VISUALIZACIÓN DE LA NORMA

1 Introduction 3

2 Own funds target and ICAAP criteria. 4

2.1 Own funds target. 4

2.2 Criteria for consideration in conducting the ICAAP 5

3 Practical implementation of the ICAAP: yearly internal capital adequacy assessment report. 7

3.1 Executive summary and conclusions. 8

3.1.1 Risk profile of the institution 8

3.1.2 Governance and risk management and control systems 9

3.1.3 Own funds target: level, composition and distribution among legally independent group institutions 9

3.1.4 Capital planning 9

3.1.5 Programme of future measures 9

3.1.6 Other matters 10

3.2 Internal governance, risk management and internal audit of risks. 10

3.2.1 Internal governance 10

3.2.1.1 Description of the institution’s organisation 10

3.2.1.2 Functions and responsibilities of the Board of Directors relating to the management of risks, their internal control and capital adequacy 10

3.2.1.3 Internal governance assessment 11

3.2.2 Risk management 11

3.2.2.1 Corporate risk culture: general principles of risk management 11

3.2.2.2 Specific aspects of each risk 11

3.2.2.3 Overall assessment of risk management 13

3.2.3 Internal audit of risks 13

3.2.3.1 Risk review-related internal audit tasks 13

3.2.3.2 Internal audit assessment 13

3.3 Measurement of risks and quantification of the capital needed to cover them 14

3.3.1 Assessment of capital needs for credit risk 15

3.3.2 Assessment of capital needs for credit concentration risk 16

3.3.3 Assessment of capital needs for market risk 17

3.3.4 Assessment of capital needs for operational risk 18

3.3.5 Assessment of capital needs for interest rate risk in the banking book 19

3.3.6 Assessment of capital needs for liquidity risk 20

3.3.7 Assessment of capital needs for other risks 20

3.4 Aggregation of capital needs and reconciliation adjustments 21

3.4.1 Aggregation of capital needs for the various risks 21

3.4.2 Adjustments made to reconcile the management and solvency approaches 22

3.5 Capital planning 23

3.6 Programme of future measures 25

3.7 Other matters 25

4 Review of this information by the Banco de España 25

Annex 1.1 Capital report format 26

Annex 1.2. Return IAC01 and instructions for completing it 31

Annex 2. Sectoral and individual concentration 42

Annex 3. Principles of the internal capital adequacy assessment process (ICAAP) 44

Annex 4. Provisions concerning internal governance 47

Annex 5. Guidelines relating to Pillar 2 drafted by the EBA and the BCBS 52

The aim of these guidelines is to simplify the application of the internal capital adequacy assessment process (ICAAP) for institutions, as provided for in article 123 of Directive 48/2006 of the European Council and of the Parliament on the taking up and pursuit of the business of credit institutions (hereinafter the Directive). In this internal capital adequacy assessment process it is necessary to consider the qualitative aspects of risk management and, therefore, these guidelines also provide details for implementing article 22 of the Directive on corporate governance and risk management and control.

[2]

These articles in the Directive have been developed by the European Banking Authority (EBA)[3] in its documents entitled “Guidelines on the Application of the Supervisory Review Process under Pillar 2”, published on 25 January 2006, and Guidelines on Internal Governance, published on 27 September 2011. The present guidelines are based on the principles and criteria laid down in these EBA guidelines[4], a summary of which is included in Annexes 3 and 4. Annex 5 indicates other guidelines relating to Pillar 2 drafted by the EBA guidelines and the Basel Committee on Banking Supervision.

Articles 22 and 123 of the Directive have been transposed into Spanish legislation in Article 30 bis, paragraph 1 bis of Law 26/1988 on the Discipline and Intervention of Credit Institutions, and in Article 6, paragraph 4 of Law 13/1985 on Investment Ratios, Capital and Reporting Obligations of Financial Intermediaries, which have been implemented in Royal Decree 216/2008 on the own funds of financial institutions in Article 66 (Organisation, risk management and internal control requirements), 67 (Risk management policy) and 68 (Internal capital adequacy assessment process), and also in the rules in the chapter ten on internal governance and capital assessment of Banco de España Circular 3/2008 on the determination and control of minimum regulatory capital (henceforth the Circular).

The aim of the Basel Pillar 2 is to ensure an appropriate relationship between the risk profile of credit institutions and the capital they actually hold, both in absolute terms and in terms of composition (core capital, Tier 1 capital, Tier 2 capital)[5], and, where appropriate, in terms of the distribution between the different legally independent entities of a consolidated group of credit institutions. This alignment between the capital and risks of institutions will make for better risk management.

To achieve this aim, and as stipulated in Article 123 of the Directive, institutions should conduct a process (ICAAP) to identify, measure and aggregate their risks, in order to determine the capital needed to cover them. This process should also include medium-term capital planning and establish an own funds target which allows an adequate buffer over the legal requirements of Pillar 1 to be maintained on a permanent basis.

2.1 Own funds target.

The own funds target is that which the institution considers necessary to maintain both at present and in the future period addressed in its capital planning. The target should be in keeping with the risks inherent in the institution's activity, the economic environment in which it operates, the governance and risk management and control systems, the strategic business plan, the quality of the capital available (ratio of Tier 1 own funds to total own funds) and the actual possibilities of obtaining more capital if needed.

To determine the own funds target, once the capital needed under Pillar 1 has been calculated, the institution should, by means of the ICAAP, review and assess the other risks or factors that have not been considered and which, owing to their significance, should be taken into account. It should further estimate the capital needed to cover all risks and to maintain an adequate buffer in respect of the legal minimum capital requirements under Pillar 1.

The own funds target is not automatically deducted from the arithmetic sum of the magnitudes obtained in the ICAAP and included in its summary (see final table of Annex 1), since to determine the own funds target, institutions should consider as a whole all the aspects referred to in the two foregoing paragraphs and which are explained in these guidelines. Insofar as the ICAAP brings to light larger capital needs additional to those of Pillar 1 or larger deficiencies in internal governance or in management or control of their specific risks, the larger the buffer in respect of the minimum capital requirements under Pillar 1 should be.

Institutions should consider whether they need a greater capital buffer owing to a limited geographical or business sphere of operations.

The own funds target is a reference set by the institution itself, with a reasonable buffer or range of fluctuation, based on its future expectations. Institutions should attempt to ensure the medium term sustainability and consistency of this objective, irrespective of possible temporary imbalances which may arise as a result of adverse impacts or specific circumstances (e.g. one-off corporate transactions).

The own funds target set should also enable institutions to meet their minimum capital requirements under Pillar 1 in the event of a severe economic recession or of clearly unfavourable business circumstances. Thus, institutions should use appropriate stress scenarios of the type and in the manner mentioned in Section 3.5 of these guidelines.

If the own funds actually held are below the target set, the institution should inform the Banco de España of the causes of the situation and of the measures envisaged to return to this target.

2.2 Criteria for consideration in conducting the ICAAP

The ICAAP gives priority to the quantitative aspects of risk management and to the estimation of capital needs. However, the importance accorded to the qualitative aspects of risk management and control should not be sidelined. Accordingly, there is a clear relationship between a credit institution's capital needs, on one hand, and the soundness and effectiveness of its internal governance, risk management and control systems and procedures, on the other.

In performing the ICAAP, institutions should take into account the following criteria:

- The assessment process is the responsibility of the institutions and should be carried out by them. Consequently, although these guidelines are intended to direct this process, it is the institutions that will decide its exact content and the extent and depth of the analysis, following the principle of proportionality set out in the paragraph below and which is fundamental so that they are not overburdened by this process.

- The capital assessment process should be proportionate to the degree of sophistication of each institution's activities, to its risk management systems and to the approaches (standardised or advanced) used in Pillar 1. This proportionality principle (included in the EBA Guidelines) is especially applicable to small and less complex institutions.

- Institutions should focus their internal capital adequacy assessment on organisational and control aspects and on the risks that are relevant to them and which may affect their current or future solvency.

- The process should take into account the impact of the business cycle and also of adverse external conjunctural factors on the capital the institution needs. This will involve developing sufficiently detailed and rigorous stress scenarios for the various risks. Nonetheless, to this end the aforementioned principle of proportionality should also be taken into account.

The result of the internal capital adequacy assessment process, should shortcomings or weaknesses be detected, need not be an increase in capital needs; it may also or alternatively entail the need to improve internal governance, the strengthening of risk management systems or the stepping up of internal controls.

The performance of the ICAAP does not mean that the risk management systems used by institutions should be changed, although in view of the result of such process it may be concluded that they should be improved.

The internal capital adequacy assessment process should be based on the analysis of risks by the institution for the management of such risks, but at the same time it should have a useful solvency approach. Hence, when necessary, the necessary capital amounts derived from the assessment of risks from a management perspective should be reconciled with those deemed appropriate from a solvency perspective. This reconciliation is explained in greater detail in Section 3.4.2 of these guidelines.

The calculations of the capital needed under Pillar 1 implicitly entail a wide diversification, since they have been calibrated for internationally active banks which, given their size and nature, have a significant diversification of their business. Consequently, institutions should, in the ICAAP, consider additional benefits of diversification in a prudent and sufficiently substantiated manner.

