What is the future of BCBS 239?

In short, I see greater demand for a consistent measurement approach coupled with a rise in standards. BCBS 239 has been well understood by those involved since the beginning. Interpretations on topics such as data lineage, data quality monitoring, data aggregation and stress/crisis reporting are aligning. However, specificity on topics that have not been clearly defined remains lacking, such as the application of accounting controls on risk data.

In addition, standards for compliance are rising due to market demand for new and innovative products. This has resulted in higher expectations from regulators around capability (e.g. on retail exposure reporting as a result of higher digital bank lending). This remains challenging due to the principles-based nature of the regulation.

Regulators who, to date, do not have a common criterion for assessment do not appear fully aligned. International regulators often take a different approach to domestic ones. In essence, global banks need to find innovative ways to respond as a result. Positive steps are being taken to address this in pockets e.g. via “RegTech” (joint initiatives between regulators and participants to standardise submissions) which will hopefully move us all towards a more consistent method of interpretation and evaluation.

So, whilst banks have been hoping for specific instructions to be detailed by the Basel Committee, I don’t see that happening any time soon. In the meantime, they must focus on addressing the primary concerns i.e. their ability to accurately and quickly determine exposures and concentrations in the event of a downturn/correction (see the opening paragraph of BCBS 239).


How are firms going about developing clear principles for taxonomies?

Organisations are increasingly leaning towards “effective data management” - using data management standards and methodology to define a common language for data and mapping it back. Some banks do not have an adequate hierarchy for data but whether it’s a data ontology or a data taxonomy, ultimately your design approach should centre on a “define consistently” principle. I’d caution against defining data to the nth degree of granularity without considering, and implementing, an automated monitoring and change management capability. 

What are some of the practical challenges when complying with BCBS 239 guidelines?

The first challenge is that there aren’t any official guidelines! The principles are very sensible statements from a risk management standpoint. The regulation is part of a suite of measures (Pillar 2 within Basel III) that address the too big to fail issue and associated systemic risk. Organisations must interpret the requirements and then define their approach to compliance. With this in mind, some key practical challenges during implementation can be summarised as follows:

• Getting on the same page
Given the principles-based nature of the regulation, it’s difficult to get stakeholders and programme teams aligned on approach. This becomes even more difficult when implementation crosses business, functional and geographical boundaries. A solution to this is to very quickly articulate a common and specific standard for implementation and communicate it. A basic example of this is agreeing on a definition for Timeliness, Accuracy and Completeness. It’s amazing how varied the interpretation of Timeliness is across banks e.g. is it the time to produce a metric, the time to report it, the age of data of the metric or the age of data of its constituent parts?

• Agreeing on scope
Most banks have opted for the mainstay of risk management processes i.e. market risk, credit risk, operational risk and liquidity risk. However, even within these areas, there is a disparity in terms of processes and risk metrics that are covered. Part of this is exacerbated by the fact that regulators aren’t always proscriptive with respect to the way metrics are calculated and do not always mandate a minimal set of risk management measures. Another observation is that some banks have opted to include non-financial risk whilst others haven’t. Ideally, the regulator would have stipulated a minimum standard but in the absence of this, it’s vital that the board/senior management within risk (through consultation with finance, data and IT) agree to apply controls to processes deemed critical during normal and stressed/crisis times.

• Taking it seriously
Of course, banks take BCBS 239 seriously. However, in the highly regulated environment we currently face, there is a competition for the attention of board members and senior managers. Even though requirements from BCBS 239, IRRBB (Interest Rate Risk on the Banking Book) and the IFRS 9 accounting standards indirectly affect capital requirements under Pillars 1 and 2, as of now, there are no capital charges associated with being “materially non-compliant”. The Senior Manager’s Regime requirement does focus the mind somewhat by placing accountability on bank representatives with respect to all regulatory submissions. Even so, many consider BCBS 239 to be a “data ops” problem and not a “risk management” problem. This requires a focused executive education initiative with firmly accepted accountabilities driven by policy and role definitions but primarily, a clear understanding of why it’s the right thing to do.

What are the new risk types that banks need to take into consideration?

