BCBS 239: PERDAR on the Road to compliance
di Luigi Mastrangelo e Mattia Monti

Ott 23 2015
BCBS 239: PERDAR on the Road to compliance <small><small><I> di Luigi Mastrangelo e Mattia Monti </I></small></small>

1.   Regulatory context

In January 2013, the Basel Committee on Banking Supervision (BCBS) issued 11 principles for effective risk data aggregation and risk reporting (hereafter also called BCBS #239) and it outlined the path to compliance for G-SIB and D-SIB[1]. The Regulators drown-up the following deadlines for achieving the full compliance of BCBS #239: January 2016 for G-SIB, 2019 for D-SIB[2].

This principles-based document is intended to address what Supervisors consider as a major weakness that banks carried into the crisis: the inability to understand quickly and accurately their overall exposure and other risk measures that influence their key risk decisions. The principles-based approach used by BCBS has the aim to leave to financial institutions the capability to interpret and conceive a tailored approach for coping with BCBS 239 standards.

These principles-based rules can be a great opportunity for banks in order to transform these requirements in value added points. Therefore, Banks should assess with strategic perception this new regulatory body for driving and steering the activity avoiding a mere “checking-the-list” activity for the compliance.

2.   Challenges for Banking Sector

The scenario in which BCBS #239 has to be applied is quite complicated because Banks has complex and structured organizations and they have set-up a risk monitoring view that has always been considered (even by Regulators themselves) as “silos-based” instead of cross risk as outlined by the new ECB rules (i.e. Comprehensive Assessment).. BCBS #239 aims at breakdown the old “silos” view where the risk is monitored for each type without having a common aggregated view of the counterparty. BCBS #239 is crucial to avoid in the future lack of risk monitoring processes that cannot timely control the exposure impacting the going concern of the financial institution. The new regulatory view is forcing the banking sector to find a value added solution for each of the following challenges:

  1. Data Governance: BCBS #239 aims to improve the governance of data elaborated by IT systems in order to ensure the best data quality. First of all the normative highlights that a clear process for validating the data is crucial to increase the control over them and data quality. The second point outlined in the BIS document deals with the definition of the measure that is crucial for a correct data aggregation process through a data taxonomy. The normative remarks also the need to have a clear documentation in which banks can control and steer the running process with a proper exception or escalation action, if needed.
    The monitoring and the creation of these processes should be performed at a group-wide level with an “orchestra leader” that steers all the activities.
  2. Infrastructure & Data Quality: In the financial breakdown several banks show that data capture and aggregation processes are unwieldy and relatively unsophisticated. This needs data cleansing and manual reconciliation before the production of aggregated management reports. In addition, the different risk types require data with varying degrees of granularity, reducing the consistency and quality of data. These activities also increase the attention span of validator on the creation of manual patches for the data squaring instead of assessing the figures and steering the business. Therefore, banks also need the ability to generate aggregated risk data across all critical risk types in all the situations, i.e. normal run or specific “ad-hoc” regulatory request. The BCBC #239 embeds the request to improve the data automation in order to improve data accuracy and timeliness without losing a certain degree of flexibility. In the current days, a new comprehensive risk view is stressing the silos IT systems in order to produce aggregated data with manual corrections at group level. This approach sometimes is affecting the local validation process because the corrections cannot display or recreate in a proper way the local figures validated at facility/product by local validator, as faced during the Asset Quality Review exercise.[3]
  3. Reporting: Banks have more requirements today when it comes to meet reporting demands. Both National Controlling Authorities and European Central Bank are asking for more information aim at increasing transparency and a clear accountability. Therefore, top management is looking for more information to cope with this requirement and use these additional information sets for a new strategy plan. This scenario is growing the pressure on both Finance & Risk Departments and IT infrastructure as well.

If Banks will identify the correct business mix for winning these three main challenges, they can manage both business activities and capital charge in a more punctual way:

Image A

Image B

Therefore, due to this wide range of opportunities that banks can envisage, banks should conceive a proper implementation path of the 11 principles of BCBS #239. A clear action plan before starting any activity is crucial for orientating effort and financial resources.