The Banco de España will review and evaluate the ICAAP and the internal governance environment in which it is performed applying the risk-based approach to banking supervision (SABER, by its Spanish acronym). The dialogue on the ICAAP between the institution and the Banco de España will be an essential part of the ICAAP review and assessment process. However, the Banco de España will also bear in mind other relevant information available to it, and specifically that arising from its status as supervisory authority.

One important aspect of the ICAAP at those institutions which use advanced methods under Pillar 1 (IRB approach for credit risk, AMA for operational risk, or VaR models for market risk) is the self-assessment of compliance with the minimum requirements established in the Circular for their use (internal validation). However, this aspect of the ICAAP is beyond the scope of these guidelines, as it has been addressed in the Guidelines on the implementation and validation of advanced approaches previously published by the Banco de España, in line with the related EBA guidelines on this matter dated 4 April 2006 and entitled Guidelines on validation.

To formalise the ICAAP and facilitate its review by the Banco de España, the capital assessment process should be included in a report known as the yearly internal capital adequacy assessment report (hereafter "the capital report"). This will be sent to the Banco de España along with the year-end own funds reporting and is therefore a confidential document.

The report should contain the following sections:

1. Executive summary.

2. Internal governance, risk management and internal audit of risks.

3. Measurement of risks and quantification of the capital needed to cover them.

4. Aggregation of the capital needs and reconciliation adjustments.

5. Capital planning.

6. Programme of future measures.

7. Other matters.

Given the importance this report will have for the institution itself and for the Banco de España review, the institution's management (Board of Directors or equivalent body) should be apprised of the report's content and approve it.

Detailed below are the contents of the different sections of the report. The institutions should, however, adapt the content of the capital report to their own needs and circumstances, as this report should contain the relevant information substantiating the summary, conclusions and programme of future measures. The principle of proportionality to be applied in the internal capital adequacy assessment process should also be reflected in the content of the report, so that it is focused on the relevant risks and aspects for the institution.

The capital report should be self-explanatory. However, to prevent institutions from duplicating information published previously on their own initiative or in compliance with legislation, the various sections of the report, except Section 1 (executive summary and conclusions) and Section 6 (programme of future measures), may be completed through the inclusion of parts of other previously published reports, indicating the source. Such sections should be updated and attached as annexes. In any event, the information included should conform to the aim and requirements of the capital report.

Given the foreseeable stability over time of the systems and procedures relating to internal governance, risk management and internal audit of risks, the sub-sections of Part 3,2 of the report may be completed by reference to the sub-sections of the report submitted in the previous two years, as long as significant changes have not taken place. Nevertheless all the sections relating to internal capital adequacy assessment should be updated every year and a general update of Section 3.2 of the report carried out every three years.

Annex 1 includes a report format which concludes with the summary ICAAP return. In case of groups of credit institutions the summary return should be broken down by significant institution. To this end significant institutions will be identified in Section 1 of the capital report. This identification will, when appropriate, be carried out in co-operation with other supervisors. The different sections or sub-sections of the report should also be broken down by significant institution when there are major differences with respect to the group.

3.1 Executive summary and conclusions.

The aim of this section of the report is to offer an overview of the internal capital adequacy assessment process and of the main conclusions, which are set out in greater depth in the other sections of the capital report.

First, the scope of application of the ICAAP should be indicated (individual institution, consolidated or sub-consolidated group) and, if a consolidated group of credit institutions is involved, the institutions included in the ICAAP should be listed in an annex, showing those considered significant for the purpose of the last paragraph of section 3. According to that paragraph, if in a group of credit institutions there are significant differences in any relevant subsidiary credit institution with respect to the group as a whole, such differences should be specified in the related section of the capital report, indicating the institution where such differences are present and, where appropriate, the envisaged period within which the subsidiary institution in question will come under the general managerial scope of the group.

Since the capital report contains sections relating to different departments of the institutions, the department or person responsible for the integration of the different parts and for their review should be indicated. The capital report will indicate the contact person with the Banco de España on matters relating to the capital report[6]. The capital report should be signed by the individual designated as the contact person for the Banco de España. The date of its approval by the Board of Directors or equivalent body should be indicated.

Next, this section should reflect the following:

3.1.1 Risk profile of the institution[7]

The material risks to which the institution is exposed should be outlined, and a summary assessment of the exposure to the risks and of the quality of these exposures should be made. The assessment should refer to the inherent risk and draw on quantitative data wherever possible. In this connection, exposure and risk quality indices and parameters suited to the different risks should be used. The section should conclude with an analysis and assessment of the institution's overall risk profile.

When presenting the inherent risk in the capital report, institutions should follow the risk structure and definitions and the risk matrix ratings (high, medium-high, medium-low or low) used by the Banco de España in its supervisory process. This matrix is published in the document “The Banco de España Supervisory Model”. To establish the rating for each risk, institutions should follow their internal criteria.

This section of the report shall finish with an analysis and assessment of the institution’s overall risk profile.

3.1.2 Governance and risk management and control systems

A broad assessment should be made of the suitability of internal governance and of risk management and control systems for the institution's risk profile. Where necessary, weaknesses should be highlighted, indicating whether they are in the process of being resolved or not.

3.1.3 Own funds target: level, composition and distribution among legally independent group institutions[7]

The own funds target should be established in terms of core capital and as a capital ratio (e.g. 7%). This target should be compared with the core capital actually available on the capital reporting date. To this end, the definition of core capital used will be that of “common equity” established by the Basel Committee, including any criteria for applying this definition set out in European and Spanish legislation.

In addition, groups of credit institutions should indicate their policies and targets for the distribution of capital among the various significant legally independent institutions, considering the individual risks at each one, and specifically indicating the policy and own funds target of the group parent. To do this, the ability or actual possibility to transfer, if necessary, capital among the different group institutions by means of dividends or capital increases should be taken into account. The aforementioned targets should be compared with the own funds effectively available at each credit institution (parent or subsidiary) at the reporting date, stating any available own funds in excess of the limits.

On setting own funds targets, it should be indicated whether the rating the institution wishes to maintain has been taken into account and if so, what that rating is.

3.1.4 Capital planning

Capital planning for the future should be summarised and assessed, including the institution’s policy for dividends (where appropriate) and capitalisation, and indicating the time period (necessarily the medium-term) the planning spans.

3.1.5 Programme of future measures

Where appropriate, the significant limitations or weaknesses identified in the ICAAP, the measures envisaged in the plan of action to correct them and also the possible changes (improvements) foreseen in risk management should be summarised.

3.1.6 Other matters

Other matters that the institution considers relevant should be reflected.

3.2 Internal governance, risk management and internal audit of risks.

This section of the report includes the qualitative aspects of the ICAAP relating to internal governance, risk management and the internal audit of risks. The content of this section should be proportional to the size and complexity of each credit institution. For groups of credit institutions the different sub-sections should be broken down into significant subsidiaries when there are major differences with respect to the group.

3.2.1 Internal governance

The aim of this section is to summarise the institution's organisation and governance policies in respect of risk management.

In preparing this section, regard should be had to the principle of proportionality that should underlie all information included in the capital report.

This section of the report should specifically include:

3.2.1.1 Description of the institution’s organisation

The institution’s organisation chart should be indicated, including the Board of Directors or equivalent body and its committees, with their composition, functions and responsibilities, organisational and working rules, powers and delegations. Diagrams reflecting the organisation and functional reporting lines of the related bodies should be included in this section.

3.2.1.2 Functions and responsibilities of the Board of Directors relating to the management of risks, their internal control and capital adequacy

It should be specified how the institution's Board of Directors takes responsibility for:

- The nature and level of the risks borne.

- The correspondence between this level of risks and existing capital.

It should be stated how the institution's Board of Directors establishes the corporate risk culture and ensures that:

- The sophistication of risk management and measurement processes is suited to the institution’s risks and business.

- The internal control systems are appropriate for ensuring orderly and prudent management of the institution's business and risks.

- The own funds targets are tailored to the institution’s risk profile and to the economic environment in which it operates.

For illustrative purposes, this section should include a summary report of the risk-related activities performed by the Board of Directors during the year.

3.2.1.3 Internal governance assessment

This section should conclude with a broad assessment of the institution's internal governance relating to risk management, indicating where appropriate deficient aspects.

The assessment process will consider, among other things, the degree of compliance with the provisions of the EBA Guidelines on internal governance (GL44) regarding the different aspects of it, as shown in Annex 4. Besides evaluating this compliance, weaknesses or vulnerabilities observed should be made apparent, considering, following, where appropriate, the principle of proportionality set out in those guidelines. [8]

When making this valuation it should also be considered the degree of fulfilment of the recommendations of the “Unified Code of Good Governance” approved as “unique document with the recommendations of corporate governance” by the CNMV on 22 May 2006.

