash on hand, deposits etc.) for withdrawals of deposits etc.?

3. Communication of information

(1) Reports from business divisions etc. to cash flow risk management division, risk management division

(1) Do business divisions etc. work in close coordination with the cash flow risk management division and risk management division to report large movements of funds in a timely and accurate manner?

Do branch offices etc. measure expected funds movements and report them to the cash flow risk management division so there are no large discrepancies between forecasts and actual cash flow?

It is desirable that the risk management division be equipped with the authority and systems etc. to obtain information directly at all times.

Note: “Branch offices etc.” refers to branch offices and foreign offices.

(2) Reports from risk management division to board of directors etc.

(2) Does the risk management division report the information measured in II:2(2)2) to the representative directors and managing directors regularly and at other times as warranted? Does it also report regularly and as needed to the board of directors etc.?

(3) Reports from cash flow risk management division to board of directors etc.

(3) Does the cash flow risk management division report cash flow status and forecasts regularly (once per week) and whenever necessitated by cash flow tightness to the representative directors and managing directors? Does it also report regularly and whenever needed to the board of directors etc.?

(4) Installation of systems for cash flow risk management

(4) Are the cash flow risk management division and risk management division equipped with systems that enable the appropriate measurement and management of risk?

4. Establishment of crisis management system

(1) Formulation of response plans for liquidity crises

(1) Do the cash flow risk management division and risk management division seek the approval of the board of directors in the formulation and major revision of liquidity crisis countermeasures? (Do they seek the approval of the board of directors etc. for other revisions?)

Do countermeasures include communication and reporting systems (a system for reporting directly to the representative director), response methods (assurance of means of fund-raising), and chains of authority and decision-making?

Are countermeasures reviewed as appropriate so that they are feasible at all times?

(2) Assurance of means of fund-raising

(2) Does the cash flow risk management division monitor at all times the institution’s domestic holdings of assets that can be immediately sold or used for collateral (government bonds etc.) and the time and amount of funds that can be raised from yen investments and yen conversions etc.? Does the institution have lines of credit, etc. that will enable fund-raising from central banks and commercial financial institutions so that it is assured of a means of fund-raising in times of crisis?

Does the institution constantly monitor trading environments etc. so that it is able to smoothly liquidate assets to raise funds (for example, sell securities)?

Operational Risk Management System Checklist

1) Operational risk is the risk that a financial institution will incur losses because personnel (including executives) fail to perform operations accurately, or engage in actions that result in mishaps or improprieties.

2) Inspectors will verify and inspect the operational risk management systems of financial institutions using the Risk Management Systems Checklists (Common Items), and this checklist.

This checklist applies to all deposit-taking financial institutions, including the foreign offices of Japanese banks (foreign branch offices, foreign subsidiaries, and foreign liaison offices, etc., though whether or not to include these offices in the inspection will be determined in light of applicable laws and ordinances, including applicable foreign-country laws and ordinances) and the Japan offices of foreign banks. In inspections of cooperative financial institutions, inspectors should be aware that cooperative financial institutions are only required to select accounting auditors in limited cases.

Notes on the use of this manual in inspections

This manual is only a handbook to be used by inspectors in the inspection of financial institutions. It is expected that, as part of their efforts to ensure sound and proper operations and in accordance with the principle of self-responsibility, individual financial institutions will fully exercise their creativity and innovation to voluntarily create their own detailed manuals. These institutional manuals should make note of the content of this manual and be adapted to the size and nature of the institution.

The check points in this manual represent criteria to be used by inspectors in evaluating the risk management systems of financial institutions. They do not constitute direct statutory obligations to be achieved by institutions. Care must be taken that the manual is not employed in a manner that is mechanical and unvarying. There may be cases in which the letter of the checklist description has not been fulfilled, but the institution has nonetheless taken measures that are, from the perspective of ensuring the soundness and appropriateness of its operations, rational, and these measures are equivalent in their effects to the descriptions for the check point or are sufficient given the size and nature of the institution. In such cases, the institution’s measures should not be deemed inappropriate.

Inspectors will therefore need to engage in full discussion of relevant points with financial institutions during on-site inspections.

Explanation of check points

1) Unless explicitly stated otherwise, items expressed in the form of questions such as “does the institution have” or “is the institution doing” are minimum standards that are expected of all financial institutions. Inspectors, as they go through their checklists, need to fully verify the effectiveness of these items.

2) Unless explicitly stated otherwise, items worded in the form of “it would be desirable that” constitute “best practice” for all financial institutions. Inspectors need only confirm these items.

3) Items that are a combination of the two represent minimum standards for internationally active banks (those financial institutions calculating their capital adequacy ratios according to the Basle standards) but serve only as best practices for other financial institutions (those calculating their capital adequacy ratios according to domestic standards).

