By Andreas Pilger, Senior Consultant
and Joana Elisa Maldonado, Regulatory Compliance Assistant
More than one year after the implementation deadline, BCBS 239 stays a major issue on banks’ compliance agendas. 30 Global Systemically Important Institutions (G-SIBs) had to comply with the Principles for Effective Risk Data Aggregation and Risk Reporting (the Principles) – the Basel Committee on Banking Supervision (BCBS) standard number 239 – by January 2016. Yet, a recent progress report reveals that only 2 of the 30 banks managed to achieve full compliance by March 2017. Other banks that need to comply with the Principles are still facing an implementation period of several years.
Why are banks struggling to comply with the standard? Which are the biggest challenges for implementation? And which lessons can be learned from the past years for better compliance? In this article, we provide an overview of BCBS 239 and take a closer look at the Basel Committee’s progress report to identify compliance challenges and successful ways to compliance.
Primarily, BCBS 239 is a standard for global banks with systemic relevance. G-SIBs which were identified by the Financial Stability Board (FSB) in 2011 and 2012 were supposed to comply by January 2016. G-SIBs which were identified by the FSB at a later point need to comply three years after their identification.
Not a G-SIB? Don’t stop reading yet – in addition to the 30 G-SIBs, national supervisors may oblige their Domestic Systemically Important Institutions (D-SIBs) or Other Systemically Important Institutions (O-SIIs) or even a wider range of banks to comply with the standard. What is more, the standard applies both at banking group level and at solo basis.
BCBS 239 is a set of 14 principles for a sound risk data framework, published in 2013 in reaction to shortcomings in risk management practices which became evident during the 2007-9 financial crisis. The standard seeks to strengthen banks’ Risk Data Aggregation and Risk Reporting (RDARR) capabilities.
The application of the Principles is very comprehensive: the goal is to build a bank-wide framework for data processing, management and reporting, with a focus on the traceability of data. The Principles also apply to a bank’s group risk management processes, including outsourced processes.
Three of the 14 Principles are addressed to supervisors. The 11 Principles for banks cover the following three areas:
|Overarching Governance & Infrastructure|
Principles 1 & 2
A bank should have in place a strong governance framework, risk data architecture
& IT infrastructure.
|Risk Data Aggregation Capabilities|
Principles 3 - 6
Banks should develop & maintain strong risk data aggregation capabilities to ensure that risk management reports reflect the risks in a reliable way.
|Risk Reporting Practices|
Principles 7 - 11
Risk reports based on risk data should be accurate, clear & complete. They should
contain the correct content & be presented to the decision-makers in a time that
allows for appropriate responses.
Principles 12 - 14
Supervisors should review compliance with the Principles to determine whether
the Principles themselves are achieving their desired outcome and whether further enhancements are required.
End of March 2017, the Basel Committee published a BCBS 239 progress report assessing the 30 G-SIBs identified in 2011 and 2012 based on questionnaires filled in by supervisors in July 2016. The BCBS acknowledges that the importance of the Principles is already recognised in boards and senior management is appropriately involved. It finds that in the last years, banks have improved their risk data governance structures, for example by setting up committees and senior-level positions.
However, the report concludes that the G-SIBs which were supposed to comply with the standard by January 2016 are still mostly non-compliant. In fact, only two of the 30 banks achieved full compliance by March 2017, 24 are expected to achieve full compliance before the end of 2018, and four of them even beyond 2018.
The BCBS estimates that banks need five to six years to achieve full compliance.
On average, the banks are about two and a half years past due in their compliance process.
In July 2016, only one bank was fully compliant with all Principles and there was not one single Principle with which the entire sample of banks had achieved full compliance. But which Principles and topics pose a challenge for the majority of banks? The report reveals that Principle 2 (data architecture & IT infrastructure) and Principle 3 (data accuracy) are the major obstacles on the way to full compliance. Furthermore, many banks lack behind on Principle 5 (timeliness), Principle 6 (adaptability) and Principle 7 (accuracy of reports). More than ten banks expect to need until the end of 2018 or beyond to comply with the rules for data architecture & IT infrastructure, data accuracy, completeness and adaptability in risk aggregation, as well as accuracy and frequency in risk reporting.