3.   G-SIBs approach for compliance

As mentioned in the last status from BCBS and also in the last Deloitte’s assessment, G-SIBs are finalizing the BCBS #239 plan following three main drivers that sometimes display a not forward looking and value creation orientated view:

  • Fix or build: Several G-SIBs are focused on the simple filling-in the gaps in order to comply with regulatory requirement and avoid Regulatory fines on January 2016 in case of missing compliance.
  • Tactical approach against a Target Solution: The wide range of activities required by BCBS #239 and the short timeframe for applying there are forcing G-SIB to identify alternative path for the compliance. Indeed, Broad strategic transformation of data and technology that achieve the full IT and governance compliance is difficult to finalize in few years. Therefore, each bank is tailoring its tactical solution for achieving the best results. The main drivers that G-SIBs are using in Europe are the following:
    • Risk Type: it identifies the risk typology (i.e. Credit risk) and operations that are managing huge exposure in bank portfolio
    • Reports: relevant report deliveries to Regulator (i.e. RWA) or Top management
    • Audience: final users of the report (i.e. Regulator, Top management, Business Analysts)
    • Measures & Attributes: they identify the most critical risk measures/attributes cross risk generated by the banks (i.e. Exposure at Default)
    • Business Unit: it identifies the relevant business units in the bank business mix
    • Legal entity: it identifies the relevant legal entities in the bank business mix

Based on the possible drivers the definition of a strategy is leveraging on the following mix of approaches:

    • Subset of risk reports, data and measures: Top management identifies the relevant risk reporting processes that has to cope with BCBS #239 requirements (i.e. RWA).
    • All the risk reports, data and measure for the relevant areas of the banks such as business unit or legal entity: This approach defines the perimeter considering the relevant business area of the bank identified by business volume and risk taken.
  • Compliance against Business model modification: G-SIBs banks seem focused to the compliance without taking the opportunity to review their business model in order to catch the business opportunity of the normative.

For all the approaches mentioned in the first paragraph, G-SIBs have considered three relevant points in accordance with its on-going activities in order to take the highest level of synergy. Their action for their action plan will be depicted in next subparagraphs.

3.1  Data Governance

BCBS #239 aims to define a new approach for managing the data governance within the financial institution. Indeed, two main actions are required: Definition of a clear monitoring process and data ownership, data dictionary for the same level playing field of each measure/attribute.

Regarding the first point, a new unit has been considered in several banks for monitoring and developing the new BCBS #239 paradigm: the Chief Data Officer unit (hereafter also CDO). This new unit will play a relevant role in the following areas[4]:

  • Voice of the data: providing stewardship, champion and implementing data management strategies and data quality management standards.
  • Measure and manage data risk: Developing capability to measure and predict risk and influence enterprise risk appetite at executive tables.
  • Influence corporate strategy: enabling a better analytics for decision making, helping refining corporate strategy using the insights gained from effective analysis of data
  • Improve the top line: increasing revenues, customer approval rating, and market goodwill through the effective governance and use data.
  • Improve the bottom line: concerning low cost of quality and cost compliance, improving productivity through availability of timely correct data.

The prevision of the Chief Data Office will be the corner stone of the entire BCBS #239 due to her/his capability of monitoring the data aggregation process in all its features from policy to aggregation key logic. CDO is going to lead the bank to a long term solution that will cope with both optimization of the available resources and BCBS #239 principles.

3.2  Infrastructure & Data Quality

Secondly, each bank has to carefully evaluate and improve is its IT infrastructure. Before BCBS #239, each bank considered a risk stand-alone without an aggregated view. This view has led to an IT infrastructure that has developed one system for each specific risk, tailored to the business unit that is using it. This approach can produce several misalignments in term of taxonomy and aggregation keys to enable actual communication among different silos. Therefore, a deep review of the IT architecture is needed in terms of:

  • Authoritative source: Identifying the source that is the right data recognized by business owner
  • Granularity: Identifying the useful level of information available in the system for the business needs
  • Aggregation process: defining the rule of aggregation of the inputs received for each risk type

In addition to the points listed above, banks should also consider the data quality tools to be applied in the IT infrastructure in order to provide the most complete and accurate data to business owners.