Distinction between “board of directors” and “board of directors etc.”

1) Items that are defined as roles of the “board of directors” are items for which the board of directors itself needs to determine all essential matters. This does not, however, preclude the board of directors from delegating consideration of draft documents to the management committee or similar bodies.

2) The phrase “board of directors etc.” includes the board of directors, the management committee, the business steering committee, and similar bodies. Items that are defined as roles of the “board of directors etc.” would ideally be determined by the board of directors itself, but may be delegated to the management committee etc. provided that there are adequate internal checks in place, i.e. there has been a clear delegation of this authority from the board of directors, the management committee etc. has kept minutes of its proceedings and other materials that would allow after-the-fact confirmation, and there are adequate internal controls in place, e.g., the results are reported to the board of directors, and auditors are allowed to participate in the management committee etc.


Item | Risk Management System Check Point | Explanation of Risk Management Check Points | Remarks

I. Awareness of risk management etc.

1. Awareness of directors and role of board of directors

Directors’ understanding and awareness of risk management

Do the directors understand the locus of operational risk throughout the operations of the bank? Are they aware of the importance of mitigating operational risk? Do they take appropriate measures to do so?

2. Awareness and roles of senior management

Senior management’s understanding and awareness of risk management

Is senior management aware of the importance of mitigating operational risk? Does it take appropriate measures to cause the staff of the divisions it oversees to understand the importance of and take steps to mitigate operational risk?

In monitoring operational risk, it is desirable that senior management endeavor to analyze quantitatively operational risk from the perspective of the latent size of operational losses to which the institution is exposed and the potential for operational losses to be realized.

Note: “Senior management” refers to branch office managers and persons in senior managerial positions (including directors) with equivalent levels of responsibility, and so throughout.

II. Auditing and correction of deficiencies

1. Internal audits

Methods and content of audits by the auditing division

1) Does the auditing division create techniques and content for head office audits and self-audits in the form of implementation standards and implementation procedures?

If business divisions etc. create implementation standards and implementation procedures for self-audits, are these documents approved by the auditing division?

2) Does the auditing division analyze the results of head office audits and self-audits and accurately notify business divisions and branch offices thereof?

Do business division managers and branch office managers use audit findings to improve the level of clerical work?

Note: “Internal audit” refers to head office audits by the auditing division, and self-audits by individual business divisions and branch offices, and so throughout.

Note: “Branch offices etc.” refers to branch offices and foreign offices.

Note: “Branch office manager” refers to the manager of a branch office or foreign office.


2. Correction of deficiencies

Reports of deficiencies to board of directors and senior management

Are audit results and other necessary matters reported to the board of directors regularly (or timely if needed)? In particular, is the board of directors given timely reports of improprieties that would have a serious impact on the operation of the institution?

Is the representative director furnished with reports that provide accurate and specific notations of the frequency, importance, cause, and planned improvements for operational misses?

3. Improprieties

(1) Improprieties

1) Are improprieties reported to the supervisory authorities and dealt with appropriately as mandated by applicable laws and ordinances? Are the police and other relevant agencies quickly informed of facts that potentially impinge upon criminal provisions?

2) Are problems that would have a serious impact on the operation of the institution quickly reported to the clerical division, auditing division, and also to the board of directors?

3) Are improprieties investigated and resolved by divisions independent of the division involved in the improprieties (for example, by the auditing division)?

Does the institution analyze the causes of improprieties, provide division managers and branch office managers with analytical results from the perspective of preventing future incidents, and take measures to prevent recurrence in a timely manner?

4) Does the institution have a system in place for investigating the facts related to improprieties, holding relevant parties accountable, and clarifying supervisory responsibilities?


(2) Complaints etc. from customers

1) Does the institution have procedures established for dealing with complaints etc. (including inquiries that could be related to improprieties) from customers?

2) Does the institution deal quickly with complaints etc. (including inquiries that could be related to improprieties) from customers in a coordinated effort between the clerical division and other related business divisions?

3) Does the institution make and store records of the content of complaints etc. (including inquiries that could be related to improprieties) from customers and the results therefrom? Are the clerical division and auditing division furnished with regular reports?

4) Are problems that would have a serious impact on the operation of the institution quickly reported to the clerical division, auditing division, and also to the board of directors?

III. Operational risk management systems

1. Role of operations division

(1) Organization of clerical division

1) Does the institution have a division that is clearly designated to formulate operational rules etc.?

2) Does the institution have a division that is clearly designated to provide operational supervision and training and a system that enables this division to function fully?

3) Does the clerical division have a system able to respond quickly and accurately to inquiries etc. from branch offices regarding clerical processing?