Source: Basel Committee.
|Assessment||Governance & infrastructure||Risk data aggregation capabilities||Risk reporting practices|
|4 = fully compliant, 3 = largely compliant, 2 = materially non-compliant, 1 = not implemented|
|Source: Basel Committee|
By rating banks by compliance with each principle, supervisors have revealed that Principle 2 (data architecture & IT infrastructure) has the lowest average level of compliance, followed by Principle 3 (data accuracy), Principle 5 (timeliness), Principle 6 (adaptability) and Principle 7 (accuracy in reporting) with an average of material non-compliance. Only Principle 8 (comprehensiveness), Principle 9 (clarity & usefulness) and Principle 11 (distribution of reports) have achieved levels of large compliance across banks.
The Basel Committee draws the conclusion that banks are currently facing two core challenges when implementing BCBS 239:
Based on the results of the BCBS progress study, banks should pay particular attention to the following four points in order to achieve full compliance with the Principles:
Definition of Compliance Targets & PrioritiesThe crux of BCBS 239 implementation is the principle-based approach of the standard. The Principles are rather vague and general, giving no measurable metrics but a wide freedom of interpretation. On the one hand, it means that there are no clear indicators to monitor the compliance progress. On the other hand, it can be advantageous, since it allows the banks to tailor compliance according to their needs. While for small banks implementing a minimum might be optimal, a large bank may benefit from applying the Principles to additional processes, such as financial and operational processes, or supervisory reporting.
Key question for implementation: What are the costs and benefits of applying BCBS 239 to an extended scope of processes?
Applying BCBS 239 to a larger array of processes can reduce structural costs, eliminate losses which result from insufficient risk management and improve decision-making, thus leading to a competitive advantage through efficiency gains. Banks can therefore transform the challenge of a lack of compliance metrics into the benefit of taking a tailored approach that generates added value for their specific business by setting customised individual compliance targets. With limited resources it is impossible to implement everything at once with multiple simultaneous large-scale projects. That is why it is crucial to set specific priorities for implementation. The BCBS compliance statistics have shown that it can take up to six years to achieve full compliance – but setting the right targets and priorities might get you on a fast-track towards compliance.
Infrastructure: The data architecture and IT infrastructure form the starting point for building a strong RDARR framework. Yet, most banks are struggling to comply with the respective Principle 2. A common enterprise architecture and integrated data taxonomies need to be defined. RDARR principles should be aligned with company policies and clear responsibilities assigned to the relevant staff.
Data Quality: High quality data is the basis of effective risk management and evidence-based decision-making. BCBS 239 requires consistent data at different levels of granularity. Automation plays a major role here to guarantee accurate, up-to-date and complete data. Yet, the right balance needs to be found by reverting to manual processes when a certain degree of flexibility needs to be provided in data delivery. This is relevant for responding to ad-hoc requests – a capability which is tested by supervisors in so-called fire drills, i.e. simulations of short-notice requests. In addition, reliable data sources, regulated access to data, reconciliation and maintenance are key to comply with the challenging Principle 3 on accuracy. Processes should be well documented, a data dictionary implemented and data profiling and data quality analysis performed.
Reporting: Likewise, reporting requires comprehensive automation to permit the timely delivery of consistent risk reports from all departments. To comply with the exponentially increasing reporting requirements with far-reaching demands in terms of transparency and accountability, processes need to be lean, transparent, accountable and efficient. Assuring effective risk data aggregation in this way will enable the bank to perform adequate risk management.
The wide-reaching non-compliance of banks will trigger supervisory reviews and follow-up action in the coming months and years. Supervisors will conduct regular reviews, thematic reviews, auditors’ reviews as well as fire drills to monitor compliance with BCBS 239. In case of deficiencies, the supervisors will take remedial action in form of requests of independent reviews, increased supervisory intensity and even capital add-ons or restrictions of business activities. Non-compliance can therefore become costly, while compliance is a lengthy and challenging process.
To prepare for supervisory control and become compliant in time, the Basel Committee advises banks to approach the BCBS 239 compliance exercise with the following two recommendations:
The BCBS will continue its monitoring efforts and recommends that supervisors incentivise compliance, refine assessments and communicate assessment results to each bank by June 2017.
Finalyse combines the adequate set of regulatory knowledge, banking track record, risk management and technical skills to help you navigating through the BCBS 239 challenges all the way through to full compliance. Our ‘hands-on’ touch and already existing BCBS 239 experience allow us to quickly diagnose the current situation, provide BCBS 239 compliant recommendations and steer and execute the related operational implementation according to the bank’s needs. For more information, please contact Silvio Santarossa, Partner Risk Advisory at Finalyse.