The conclusions of the assessment process will be shown in this section of the report. [8]

3.2.2 Risk management

This section of the report should address the following:

3.2.2.1 Corporate risk culture: general principles of risk management

The general principles of risk management should be summarised, indicating the governing body that establishes these principles and the internal policies for their application. It should also be indicated how these internal policies are communicated to the different organisational levels.

The functions and responsibilities of the area of overall risk management and control should be summarised, and it should be indicated how this area integrates into the organisation chart and into the risk function.[8]

3.2.2.2 Specific aspects of each risk

For each of the risks of significance to the institution, the following aspects should be indicated:

3.2.2.2.1 Risk policy: limits, diversification and mitigation.

The maximum exposure limits set for each risk and the policies in place for their diversification and mitigation should be stated. It should be indicated how these policies are applied in practice in the institution's decision-making process.

3.2.2.2.2 Organisation of the risk function and of powers, responsibilities and delegations. Risk control function. Reports on the risk function.

The hierarchy established in the institution for the management of each risk (in its three facets: assumption, measurement and control) and the delegation of functions and responsibilities should be described. The levels of management centralisation-decentralisation, the boundaries of responsibility and authorisation, and the separation of the functions of the various risk management bodies should be explained.

If, for some risk there exists a separate or independent risk function, the structure and responsibilities of the attendant control function should be indicated.

3.2.2.2.3 Management tools: measurement, admission, communication, control and monitoring systems.

A summary description should be given of the tools and procedures for the management of the various risks, indicating the measurement or risk assessment methodology, the approval, communication, control and monitoring systems and procedures, and the IT systems supporting management, including the stress tests carried out[7] and, where appropriate, the historical databases used for measurement.

The periodic or sporadic management reports used and their recipients should be stated, identifying specifically those addressed to the board of directors.

3.2.2.2.4 Policy and tools for the monitoring and recovery of impaired assets.

For those risks in which it is appropriate, the systems and procedures for the monitoring and recovery of impaired assets and bad debts should be indicated.

3.2.2.2.5 Risk management assessment.

The policy, organisation (suitability of the organisational structure, of the delegation of functions, of the activity of the risk-related committees), measurement methodology and management and control systems and procedures of each risk should be assessed.

3.2.2.3 Overall assessment of risk management

Based on individual assessment of the management and materiality of each risk for the institution, a general assessment should be made of the policy, organisation (suitability of the organisational structure, of the delegation of functions, of the activity of the risk-related committees, etc.), measurement methodologies, and risk management and control systems and procedures.

3.2.3 Internal audit of risks

The organisation and reporting lines of the internal audit function should be described. Further, the report should address the following in this section:

3.2.3.1 Risk review-related internal audit tasks

The functions assigned and the resources allocated to periodical risk review by internal audit should be indicated.

Where appropriate, details should be given of the matters examined by internal audit in the area of risks. By way of example, the following may be mentioned:

- Compliance with risk management internal rules (limits, procedures).

- Effective and appropriate use of risk management tools by the organisation as a whole (use test).

- Review of the internal control functions of the risk function, and of their appropriateness and effective functioning.

- Suitability of risk management IT systems.

- Precision and sufficiency of the data used.

- Assessment of risk measurement methodologies.

The main conclusions from the internal audit reports derived from the audit work conducted in relation to the various risks and the corrective measures proposed, if any, should be reflected, indicating the governing body to which the reports are addressed.

3.2.3.2 Internal audit assessment

This section should conclude with an assessment of the suitability of the internal audit function and resources in respect of the tasks assigned to it in the area of risks.

3.3 Measurement of risks and quantification of the capital needed to cover them

This section in the report and the following Section 3.4 include the quantitative aspects of the ICAAP, i.e. those relating to the identification and individual quantification of the different risks to which the institution is exposed and their subsequent aggregation.

The capital calculated in these two sections should be considered in the capital planning in Section 3.5, and should finally be used to determine the own funds target established in Section 2.1, since the institution should, in the present and also in the future period covered by its capital plan, hold a level of capital tailored to its risks and an appropriate buffer in excess of its minimum capital requirements under Pillar 1.

For the assessment of Pillar 1 risks in the ICAAP (i.e. credit, market and operational risks), institutions should, in each of the risk categories indistinctly, choose one of the following options:

- Option 1: use the approach and result obtained under Pillar 1, including where necessary the aspects of each risk not considered in this pillar. Here, institutions should only explain the differences between the calculations of the ICAAP and those of Pillar 1, which should be those due to the additional aspects included.

- Option 2: adapt the Pillar 1 approach to the institution’s risk management. If institutions use this option, they should justify this adaptation which, moreover, should be used in the management of the related risk (without prejudice to the Pillar 1 use test). They should also explain the differences between the results of the ICAAP for this risk and those of Pillar 1. The more the adaptation and the result diverge from the treatment under Pillar 1, the more exhaustive the justification and explanation should be.

For the remaining risks to be taken into account in the ICAAP, the institutions should make their own estimates which they should include in the related section of this report. To facilitate these estimates for the overall group of institutions supervised by the Banco de España, a simplified option is included for each risk aimed, in general, at institutions that apply standardised approaches under Pillar 1. When simplified options are thus indicated, they may also be used by institutions that apply advanced approaches under Pillar 1. Reasons justifying the use of these simplified options need not be given. The institutions that use simplified options may also use own estimates if they consider them more appropriate, but in that case they should give the reasons why they did so and use the related measurement methodology in the management of the risk involved.

In the case of groups of credit institutions, if for some risk there are significant methodological differences of measurement in some major institution, these differences should be included in the corresponding sub-section.

This section of the report should include:

3.3.1 Assessment of capital needs for credit risk

To evaluate credit risk capital needs, institutions should use one of the following options:

- Option 1: use the methodology of Pillar 1 (standardised or IRB) and the result obtained therewith. They should aggregate to this the aspects of the credit risk not considered under Pillar 1, specifically the residual risks derived from the use of risk mitigation techniques (e.g. ineffective guarantees or collateral derived from deficient implementation or management thereof, etc.) and the possible heightened risks stemming from asset securitisation and from lending denominated in foreign currency (e.g. the possible negative effects on the capacity to pay of borrowers as a consequence of fluctuations in interest and exchange rates. [8]

Institutions may replace the foregoing aggregation with an analysis of ther following that justifies why additional capital is not needed[8]:

- Effectiveness of mitigation techniques used in the capital calculation under Pillar 1. Indeed, irrespective of the Pillar 1 methodology used (standardised or IRB), Basel II stimulates and recognises the use of different credit risk mitigation techniques by reducing the capital requirements. Therefore it is necessary that the institutions evaluate the effectiveness of these mitigation techniques, which in many cases require an active and complex management.

- The significant and effective transfer of exchange rate risk from customers in foreign currency lending. [8]

- The significant and effective transfer of risk to third persons and the non-existence of implicit support in the different securitisation programmes undertaken by the credit institution.

- Option 2: adapt the Pillar 1 approach to the institution’s credit risk management. If this option is used, institutions should justify this adaptation. The more the adaptation and the result diverge from the treatment in Pillar 1, the more exhaustive the justification should be. This adaptation should be used in credit risk management. Further, the differences between the results thus calculated and those obtained in Pillar 1 should be explained.

By way of example, two possible situations are mentioned:

- Use of the standardised approach under Pillar 1 and use of the IRB approach for certain portfolios under Pillar 2, since there is a rating system in place for the management of such portfolios.

- At institutions that apply IRB approaches under Pillar 1, the use of correlations other than those used in Pillar 1 in specific portfolios, since they adapt better to the actual risk situation at the institution and are effectively being used in the management of such portfolios; consideration of the benefit of geographical diversification between countries in a different economic area (e.g. between Europe and Latin America), for the same reason. In this case it may be necessary to reconsider the correlations used for the borrowers within each portfolio since when loan portfolios are disaggregated to consider the benefit of the diversification among them, borrowers within each sub-portfolio will show a more uniform behaviour and therefore a higher correlation.

In both options, institutions should separately include in this section their assessment of capital to cover the risk of equity securities not held for trading. To do this they may use the Pillar 1 approach or another methodology they consider more appropriate for managing this risk. If these equity portfolios are significant, institutions should use methodologies sensitive to the real risk assumed. Credit institutions that use methodologies other than those of Pillar 1 should reconcile, if necessary, the results of these methodologies to those obtained from a solvency analysis, in accordance with Section 3.4.2.

The capital report should reflect the option used, the result obtained and, moreover:

- For institutions that use option 1, a specific analysis of the risk mitigation techniques used and their potential residual risk, and of the asset securitisation programmes and of lending in foreign currency and its potential risk not envisaged in Pillar 1. Both risks should be quantified if they are significant.[8]

- For institutions that use option 2, a summary of the methodology used and the reasons for doing so, with the sufficient degree of portfolio disaggregation.

