BCBS 239: What does it cover and how can banks comply?

25 March 2015 / Ben O'Brien

The deadline for implementing the new BCBS 239 Risk Data Aggregation and Reporting Principles is fast approaching and we’re seeing many in the industry focusing on making sure they’re compliant and ready to meet the Basel Committee’s January 2016 target.

Recently, I attended the BBA’s Risk Data Aggregation Forum, which looked at the scope of the new principles and what compliance looks like. While the current regulation is focused on global systemically important banks (G-SIBs), it was interesting to hear the common consensus that serious financial services organisations ought to comply with the principles anyway and, in doing so, will achieve significant business benefit. I’d like to share with you some of the key points that were covered during the day.

What is BCBS 239?

BCBS 239 was born out of the recent financial crisis and the realisation of the inadequacies of banks’ IT and data architectures, which left them unable to aggregate risk quickly and accurately, and manage their risks properly. It comprises a set of principles aimed at making sure the aggregation of data is such that banks can monitor risks accordingly and importantly, report on them accurately in a timely fashion.

While BCBS 239 has a compliance badge, looking at it purely as a “tick in the box” exercise is only likely to result in the return on investment being unrealised and an opportunity being lost. However, successful adherence to and full adoption of the BCBS 239 principles will result in increased internal and external business value of an organisation and, while BCBS 239 only currently applies to the identified G-SIBs, it won’t be long before domestic banks (D-SIBs) come under the same scrutiny.

Key Principles

BCBS 239 comprises 14 key principles (see http://www.bis.org/publ/bcbs239.pdf for the full details), with those key to data management and infrastructure being:

I. Overarching governance and infrastructure

1. Governance: A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.

2. Data Architecture and IT Infrastructure: A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis.

II. Risk data aggregation capabilities

3. Accuracy and Integrity: A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.

4. Completeness: A bank should be able to capture and aggregate all material risk data across the banking group.

5. Timeliness: A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability.

6. Adaptability: A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.

III. Risk reporting practices

7. Accuracy: Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.

8. Comprehensiveness: Risk management reports should cover all material risk areas within the organisation; the depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile.

9. Clarity and usefulness: Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making.

10. Frequency: Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank.

While these principles are not prescriptive in terms of the metrics or numbers banks need to comply against, they cover the different areas you need to be aware of and that you need to consider when applying judgements and making decisions. The principles in themselves are nothing new; in fact, we all ought to have been following these principles anyway as a matter of best practice. However, having them documented and established as an industry standard may prompt banks to consider further:

  • The quality of the data or the report – its accuracy and robustness
  • The imperfections and gaps in the data
  • What, if any, trade-offs are being made between accuracy and timeliness?
  • Does the board or those making decisions from the data know of its limitations?
  • What is the strategy to improve?
  • And from a regulatory point of view, is the data we provide to the regulator of the right quality, accuracy and delivered on time?

Getting it Right

During the BBA forum, it was interesting to share different organisations’ experiences. The insights gained were particularly useful for those in the room who are likely to be the next to fall under a compliance agenda, including the D-SIBs, who are soon destined to be nominated and given a timescale of three years in which to comply. For everyone else, it was good to share thoughts and ideas on how to improve data and reporting and so, in turn, improve insight, judgement and decisions.

There were some good insights into how organisations are approaching these new principles and what they feel are the key points to getting it right. These key points were:

  • BCBS 239 compliance has to be done with the business rather than for the business, or worse still done to the business. Successful implementation requires both Risk Management and Data Management expertise, with practitioners being able to communicate expertly and authoritatively with both business and IT functions. Working across departments such as risk, finance, IT and operations, means you can take a holistic rather than siloed approach. If a holistic business-focused approach is not taken, while an organisation may still be compliant it may run the risk of making bad decisions.
  • While BCBS 239 has a compliance aspect, it brings with it a focus, direction, cultural change, and much needed improved transparency. It tackles areas that need to be addressed, and in doing so will deliver to banks a number of improvements. By having data consistency and the potential to deliver a single version of the truth, banks will be better placed to develop their competitive advantage and grow their business returns.
  • The change in approach needs to be driven by the CEO and/or COO. Taking a top-down view highlights the importance of the exercise, which in turn will help to define the scope and approach. It can also quickly highlight any complexities and/or dependencies, and will help move the focus away from it being a tick-box compliance exercise and towards it being an exercise that is needed for the business by the business.
  • Adopting these principles is a ‘work-in-progress’ and it takes time! The latest G-SIB self-assessments show that not all banks expect to be fully compliant by 1st January 2016, while others indicate that their implementations are likely to be completed extremely close to the wire. So, the good news is that there appears to be a level of pragmatism and openness to different approaches from the regulators, providing there is a plan in place and that the business has the right focus (i.e. not considering it a tick-the-box exercise). However, having a plan in place to address non-compliance is not in itself compliance.
  • Return on investment. While it may be a two to three year investment programme, pay back is likely to be achieved within four to five years, with benefits continuing well beyond that.
  • “Quick fixes” and manual workarounds can be part of the problem and so the need to take a holistic business driven approach working across the business and principles is further reinforced.
  • BCBS 239 will quickly become business as usual; achieving compliance in 2016 is just the start. The principles set out are on-going and, in successful organisations, will form a central component to future plans and risk management.
  • A good example of the principles in action is the data submission for this year’s concurrent Stress Testing, with the quality and timeliness of the data submission being key.
  • There is a real impact of getting it right or indeed getting it wrong. Not establishing Risk Data Aggregation and Reporting Principles could inform and indirectly impact Pillar 2 capital outcomes.

Improving risk data aggregation will not only help banks foresee and anticipate problems ahead; the new BCBS 239 principles will also help improve the stability of the financial system as a whole. It’s great to see so many in the banking industry appreciate the importance of improving their risk data management practices and hence the quality of their risk data. In fact, this is something we’ve increasingly been supporting our clients in achieving. While there are up-front costs and resources required to comply with BCBS 239, doing so will pay dividends for an organisation, enhancing risk functions’ judgements and informing decision making.
