External Risk Data

Definition

External Risk Data are any data sets used by an organization for the purposes of Risk Management without having been produced internally by the organization.

Examples

• Credit Bureau Scoring data used in the development of Credit Scorecard models

ECB TRIM Requirements

Regulated financial institutions must implement formal Data Governance which applies also to externally procured datasets^[1]

Data-related requirements established under the CRR apply to all data: internal, external or pooled.

To ensure that credit risk management and measurement processes are built on appropriate data, for the purposes of risk differentiation, risk quantification and review of estimates institutions should assess whether external data can be used to complement internal data when they consider they do not have sufficient available internal data.

If an institution uses statistical models and other mechanical methods to assign exposures to obligors or facilities grades or pools, the data used to build the model must be representative of the population of the institution’s actual obligors or facilities. If external data are used, the same requirements with regard to representativeness must be applicable vis-à-vis the bank’s portfolio or portfolio subset for which the external data are used.

Proving representativeness in cases where an institution uses external data is generally more difficult as internal data are scarce. If an institution cannot provide sufficient proof that the external data are representative it may still use external data if it shows (by quantitative analysis and/or qualitative argumentation) that the information gained from the use of the external data outweighs any drawbacks stemming from the deficiencies identified and an appropriate Margin of Conservatism (MoC) is applied.

In particular, institutions should provide evidence that the model’s performance does not deteriorate when including information derived from the external data, and that the parameter estimates are not biased. To assess these issues, the institution should conduct quantitative and qualitative validation analyses specifically designed for this purpose.

If an institution uses statistical models and other mechanical methods to assign exposures to obligors or facilities grades or pools, it must have in place a process for vetting data inputs to the model, which should include an assessment of the accuracy, completeness and appropriateness of the data.

In addition, and in accordance with Article 179(1)(a), in quantifying the risk parameters to be associated with rating grades or pools institutions must incorporate all relevant data, information and methods. To comply with these requirements, institutions should ensure that, when external data are used for risk differentiation, risk quantification or review of estimates, they know the data sources and the most relevant data processing operations of the variables acting as direct model inputs performed by the data provider.

Institutions should be able to differentiate between internal and external data and to document which information is internal and which information is received from external data sources. To ensure that the data remain appropriate, institutions should provide an adequate rationale in the event that, for the purpose of risk differentiation, risk quantification or review of estimates, they modify the external data acquired, select only part of a wider external database or use different external providers.

References