3.3.2 Assessment of capital needs for credit concentration risk

To assess capital needs for credit concentration risk, institutions should use one of the following options:

- Simplified option[7] : Institutions should calculate the sectoral concentration index (SCI) of their credit portfolio using the method set out in Annex 2. If this index is greater than 12, their capital requirements for credit risk under Pillar 1 should be increased as follows:

Institutions should also calculate the individual concentration index (ICI) of the 1,000 borrowers with the largest direct risk exposures using the method set out in Annex 2. If the ICI exceeds 0.1, they should multiply the Pillar 1 credit risk capital requirements for the borrowers included in the index by the multiplier obtained by linear interpolation of the values in the following table:

Additionally, institutions should include a list of the 10 largest indirect and counterparty risks, indicating in both cases the obligor and the amount.

- General option: institutions should use the in-house methodologies they consider to be most suitable, which they should justify and use in managing this risk. This option is obligatory for institutions using IRB approaches under Pillar 1. Institutions must assess their individual (including counterparty and indirect risk), sectoral and geographical concentration. For the purpose of individual and sectoral concentration analysis, the institutions using this option should also calculate their capital needs according to the simplified option above.

It is possible for the measurement of capital needs for this risk to give a result of no capital need, but institutions must justify this outcome.

The capital report should set out the option used, the result obtained and, moreover:

- The information requested in Annex 2.

- The institutions using the general option should summarise the method used and set out the basis for it.

3.3.3 Assessment of capital needs for market risk

To assess capital needs for market risk, institutions should use one of the following options:

- Option 1: use the method and result obtained under Pillar 1 (standardised method or VaR models).

- Option 2: adapt the Pillar 1 approach to the institution’s market risk management. If this option is used, the institutions should justify this adaptation. The more the adaptation and result diverge from the Pillar 1 treatment, the more exhaustive the justification should be. The methodology used should be that employed in market risk management and the differences between the results thus calculated and those obtained in Pillar 1 should be explained.

By way of example, two possible situations are mentioned:

- The institutions using Pillar 1 standardised approaches to measure market risk may use VaR models totally or partially, provided they are actually used in managing market risk in the related portfolios.

- The institutions that use VaR models in Pillar 1 may adapt them in the ICAAP, using parameters actually employed in the management of this risk.

Institutions with no capital needs for this risk need not fill out this section.

In this section, institutions should assess separately the on-balance-sheet structural exchange risk if this risk is material. To do this, they should use methodologies suitable for the level of risk assumed which are effective in assessing the real risk.The capital report should include the option used, the result obtained and, moreover:

- For institutions using option 1, a specific analysis of the material aspects of this risk not captured in Pillar 1, and the additional capital needs, if any.

- For institutions using option 2, a summary of the methodology used and the reasons for doing so, at a sufficient level of detail.

3.3.4 Assessment of capital needs for operational risk

To assess capital needs for operational risk, institutions should use one of the following options:

- Option 1: use the methodology and result of Pillar 1 (basic indicator, standardised or AMA approaches).

- Option 2: adapt the Pillar 1 approach to the institution's operational risk management. In this case institutions should justify this adaptation. The more the adaptation and result diverge from the Pillar 1 treatment, the more exhaustive the adaptation should be. The methodology used should be that employed in operational risk management. The differences between the results thus calculated and those obtained in Pillar 1 should be explained.

By way of example, two possible situations are mentioned:

- An institution using the basic indicator approach under Pillar 1 could use the standardised approach in its ICAAP, for some or all of its lines of business.

- An institution using the standardised approach under Pillar 1 could use the AMA approach in its ICAAP.

The capital report should set out the option used, the result obtained and, moreover:

- For institutions using option 1, a specific analysis of the material aspects of this risk not captured in Pillar 1. A possible way to fulfil this requirement will be by means of a yearly internal audit report on the management, control and impact of this risk in the institution.

- For institutions using option 2, a summary of the methodology used and the reasons for doing so, at a sufficient level of detail.

3.3.5 Assessment of capital needs for interest rate risk in the banking book

To assess the capital needs for interest rate risk in the banking book, institutions should use one of the following options:

- Simplified option: institutions should use the adverse impact on their economic value referred to in Rule [4 of the capital assessment chapter] of Circular CBE 2008 on own funds, which is included in column 2 of Return RP51.

If this adverse impact reduces an institution’s economic value to below 130% of its total minimum capital requirements under Pillar 1, capital equal to 100% of the difference between 130% of that minimum capital requirements and the diminished economic value after the aforementioned adverse impact should be allocated. For this purpose the Banco de España may issue methodological guidelines for the treatment of sight deposits and publish the specific values of the impact on interest rates that are to be considered in the major currencies.

However, if the adverse impact calculated above reduces the initial economic value by less than 5% of its value, institutions may give reasons justifying why no capital is needed to cover this risk according to the above calculation, even though, after impact, the capital stands below the aforementioned 130% of Pillar 1 minimum capital requirements, provided that after impact it does not stand below 105% of those minimum capital requirements.

To this end, institutions should consider a maximum duration of 4 years for non remunerated sight deposits and deduct from them a minimum percentage of 10%. This minimum will be considered volatile and therefore have a duration of zero.[7]

In any case, the capital assigned for this risk by an institution should be at least the largest of:

a) The reduction in the economic value due to the adverse impact minus 24% of the eligible capital.

b) The reduction in the economic value due to the adverse impact minus 24% of the economic value before the impact.

- General option: institutions should use the in-house methodologies they consider to be most suitable, which they should substantiate and use in managing this risk. In this case, institutions should also calculate their capital needs under the simplified option and adjust appropriately, if required by Section 3.4.2 of these guidelines, the capital needs for solvency purposes. The more the result given by the simplified option differs from that calculated with in-house methodology, the more exhaustive the reasons given to justify the latter should be. It is permissible for the measurement of capital needs for this risk to give a result of no capital need, but institutions must justify this outcome.

The capital report should set out the option used and the result obtained. The institutions using the general option should summarise the methodology used and its basis.

3.3.6 Assessment of capital needs for liquidity risk

Institutions may replace their estimate of the capital required to cover this risk by an analysis of their liquidity policy, liquidity control systems and contingency plans, giving evidence that they have adequate liquidity and do not need capital to cover this risk. Institutions unable to provide evidence of adequate liquidity should establish an action plan and allocate capital to cover this risk.

The capital report should include a summary of the liquidity policy and situation and state the capital allocated, if any, to cover this risk.

3.3.7 Assessment of capital needs for other risks

To assess capital needs for other risks, institutions should use one of the following options:

- Simplified option: instead of assessing the capital required to cover these risks, institutions may allocate capital equal to 5% of their total minimum capital requirements under Pillar 1.

- General option: institutions should use the in-house methodologies they consider to be most suitable, which they should substantiate and use in managing this risk. Institutions should report at least their reputational and business risks, including the procedures for estimating and monitoring them. They should also assess any other risk they consider to be material.

Institutions with significant exposures derived from their insurance business (through subsidiaries) should analyse them and allocate capital to cover this risk, not deducting from capital in this case the shareholdings in these subsidiaries. Alternatively they may deduct the shareholdings in insurance subsidiaries, indicating the solvency situation of these subsidiaries in accordance with insurance regulations, which must cover such risks sufficiently.

In addition, any material risks derived from future pension commitments or any other commitment of institutions should be assessed and covered adequately, if this has not already been done.

Institutions using this option for reputational or business risks may employ the simplified option for the rest, assigning a conservative coefficient instead of the general value of 5% under the simplified option.

Reputational risk should include, inter alia, the risk derived from all of a credit institution’s dealings with customers that could result in negative publicity concerning its practices and business relations and, consequently, a loss of confidence in its moral integrity.

Business risk should include the risk of hypothetical (internal or external) adverse events that negatively affect an institution’s ability to achieve its objectives and consequently have a negative effect on earnings (profit and loss account) and, through the latter, on solvency.

The capital report should set out the option used and the result obtained, if any. The institutions using the general option should summarise the methodologies used and their basis.

3.4 Aggregation of capital needs and reconciliation adjustments

3.4.1 Aggregation of capital needs for the various risks

The aforementioned individual estimate of capital needs for the various risks should be used in this section to determine the total necessary capital. There are both simplified and general aggregation options for aggregating capital needs.

- Simplified aggregation option: institutions should calculate their total capital needs by simple summation of the capital required to cover each of their risks separately, as per the result of the individual measurements in Section 3 above. This option should be used by the institutions that use standardised approaches under Pillar 1.

- General aggregation option: the institutions that use advanced approaches under Pillar 1 to measure some of their risks (credit, market and operational) and also use quantitative models for overall management of all their risks may use in these models, aggregation formulas enabling the benefits of inter-risk diversification to be included. These models should be used in the institution’s overall risk management and must be capable of allocating capital to the various business units on the basis of their different risk profiles. Institutions that use the general aggregation option should also calculate their capital needs by simple summation. The greater the difference between the result of simple summation and that calculated using an in-house methodology, the more exhaustive the rationale for the latter should be. .

The capital report should set out the option used, the result obtained and, moreover:

- The institutions using the simplified option should limit themselves to completing the numerical data in the summary table in Annex 1.

- The institutions using the general aggregation option should also summarise the methodology used and its basis, making reference to such internal documents as they consider necessary.