Although not ‘new’, there are three areas that are experiencing renewed vigour in addressing the risk associated with them:

• Model risk – where models are proven to be inaccurately set up (e.g. using false assumptions or having feed issues), this would not only have a direct impact on a bank’s ability to accurately allocate risk but can also result in banks being forced by the regulator to adopt simplified but capital restricted models

• Cybersecurity risk – certainly a risk type for this age, if a “zero-day attack” on a bank is successful and results in the loss of “pre-public domain” data that can be used to move markets, the bank not only loses the ability to retain existing customers but also future potential ones

• Contagion risk – is one of the main drivers for classification as a G/D SIB – this is where BCBS 239 can provide a firm basis for risk management – if implemented with “cross-risk type” adaptability in mind, BCBS 239 can drive a response to a contagion scenario where a negative market event can lead to an impact across multiple areas of the bank

What would you like to achieve by attending the 7th Edition Risk Data Aggregation and Risk Reporting?

I’m looking forward to a constructive dialogue with peers and regulators on mutual concerns. In particular, the onward integration of BCBS 239 principles into the fabric of financial institution processes and frameworks.








For more information, contact:
 Melini Hadjitheori

melinih@marcusveanscy.com
 

Ahead of the 7th Edition Risk Data Aggregation and Risk Reporting conference, we spoke with Mr. Randeep Buttar, Head of Data Change and Strategy at HSBC about consistency under BCBS 239 and the new risk types.
 

 

About the conference:

This marcus evans event will give banks insight into what their peers are doing, in addition to guidance from regulators, with a view to completing their projects, and for those more advanced firms, offer guidance on how to derive the maximum value from their projects beyond full compliance. Furthermore, it will also take a deep dive into some of the more challenging areas for banks: taxonomy, reconciliation and consistency and data lineage. The 7th Edition Risk Data Aggregation and Risk Reporting conference will take place from the 25th to 27th of April 2018 in London, United Kingdom.

Copyright © 2018 Marcus Evans. All rights reserved.

Previous Attendees Include

Bank of England
Bank of Ireland
Bank of Italy
Bayern LB
Bearing Point
Cognizant Technology Solutions
Commerzbank AG
Credit Suisse
Danske Bank
DNB BANK ASA
ECB
EDM Council
Erste Group Bank AG
Euroclear
European Central Bank
FINMA
Handelsbanken
HSBC
Independent Consultant
Natixis
Nordea Bank AB
Pinky Consulting ltd.
Raiffeisen Bank International
RBC Europe Limited
RBS
Riyad Bank
Royal Bank of Scotland Internal Audit
Santander Bank
Standard Chartered

About the speaker:

Randeep is a Transformation Leader with a distinguished career driving significant business change across multiple sectors, including Financial Services, Legal and Oil & Energy. He specialises in design and delivery of strategic/regulatory initiatives and transformation programmes for market leaders with roles at firms including HSBC, Deutsche Bank, Linklaters, Euroclear, and BP. He is currently the Head of Data Change and Strategy at HSBC where he oversees the delivery of BCBS 239 compliance for Risk and Finance across 22 markets covering 6 Risk Types. Prior to this, he worked as Business Architect at DB also addressing BCBS 239 compliance. He is well versed in the regulation but also has an acute understanding of how different firms and regulators show variance in how compliance is achieved and measured.


 

Practical challenges of BCBS 239 guidelines and new risk types

 

 
 

 

An interview with the Head of Data Change and Strategy at HSBC

Mr. Randeep Buttar, Head of Data Change and Strategy at HSBC

Learn from Key Practical Case Studies:
  • Raiffeisen Bank dig into the practicalities of managing the BCBS239 project across all teams: IT to business

  • Societe Generale identify the role of the independent RDARR validation teams

  • Bank of England provide clarification on RDARR regulatory updates

  • Natixis explore depths beyond compliance: A look at transition to BAU
Expert Speaker Panel
  • Carl Taylor
    Senior Technical Lead
    Bank of England


  • Jeremy Cohen
    BCBS 239 Programme Director
    RBS


  • Stephan Taborsky
    Head of PM Pool, Senior Programme Manager
    Raiffeisen Bank International AG


  • Randeep Buttar
    Head of Data Change and Strategy
    HSBC


  • Gys Le Roux
    Lead Data Architect
    Nedbank


  • Mohammad G Zahid
    Senior Project Manager
    Riyad Bank


  • Guillaume Figer
    Head of Model Risk Management Department
    Societe Generale