3.3  Reporting

The third point that banks should carefully consider for the full compliance with BCBS #239 is the design of a reporting process. The new reporting will have a well-known distribution process of the reports that have been considered useful and clear for risk monitoring purposes. Therefore, each bank should define the rules for distributing the report and also the design of each report. Banks should also take care particularly of the designing phase in order to develop a new culture in top management about reporting. Top management should start to rely on standard reports that are automatically generated and use specific drill-down functionalities only for specific “ad-hoc” analysis. This new approach will reduce time and effort on business side to create presentations or templates for specific reports among units that can cost time and effort on user side that now can be reallocated from data crunching to data analysis.

Nowadays, G-SIBs are close to finalize their BCBS #239 plan and the experience and the challenge faced by them should be a good starting point for D-SIBs in order to immediately start a consistent and reliable action plan.

4.   How banking sector should cope with BCBS #239 and take economical advantage

The best approach can rely on two relevant cornerstones that are mandatory to cope with BCBS #239 and to achieve the best results with the lower effort.

Before starting any activity, top managers have to evaluate the current status of the capability to aggregate of the bank through a detailed assessment. The goal of the assessment is to understand the capability to define:

  • Governance and Responsibility for monitoring cross risk aggregation processes identifying the right owner of each data.
  • Clear definitions of measures/Attributes understanding the grade of sharing of the definition of each risk measure/attributes.
  • IT architecture to automatically aggregate cross risk data considering the technology already available in the bank.
  • Accuracy and clarity for the cross reporting

The final outcome of this assessment is to highlight the areas in with the top management will invest or start recovery actions for the best compliance, avoiding and waste of money and time. During the assessment, managers have to consider all the on-going initiatives to identify which of them can cope with BCBS #239 compliance. This additional task reduces the allocation of budget optimizing the bank’s assets. Leveraging on the on-going projects, top management is going to anticipate the BCBS #239 compliance but also start the sharing of the new governance approach with middle management for a common understanding of the view.

Finalized the assessment, the action plan is needed for filling the BCBS #239 gaps not covered by on-going initiatives already started. In this phase, top managers have not to look through the simple BCBS #239 compliance but they have to consider the opportunities for creating value in the long term. In this respect, a multi-year plan have to be set up (if needed above the regulatory deadline) in order to have a clear definition of the final target and strategic benefits to achieve. Each plan has to address:

  • Target operating model to carry over the monitoring and the assessment of the activities in the next years
  • Scope and target capabilities to conceive a value-oriented view of scope, in terms of measures and reports and in terms of level at which apply the regulation (i.e. group, legal entity or division). At the same level of granularity, defining individual target aspirations that again are oriented towards generating value will exploit better the potentiality of this regulation
  • Quality and controls for all the measures affected by BCBS #239. Define a set of quality aspects that allow measurement and control improving quality performance. It would also be valuable to define evidence that will be collected to prove compliance to regulator. The earlier these goalposts are established and regularly measured, the greater the accuracy and acceleration will be provided to the plan
  • Implementation of the IT solution for having the required risk data aggregation level considering all the panel of technology available for improve the aggregation processes

Considering these drivers and the elapsed for the target solution, top management has to define the milestones for both minimal regulatory compliant and finish line for the best economical advantage. This clear definition of the roadmap can properly clarify the path for each of these points maximising the results with the lowest level of expenses but with highest business benefit.


[1] Principle for an effective risk data aggregation and risk reporting, Basel committee for Banking Supervision, Publication #239, BIS, January 2013

[2] G-SIB: Global Significant Important bank. G-SIB is a bank that has global implications in case of its default; D-SIB: Domestic Significant important bank, D-SIB is a bank that affects this home country in case of its default. Ref – http://www.bis.org/publ/bcbs224.pdf

[3] Progress in adopting the principles for effective risk data aggregating and risk reporting, Basel committee for Banking Supervision, Publication #239, BIS, January 2015

[4] Deloitte White paper, Deloitte Consulting, 2013.


I commenti per questo post sono chiusi