4) Is the clerical division independent of business promotion divisions and able to exert sufficient checks on them?

(2) Formulation of rules etc.

1) Are operational rules comprehensive and in conformity with all applicable laws and ordinances?


Do the operational rules contain clear procedures for handling exceptions and differences of interpretation?

2) Does the clerical division analyze business operations, establish the locus of operational risk and formulate rules to prevent risks from being incurred?

3) Do operational rules contain clear provisions, particularly regarding the handling of cash, physical certificates etc., important documents, and exceptional treatments?

4) Do the operational rules contain clear provisions regarding the operations of other business divisions as well as the branch offices?

5) Are operational rules reviewed and improved as needed in light of problems identified from audit results, improprieties, complaints, and inquiries?

6) Are operational rules reviewed and improved as necessary in light of changes in laws, ordinances, and other exogenous factors?

(3) Internal control

Does the clerical division:

1) Take measures to constantly check the operational management of branch offices?

2) Have systems in place to prevent branch office managers from concealing improprieties?

3) Endeavor to improve the operational levels of branch offices in coordination with the auditing division etc.?

2. Role of branch offices

(1) Role of branch manager

Does the manager of the branch office:

1) Constantly monitor risks associated with clerical processing?

2) Check compliance with appropriate clerical processing guidelines and rules etc., and other matters for which risk is inherent?

3) Endeavor to prevent situations in which those responsible for accuracy and checking are too busy to be able to adequately function in their checking capacity?

4) Understand where the problems are in the branch’s clerical processing and endeavor to make improvements?

5) Deal strictly with exceptional treatments in particular?

6) Deal responsibly and in coordination with the clerical division and other related business divisions when exceptional treatment is provided?

(2) Rigorous operational management

1) Is clerical processing performed in a rigorous manner?

2) Are accuracy checks performed in a fundamentally rigorous manner and not just as a perfunctory formality?

3) Is the branch office manager informed immediately when there are cash incidents? Are reports provided to the clerical division, auditing division, and other necessary divisions?

4) Does the institution follow the standards specified by the authorities in rigorously verifying identities before beginning dealings or engaging in large cash dealings?

5) Are exceptional treatments only processed after approval from the branch office manager or other executive?

6) Are exceptions to the rules handled as instructed by the branch office manager in coordination with the clerical division and other relevant business divisions?

(3) Customer protection

1) Is the institution’s clerical processing fair to its customers?

2) Does the institution provide customers with appropriate and sufficient explanation of the content and nature etc. of transactions when engaging in transactions with customers?


3) In particular, does the institution provide appropriate and sufficient explanation to customers when selling products in which the customer himself/herself incurs risk? When necessary, does it ask the customer to confirm that he/she has received explanations?

4) Does the institution take care not to disclose customer information to third parties except as permitted by law or as agreed to by the customer himself/herself?

5) Does the institution handle information concerning individual companies, for example, financial information concerning borrowers, with particular rigor and care?

(4) Functions of self-audits

Do branch offices perform effective self-audits based on implementation standards and implementation procedures? Do they report the results to the auditing division?


1) The following are provided merely as examples to be used by inspectors when they perform on-site inspections of operational risk management. No attempt has been made to exhaustively cover all of the operations of financial institutions.

2) Note that the financial institution’s auditing division has basic responsibility for checking the actual operational processing of the institution. Inspectors do not need to inspect all of the examples listed below on-site as long as inspectors are able to confirm that the auditing division and other relevant divisions are functioning effectively. Likewise, if it appears that divisions are not functioning effectively, inspectors may need to delve further into other operations of the institution in their checks.

3) On-site inspections need to cover the start-up of new businesses and new product sales even if they are not listed in the examples.

4) The point of the following is not to identify simple, negligible clerical mistakes, but to confirm the functioning of the risk management system.

IV. Handling of clerical work

(1) Internal operations

Is the institution aware of the following in the handling of internal operations (examples only)?

1) Cash and physical certificate etc. management

a) Balance management by executive personnel

b) Communication of incidents involving cash

2) Exceptional treatments

a) Records of exceptional treatments

b) Approval of branch office manager or other executive

c) Supplementary processing of exceptional treatment

d) Prevention of overly frequent, or persistent exceptional treatment, checks by appropriate individuals etc.

3) Transactions using executive keys

a) Check for base-date transactions and other unusual transactions

b) Selection of important transactions requiring executive keys

4) Overdrafts

a) Establishment of customers allowed overdrafts (for example, customers for whom settlement is not in doubt)


b) Prior approval of transactions that involve monetary burdens

5) Handling of documents and certificates etc.

