Painfully Slow Progress on BCBS239

Two years after the January 2016 deadline for banks to introduce improved risk data aggregation and reporting (BCBS239), the latest report from the BCBS on implementation progress makes grim reading: only three out of thirty global systemically important banks (G-SIBs) are in full compliance, with implementation by most banks showing “at best, marginal progress”.

The Principles for effective risk data aggregation and risk reporting (BCBS239) were published in 2013 to address inadequacies in banks’ IT and data architectures highlighted by the financial crisis, in particular the lack of an up-to-date, group-wide view of risk across business lines and legal entities. Two key principles form the bedrock on which all others are built:

  1. Governance: the risk framework should be subject to strong governance, with board-level visibility of the roadmap and any limitations that prevent full risk data aggregation.
  2. Data architecture and IT infrastructure: adequate infrastructure should be in place to support aggregation and reporting needs in normal times and times of stress.

The remaining principles fall under three categories:

  • Risk data aggregation: producing accurate, complete, up-to-date aggregated data to meet a broad range of scheduled and on-demand reporting requirements.
  • Risk reporting: providing comprehensive, accurate and relevant reports to the people who need them, when they need them.
  • Supervisory review: covering supervisors’ roles in reviewing banks, any subsequent remedial action and collaboration across jurisdictions.

The BCBS did not define objective quantitative benchmarks to measure progress towards these goals, but the June 2018 progress report does attempt to quantify compliance to get a snapshot of the current state of play, as of 2017, and progress since 2016. The report shows that:

  • No principle is complied with by all banks (where banks is the 30 G-SIBs).
  • There is insufficient progress on the first two overarching principles (governance and infrastructure), which may hamper progress elsewhere.
  • Principles around accuracy of data (both in aggregation and reporting) are proving the most difficult, with the lowest levels of compliance.

In spite of this negative outlook, the report strikes an optimistic note: all banks now have a clear implementation roadmap, assessed by their supervisor; enhancements to infrastructure tend to be multi-year projects so the benefits may not yet be apparent; some banks have increased resources and funding and introduced senior roles, such as Chief Data Officer (CDO), to take responsibility for firm-wide data and reporting. This seems like a very low bar for banks, over a year after the deadline and in areas that are simply risk management good practice, not esoteric rules mandated by the regulator.

Key Challenges

The report does highlight key challenges faced by banks, including fundamental ones from the 2016 assessment which remain relevant:

  • Difficulties with execution of large-scale IT projects.
  • Overreliance on manual processes and interventions.
  • Incomplete integration of bank-wide data architecture.
  • Poor data quality controls, including reconciliation and validation.

And new ones that have come to light in the latest monitoring exercise:

  • Complexity and interdependence of IT projects across different strategic initiatives.
  • Implementation and integration across legal entities and jurisdictions, with different technologies and different local regulatory expectations.
  • Underestimation of effort (especially for legacy IT).

What about the D-SIBs?

In 2018 during a workshop for supervisors to exchange views on D-SIBs’ implementations of the Principles, it was summarised that  they have made “some” progress. However, this was based on self-assessments by D-SIBs, which “could be overly optimistic”. The June 2018 progress report recommends that D-SIBs should not underestimate the efforts necessary to fully comply. They face the same challenges as G-SIBs (complex/legacy IT), and where there are subsidiary relationships between G-SIBs and D-SIBs, the poor implementation by a D-SIB will inevitably affect the G-SIB’s ability to comply as a banking group.

What next?

Under the current estimate, there are still 13 banks that will only attain compliance beyond the end of 2018, so there is still plenty of work for banks to do. Compliance with the principles will benefit other initiatives, such as FRTB, and may become more important if it leads to an increase in a bank’s Pillar II capital charge by the regulator.

At Percentile, we see a few key areas that banks can focus on to make significant headway with BCBS 239:

  • Automation: having repeatable, automated processes (driven by good software development practices) will greatly reduce errors. This is highlighted in the report, with banks’ systems’ “struggle to meet the demands of their daily business operations” often being “linked to overreliance on manual processes”.
  • Visibility: showing users all relevant data in a way that can be sliced and diced, allows them to access the data they need and quickly spot data quality issues.
  • Transparency: allowing the users to trace data in a report back to its source, with no black boxes or hidden manual steps.

Find out more

Get in touch to find out how these principles are applied in Percentile’s RiskMine platform to get dynamic, firm-wide aggregation and reporting.