Risk Management

Risks Unique to Internet Banks

At Rakuten Bank, we verify the risk profile at least once a year and report to the Risk Management Committee. We discuss various risks identified in the verification, the status of those risks, necessary countermeasures and subsequent monitoring methods, and implement risk management systems based on the risk characteristics of an Internet bank.

We raise funds mainly from deposits from individual customers in all regions of Japan, and in order to manage the funds safely, the majority of the investment is for individual customers such as home loans, card loans, and Rakuten Card trust beneficiary right. Hence, we regard personal credit as the center of credit risk and manage the risk by monitoring the status of the portfolio for each product and reporting to the Risk Management Committee. In addition, since we are a bank that does not have physical stores, we believe that we may be more susceptible to reputation on the Internet than other financial institutions. We recognize that there is a liquidity risk, and we are constantly monitoring and responding to reputational risks.

Risk Management Framework

Rakuten Bank’s Board of Directors has established our risk management policies in the Regulations for Bank-wide Risk Management, which include specific regulations and detailed regulations for each division based on the overall policy. Business is conducted in accordance with the rules and regulations prescribed. Our overall risk management system is centrally managed by the Risk Management Division, with monthly reporting to the Risk Management Committee, Management Conference and Board of Directors. Meanwhile, the Regulations for Crisis Management is in place for cases of business incidents and/or natural disaster which allows us to take all possible measures necessary to ensure that we can serve our public function as a bank, even in unforeseen circumstances.

Risk Management Framework (As of June 30, 2023)

【1】Integrated Risk Management Framework

(1) Capital Risk Management

We have been managing capital allocations (hereinafter referred to as “capital allocation management”) for the purpose of containing the level of risk exposure (including credit risk, market risk, and operational risk) within the amount of capital allocated and ensuring sound management.
In specific terms, by setting the upper limit of possible risk (allocable capital) and by avoiding eroding capital under the rapid downturn of economy and markets through securing a fixed surplus capital (hereinafter referred to as “capital buffer”), we ensure risk exposure is contained within the capital allocated to each risk category, namely market risk, credit risk, and operational risk. The amounts of the capital allocations are determined on a quarterly basis by the Board of Directors.

(2) Stress tests

In order to formulate and execute forward-looking business strategies, we use stress test methods. We analyze and grasp the impacts of changes in the business environment and risk profile due to future “Changes of the economic environment,” “Changes of the business trends,” and “Other changes of the social situations, natural or man-made disasters.”
In specific terms, we develop several scenarios such as “Changes of the economic environment (interest rates, foreign exchange rates, and stock prices),” “Changes of the business trends (corporate performances, employment environment, annual earnings),” and “Other changes of the social situations (international political situations, domestic security situations, etc.), natural (earthquake, storm and flood disaster, etc.) or man-made (wars, terrorisms, infrastructure failures) disasters.” We conduct “Verification of the capital buffer sufficiency on the capital allocation,” “Verification of the influence on prospective revenue,” “Verification of the influence on business continuity” quarterly and report the results to the Risk Management Committee, Management Conference and the Board of Directors.

【2】Market Risk and Credit Risk Management Framework

(1) Market Risk Management

Rakuten Bank defines market risk as the risk of declining profits or incurring losses due to fluctuations in the value of assets held as a result of fluctuations in interest rates, foreign exchange rates and stock prices. Moreover, the sources of such assets include (i) investment assets generated through investment operations and (ii) securities and other assets held for strategic purposes including 1) Japanese government bonds, municipal bonds and government backed bonds, 2) Japan Housing Finance Agency Mortgage Backed Securities, 3) listed stocks, ETFs, 4) foreign currency and 5) other marketable assets. Rakuten Bank has stipulated the method of measurement of risk capital, loss-cut rules, monitoring methods and cycles for each of the above assets in the Regulations for Market Risk Management and Detailed Regulations for Market Risk Management. The maximum amount of potential loss (Value at Risk) is calculated on a daily and monthly basis, and the measurements results are used in the management of capital allocation. The status of compliance with each rule is reported on a daily and/or monthly basis to the Risk Management Committee, Management Conference and the Board of Directors, etc.

(2) Credit Risk Management

Rakuten Bank defines credit risk as the risk of decrease or the loss of the value of assets and incurring losses mainly due to deterioration in an obligor’s financial position. Moreover, the sources of such assets include (i) trade-receivables generated through the provision of services, (ii) investment assets generated through investment operations, (iii) receivables generated through loan operations, and (iv) securities and other assets held for strategic purposes. Rakuten Bank has stipulated the method of measurement of risk capital, decision-making processes as to credit offering in relation to the value, loss-cut rules, and monitoring methods and cycles for each of the above assets in the Regulations for Credit Risk Management and Detailed Regulations for Credit Risk Management.
As mentioned above, Rakuten Bank mainly deals with small-lot credit for individuals such as home loans, Rakuten Bank super loans (card loans), and trust beneficiary rights of Rakuten Card Co., Ltd. By implementing risk measurement for each pool created according to product and debtor characteristics, we quantitatively grasp and manage this credit risk.
For securities holdings and corporate customers with business loans, we grant common debtor ratings stipulated in the “Internal Rating Detailed Rules” and manage credit limit based on the credibility of the obligors. In addition, the status of credit risk management is reported monthly to the Risk Management Committee, Management Conference and the Board of Directors, etc.

