12 C.F.R. § 1240.121
(a) Process and systems requirements.
(b) Risk rating and segmentation systems for exposures.
(c) Quantification of risk parameters for exposures.
(2) An Enterprise's estimates of risk parameters must incorporate all relevant, material, and available data that is reflective of the Enterprise's actual exposures and of sufficient quality to support the determination of risk-based capital requirements for the exposures. In particular, the population of exposures in the data used for estimation purposes, the underwriting standards in use when the data were generated, and other relevant characteristics, should closely match or be comparable to the Enterprise's exposures and standards. In addition, an Enterprise must:
(d) Operational risk—(1) Operational risk management processes. An Enterprise must:
(i) Have an operational risk management function that:
(2) Operational risk data and assessment systems. An Enterprise must have operational risk data and assessment systems that capture operational risks to which the Enterprise is exposed. The Enterprise's operational risk data and assessment systems must:
(ii) Include credible, transparent, systematic, and verifiable processes that incorporate the following elements on an ongoing basis:
(A) Internal operational loss event data. The Enterprise must have a systematic process for capturing and using internal operational loss event data in its operational risk data and assessment systems.
(1) The Enterprise's operational risk data and assessment systems must include a historical observation period of at least five years for internal operational loss event data (or such shorter period approved by FHFA to address transitional situations, such as integrating a new business line).
(2) The Enterprise must be able to map its internal operational loss event data into the seven operational loss event type categories.
(3) The Enterprise may refrain from collecting internal operational loss event data for individual operational losses below established dollar threshold amounts if the Enterprise can demonstrate to the satisfaction of FHFA that the thresholds are reasonable, do not exclude important internal operational loss event data, and permit the Enterprise to capture substantially all the dollar value of the Enterprise's operational losses.
(3) Operational risk quantification systems. The Enterprise's operational risk quantification systems:
(e) Data management and maintenance.
(f) Control, oversight, and validation mechanisms.
(3) An Enterprise must have an effective system of controls and oversight that:
(4) The Enterprise must validate, on an ongoing basis, its advanced systems. The Enterprise's validation process must be independent of the advanced systems' development, implementation, and operation, or the validation process must be subjected to an independent review of its adequacy and effectiveness. Validation must include:
(5) The Enterprise must have an internal audit function or equivalent function that is independent of business-line management that at least annually: