RiskTech Forum

Wolters Kluwer: Should BCBS 239 Compliance Be Viewed As A Goal Or a Catalyst For Effective Change?

Posted: 1 July 2016  |  Author: Ruben Lannoo  |  Source: Wolters Kluwer

As the BCBS 239 deadline is - at the time of writing - five months overdue, what approach towards compliance will prove to be more effective? Banks that have taken a methodical and timely ‘check-the-box’ approach, or banks that have viewed the regulation as an opportunity to thoroughly strengthen their underlying governance, architecture and data quality, even if that means not meeting the January 1st 2016 deadline? This commentary will explore both sides of the coin.

To first understand the logic behind both strategies, it’s worth revisiting what the regulation is and how it came to be. Back in January 2013, the Basel Committee on Banking Supervision published the BCBS 239 principles for effective risk data aggregation and risk reporting, in response to the lessons learned during the 2007 global financial crisis. Of the 14 principles, 11 focus on the responsibilities of the risk management function of banks whereas three principles are aimed towards the supervisory bodies. The principles require rigorous governance and thorough data management which should allow banks to have a better understanding of their own data and exposures to the different types of risk (credit risk, market risk, liquidity risk, operational risk and other risks) as well as being able to produce validated, accurate, comprehensive and useful reports in a timely manner to the relevant parties.

At the core of this capacity should be a single authoritative source for risk data per each type of risk. This data must be reconciled with accounting data (where appropriate) to ensure the risk data is accurate. Ideally, these two datasets should be stored in the same system as the single-point-of-truth, which makes these reconciliation efforts redundant. These data architecture requirements are what most G-SIBs are struggling with. BCBS 239 increases pressure on banks to invest in data quality and a solid data architecture. The benefits of a single source of truth, that contains both risk and accounting data, are numerous: clear data lineage, less reconciliation, the ability to use the same data for multiple purposes are only the tip of the iceberg in terms of benefits.

What progress has been made?
The BCBS issued two self-assessment exercises to 31 G-SIBs in 2013 and again in 2014. The results of these questionnaires (published in December 2013 and January 2015) clearly showed banks would have to strain their teams to meet the January 1st 2016 deadline. One bank even indicated meeting the requirements of all Principles would not be feasible before the end of 2018.

Banks clearly struggled and continue to struggle the most with Principle 2 (Data architecture/IT infrastructure), Principle 3 (Accuracy and Integrity) and Principle 6 (Adaptability). About a third of the banks indicated they would not be compliant with these principles by the January 2016 deadline. The results of the 2013 progress report also showed a lot of the 31 G-SIB’s failed to comprehend the link between the different principles. Some data aggregation and risk reporting principles closely align with each other because complying with the former is a prerequisite to complying with the latter. In general, banks assigned themselves higher ratings on the risk reporting principles than they did on the corresponding data aggregation principles. A few banks that rated themselves as fully compliant on principle 8 (comprehensiveness risk reporting) assessed themselves as being materially non-compliant on one or more data aggregation principles.

In the 2014 progress report there was a clear trend and noticeable improvement in the understanding of how certain principles are interlinked. Supervisors are aware of the challenges banks face and know a lot of G-SIBs are still not sufficiently covering one or more principles four months after the deadline.

As there may be differences in interpretation between different banks and supervisors it is not straightforward to enforce compliance with the BCBS 239 principles requirements across the board. "The implementation of the principles, and the assessment of compliance, now relies on the interpretation and application of domestic supervisors," said a spokesperson for the Basel Committee. This also means all sanctions, in whatever shape or form, are also to be implemented by the national regulators.

This adds to the complexity as these banks are typically regulated by a multitude of regulators. It is still unclear how non-compliance would be treated. Fines or capital add-ons are possible but not confirmed by any of the regulators. However, fines and penalties should be a last-resort for banks that are unwilling to comply with the principles. The Basel Committee suggests that in cases of non-compliance at the implementation deadline, banks should provide a remedial plan that is agreeable to supervisors, so no penalties are expected in the short term.

Compliance or a solid foundation?
Banks have spent millions of dollars so far to tackle this. In fact, a McKinsey report from June 2015 estimated that an average G-SIB would have spent about USD 230 million and an average D-SIB USD 75 million to aggregate risk data that was previously dispersed over a wide variety of systems, geographic locations and banking groups.

This effort will without a doubt act as a catalyst to empower banks to make better, faster decisions based on higher quality data. They need to grasp this opportunity with both hands as banks who only do enough to comply to BCBS 239 without looking at the opportunities it presents will, without a doubt, be finding themselves behind the leading pack in the future as they will lack the flexibility, accuracy and completeness of data of their competitors that went the whole nine yards.

However, this long-term vision comes with a price. Banks who have chosen the long-term approach of massively reducing manual interventions may find themselves struggling to meet all requirements, while other banks that opted for the short-term approach of increasing governance on existing manual processes may be perceived as ‘more compliant’ but in reality have a serious disadvantage, as they will continue to struggle with manual interventions and data quality specifically in stress/crisis situations when correct data has to be available in very short timeframes. The fear of massive reputational risk of non-compliance may have been a factor in the decision process when choosing for the latter.

Compliance with the BCBS 239 principles should not be seen as a target as such, but as an opportunity to improve the quality of the various components (governance, data architecture, IT infrastructure, and high-quality data) that lead to supreme risk reporting capabilities. Banks that followed this approach may not yet have reached full compliance with the BCBS 239 Principles but will reap the long-term benefits of their effort in the future, both in ‘business as usual’ as well as in stress/crisis situations when they are capable of making better decisions due to the availability of timely, accurate and comprehensive reports based on accurate, complete and adaptable data aggregation capabilities. After all - isn’t that what the BCBS 239 principles are all about?