I am writing to require your institution, if it has not already done so, to develop and implement policy and procedures to assess and manage Year 2000 risks posed by counterparties.
An authorized institution ("AI") is subject to increased risks (e.g. credit risk, liquidity risk and counterparty trading risk) when its counterparties encounter Year 2000 problems. These problems may result from a counterparty's own failure to achieve Year 2000 compliance, or from problems that are not addressed by its service providers, clients or other external dependencies.
The Hong Kong Monetary Authority ("HKMA") expects all AIs to develop and implement a counterparty assessment framework to identify, assess and establish controls in relation to Year 2000 risks posed by counterparties. Your institution should aim to substantially complete the counterparty assessment process before 31 March 1999. This should also include establishing the overall potential impact of Year 2000 counterparty risks on your institution, and controls to be implemented to manage and mitigate these risks. Your institution should also incorporate counterparty risk assessment into the normal due diligence process on new counterparties as soon as possible.
It should be stressed that it is your responsibility to identify and manage any counterparty risks, whether or not Year 2000 related, in an effective manner. In fact, I am aware that many of you have put in place counterparty assessment policy and procedures. To assist those who have not yet done so, the attached Guidance Note sets out some suggestions. However, it should be noted that the guidance provided is neither exhaustive nor universally applicable. Each institution must tailor its risk management process having regard to factors such as its size, appetite for risk-taking, reliance of counterparties on IT systems and the level of its own Year 2000 risk exposure.
The process of developing and implementing a counterparty assessment framework is likely to take several months to complete. Hence, you are advised to give early attention to the matter and to draw up a realistic processing time-frame, having considered factors such as your institution's scale of operations, resource availability and the complexity of the assessment. You should also ensure that yourself and other members of the senior management are in a position to review and approve the counterparty assessment framework before its implementation, and to monitor the progress and results of assessment on a regular basis.
Should you have any queries on the above, please contact Mr Vincent Lee at 2878-1384.
(a) | Identify material counterparties
The assessment framework should help identify counterparties that pose material risk exposure to the AI. It is for the AI to judge what constitutes material risk exposure to the institution which may depend on any one or more of the following factors:
Institutions should note that while the risks posed by an individual counterparty may not be material, the risks posed by a group of counterparties may be if they have common dependencies, e.g. a sizable agent to which a large group of counterparties might have outsourced their computer operations. In such cases, the assessment should be carried out on the dependencies concerned, instead of the counterparties themselves. Another example where assessment may have to go beyond institutions' counterparties is the potential exposure due to diminution in the value of the collateral, e.g. where shares of a Year 2000 non-compliant company are being used as collateral. In material cases, an assessment should be carried out on the company concerned. |
(b) | Assess Year 2000 efforts of material counterparties
The next step is for AIs to assess whether a material counterparty has the necessary commitment and resources to achieve Year 2000 compliance. Needless to say, staff should be trained to assess Year 2000 efforts of material counterparties. If institutions consider that outside assistance is necessary, many reputable firms have training courses available for this purpose. To ensure that the information received is consistent and provides a basis for comparison, it would be useful for AIs to develop standard sets of assessment form to assess the Year 2000 efforts of material counterparties. Some counterparties may be reluctant to disclose their Year 2000 compliance efforts. AIs should ensure that these cases are followed up. If the responses are insufficient after repeated requests, the risk assessment should reflect this. (It is worth noting that in certain cases, a face-to-face interview can be more effective in getting responses than by sending around standard questionnaire). Institutions should document any findings from the assessment, follow-up actions and status updates on material counterparties. |
(c) | Evaluate Year 2000 risks on the institution
After the assessment, the Year 2000 risks posed by material counterparties should be evaluated both on an individual and aggregate basis. Institutions may find it useful to adopt a risk rating system. A simple system, e.g. low, medium and high risks, may be sufficient. The management should determine follow-up actions in respect of each category of risk rating. The rating should also be factored into the overall credit assessment of the counterparty. Compliance progress of counterparties should be monitored on a regular basis. Those with a higher risk rating or higher potential impact should be monitored more frequently e.g. on a bi-monthly basis. The risk exposure of the AI's cash flows, balance sheet, etc. should be evaluated and reported to the senior management on a regular basis. |
(d) | Develop appropriate risk controls
Following the evaluation of Year 2000 risks posed by counterparties, AIs should consider appropriate measures to manage and mitigate these risks. Different risk management controls may be needed to address unique and material Year 2000 issues that may arise from different categories of counterparties. However, in general, the following considerations should be given:
|