3.4.2 Adjustments made to reconcile the management and solvency approaches

As mentioned in Section 2.2, the ICAAP should be based on the risk analysis carried out by institutions for risk management purposes. Hence for some risks it may be necessary to make adjustments to reconcile the capital figures used in the management of certain risks to those used from a solvency standpoint.

The purpose of these adjustments is to offset the greater capital needs of the management approach with funds (e.g. unrealised capital gains or economic value) not counted for solvency purposes, but that the management model does consider and seeks to protect. Described below, by way of examples, are two situations in which such adjustments may be necessary:

- Quoted shares carried at cost in the long-term investment portfolio and on which there are unrealised gains. In this case it may be suitable to use for management purposes a quantitative model (e.g. VaR) applied at the current market value of the shares. This approach aims to preserve the value of the shares (including the unrealised gains) and would therefore foreseeably result in a capital need figure above that calculated under Pillar 1 if the institution is using a default approach (PD/LGD) in Pillar 1 based on book value. In this situation and for the purpose of ICAAP solvency analysis, institutions may prudently offset the higher capital needs of the management approach against a part of the gains not considered to be capital under Pillar 1.

- Exposure to interest rate in the banking book. In institutions that use in-house models (general option), the capital needs figure under a management approach may be high if the institution seeks to preserve the economic value of its balance sheet. However, the economic value will, in turn, if sufficiently high, protect the institution’s solvency from an adverse impact of interest rates, although the institution’s net interest margin may deteriorate. In this situation, and for the purpose of ICAAP solvency analysis, institutions may offset, again prudently, the capital needs under their own model against a part of the economic value of the balance sheet.

For these purposes, institutions should assess consistently and prudently under the ICAAP the risks and the available capital associated with them. In this connection, as an example relating to quoted equity securities, an approach to assessing capital needs based on default and consequent loss of a considerable part of the value of the investment (PD/LGD approach) should not imply that the related unrealised gains are eligible as capital available to cover this or other risks.

3.5 Capital planning[7]

In planning their future capital needs derived from compliance with their future capital requirements under Pillar 1, institutions should include the assessment of all additional risk exposures carried out in the ICAAP. For this purpose, every year they should estimate the capital sources and allocations within their planning horizon, which they should define for this purpose and which should not be less than three years.

In order to do so, they should make projections, considering the institution's strategic plan, of the capitalised profit, dividends, share issues, subordinated capital issues, and capital charges derived from expected business growth, from changes in the Pillar 1 risk profile, from other risks assessed in the ICAAP, from one-off transactions, etc.

In this section, stress tests should be conducted to identify those events or changes in the market conditions in which institutions operate that may adversely affect their future solvency.

Each year institutions should carry out and reflect in their capital report a macro stress test that considers a scenario of general deterioration derived from a significant fall in economic activity (recession). This scenario should reflect sufficiently adverse behaviour of a combination of at least GDP, interest rates, the unemployment rate and housing prices.

Institutions should also conduct other stress tests if relevant to them. As examples, the following may be mentioned:

- Specific deterioration of the economic sectors in which an institution’s activity is concentrated.

- Situations of special tension and volatility in the money markets and those for other financial products.

- Scenarios of significant stock market falls.

- Scenarios of serious operating losses.

- Scenarios of liquidity crisis.

- Scenarios of errors in the valuation of complex financial products.

These stress scenarios must be sufficiently intense and encompass situations that have occurred in an institution’s markets over a sufficiently long period (for example, situations in the last 20-30 years) and may consider active management strategies to mitigate its effects.

The institutions using advanced approaches under Pillar 1 (IRB, VaR, AMA) should specifically conduct stress tests to assess how adverse events may affect their future capital requirements under Pillar 1 derived from the use of the related advanced approaches. Specifically, institutions using IRB models for credit risk should estimate the changes in their Pillar 1 capital requirements derived from ratings variations during the business cycle (migrations). These changes in Pillar 1 capital requirements should be considered in capital planning.

The additional capital needs derived from the different stress tests, both for Pillar 1 risks and for other material risks identified in the ICAAP, should be estimated and, where applicable, possible alternative capital elements identified to cover them. For these purposes, such elements may include a prudent assessment of unrealised gains and other items of a similar nature, as well as a prudent estimate of additional capital of other types (core capital, Tier 1 capital and Tier 2 capital) that the institution could generate if needed. When quantifying these alternative capital elements, it should be kept in mind that they will probably be used in crisis situations.

The contingency plans in place for use in case of unforeseen divergences and events should be explained in the capital planning.

The presentation of the stress tests should not consider any alternative sources of capital or active management strategies undertaken to mitigate the impact, i.e. the outcome should be presented gross of mitigation. Where appropriate the impact of the mitigation produced by alternative sources of capital or any other action should be explained separately in this section.

This section of the capital report should set out the following:

- The period covered by the planning, which must not be under three years.

- Analysis of deviations in the period with respect to the planning prepared in the prior period.

- Summary of the planning methodology used and of its results.

- Summary of the stress tests conducted and of their results.

- Summary and quantification of any alternative capital sources.

The capital report should include the estimates of the macroeconomic variables used as inputs in the capital plan and in the macro stress test. It should also include those elements of the strategic plan and accounting planning that are considered to be significant in the projections made.

This section should reflect, for the various stress tests included in the capital planning and the macro stress test, the estimated amount of the main balance sheet items (including loans and receivables in the public and private sectors, deposits from the private sector, loans in arrears and loan loss provisions), a representative disaggregation of risk-weighted assets, net interest income, gross income, net operating income and profit or loss before tax. Significant direct adjustments to equity expected in the period covered by the planning should also be indicated, as well as planned issues or retirements of equity capital, regardless of the nature of the instruments involved (core capital, Tier 1 capital or Tier 2 capital).

These stress tests should take into account the EBA document “Guidelines on Stress Testing (GL32). EBA recommendations should be followed when carrying out of the macro stress test unless the institution considers them inappropriate. The estimates of macroeconomic magnitudes provided by the European Central Bank (ECB) should also be taken into account.

3.6 Programme of future measures

Based on the assessments set out in Section 3.2 and the estimates included in Sections 3.3 to 3.5, the main deficiencies and weaknesses found should be summarised and, if significant, an action plan drawn up to remedy them. This action plan may include the following measures, among others:

- Modification of the institution’s risk profile: reduction of a certain activity or activities, application of new risk mitigation techniques, etc.

- Improvements in governance and internal organisation; improvements in risk management and internal control.

- Modification of the own funds target, stating the related adaptation period, if appropriate.

This section should also set out the future changes in risk and capital management that the institution intends to undertake, such as changes in the general risk policy, improvements in the management and control tools for a particular risk, changes in Pillar 1 approaches, etc. In any event, all matters relating to plans for future improvement should be included only in this section, although cross-references to them can be made in other sections.

3.7 Other matters

Other matters that institutions consider it necessary or useful to include in the report and have not been addressed in any other section should be set out here.

The Banco de España should include in its annual supervision plans a review of the ICAAP and determine whether institutions’ own funds targets (in terms of level, composition and distribution) and action plans (if deficiencies were detected) are suitable for their risk profile. The capital report should serve as the basis for reviewing the ICAAP.

The Banco de España may make a reasoned proposal to an institution that it change its own funds target or action plan. Finally, after a process of dialogue between the two - if necessary - the institution and the Banco de España should agree on other own funds targets and, if appropriate, an action plan which the institution should undertake to maintain and implement, respectively.

Nevertheless, the Banco de España may require an institution to have capital additional to the minimum requirements under Pillar 1 or other different or supplementary measures considered necessary given the institution’s high risk profile or the extent of the deficiencies detected in its internal governance, in risk management or in internal control. The Banco de España should formally communicate these requirements, which should be set out in a return to compliance programme prepared by the institution and approved by the Banco de España, in accordance with section 3 and 4 of Article 71 of Royal Decree 216/2008 on the own funds of financial institutions.

CRITERIA FOR PREPARING RETURN IAC01 SUMMARY OF INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP)

A. GENERAL CRITERIA

1. These criteria relate to the preparation of Return IAC01 in accordance with the guidelines on the internal capital adequacy assessment process (ICAAP guidelines) at credit institutions of 25 June 2008, which in turn set forth the criteria to be taken into account by institutions in preparing the capital report.

2. Monetary amounts will be expressed in thousands of euro and ratios as percentages to two decimal places (x.xx%). Cells shaded in grey are not to be filled in.

3. In accordance with paragraph 3 of Rule 4 of Banco de España Circular CBE 3/2008 of 22 May 2008 on the determination and control of minimum own funds (hereafter “the Circular”), this return must be prepared by consolidable groups of credit institutions and by credit institutions not forming part of a consolidable group of credit institutions. Rule 107.2 of the Circular also requires this return to be prepared, at sub-consolidated level, by the Spanish banking subsidiaries of consolidated groups of credit institutions which have subsidiaries in non-EU third countries.

Consolidable groups of credit institutions will take into account the need to submit, in addition to consolidated Return IAC01, the summary ICAAP return broken down by banking subsidiary (or sub-group) subject to the second sub-paragraph of paragraph 4 of Rule 107 of the Circular. This will be construed without prejudice to the power of the Banco de España to request this breakdown with respect to other significant subsidiaries when necessary for proper valuation of the capital adequacy assessment process adopted by the group.

