In 2007-2008 the global financial crisis showed the inadequacies of the IT and data architectures of systemically important institutions in the financial system.
Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at group level, across business lines and legal entities. As a result, the ability to take timely decisions was seriously impaired, with wide-ranging consequences for the banks themselves and the financial sector as a whole. For example, most institutions struggled to assess their true exposures to Lehman Brothers and other casualties of the market events in 2007–2008 as the key information required was siloed across different department systems and processes, resulting in wholesale fragmentation and a near impossible task to collate the relevant information quickly across numerous legal entities within a large investment bank.
The Basel Comittee on Bank Supervision (BCBS) stepped in to fulfill its original aim, the enhancement of financial stability by improving banking supervision worldwide.
In January 2013, the BCBS published its standard number 239 Principles for the effective aggregation of risk data and risk reporting (also known as BCBS 239) to strengthen risk management at global systemically important banks (G-SIBs) through enhanced internal risk-reporting practices, complementing other existing international initiatives.
The BCBS recognizes that resolution authorities need timely access to aggregate risk data to understand the correct course of action to restore financial strength and viability when a key financial institution comes under severe financial stress.
The focus of BCBS 239 relies on global systemically important banks (G‐SIBs), as outlined in the document, however it is strongly suggested that national supervisors also apply these principles to banks identified as Domestically Systemically Important Banks (D‐SIBs) three years after their designation as DSIBs’. Firms identified as G‐SIBs in 2011 and 2012 were required to fully adopt the BCBS 239 principles by January 2016, however, the fourth report on progress published by the Basel Committee found a wholly unsatisfactory level of compliance, with only one G‐SIB fully compliant within the deadline timing.
Behind the BCBS 239 drive we can find a few relevant issues summarized as follows:
- Immature data processes and infrastructure
- The data required for critical risk assessment came from multiple sources, requiring many manual processes in order to aggregate.
- Bank boards and senior management were ‘blindsided’ by inaccuracy of the data available.
- Reflected by the underlying poor data there were poor risk models, with mistrust at the highest levels of management.
- Lack of definitions of roles and responsibilities in respect of key risk data, mainly due to non‐vertical ownership.
- Due to the underlying issues with the data, the potential value of the aggregate risk data is not recognizsed and therefore neither is its capital optimizsation potential.
Risk data aggregation is defined in the BCBS 239 document as „defining, gathering and processing risk data according to the bank's risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite. This includes sorting, merging or breaking down sets of data“.
The 14 principles cover four closely related topics:
- Overarching governance and infrastructure
- Risk data aggregation capabilities
- Risk reporting practices
- Supervisory review, tools and cooperation
Figure 1.1. The Principles grouped by topic
Governance – A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.
Data architecture and IT infrastructure – A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.
Accuracy and Integrity – A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimize the probability of errors.
Completeness – A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.
Timeliness - It should be possible to generate the data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. (Note that the precise timing depends on the nature and volatility of the risk being measured and its materiality to the risk of the organization as a whole.)
Adaptability – A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.
Accuracy - Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.
Comprehensiveness - Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.
Clarity and usefulness - Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients.
Frequency – The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed, at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.
Distribution - Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.
Review - Supervisors should periodically review and evaluate a bank’s compliance with the eleven principles above.
Remedial actions and supervisory measures - Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Pillar 2.
Home/host cooperation - Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the Principles, and the implementation of any remedial action if necessary.
BCBS 239 details that banks should establish integrated data taxonomies and architecture across the banking group, including information on the metadata, as well as use of single identifiers and/or unified naming conventions for data including legal entities, counterparties, customers and accounts. The existence of a ‘dictionary’ of the concepts used, such that data is defined consistently across an organization is also mandatory. Supervisors can use this as the starting point to measure and monitor the accuracy of the data, and to develop appropriate escalation channels and action plans to rectify poor data quality.
There is also a drive towards a golden source for each type of risk data, however there is a need to reconcile the risk data with other sources, including accounting data where appropriate, to ensure that the risk data is accurate.
According to the BCBS 239 critical risks include, but are not limited to, aggregated credit exposures to large borrowers, counterparty credit risk exposures (including, for example, derivatives), trading exposures, positions and operating limits, liquidity and operational considerations that are time critical (e.g. systems availability and unauthorized access). Supervisors expect banks to consider accuracy requirements analogous to accounting materiality. For example, if omission or misstatement could influence the risk decisions of users, this may be considered material.
COMPLIANCE WITH BCBS 239
Since BCBS 239 is a principle‐based regulation there are few clear predefined metrics that banks within its scope can use to monitor compliance against the regulation. It is therefore crucial that banks have an ability to accurately assess their level of compliance and actions required to improve this, if needed. Regulators are viewing BCBS 239 compliance through multiple lenses – ultimately a recognition that it touches so many aspects of the regulatory reform landscape post‐crisis, and therefore banks need to position it at the heart of their regulatory transformation programs.
A failure to demonstrate compliant solutions for data management, data governance and alignment between risk, finance and the business will result in a forced change to the way risk is modelled and valued, and ultimately a material increase in the level of capital banks need to hold.
Unlike many other financial regulations there are no defined penalties and/or implications for non‐compliance. If there is a failure to comply with the principles, and if the data infrastructure is not transformed to align with BCBS 239 expectations, the likely consequences could be:
- penalties and increased capital add‐on charges;
- reputational risk; or
- loss of competitive advantage.
BCBS 239 approaches the fundamental data required to adequately manage and run a financial institution in a defensive manner; a formally defined regulatory expectation is expressed that firms need to meet a number of sensible data principles. Adherence to the principles presents an opportunity for firms to optimize their businesses by better utilizing the data and making better business decisions based on the insights provided. A failure to comply with BCBS 239 compared to peers might therefore represent a loss of competitive advantage.
In 2016 the European Central Bank launched a “Thematic Review on effective risk data aggregation and risk reporting”, seeking to carry out an in-depth assessment of institutions’ overarching governance, risk data aggregation capabilities and risk reporting practices that are relevant for each institution as a whole, on the basis of a sample comprising 25 significant institutions.
The Principles for effective risk data aggregation and risk reporting developed by the Basel Committee on Banking Supervision (BCBS 239) were taken as a benchmark of best practices.
The final report was published in May 2018 and raised several concerns also showing that risk data aggregation capabilities and risk reporting practices within the sample of significant institutions were unsatisfactory.
In conclusion, a comprehensive risk management and adequate decision-making in banks remains a priority and reliable data is considered as a precondition to that.
Initiatives of advanced banks to work together towards integrated reporting solutions (a single organizational design for group-wide data governance, a single authoritative source for risk management and regulatory purposes, reconciliation by design, etc.) are seen as best practices and regulators encourage institutions to implement such solutions.
Do the principles from BCBS 239 impact your day to day activity and decision-making? Our experts can advise and offer support in the implementation.