Why is implementing BCBS 239 so challenging?
Banks still face challenges on the bumpy road towards compliance with BCBS 239.
In January 2013, the Basel Committee on Banking Supervision (BCBS) proposed the Principles for Effective Risk Data Aggregation and Risk Reporting, known as BCBS 239 or PERDARR.
The principles emphasize the importance of banks having the ability to aggregate risk data and to report in a flexible manner in order to improve the banks’ insight on their risk positions. What are the challenges faced when implementing these principles?
By January 2016, banks identified as Global Systemically Important Banks (G-SIBs) are required to comply with BCBS 239. Besides, supervisors are strongly advised to also apply the principles to banks identified as Domestic Systemically Important Banks (D-SIBs), three years after their designation. Many banks are still struggling to achieve full compliance in time for the BCBS 239 deadline January 2016.
Compliance with BCBS 239 requires a careful interpretation by the banks. The 14 principles are covered by 4 closely related topics explained below; 3 topics are directly related to the banks, while the last topic applies to the supervisors.
Governance and Infrastructure
The first topic stresses the importance of a strong governance framework, risk data architecture, and IT infrastructure. Data quality and consistency across all business units and jurisdictions is crucial.
Risk Data Aggregation
The second topic relates to the banks’ capabilities to aggregate data in order to meet reporting expectations. It emphasizes the ability to meet ad hoc risk management requests for both internal and external supervisory requirements.
Risk Reporting Practices
The final bank related topic covers the risk reporting practices. Timely risk reports which are clear, accurate, and comprehensive, need to be presented to the relevant people in order for them to be used as a reliable decision making tool.
Supervisory Review, Tools and Cooperation
Supervisors are expected to continuously monitor the banks’ organization-wide compliance with the principles. This requires cooperation and information transparency amongst supervisors in other jurisdictions so that a clear overview of the banks in a broader perspective can be achieved.
BCBS 239 principles for effective risk data aggregation and risk reporting
With the introduction of Basel I in 1988, BCBS launched a first set of international regulations mainly focusing on credit risk. Basel I aimed to minimize risk by requiring minimum capital levels for financial institutions. Assets were classified in five risk categories, each carrying its own level of risk weights.
This rather simplistic way of assessing a bank’s risk has been developing over time. With Basel III on its way, the progression of the regulation has put risk at the top of the agenda for the banks’ boards.
In recent years, the recognition of the importance of IT in measuring risk has improved rapidly. The increased focus on quantifying risk has required banks to move their focus to a more data-oriented environment. As a result, banks’ IT capabilities need to be increased significantly. BCBS 239 is in line with this evolution.
Although BCBS pushes an open door, the principles reiterate the importance of the fundamentals of today’s risk management practices.
Bankers perceive IT in the same way most people perceive the engine of their car: it usually stays ‘under the bonnet’. As long as the engine runs, everything is fine. This rather careless perception is sufficient when a bank is relatively small, but for G-SIBs it is a whole other story.
Given the large size of G-SIBs and the broad package of principles, it becomes clear it will take a huge effort to become compliant. Because BCBS 239 is not a cookbook, banks find it difficult to determine how authorities are going to assess their compliance.
Past M&A activities have resulted in overly complex and rigid IT landscapes. Banks tend to heavily rely on these IT landscapes, consisting of geographically dispersed heterogeneous systems and fragmented databases. The reports that are produced within IT landscapes are generally standardized, databasespecific reports with predefined frequencies and parameters.
In order to walk a successful road towards compliance, all parties involved have to speak the same language. These parties, being financially, risk or audit oriented, are highly interdependent and must construct a common view in order to work towards a united goal. To be able to achieve this common vision, it is crucial for all parties to be aware of the fundamental role IT plays in their business. Because the IT department knows ‘what’s under the bonnet’, it should always be involved in the decision-making process related to data aggregation and risk-reporting practices.
This alignment is continually challenged during the implementation of BCBS 239. Banks need to find consensus on data-related topics, such as achieving the desired data quality, data definitions, data availability, data accountability, as well as the data storage and retrieval process.
Besides these factors, the complexity, size and availability of data used by banks lead to a lack of data adaptability. This inability to adapt prevents banks from properly aggregating data on a crossborder level. Also, the vast variety of data involved plays an influential role in this process.
In other words, size is a paradoxical factor. The bigger an organization is, the more capacity it has for change, but it will also be more difficult to implement the new regulation.
As previously noted, compliance with BCBS 239 requires G-SIBs to be able to consistently aggregate their data in order to report in the most flexible way. G-SIBs that are able to realize high standards on both data aggregation and flexible reporting can capture major business benefits.
In order to aggregate data consistently, it needs to be stored and retrieved consistently as well. Only constructing a sophisticated, transparent and harmonized IT-landscape is not enough. It also asks for consensus and accountability regarding data definitions. This can be achieved by storing these data definitions in a data dictionary. Ultimately, this consensus leads to an increase in data quality and a decrease in manual efforts. Given the enhanced data quality, management can rely on more accurate analyses and therefore improve the risk management.
Flexible risk reporting allows banks to produce ad hoc and tailored risk reports for specific audiences.
The improvement in risk aggregation produces more accurate current insights as well as improved predictions on a shorter time-span. Ultimately, a company-wide real time risk reporting tool enables banks to assess specific risk factors at any time. When threats like a Grexit or Brexit approach reality, such a reporting tool can calculate real-time exposures and other risk metrics.
Road to compliance
Banks still face challenges on the bumpy road towards compliance with BCBS 239. Where small banks lack the capacity to comply with the principles, larger banks face an excessive level of complexity.
Although the principles describe an ideal scenario in which banks can greatly improve their risk management, it remains uncertain whether G-SIBs will be able to walk this road towards compliance in time.