SPECIFIC CRITERIA FOR RETURN IAC01 SUMMARY OF INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP)

B. GENERAL DESCRIPTION

4. Return IAC01 includes information on the capital adequacy assessment process according to the criteria established by the Banco de España in the ICAAP guide and to Rule 107 of the Circular, which transposes Article 123 of Directive 2006/48 and implements Articles 6.4 of Law 13/1985[10] and 68 of Royal Decree 216/2008[11]. This process should enable institutions to assess and maintain on an ongoing basis the amounts, types and distribution of internal capital and of regulatory capital they consider adequate to cover all risks, depending on their nature and level, to which they are or may be exposed.

For the purpose of this return, the meaning of regulatory capital will be as defined in Rule 7 of the Circular and that of capital will be as defined internally by the institution for the purpose specified in the previous subparagraph.

5. Return IAC01 is divided into two pages. Page one sets out the institution’s regulatory capital target along with regulatory capital, regulatory capital requirements and the capital requirements according to the institution’s estimates. Page two consists of three sections devoted to ordinary planning, regulatory capital in stress scenarios and alternative sources of capital.

6. Page one of this return has five columns: the first sets out, as a ratio, the institution’s regulatory capital target, including a breakdown into Tier 1 capital and Tier 2 capital; the second and third columns give the amounts (at the reporting date) of regulatory capital and of regulatory capital requirements for credit, market and operational risk and for insurance business conducted through subsidiaries; and, finally, the fourth and fifth columns show the capital requirements for the main risks as estimated by the institution itself (column 5) using the methodology indicated in the option column (column 4).

7. The second page is as follows. Each of the first two sections consists of three sets of columns. There is one set for each of the three years for which projections of future capital requirements are made. Each of these sets in turn contains three columns: one for the solvency ratio the institution hopes to have at the end of each of those three years, another for estimated regulatory capital requirement and the third for estimated regulatory capital. The third and last section, which relates to alternative sources of capital, consists of four columns setting out the amount of other possible sources of capital at the reporting date and at the end of each of the three projection years.

8. As regards the lay-out of rows, page one consists of three sections, one relating to the regulatory capital target, another to regulatory capital at the reporting date and the third to quantification of the capital required to cover the risks faced by the institution, including the effect of risk diversification and of adjustments made to reconcile the management and solvency approaches. The content of the rows in this last section will depend on the method used by the institution to determine capital for the various risks.

9. The second page consists, as mentioned above, of three broad sections: the first, relating to ordinary planning, indicates expected total regulatory capital and breaks it down into core and Tier 1 capital; the second, relating to stress scenarios, sets out the various scenarios analysed by the institution; and the third, relating to alternative sources of capital, enumerates the various sources considered by the institution in its planning.

C. DESCRIPTION OF COLUMNS

The columns are as follows:

10. PERCENTAGE: Page 1, column 1. See Section 2.1 of the ICAAP guide. The information of this column, relating to the regulatory capital target, will be expressed as a percentage in the form of a solvency ratio. If the institution sets a target range, the middle of that range will be stated (for example, if an institution sets a target range of 13.50%-12.00% for its regulatory capital, the middle of the range would be 12.75%). The target is not, in principle, deducted from the arithmetic sum of values included in the other part of Return IAC01.

11. AMOUNT: Page 1, column 2. Contains the amounts of currently held regulatory capital reported in Rows 1 Total regulatory own funds, 1.4 Total Tier 1 capital for general solvency purposes, 1.5 Total Tier 2 capital for general solvency purposes and 1.6 Total ancillary capital for market risk and exchange risk in Return RP10 at the reporting date.

12. REGULATORY CAPITAL REQUIREMENT: Page 1, column 3. This column states the regulatory capital requirement for the risks referred to in paragraph 1 of RULE FOUR of the Circular and for insurance risk. Therefore, the figures stated here will necessarily coincide with the amounts in Return RP10 for those risks, except in the case of insurance risk (see paragraph 19.7 relating to other risks).

13. ICAAP – OPTION: Page 1, column 4. This column, along with column 5 (“capital requirement”), summarizes the figures of the internal capital adequacy assessment process carried out by the institution. It will be completed by entering the following numerical codes denoting the method chosen from those proposed in the ICAAP guidelines:

If the institution uses an ICAAP methodology of type 2 for some portfolios but not for all of them, option 2 should be entered in column 4.

In the case of credit, market and operational risk, the reference to the option chosen for ICAAP will be included on the line used to reflect the regulatory capital requirement. That is to say, if, for example, the institution has entered €200,000,000 in row 3.1.1 relating to the standardised approach, but in its internal capital adequacy assessment process it used a methodology similar to that required for advanced approaches (whether or not approved by the Banco de España), this amount will be included in the same row, entering a 2 in the “option” column, as established in the above table:

14. ICAAP – CAPITAL REQUIREMENT: This column will include the capital requirement estimated by the institution in the framework of its internal capital adequacy assessment process to cover the risks indicated in the related rows.

15. CAPITAL PLANNING (Page 2). See Section 3.5 of the ICAAP guide. Capital planning is divided into three broad sections: ordinary planning, stress scenarios and alternative sources of capital. The first two include nine columns relating to the three years which, as a minimum, have to be covered by the future capital requirements projection (three columns per year), while the third section also contains information relating to the reporting date. The explanations about this page are given by means of a description of its rows.

D. DESCRIPTION OF ROWS

16. REGULATORY CAPITAL RATIO TARGET[12]

: See also the explanations of the column “percentage” in point 11 above.

16.1 TOTAL REGULATORY CAPITAL RATIO: This ratio will be determined in a way consistent with the procedure of Section 3.2 of Return RP10 and, accordingly, will be calculated as the quotient in which the numerator is 8% of the institution’s total regulatory capital and the denominator is its capital requirements. This box should only be filled in if this target is determined internally by the institution.

16.2 CORE CAPITAL RATIO: In this case the numerator of the above quotient in point 16.1 will consist only of the total core capital target for general solvency purposes. This box must be filled in.

16.3 TIER 1 CAPITAL RATIO: In this case the numerator of the above quotient in point 16.1 will consist only of the total Tier 1 capital target for general solvency purposes, i.e. the amount set by the institution as the target to be reported in row 1.4 of Return RP10. This box should only be filled in if this target is determined internally by the institution.

17. REGULATORY CAPITAL: Page 1, column 2. Comprises the amounts of currently held regulatory capital reported in Return RP10, namely[13]:

17.1 REGULATORY CAPITAL: Amount stated in row 1 of Return RP10.

17.2 CORE CAPITAL: Amount of core capital.

17.3 TIER 1 CAPITAL: Amount stated in row 1.4 of Return RP10.

17.4 TIER 2 CAPITAL: Amount stated in row 1.5 of Return RP10.

18. QUANTIFICATION OF CAPITAL REQUIREMENTS: Sum of the capital needed for the following risks:

18.1 CREDIT RISK: See Section 3.3.1 of the ICAAP guide. It is the sum of rows 3.1.1 (standardised approach), 3.1.2 (basic IRB approach) and 3.1.3 (advanced IRB approach). In column 3, institutions will state the amounts reflected, respectively, in rows 2.1.1, 2.1.2.1 and 2.1.2.2. plus those in rows 2.1.2.3, 2.1.2.4 and 2.1.2.5 of Return RP10; in column 4 they will list, where applicable, the options chosen for carrying out the ICAAP (see ICAAP – OPTION above); and in column 5 they will show the capital requirement under the option. Institutions which use simultaneously the standardised approach, basic IRB approach and/or advanced IRB approach and thus enter in Return RP10 amounts in more than one of the rows 2.1.1, 2.1.2.1 and 2.1.2.2 will distinguish between the related portfolios also in Return IAC01, for which purpose they will use rows 3.1.1, 3.1.2 and 3.1.3.

18.2 MARKET RISK: See Section 3.3.3 of the ICAAP guide. This is the sum of rows 3.2.1 (standardised approach) and 3.2.2 (VaR approach). In column 3, institutions will enter the amounts reflected, respectively, in rows 2.2, 2.3.1 and 2.3.2 of Return RP10; in column 4, the options chosen for carrying out the ICAAP (see above ICAAP – OPTION); and in column 5 the capital required under that option.

18.3 OPERATIONAL RISK: See Section 3.3.4 of the ICAAP guide. It is the sum of rows 3.3.1 (basic indicator approach), 3.3.2 (standardised approach) and 3.3.3 (advanced approaches). In column 3, institutions will enter the amounts reflected, respectively, in rows 2.4.1, 2.4.2 and 2.4.3 of Return RP10; in column 4 they will list the option chosen for carrying out the ICAAP (see ICAAP – OPTION above); and in column 5 they will specify the capital requirement under that option.