6) Collection of fees, payment of costs

7) Handling of loss reports

8) Management of general transfers and transfers prior to liquidation

9) Management of objects held in custody at the branch

10) Management of CD cards

11) Bill handling, check handling, domestic transfer handling and transmission, foreign exchange

12) Money laundering issues

a) Failure to confirm identity (Operational Guidelines, “Attached Information Documents”, Prevention of Money Laundering from Illegal Narcotic and other Drug Transactions)

When opening accounts, leasing safe-deposit boxes, accepting protective custodial responsibilities, and engaging in trust results or large cash transactions (Supervisory Guidelines by FSA)

b) Notification of dubious transactions (Law Concerning Exceptions for Narcotics, Article 5)

c) Concealment, receipt, and payment of illegal profits etc. (Law Concerning Exceptions for Narcotics, Article 9 and Article 10)

(2) Outside liaison work

Does the institution pay attention to the following in the handling of outside liaison work (examples only)?

1) Transfers of delivered funds and transfers based on telephone requests

2) Issuing and collection of receipts

3) Handling of cash and physical certificates etc. between the outside liaison and the internal clerical division

4) Long-term custody of cash, passbooks, and ledgers etc.

5) Prevention of incidents at customers to whom outside collection services are provided

6) Outside payments

(3) Deposit operations

Does the institution pay attention to the following in the handling of deposits and related matters (examples only)?

1) Provision of information to depositors

a) Display in the branch office of major deposit interest rates

b) Availability of fee list for perusal in the branch office

c) Indication of deposit products covered by deposit insurance

d) Provision of information regarding the entire line of products offered

e) When offering floating-interest deposits based on specific indexes, appropriate information on index levels, interest rates, and calculation methods.

2) Cooperative deposits, Buzumi-Ryodate deposits

a) Prevention of excessive cooperative deposits, excessive Buzumi deposits, and excessive Ryodate deposits.

b) Measures to prevent deposit solicitation campaigns from becoming excessive

c) Attention to business plans that emphasize term-end figures

3) Betsudan deposits, suspense receipts, suspense payments

4) Insured time deposits

5) Handling of products without guaranteed principal

6) Actions that impinge on laws regarding deposit-taking

Note: Buzumi-Ryodate deposits

A general name for compulsory deposits created in conjunction with bill discounts and loans.

Buzumi deposits

A compulsory deposit of part of the money generated by a bill discount or a loan collateralized with a commercial bill.

Ryodate deposits

A deposit made in conjunction with a loan as all or part of the collateral on the loan or as a consideration or recompense (de facto collateral) for the loan.

Betsudan deposits

An accounting title of convenience for money temporarily held on deposit that cannot be assigned to any other kind of deposit or that would be inappropriate to assign to any other title. Examples would include unsettled or unliquidated amounts generated in conjunction with financial institution deposit-taking, lending, foreign exchange, securities, custodial services, or other businesses.

(4) Lending operations

Does the institution pay attention to the following in the handling of lending and related matters (examples only)?

1) Identification (confirmation of the intentions of the borrower, guarantor, and provider of collateral etc.)

2) Appraisal and management of collateral property

a) Documented, objective appraisals by real estate appraisers or using standard values etc.

b) Notation on collateral ledger and management ledgers etc. of collateral property and guarantee certificates etc.

c) Provision and renewal of fire insurance

d) Confirmation of intentions of joint and separate guarantors (guarantee confirmation)

3) Financial loan for premium payment

4) Progress on applications

5) Management of large borrowers and loss-making borrowers


(5) Securities operations

Does the institution pay attention to the following in the handling of securities and related matters (examples only)?

1) Over-the-counter bond sales

a) Operations that pay special attention to prohibited actions such as false trading indications, promotion of large volume sales of specific securities held by the institution, and actions involving the use of credit.

b) Conformity to statutory requirements in the Securities and Exchange Law etc. and to the rules of the Association of Securities Dealers of Japan

c) Education and training of employees

2) Investment trust sales

a) Appointment of accountable internal supervisors, sales supervisors, and internal managers etc.

b) Operations that pay special attention to prohibited actions such as solicitation of investment with positive judgement statements, trading on discretionary accounts, covering of losses, and provision of additional profits etc.

c) Conformity to statutory requirements in the Securities and Exchange Law, Securities Investment Trust Law etc. and to the rules of the Association of Securities Dealers of Japan

d) Appropriate and sufficient explanation to customers of the risk of loss of principal incurred

e) Establishment of special spaces in offices for direct sales and redemptions etc. of investment trusts clearly separated from other services (for institutions “loaning space” for investment trust sales)

f) Education and training of employees


(6) Other operations

Does the institution pay attention to the following in the handling of other operations (examples only)?