【3】Liquidity Risk Management Framework

In order to ensure that operations remain continuous without interruption, even in the event of a drastic outflow of deposits such as in the event of a run on banks, or in situation of stress under which asset outflows are expected to continue over a period of time, Rakuten Bank has set forth the basic policy on liquidity risk in the Regulations for Bank-wide Risk Management and Regulations for Liquidity Risk Management for the purpose of securing funding based on the holding and utilization of assets, which are convertible into cash. Additionally, Rakuten Bank manages liquidity risk through the clarification of an action plan intended to ensure sufficient liquidity and control reputational risk by setting forth the Liquidity Risk Contingency Plan, whose basic policy involves a judgment of the situation and its categorization into “Normal,”
“Requiring Caution,” “Cause for Concern” or “Crisis Point,” depending on the fund liquidity status (mode determination) and taking appropriate actions. The liquidity risk management monitoring results are reported monthly to the Risk Management Committee and the Board of Directors, etc.

【4】Operational Risk Management Framework

In accordance with the Regulations for Bank-wide Risk Management and the Regulations for Operational Risk Management, Rakuten Bank recognizes the reinforcement of our operational risk management framework to be one of our priority management tasks and has been developing and improving our operational risk management framework, as well as enhancing its sophistication.

(1) Processing Risk Management Framework

In order to address potential processing risks, Rakuten Bank, as a general rule, conducts an Operational Risk Assessment every year, with particular emphasis on identifying the location, type and impact of risks inherent in the bank’s processing flow. At the same time, an evaluation of the control status of such risks is conducted and risk reduction measures are deliberated and implemented for processing flows, which are determined to be high risk. Additionally, in order to address risks that have materialized, Rakuten Bank defines events that require reprocessing or responses from the entire organization, separate from normal business processes, as a result of the willful intent or inadvertent administrative error of the bank’s executives, employees or subcontractors, or errors in the systems or administrative processes as incidents, and has been striving to reduce risks by building a framework to prevent the recurrences of incidents that match the degree of materialization of such risks. The status of assessment and the occurrence/causes/prevention measures of such incidents are reported to the Risk Management Committee, etc.

(2) Information System Risk Management Framework

As Rakuten Bank depends on computer systems for the greater part of our business operations, we recognize information system risk to be one of our most fundamental risks; and accordingly have built a management framework, in addition to strictly overseeing the planning, development and operation of our company-wide systems. Moreover, in addition to duplicating networks and hardware and implementing off-site storage of customer data in preparation for disasters and failures, Rakuten Bank has established a disaster control center capable of quickly resuming operations following disasters to ensure even more reliable and safe operations. Furthermore, a detailed Contingency Plan has been set forth that places the highest priority on the preservation of customers’ assets, as part of a framework that allows customers to engage in transactions with peace of mind. Rakuten Bank’s overall policy on information system risk has been resolved by its Board of Directors and articulated in the Regulations for Information System Risk Management. Based on the Regulations, purpose based rules and office manuals are placed to familiarize our employees with the overall policy on information system risk. Additionally, the management status of information system risk is reported on a monthly basis to the Risk Management Committee, the Board of Directors and other committees.

(3) Information Security Risk Management Framework

In order to address the threats to customer assets, customer information, bank assets and bank information, Rakuten Bank implements the following measures based on the risk management frameworks for information security risk, information system risk and compliance risk, which have been set forth in the management of operational risk. The Risk Management Division is responsible for the overall management of information security risk, the System Division is responsible for the management of system security associated with information system risks, and the Planning Division is responsible for dealing with financial crimes, while a mechanism has been put in place that ensures the absence of any gaps among the risk management of each division. Moreover, we have reinforced our information security by conducting checks in compliance with FISC (The Center for Financial Industry Information Systems) safety standards and other information security standards, primarily on system confidentiality, integrity and availability, while, in terms of external threats to our web system, we implement the latest system security measures, including the performance of regular security tests by a third party. Additionally, incident reports relating to information security risk, security status of information system and reports on the handling status of financial crimes are given by each division on a monthly basis to Risk Management Committee, Compliance Committee, and the Board of Directors, etc.

(4) Management Framework of Other Operational Risks

(i) Reputational Risk
Rakuten Bank defines reputational risk as the risk of disruption to the bank’s operations due to media reports and/ or rumors stemming from false facts or actual materialization of various risk cases relating to the bank’s operations and manages such risks by establishing the Regulations for Reputational Risk Management which set forth basic management policies and the response methods in the event that such risks materialize.

(ii) Human Risk and Legal Risk
Rakuten Bank defines human risk as the risk incurred from HR operations, such as inequality or inequity in the bank’s human resources management (including problems with remuneration, benefits, dismissal, etc.) and discriminatory conduct (including sexual harassment), and an increase in the number of employees going on long-term leave as a result of mental problems, and other factors, and legal risk as the risk of incurring losses (including litigation costs and attorney fees) from penalties, administrative dispositions, compensation for damages and voided contracts, and other issues as a result of statutes or litigation, and manages such risks by establishing the Regulations for Human Risk Management and the Regulations for Legal Risk Management which set forth the basic policies on the management of such risks.