18.4 INTEREST RATE RISK: See Section 3.3.5 of the ICAAP guide.

18.5 CONCENTRATION RISK[9] : See Section 3.3.2 and Annex 2 of the ICAAP guide. It is the sum of rows 3.5.1 (individual concentration), 3.5.2 (sectoral concentration) and 3.5.3 (other types of concentration). The following table gives an example of how to carry out these calculations:

Given the following portfolio:

The calculations are as follows:

If the simplified option were chosen, Return IAC01 would be completed as follows:

18.6 LIQUIDITY RISK: See Section 3.3.6 of the ICAAP guide[14].

18.7 OTHER RISKS AND OTHER REQUIREMENTS (Page 1): See Section 3.3.7 of the ICAAP guide. Regardless of how insurance risk is treated, if the simplified option is chosen, row 3.7 of this return will include 5% of the amount entered in row 3, column 3 of the return and no breakdown by row will be performed. If, on the contrary, the general option were chosen, the option chosen for each risk and the capital allocated will be indicated in the related rows.

Column 3 states the sum of sections 2.5 and 2.6 of Return RP10 and, in addition, the requirements for insurance risk, as described below. In column 4 the institution will enter option 1 if it uses the simplified option of the guide for reputational and business risks; otherwise, it will enter option 2. In column 5 it will include, in addition to the requirements for other risks, the amounts of Sections 2.5 and 2.6 of Return RP10, unless the institution justifies in the report the use of another criterion.

With regard to insurance risk, column 3 will set out the net regulatory capital requirements of insurance subsidiaries under Rule 9.1.e) of the Circular, and where appropriate reported in RP90. Column 5 relating to required capital (ICAAP) includes the capital allocated to cover the risk derived from insurance business as specified in Section 3.3.7 of the ICAAP guide; option 1 will be entered in column 4 if the institution chooses to deduct from regulatory capital the equity investments in these subsidiaries, in which case the amount in column 5 will be the same as in column 3 but of opposite sign and option 2 will be entered in column 4 if the institution chooses to assess the risks and the capital requirement. In this second case, account would be taken of the related adjustments to the capital requirement, in accordance with the capital currently held at insurance subsidiaries, and these adjustments reflected in the related row (other adjustments) of the adjustments made to reconcile the management and solvency approaches.

19. ADJUSTMENTS FOR RISK DIVERSIFICATION: The individual estimate of the capital required for the various risks carried out previously will be used to determine the capital requirement in this row. For the aggregation, the ICAAP guide, Section 3.4.1, establishes a simplified option and a general option for institutions using advanced approaches to measure some of their risks and quantitative approaches for joint management of all their risks. In the simplified approach, no amount will be included in the capital requirement column.

20. ADJUSTMENT TO RECONCILE THE MANAGEMENT AND SOLVENCY APPROACHES: See Section 3.4.2 of the ICAAP guide.

21. TOTAL CAPITAL REQUIREMENT: Sum of the capital required for the various risks considered significant for the institution less, where applicable, the effect of risk diversification, plus or minus the reconciliation adjustments included in the preceding point. This figure will coincide with that in row 3.4.2 of Return RP10.

22. EXPECTED PERIOD-END REGULATORY CAPITAL ACCORDING TO PLANNING[9] : This will include the estimate made by the institution in its ordinary or “central scenario” planning of the regulatory capital ratio expected each year. Estimates will be given of the total capital requirement and of regulatory capital, with a breakdown between core capital and Tier 1 capital, at the end of each of the three planning years. If the projections are fulfilled, the figures in row “1. Expected period-end regulatory capital according to planning” will be equal to those entered, respectively, in the following three years in rows 3.2.a, 2 and 1 of Return RP10. They are estimates which may not coincide with the regulatory capital target indicated on the first page of this return.

The related ratios are calculated as follows:

If the institution considers in its planning the issuance of shares, subordinated capital, etc. (see second paragraph of Section 3.5 of the ICAAP guide), these sources will not be listed in the section relating to alternative sources of capital.

23. CAPITAL UNDER STRESS SCENARIOS: See Section 3.5 of the ICAAP guide. The rows in this section state, in the relevant columns, the core capital ratio, capital requirements and core capital estimated for the various stress scenarios which the institution sees fit to analyse, at the end of each of the three planning years. The outcome of the various stress scenarios should be stated on a gross basis, i.e. the effect of management actions undertaken or alternative sources of capital issued to mitigate the impact of the stress should not be included.

In particular, institutions using advanced approaches will take into account what is said in the sixth paragraph of said Section 3.5 and will enter under the name “IRB procyclicity” the results of the sensitivity analysis of the variations in their capital requirements derived from the migration of ratings during the business cycle.

24. TOTAL ALTERNATIVE SOURCES OF CAPITAL: See Section 3.5 of the guide. Each source considered by the institution as useful under a stress situation will be entered in a separate row. Only the alternative capital sources that increase the capital shall be shown here. Information on those other sources that reduce the capital requirements should be given in Section 5 of the capital report.

In order to calculate sectoral and individual concentration indices, regard will be had to all of the institution’s direct risk exposures in the EU (including discounted commercial paper, credit, loans, fixed-income securities, equity securities, liquid assets, off-balance-sheet exposures, guarantees including CDSs -using a 100% credit conversion factor- and any other form of financial support) regardless of the portfolio (trading, available-for-sale or long-term) in which they are recorded. Neither risk exposures to general government and deposit institutions, nor securitised assets treated as such for the purposes of capital calculations (without prejudice to application of the provisions of paragraph 6 of Rule 102 of Circular 3/2008 for securitisation exposures held by the institution), nor the risk associated with other derivatives should be included for these purposes.

The balances to be considered should be gross of provisions and not reduced for any risk-mitigation factor (guarantees received, deposits pledged, etc.).

Sectoral concentration:

The institution’s direct risk, excluding exposures to individuals except for those derived from business activities), should be grouped according to the above criteria in the economic sectors listed in the following table, based on the obligor’s CNAE classification:

The sectoral concentration index should be calculated using the formula

where x is the value of risk exposure to each economic sector.

The surcharge should be applied only to the capital requirements for credit risk relating to the exposures included in the calculation of the sectoral concentration index.

Individual concentration:

An inventory should be carried out of the total direct risk exposure (using the same criteria as for calculating the sectoral concentration index) to the 1,000 largest borrowers of the institution, irrespective of their status as a natural or legal person and of their legal form. If various borrowers are linked because they constitute an economic group or decision-making unit, they should be grouped together and considered as a single risk. The individual concentration index ICI should be calculated using the formula

where x is the total direct investment corresponding to each borrower or group (among the 1,000 largest borrowers of the institution) and Σy is the amount of the institution’s total direct risk exposure (considering the overall loans and receivables).

If the number of borrowers or groups of borrowers of the institution does not exceed 1,000, the foregoing calculation should be made with respect to the total borrowers.

The surcharge should be applied to the capital requirements for credit risk relating to the borrowers included in the calculation of the individual concentration index (Σy).

The general principles of this process, which is referred to in principle 1 of Pillar 2 of the revised capital adequacy framework and Article 123 of the Directive, and which is known as the ICAAP (Internal Capital Adequacy Assessment Process), have been set out by the EBA in its guidelines on Pillar 2 (Guidelines on the application of the supervisory review process under Pillar 2) and are as follows:

Principle 1: Every institution must have a process for assessing its capital adequacy relative to its risk profile.

Principle 2: The ICAAP is the responsibility of the institution. The ICAAP should be tailored to the institution’s circumstances and needs, and it should use the inputs and definitions that the institution normally uses for internal purposes.

Principle 3: The ICAAP’s design should be fully specified, the institution’s capital policy should be fully documented, and the management body should take responsibility for the ICAAP. The management body should approve the conceptual design, scope, general methodology and objectives of the ICAAP and is responsible for integrating capital planning and capital management into the ICAAP. The management body should ensure that capital planning and management policies are communicated and implemented. The results of the ICAAP should be reported to the management body.

Principle 4: The ICAAP should form an integral part of the management process and decisionmaking culture of the institution. The ICAAP’s uses should include, for example, allocating capital to business units, playing a role in the individual credit decision process, playing a role in the preparation of the institution’s budgets and expansion plans, etc.

Principle 5: The ICAAP should be reviewed regularly. The ICAAP should be reviewed as often as is deemed necessary to ensure that capital coverage reflects the risk profile of the institution at all times. This review should take place at least annually. Any changes in the institution's strategic focus, business plan, operating environment or other factors that materially affect assumptions or methodologies used in the ICAAP should initiate appropriate adjustments to the ICAAP. New risks that occur in the business of the institution (e.g. those due to new products) should be identified and incorporated into the ICAAP.

Principle 6: The ICAAP should be riskbased. Institutions should set capital targets which are consistent with their risk profile and operating environment. However, institutions may take other considerations into account in deciding their capital targets, such as external rating goals, market reputation and strategic goals. In this case the institution must be able to identify the amount of capital held in response to these considerations outside its risk profile.

There are some types of (less readily quantifiable) risks for which the process of assessment should be more qualitative. The institution should clearly establish for which risks they will use a quantitative measure, and for which risks a qualitative estimate will be made.