1) Commodities funds

a) Operations that pay special attention to regulations designed to protect investors, including regulations against such prohibited actions as loaning names, loaning money and mediating loans, and improper solicitation.

b) Appropriate and sufficient explanation to customers of the risk of loss of principal incurred

c) Education and training of employees

2) Mortgage-backed securities

a) Operations that pay special attention to regulations designed to protect purchasers, including regulations against such prohibited actions as loaning names and improper solicitation.

b) Appropriate and sufficient explanation to customers of the nature of the product, including explanations of whether the contract guarantees principal

c) Education and training of employees

3) Loan cash receipts and disbursements trusts

a) Solicitation as warranted by customer knowledge and experience

b) Appropriate and sufficient explanation to customers

c) Education and training of employees

4) Small-lot credit sales

5) Liquidation of credits from local public bodies etc.

6) Liquidation of general loan credits

7) Loan participation

8) Foreign exchange


a) Notification of dubious transactions (Law Concerning Exceptions for Narcotics, Article 5)

b) Concealment, receipt, and payment of illegal profits etc. (Law Concerning Exceptions for Narcotics, Article 9 and Article 10)

c) Confirmation of identity by the financial institution etc.

d) Reporting of confirmations of identity by the financial institution etc.

9) Exchange

a) Notification of dubious transactions (Law Concerning Exceptions for Narcotics, Article 5)

b) Concealment, receipt, and payment of illegal profits etc. (Law Concerning Exceptions for Narcotics, Article 9 and Article 10)

c) Confirmation of identity by the financial institution etc.


Computer System Risk Management System Checklist

1) Computer system risk is the risk that a financial institution will incur losses because of down or malfunctioning computer systems or other computer system inadequacies, or because of improper use of computer systems.

2) Inspectors will verify and inspect the operational risk management systems of financial institutions using the Risk Management Systems Checklists (Common Items), and this checklist. Should problems be identified in management systems and it be deemed necessary to engage in a deeper and more specific verification, inspectors shall refer to “Safety Standards for the Computer Systems of Financial Institutions” and the accompanying explanatory materials (edited by the Financial Institution Information Systems Center); for contingency plans they shall refer to “Contingency Plan Procedures for Financial Institutions” and “Contingency Plan Formulation Manual for Financial Institutions” (edited by the Financial Institution Information Systems Center).

3) This checklist applies to all deposit-taking financial institutions, including the foreign offices of Japanese banks (foreign branch offices, foreign subsidiaries, and foreign liaison offices, etc., though whether or not to include these offices in the inspection will be determined in light of applicable laws and ordinances, including applicable foreign-country laws and ordinances) and the Japan offices of foreign banks. In inspections of cooperative financial institutions, inspectors should be aware that cooperative financial institutions are only required to select accounting auditors in limited cases.

Notes on the use of this manual in inspections

This manual is only a handbook to be used by inspectors in the inspection of financial institutions. It is expected that, as part of their efforts to ensure sound and proper operations and in accordance with the principle of self-responsibility, individual financial institutions will fully exercise their creativity and innovation to voluntarily create their own detailed manuals. These institutional manuals should make note of the content of this manual and be adapted to the size and nature of the institution.

The check points in this manual represent criteria to be used by inspectors in evaluating the risk management systems of financial institutions. They do not constitute direct statutory obligations to be achieved by institutions. Care must be taken that the manual is not employed in a manner that is mechanical and unvarying. There may be cases in which the letter of the checklist description has not been fulfilled, but the institution has nonetheless taken measures that are, from the perspective of ensuring the soundness and appropriateness of its operations, rational, and these measures are equivalent in their effects to the descriptions for the check point or are sufficient given the size and nature of the institution. In such cases, the institution’s measures should not be deemed inappropriate.

Inspectors will therefore need to engage in full discussion of relevant points with financial institutions during on-site inspections.

In inspecting computer system risk management, inspectors will need to be fully aware of the importance and nature of individual systems.

• System importance refers to the size of the impact that a system has on customer transactions and management decisions.

• System nature refers to centralized main frame systems in computer centers, decentralized systems such as client/server configurations, stand-alone systems in user divisions, and the like, and the use of management methods that are appropriate to the system.


Explanation of check points

1) Unless explicitly stated otherwise, items expressed in the form of questions such as “does the institution” or “is the institution” are minimum standards that are expected of all financial institutions. Inspectors, as they go through their checklists, need to fully verify the effectiveness of these items.

2) Unless explicitly stated otherwise, items worded in the form of “it would be desirable that” constitute “best practice” for all financial institutions. Inspectors need only confirm these items.

3) Items that are a combination of the two represent minimum standards for internationally active banks (those financial institutions calculating their capital adequacy ratios according to the Basle standards) but serve only as best practices for other financial institutions (those calculating their capital adequacy ratios according to domestic standards).

