New Policy Document on Credit Risk to take effect for Financial Institutions from 1 January 2024

Bank Negara Malaysia (“BNM”) issued a new Policy Document on Credit Risk1 (“New Policy Document”) on 31 July 2023. The New Policy Document will take effect from 1 January 2024, whereupon it will supersede the existing policy document of the same name issued by BNM on 27 September 2019.
The New Policy Document will apply to the following: 
  • Licensed banks;
  • Licensed investment banks;
  • Licensed Islamic banks;
  • Licensed international Islamic banks;
  • Licensed insurers;
  • Licensed takaful operators; and
  • Where relevant, financial holding companies. 
The New Policy Document applies to the above-referred financial institutions on an entity basis for all financial institutions excluding financial holding companies and on a consolidated basis for all financial institutions in respect of paragraphs 8 (general requirements), 13 (credit risk monitoring), 14 (credit concentration risk) and 16 (credit risk reporting).
The New Policy Document is to be read together with other relevant legal instruments and policy documents that have been issued by BNM, in particular: 
  • Guidelines on Data Management and MIS Framework;
  • Risk Governance;
  • Single Counterparty Exposure Limit; and
  • Single Counterparty Exposure Limit for Islamic Banking Institutions. 
This article provides a summary of some of the requirements set out in the New Policy Document.
The New Policy Document seeks to ensure that credit risk management practices of financial institutions remain effective amid the increased size and diversity of product offerings by financial institutions, greater internationalisation of the financial system and the growing role of domestic capital markets.
General requirements
The board has the overall responsibility to promote a sound credit risk management environment to support prudent credit decision-making. To this end, the board must annually approve the financial institution’s credit risk strategy, which articulates the financial institution’s overall direction for its credit activities.
Senior management is to be collectively responsible for the effective management of credit risk in line with the board-approved credit risk strategy and to ensure the effective implementation of the approved credit risk strategy.
A financial institution must have internal systems and infrastructure that are robust and able to produce aggregate information on its credit exposures and support timely identification and escalation of credit risk management issues. It must also ensure proper documentation and audit trail of its credit risk management process including credit risk assessment and approval process, development and validation of credit risk measurement methodologies as well as the outcomes of the independent credit review.
It must also establish an internal policy that sets out the appropriate training and continuous professional development needs for officers undertaking credit risk management responsibilities.
While the board and senior management play a key role in credit risk oversight, the responsibility for credit risk management is distributed throughout a financial institution. For example, business lines are primarily responsible for managing credit risks inherent in day-to-day activities, such as where credit officers evaluate customers for potential credit opportunities.
Credit risk assessment
A financial institution must establish sound and well-defined credit acceptance criteria, which is to take into consideration common credit characteristics for distinct categories of counterparties or facilities and the boundaries of the credit risk strategy and credit risk policy.
Guidance is provided in paragraphs 9.3 to 9.20 of the New Policy Document on various aspects of the assessment, including, among others, the ability of a counterparty to honour its commitments, sound understanding of any external ratings used, specific risks involved in exposure to foreign credit risk, factors to be considered in evaluating implicit support arrangements and collateral provided.
Credit approval
A financial institution must establish a well-defined board-approved authority structure for the credit risk assessment process that sets out, among others, the limits granted to each credit approval authority and circumstances under which the delegation of authority is allowed. The authority structure must mitigate potential conflicts of interest by individuals within the credit approval authority.
Exceptional credits
The New Policy Document recognises that a financial institution may extend exceptional credits2 and provides guidance in paragraph 11.2 of the New Policy Document on the systems and controls a financial institution must establish to manage and monitor exceptional credits.
Credit risk management
A financial institution is required to establish an approach for measuring the risks in all credit exposures, with the capability to aggregate and appropriately segment different credit exposures based on shared credit risk characteristics, e.g. by groups of connected counterparties, product type and risk characteristics.
A financial institution must have in place appropriate credit risk measurement methodologies to estimate credit losses, having regard to the nature, scale and complexity of its credit exposures. At a minimum, the financial institution must estimate the probability of default (PD), loss given default (LGD) and exposure at default (EAD) for its significant credit exposures.
A financial institution that leverages on external ratings for purposes of credit risk measurement must ensure that the methodology adopted by the rating agency fulfils the requirements set out in paragraph 12 of the New Policy Document.
The rating grades established by a financial institution must include sufficiently granular triggers or factors to enable the identification of both migration of credit risk and significant changes in credit risk that result in a change in rating grades of credit exposures. More stringent criteria are to be applied for upgrades which must be supported by evidence of sustained improvement in the factors under consideration, e.g. the gearing and cash flow of a counterparty.
Validation of credit risk measurement methodologies
A financial institution must establish a framework to validate its credit risk measurement methodologies to ensure that such methodologies are conceptually sound, fit for purpose and remain relevant on an ongoing basis. To ensure that objectivity of the validation process is preserved, the validation process should be undertaken by a party that is independent from those who developed the credit risk measurement methodologies.
Any weaknesses in the credit risk measurement methodologies identified during the validation process must be rectified and reported to senior management and the validation results are to be reported to the board.
Pre-implementation validation
As part of the pre-implementation validation process, a financial institution must ensure that information used to develop the credit risk measurement methodologies represent the relevant portfolio and is in line with the financial institution’s overall risk appetite and credit risk strategy and meets internally established data quality standards.
Post-implementation validation
The credit risk measurement methodologies must be periodically reviewed to determine whether they continue to be relevant. At a minimum, the review must include an assessment of the accuracy and discriminatory power of the credit risk measurement methodologies, whether the risk factors underlying the methodologies remain appropriate and whether the existing methodologies continue to suit the nature of the portfolio.
Credit risk monitoring
A financial institution must establish credit risk monitoring procedures to identify early signs of deterioration in a counterparty’s ability to honour its obligations and assess whether credit exposures remain consistent with the contractual terms, risk appetite and credit risk policy.
In performing credit risk monitoring, a financial institution must consider the potential impact of changes in the operating environment, whether domestic or abroad, on the credit risk profile of an individual credit exposure and the overall credit portfolio, such as those pertaining to interest rates, inflation, asset prices, competition and socio-political conditions.
The roles, responsibilities and reporting structure pertaining to monitoring activities must be defined in a manner that facilitates objectivity in credit risk monitoring.
Credit concentration risk
A financial institution must have adequate processes that enable the effective management of credit concentration risk. It must be able to identify the sources and degree of credit concentration risk in its portfolio, including: (a) single counterparties and groups of connected counterparties; (b) counterparties in the same industry, economic sector or geographic region; (c) counterparties whose financial performance is dependent on the same activity or commodity; and (d) exposures in particular asset classes, products, collateral or currencies.
Appropriate methodologies3 to assess credit concentration risk must be established. Such methodologies must incorporate correlations between credit exposures, taking into account the historical trend of defaults, credit losses or relevant proxies4 across an appropriate time horizon.
As part of prudent management of credit concentration risk, a financial institution must establish exposure limits based on clear rationale and supported by an appropriate analytical framework. These limits must be supplemented with early warning indicators to identify credit exposures that are approaching their limits on a timely basis so that the financial institution has sufficient time to undertake necessary actions to maintain exposures at a prudent and manageable level.