Principle 7: The ICAAP should be comprehensive. The ICAAP should capture all the material risks to which the institution is exposed, regardless of whether or not there are capital requirements for them under Pillar 1. There is no standard categorisation of risk types and definition of materiality and institutions are free to use their own terminology and definitions. However, the ICAAP should cover:

– Pillar 1 risks, indicating any major differences between the treatment of Pillar1 and Pillar 2 risks and the possible underestimation of credit, operational and market risk if standardised approaches are used.

– Risks not fully captured under Pillar 1, such as, for example, the risk derived from credit concentration, the residual risk due to the use of in credit risk mitigation (CRM) techniques, and the additional risk stemming from securitisation.

– Material Pillar 2 risks, such as, for example, on-balance-sheet interest rate risk, liquidity risk, reputational risk and business risk.

– Risk factors external to the institution, stemming from the regulatory environment and from the economic environment in which the institution operates and, in particular, the effects of the business cycle on the institution’s solvency.

Principle 8: The ICAAP should be forwardlooking, so as to ensure capital adequacy also in the future. The ICAAP should take into account the institution's strategic plans and how they relate to macroeconomic factors. The institution should develop an internal strategy for maintaining capital levels which can incorporate factors such as loan growth expectations, future sources and uses of funds, and any procyclical variation of Pillar 1 minimum own funds requirements.

The institution should have a capital plan which states the institution's capital target and the time horizon for achieving it. The plan should also lay out how the institution will comply with legal capital requirements in the future and provide for contingency plans in the event of divergences and unexpected events. Institutions should conduct appropriate stress tests which take into account the risks specific to the markets in which they operate and unfavourable developments in the business cycle.

Principle 9: The ICAAP should be based on adequate measurement and assessment processes. These processes should be documented. The results of the ICAAP should feed into an institution's strategic plan and influence the institution's management of its risk profile. Institutions will not be required to use economic capital (or other) models, although it is expected that more sophisticated institutions will elect to do so.

There is no single ‘correct’ assessment process. Institutions may design their ICAAP in different ways. The following are examples:

– The result produced by the regulatory Pillar 1 methodologies and consideration of nonPillar 1 elements. In other words, to obtain a capital goal, institutions may take the Pillar 1 requirements and then assess Pillar 2 concepts that relate to Pillar 1 (such as concentration risk, residual risk of CRM and securitisation) and concepts that are not dealt with under Pillar 1 (such as interest rate risk). Supervisors would expect the institution to demonstrate that it had analysed all risks outside Pillar 1 and found them to be absent, not material, or covered by a simple cushion over the Pillar 1 minimum.

– A ‘structured’ approach, using different methodologies for the different Pillar 1 and Pillar 2 risks and then calculating the total requirements by simple summation.

– A more sophisticated and complex system using aggregation methodologies to integrate the different risks through the use of correlations.

Some risks are easier to measure than others, depending on the availability of information. This implies that their ICAAPs could be a mixture of detailed calculations and estimates. Nonquantifiable risks should be included in the ICAAP if they are material, even if they can only be estimated.

It is also important that institutions not rely on quantitative methods alone, but include qualitative analyses and evaluate risk management.

Principle 10: The ICAAP should produce a reasonable outcome. The ICAAP should produce a reasonable overall capital figure. The institution should be able to explain the similarities and differences between its ICAAP result and its own funds requirements.

To satisfactorily determine their capital requirements, credit institutions, in addition to quantifying the risks associated with their activity, should also assess their internal governance. The principles, procedures and mechanisms of internal governance, which are referred to in principle 1 of Pillar 2 of the revised capital adequacy framework and Article 22 of the Directive, have been set out by the EBA in its Guidelines on Internal Governance which lay down requisites regarding the following areas and matters:

A) Corporate Structure and Organisation

1. Organisational framework

2. Checks and balances in a group structure

3. Know-your-structure

4. Non-standard or non-transparent activities

B) Management body

B.1 Duties and responsibilities of the management body

5. Responsibilities of the management body

6. Assessment of the internal governance framework

7. Management and supervisory functions of the management body

B.2 Composition and functioning of the management body

8. Composition, appointment and succession of the management body

9. Commitment, independence and managing conflicts of interest in the management body

10. Qualifications of the management body

11. Organisational functioning of the management body

Assessment of the functioning of the management body

Role of the chair of the management body

Specialised committees of the management body

Audit committee

Risk committee

B.3 Framework for business conduct

12. Corporate values and code of conduct

13. Conflicts of interest at institution level

14. Internal alert procedures

B.4 Outsourcing and remuneration policies

15. Outsourcing

16. Governance of remuneration policy

C) Risk management

17. Risk culture

18. Alignment of remuneration with risk profile

19. Risk management framework

20. New products

D) Internal control

21. Internal control framework

22. Risk Control function (RCF)

23. The Risk Control Function‟s role

RCF‟s role in strategy and decisions

RCF‟s role in transactions with related parties

RCF‟s role in complexity of the legal structure

RCF‟s role in material changes

RCF‟s role in measurement and assessment

RCF‟s role in monitoring

RCF‟s role in unapproved exposures

24. 27. Chief Risk Officer

25. Compliance function

26. Internal Audit function

E) Information systems and business continuity

27. Information system and communication

28. Business continuity management

F) Transparency

29. Empowerment

30. Internal governance transparency

The European Banking Authority (EBA-http://www.eba.europa.eu/) and the Basel Committee on Banking Supervision (BCBS-http://www.bis.org/bcbs) have drafted different documents and guidelines relating to internal corporate governance, risk management and measurement and Basel Pillar 2 implementation, which must be taken into account by institutions in applying these Banco de España guidelines[18] and which, given that they are directly related to the latter, are listed below:

- EBA documents :

- Guidelines on supervisory review process, 25 January 2006.

- Guidelines on Validation. 4 April 2006.

- Technical Guideline on Interest Rate Risk in the Banking Book. 3 October 2006.

- Additional Guidelines on Stress Testing 14 December 2006.

- Additional Technical Guidelines on Concentration Risk. 14 December 2006.

- Compendium of Supplementary Guidelines on Implementation Issues of Operational Risk. 08 September 2009.

- Principles for disclosures in times of stress (Lessons learned from the financial crisis). 26 April 2010

- Guidelines on instruments referred to in Article 57(a) of the CRD. 14 June 2010.

- Guidelines for the operational functioning of colleges. 15 June 2010.

- Revised Guidelines on stress testing. 26 August 2010.

- Revised Guidelines on the management of concentration risk under the supervisory review process. 02 September 2010.

- Guidelines on the management of operational risks in market-related activities. 12 October 2010.

- Guidelines on Remuneration Policies and Practices. 10 December 2010.

- Guidelines for the joint assessment of elements covered by the supervisory review and evaluation process and joint decision regarding the capital adequacy of cross-border groups. 22 December 2010.

- Guidelines on the application of Article 122a of the Capital Requirements Directive (CRD). 31 December 2010.

- Guidelines on internal governance, 27 Septembre 2011.

- Guidelines on AMA extensions and changes, 6 January 2012.

- Basel Committee on Banking Supervision (BCBS) documents:

- Framework for Internal Controls. September 1998

- Risk Concentrations Principles. December 1999

- Sound Practices for Managing Liquidity. February 2000

- Principles for the Management of Credit Risk. September 2000

- Principles for the management and supervision of interest rate risk. July 2004.

- Implementation of Basel II: Practical Considerations. July 2004.

- Compliance and the compliance function in banks. April 2005.

- Enhancing corporate governance for banking organisations. February 2006.

- The management of liquidity risk in financial groups. May 2006.

- Home-host information sharing for effective Basel II implementation. June 2006.

- The Core Principles Methodology. October 2006.

- Core Principles for Effective Banking Supervision. October 2006.

- Principles for home-host supervisory cooperation and allocation mechanism in the context of Advanced Measurement Approaches (AMA) November 2007.

- Liquidity Risk: Management and Supervisory Challenges. February 2008.

- Cross-sectoral review of group-wide identification and management of risk concentrations. April 2008.

- Principles for Sound Liquidity Risk Management and Supervision. September 2008.

- Principles for sound stress testing practices and supervision. May 2009.

- Range of practices and issues in economic capital frameworks. March 2009.

- Findings on the interaction of market and credit risk. May 2009.

- Enhancements to the Basel II framework. July 2009.

- Revisions to the Basel II market risk framework. July 2009.

- Guidelines for computing capital for incremental risk in the trading book. July 2009.

- Compensation Principles and Standards Assessment Methodology. January 2010.

- Principles for enhancing corporate governance. October 2010.

- Good Practice Principles on Supervisory Colleges. October 2010.

- Developments in Modelling Risk Aggregation. October 2010.

- Sound Practices for the Management and Supervision of Operational Risk - consultative document. December 2010.

- Basel III: International framework for liquidity risk measurement. standards and monitoring. December 2010

- Range of methodologies for risk and performance alignment of remuneration – final document, May 2011.

- Basel III: A global regulatory framework for more resilient banks and banking systems - revised version, June 2011.