Distinction between “board of directors” and “board of directors etc.”

1) Items that are defined as roles of the “board of directors” are items for which the board of directors itself needs to determine all essential matters. This does not, however, preclude the board of directors from delegating consideration of draft documents to the management committee or similar bodies.

2) The phrase “board of directors etc.” includes the board of directors, the management committee, the business steering committee, and similar bodies. Items that are defined as roles of the “board of directors etc.” would ideally be determined by the board of directors itself, but may be delegated to the management committee etc. provided that there has been a clear delegation of this authority from the board of directors, the management committee etc. has kept minutes of its proceedings and other materials that would allow after-the-fact confirmation, and there are adequate internal controls in place, e.g., the results are reported to the board of directors, and auditors are allowed to participate in the management committee etc.

Item | Risk Management System Check Point | Explanation of Risk Management Check Points | Remarks

I. Awareness of risk management etc.

1. Awareness of directors and role of board of directors

(1) Articulation of strategic goals based on management philosophies for the institution as a whole

(1) Does the board of directors articulate strategic goals? Do these strategic goals include strategic guidelines for computer systems that see computer systems as part of management strategy in light of advances in information technology?

Do strategic guidelines for computer systems specify: 1) system development priorities (priorities in institutional response, for example, adaptation of computer systems for Y2K, European integration, consolidated accounting and the like), 2) computerization progress plans, 3) computer system investment plans and other relevant matters?

(2) Establishment of risk management guidelines

(2) Does the board of directors articulate basic guidelines for risk management? Do the basic guidelines for risk management include security policies (basic policies for the appropriate protection of the information assets of the organization)?

Do security policies specify: 1) information assets to be protected, 2) reasons for protection, 3) locus of responsibility etc. for protection, and other relevant matters?

Note: “Internal inspections” refers to head office inspections by the inspections division and to self-inspections by the business divisions and branch offices.

II. Establishment of appropriate risk management systems

1. Awareness and evaluation of risk

Identification of the locus and types of risk to be managed

1) Is the institution aware of and does it evaluate risks across the entire system, including evaluations of systems for different operational functions such as the accounting system, information system, external system, securities system, and international system?

2) If divisions other than the computer systems division build their own computer systems, are they aware of and do they evaluate the risks in these systems?

3) Is the institution aware of and does it evaluate the increasing diversity and degree of risk from the expansion of networks (the Internet, electronic mail) and the spread of personal computers?

2. Division of responsibilities

Erection of mutual checking systems

1) Do institutions calculating their capital adequacy ratios according to international standards divide responsibilities between a computer systems development division and administration division in order to eliminate individual mistakes or malicious actions?

For foreign offices, the standards in “2)” below are acceptable.

2) It is desirable that institutions calculating their capital adequacy ratios according to domestic standards engage in the separation of responsibilities described in “1)” above. However, if it is difficult for them to clearly separate the development and administration divisions because of staffing constraints, do they provide mutual checking, for example, in the form of regular rotations of staff between the development and administration divisions?

3) Regardless of the organizations described in “1)” and “2)” above, does the inspections division etc. provide checking functions for systems that by nature make it difficult to separate development and administration organizations, for example, end user computing (EUC)?

4) Does an inspections division independent of the systems divisions perform regular systems inspections?

5) Are inspection results regularly reported to the board of directors etc.?

III. Monitoring activities and correcting deficiencies

1. Internal inspections

(1) Organization of inspections division

(1) Does the inspections division have personnel versed in computer systems?

(2) Methods and content of inspections performed by inspections division

(2)

1) Do inspections cover all operations that are related to computer system risk?

2) Are computer systems divisions and divisions that erect their own systems inspected by the head office in principle at least once per year?

3) Are the procedures for use of computer equipment outside the computer systems divisions (for example, terminals and ATMs in branch offices) checked?

4) It is desirable that internal inspections enable confirmation of auditing trails (journals and other records that trace processing content and the like) and provide evidence of the content of system operations.

(3) Computer crime and accidents

(3) Does the institution have organizations that are fully aware of computer crime (introduction of viruses and unauthorized programs, destruction of CD/ATM equipment and theft of cash, card fraud etc.) and computer accidents (hardware and software failures, operational misses, telecommunications line failure, power outages, external computer failures etc.)? Does it have systems for after-the-fact checking (administrative and maintenance inspections)?

2. External audits

Use of external auditors

Do institutions calculating their capital adequacy ratios according to international standards undergo external audits of computer system risk at least once every three years? (It is desirable that institutions calculating their capital adequacy ratios according to domestic standards also be audited.)