Problem credits
A financial institution is required to establish criteria for identifying problem credits. At a minimum, a credit exposure must be classified as a “problem credit”5 if any of the following is met: (a) the counterparty is experiencing financial difficulty in meeting its financial obligations, such as where the counterparty is currently past due on any of its material obligations; (b) the financial institution has granted a concession following an increase in credit risk of the counterparty, such as by making changes to contractual terms, that the financial institution would not otherwise consider under normal circumstances; or (c) under the relevant accounting standards, the credit is deemed to have
experienced a significant deterioration in credit risk, whether due to counterparty-specific factors or those relating to macroeconomic and sectoral considerations.

The management of problem credits must be undertaken in a structured and targeted manner, with a focus on improving recovery outcomes and providing feedback to further strengthen the financial
institution’s credit risk strategy and credit risk policy.
The problem credit management process employed by a financial institution must be commensurate with the severity of problem credit. A financial institution must periodically assess the appropriateness of its existing process, taking into consideration the volume, materiality, nature and complexity of problem credits as well as availability of relevant expertise and resources. It must conduct periodic reviews to identify the key drivers leading to significant credit exposures being classified as problem credits and communicate the outcome of this review to the board.
Financial institutions must establish controls to avoid ‘ever-greening’ of rescheduled and restructured credits. In addition, banking institutions must also comply with the requirements specified in Appendix 1 of the New Policy Document in respect of rescheduled and restructured loans/ financing facilities.
Write-offs are to be undertaken in a timely manner and reflect realistic repayment and recovery expectations. To this end, a financial institution must establish a board-approved policy for write-offs that, at a minimum, sets out the circumstances, conditions and approving authority under which a credit can be written-off.