IV. Planning and development systems

1. Planning and development organizations

(1) Planning and development organizations

(1)

1) Does the institution formulate planning and development rules to encourage the introduction of extremely reliable and efficient computer systems?

2) It is desirable that the institution have a Computerization Committee or other company-wide screening organization.

3) Does the institution formulate medium- and long-term development plans?

4) Does the institution study the effects of investments in computer systems and report findings to the board of directors when necessary in light of the importance and nature of the system (and always for findings regarding investment effects for computer systems divisions as a whole)?

5) Does the institution have clear rules for studying and approving development proposals?

6) Are modifications etc. to functioning systems subject to approval?

(2) Development management (2)

1) Does the institution standardize development documentation and programming methods?

2) Does the institution assign responsibilities for individual development projects? Does the board of directors etc. check projects in light of the importance and nature of the system?

(3) Formulation of rules and manuals (3)

1) Does the institution have rules and manuals for design, development and administration?

2) Does the institution review computer systems as warranted by the nature of operations?

3) It is desirable that the institution formulate standard requirements for design and development documents and create documents in conformance with these standards.

4) It is desirable that computer systems leave auditing trails (journals and other records that trace processing content and the like).

5) Are manuals and development documentation easily understood by technically competent third parties?

(4) Testing (4)

1) Is testing appropriate and sufficient?

2) Does the institution have testing implementation organizations in place so as to prevent inadequate testing and reviews from causing problems that would have a prolonged influence on customers or serious malfunctions in the creation of risk management documents and other materials used in managerial decision-making?

3) Does the institution create testing plans?

4) It is desirable that user divisions participate in general tests.

5) Are acceptances made by executive personnel fully capable of understanding systems?

(5) Training (5)

1) Does the institution train personnel in the operations for which systems are being developed, not just in development technology?

2) It is desirable that development personnel be versed in derivatives, electronic payments, and other areas requiring high degrees of specialization, and also in new technologies.

(6) Outside provider management (6)

1) Does the institution sign confidentiality agreements when consigning computer systems development to outside vendors etc.?

2) Does the institution place necessary restrictions on the data accessible by personnel seconded from outside vendors etc.?

3) Does the institution monitor the implementation of outsourced work through management ledgers and the like?

2. Expansion into new areas

Expansion into new areas

It is desirable that the institution gather and research information on new fields and new technologies, and study its position vis-à-vis management strategy.

V. Organizational issues

1. Management organizations

(1) Security management (1)

1) Does the institution assign security managers to appropriately manage security in accordance with preestablished guidelines, standards, and procedures?

Note: The following are examples of perspectives that might be used in security.

a) Physical security (explanation)

• Measures to prevent physical intrusion

• Crime-prevention equipment

• Enhancements to computer operations environments

• Maintenance and inspections of equipment etc.

b) Logical security (explanation)

• Mutual checking among and within development and administrative organizations

• Development management organizations

• Measures to prevent electronic intrusion

• Program management

• Evaluation and management of outside software packages at the time of introduction

• Operational security management etc.

2) Do security managers control the management organizations for computer systems, data, and networks?

(2) Computer system management (2)

1) Does the institution have computer system management procedures in place to ensure safe and smooth operation of computer systems and prevent unauthorized access? Does it assign computer system managers to provide appropriate management?

2) It is desirable that the institution assign system managers to individual systems or individual operations.

3) Does the institution study its computer system assets at least once per year and engage in appropriate scrap-and-build programs?

4) Does the institution have appropriate and adequate organizations to manage the equipment and machinery in its head office, branch offices, and computer center?

5) Does the institution have appropriate and adequate organizations to manage computers used off-premises?

6) Do divisions other than computer systems divisions who build their own computer systems have system managers?

(3) Data management (3)

1) Does the institution assign data managers to ensure the confidentiality, completeness, and utility of data?

2) Does the institution provide for safe and smooth utilization of data by formulating rules and manuals covering data management procedures and use authorization procedures etc. and ensuring that relevant employees are thoroughly familiar with these rules and manuals?

3) Does the institution have appropriate and adequate organizations to protect data, prevent unauthorized use of data, and prevent the introduction of unauthorized programs?

(4) Network management (4)

1) Does the institution assign network managers to appropriately manage network operations and control and monitor access?

2) Does the institution provide for safe and smooth network operations by formulating rules and manuals covering national management procedures and use authorization procedures and ensuring that relevant employees are thoroughly familiar with these rules and manuals?

3) Do institutions calculating their capital adequacy ratios according to international standards provide for alternative means should networks be down? (It is desirable that institutions calculating their capital adequacy ratios according to domestic standards also provide this.)

2. System administration organizations

(1) Clarification of work responsibilities (1)

1) Does the institution clearly separate responsibilities for data reception, operations, work results verification, and data program storage?

2) Does the institution ban operators from accessing data and programs outside of their areas of responsibility?

(2) Systems operation management (2)

1) Does the institution engage in operations based on work schedules, instructions and the like?

2) Does the institution engage in operations based on approved work schedules and instructions?

3) Does the institution record all operations and have managers check them based on predefined checklists?

4) It is desirable that the institution enable important operations to be performed by multiple employees or, wherever possible, automate their performance.

5) Does the institution provide for report outputs and obtain and keep work histories so that managers are able to check operations processing results?

6) Does the institution ban developers in principle from accessing operations? Does the institution provide for identification of developers and after-the-fact inspections of access by operations managers in the event that development personnel must access operations, for example, in order to remedy failures?

(3) Incident management (3)

1) Does the institution require records to be filled out and when necessary reports to be issued to the head office in the event of problems?

2) Does the institution regularly analyze the nature of problems and take necessary countermeasures?

3) In the event of important problems that would have a serious influence on business, do divisions speedily work in coordination with the head office to find solutions and do they report to the board of directors?

(4) Outside provider management (4)

1) Does the institution sign confidentiality agreements when consigning computer systems development to outside vendors etc.?

2) Does the institution place necessary restrictions on the data accessible by personnel seconded from outside vendors etc.?

3) Does the institution monitor the implementation of outsourced work through management ledgers and the like?

(5) Protection of customer etc. data (5)

1) Does the institution in principle prohibit the disclosure of customer data to third parties except as permitted by law or agreed to by the customer himself/herself? Does the institution provide for appropriate management of customer data handling by assigning managerial responsibilities and formulating management methods and handling methods?

2) Does the institution have appropriate safety measures to counteract the risk of unauthorized access to customer data, or the loss, damage, falsification, or disclosure of customer data?

(6) Improper access prevention (6)

1) Does the institution have systems to prevent unauthorized access by confirming the identity of the person or terminal accessing systems as appropriate for the nature of the operation and the connection method?

2) Does the institution obtain system operations histories as an auditing trail to manage unauthorized access and enable after-the-fact auditing and regular checking?

(7) Computer viruses etc.

(7) Does the institution have measures in place to prevent the introduction of computer viruses and other unauthorized programs? Does it have systems in place to quickly discover and eliminate these programs in the event of introduction?

• Computer virus infection

• Records of programs that have not gone through standard procedures

• Intentional modification of authorized programs

VI. Crime prevention, disaster mitigation, back-ups, and prevention of unauthorized access

(1) Crime prevention (1)

1) Does the institution have an anti-crime organization and manager in order to prevent criminal activities?

2) Does the institution engage in appropriate and adequate management designed to prevent actions that would threaten the safety of computer systems, for example, management of entry and exit from work areas, management of important keys etc.?

(2) Disaster mitigation (2)

1) Does the institution have a disaster-mitigation organization and manager to mitigate damage and carry on work in the event of disaster?

2) Are these organizations in line with disaster-mitigation organizations and business organizations, and are there clear assignments of responsibility for individual operations?

3) Does the institution have measures to combat damage from fire, earthquake, and flooding?

4) Does the institution have predetermined evacuation points for important data etc.?

(3) Improper access prevention

(3) Does the institution clearly set and manage authority to use terminals and access data and files as warranted by the degree of importance of the terminals, data, and files?

(4) Back-ups (4)

1) Does the institution obtain back-ups to enable response in the event of damage or failure of important data files and programs? Does it formulate clear management methods therefor?

2) Does the institution take care to provide decentralized storage and remote-location storage when it obtains back-ups?

3) Do institutions calculating their capital adequacy ratios according to international standards have off-site back-up systems for their branch office on-line systems and other important computer systems? (It is desirable that institutions calculating their capital adequacy ratios according to domestic standards also have off-site back-up systems.)

4) Does the institution document its back-up cycle?

(5) Formulation of contingency plans (5)

1) Does the institution formulate contingency plans to prepare for disasters and other events that would prevent computer systems from functioning in a normal manner?

2) Does the institution seek approval from the board of directors in the formulation and any important reviews of its contingency plans? (Does it seek the approval of the board of directors etc. for other, less-important reviews?)

3) Does the institution base its contingency plans on “Contingency Plan Procedures for Financial Institutions” and “Contingency Plan Formulation Manual for Financial Institutions” (edited by the Financial Institution Information Systems Center)?

4) Does the institution envision causes from within and outside the institution in the formulation of its contingency plans, not just disasters and other emergencies?

5) Does the institution analyze the impact on the payments system and the damage to customers in the formulation of contingency plans?