Credit risk reporting
A financial institution must ensure that credit risk reports to the board and senior management are prepared in a manner that clearly explains and gives sufficient prominence to significant credit risk issues and developments that may materially impact the financial institution and must be submitted in a timely manner. In particular, the reports must enable the board and senior management to: (a) relate the information presented to the financial institution’s credit risk strategy, risk appetite and credit risk policy, and to identify any of these arrangements that need to be reviewed; (b) be aware of significant credit exposures (including portfolio of credits supported by implicit support arrangements), both on an individual and aggregated basis; and (c) assess the need for measures to mitigate any emerging risks.
Independent credit review
A financial institution must undertake an independent credit review in accordance with paragraphs 17.2 to 17.5 of the New Policy Document to ensure that credit decision-making remains consistent with the financial institution’s overall credit risk management arrangements. The review is to be undertaken by an independent party that is not within the scope of the review.
The scope, depth and frequency of the independent credit review is to commensurate with the significance of a particular area or activity to the financial institution’s credit risk profile.
At a minimum, the independent credit review must include assessments of: (a) the quality of credit risk assessment and rigour of credit approval processes; (b) whether credit decisions are in accordance with the credit risk strategy, credit risk policy and relevant legal and regulatory requirements; (c) the scope, effectiveness and timeliness of credit risk monitoring activities; (d) the accuracy and timeliness of ratings assigned to counterparties; and (e) appropriateness of credit classifications and provisioning levels. The independent credit review function must be subject to internal audit assessments.
The outcomes of, including any recommendations arising from, independent credit reviews are to be clearly documented and escalated directly to the Board Risk Committee, Board Audit Committee and senior management.
Rescheduling and restructuring of loans/financing facilities by banking institutions6
Appendix 1 of the New Policy Document sets out specific requirements relating to the rescheduling and restructuring of loans/financing facilities by banking institutions.
A banking institution is required to establish a board-approved policy on rescheduled and restructured loan/financing facilities that includes the following: 
  1. define the circumstances and conditions where a loan/financing facility may be rescheduled or restructured, including the appropriate credit grade classification and staging policies under MFRS 9;
  2. set out situations where a loan/financing facility may be rescheduled or restructured more than once, and establish appropriate controls governing such loan/financing facility;
  3. define additional considerations under which a rescheduling and restructuring could result in the loan/financing to be upgraded;
  4. ensure information on the credit quality of rescheduled and restructured loan/financing facilities is maintained at a sufficiently granular level to enable a separate review and monitoring of such facilities;
  5. ensure compliance with Shariah rules and principles in respect of the rescheduling or restructuring of an Islamic financing facility; and
  6. for credit-impaired loan/financing facilities that are rescheduled and restructured, define a minimum repayment period being not less than six months (based on the revised and restructured terms and conditions) to be continuously observed before the facilities can be reclassified as non-impaired. 
Appendix 1 also sets out the conditions in which a rescheduled and restructured loan/financing facility is to be reported as “rescheduled and restructured” in the Central Credit Reference Information System (CCRIS) as well as the conditions to be satisfied for such classification to be removed.
Article by Lee Ai Hsian (Partner) and Javene Fan (Associate) of the Banking and Finance Practice of Skrine.

1 For the purposes of the New Policy Document, “credit risk” refers to the risk of a counterparty failing to perform its obligations.
2 An “exceptional credit” refers to any provision of finance that deviates from a financial institution’s approved credit risk policy (paragraph 5.2 of the New Policy Document).
3 Examples of methodologies to identify or measure concentration risk provided in the New Policy Document include the Herfindahl-Hirschman Index (HHI), Gordy Granularity Adjustment (GA) and economic capital modelling approaches.
4 The New Policy Document provides sectoral stock market indices as an example of relevant proxies.
5 Problem credit refers to any credit exposure for which there is reason to believe that a portion or all amounts due will not be repaid or recovered in accordance with the contractual terms (paragraph 15.2 of the New Policy Document).
6 The term “banking institutions” refers to licensed banks, licensed investment banks and licensed Islamic banks (paragraph 5.2 of the New Policy Document).

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact