
BCBS 268 Says Banks Must Ramp Up Data Governance and IT

In BCBS 268, “Progress in adopting the principles for effective risk data aggregation and risk reporting”, the BCBS has made several important observations about the state and progress of compliance with BCBS 239.

Most notably, BCBS 239 may apply not only to the G-SIBs but to domestic systemically important banks (D-SIBs) as well! Extending the logic a bit further, the entire industry will sooner or later come under the purview of the standard, and even midsized banks need to start planning, if not implementation, now.

  • National supervisors may choose to apply the principles to D-SIBs 3 years after their designation as D-SIBs, as well as to the G-SIBs by Jan 2016.

The BCBS highlighted some flaws in the banks' self-assessments, indicating that far more work may be needed than G-SIBs have currently assumed.

  1. Scope limited to the group level: The principles laid out in BCBS 239 apply to all material business units or entities within the group as well.
  2. A number of banks only focused on the quality of risk reports to senior management and the boards (not including middle management).
  3. Many banks assessed only a few types of risk, such as credit risk and market risk, while not comprehensively covering other types of risk, such as liquidity risk, operational risk and other risks.
  4. Very few banks offered insights into their definitions of materiality or tolerance level for manual versus automated processes for risk data aggregation and reporting.


The BCBS has placed particular emphasis on making sure that banks invest in upgrading IT and governance and that they have plans to conduct independent validation of their risk data aggregation and risk reporting capabilities (RDARRC).

  • Banks must resolve the significant limitations currently affecting their risk IT systems.
  • Banks that have not yet established their plans for independent validation of their data aggregation and reporting must make concrete efforts towards these goals.
  • Banks also need to ensure that the role of the “data owner” is clearly documented and to set out accountability for risk data quality.


Banks need to have in place:

  1. Formal and documented risk data aggregation frameworks.
  2. Comprehensive data dictionaries that are used consistently by all group entities.
  3. A comprehensive policy governing data quality.
  4. Controls through the life cycle of data.

  • 10 G-SIBs mentioned that they currently expect to not fully comply with at least one Principle by 1 January 2016. Some of these banks noted that this is due to large, ongoing, multi-year, in-flight IT and data-related projects.

In the area of risk data aggregation, the BCBS has specifically outlined the need for automation in order to ensure adaptability, timeliness, completeness and accuracy.

  • Manual aggregation/reconciliation, even if it somehow results in acceptable risk reports, cannot substitute for strong aggregation capabilities.  
  • Manual processes impair banks’ ability to ensure accuracy and timeliness of data, particularly in stress situations, as was evident in the recent financial crisis.
  • Banks must make significant efforts to improve their risk data accuracy, completeness, timeliness and adaptability.
  • Banks must ensure that the data quality checks supporting their risk data are as robust as those supporting their accounting data.


The BCBS highlighted that automation is also required for risk reporting processes to be adaptable, for example in periods of stress.

  • Adaptability was one of the lowest-rated principles in this category, and banks must ensure that they can generate relevant data on a timely basis to meet evolving internal and external risk reporting requirements.

Banks need to have in place:

  1. An appropriate balance between automated and manual systems that allows rapid aggregation of data, even in stress times.
  2. Documentation of timely risk data aggregation processes.
  3. Data definition consistent across the organization.
  4. Customization of data to users’ needs.


The BCBS noted that strong risk data governance and aggregation capabilities are necessary for sound risk reporting, and pointed to the corresponding discrepancy in banks' self-assessments. Specifically, the BCBS asked how banks can claim to have strong risk reporting capabilities without demonstrating strong data governance and robust IT infrastructure!

  • Banks generally assigned themselves higher ratings on the risk reporting principles than they did on the corresponding data aggregation principles. 
  • This raises a question as to how reliable and useful risk reports can be when the data within these reports and the processes to produce them have significant shortcomings.
  • In particular, banks may have overstated their actual level of compliance with risk reporting principles with regard to:
      • The ability to rapidly collect, analyze and report on risk exposures due to overreliance on manual processes.
      • Frequency of ad hoc stress/scenario reporting.

Banks must have in place:

  1. Formal procedures for rapid collection and analysis of risk data and timely dissemination of reports.

Banks rated themselves relatively low on:

  1. Automated and manual edit and reasonableness checks.
  2. Use of an integrated procedure to identify data errors.
  3. Inventory and classification of risk data items.


The BCBS also insisted that major global regulators are committed to enforcing full compliance by Jan 1, 2016, which can be seen as evidence that the regulator will not accept box-ticking as an acceptable response.

Reading between the lines, it is possible the regulator may impose restrictions on non-compliant banks' ability to conduct businesses that are not covered by sound data governance, IT infrastructure and automated risk reporting processes.

  • Supervisory authorities have a broad range of tools and remedial actions to enforce the principles and have the expertise/resources to monitor banks’ progress towards implementation.
  • To ensure that G-SIBs will fully comply with the Principles by the deadline, national supervisors will investigate the root causes of non-compliance, and use supervisory tools or appropriate discretionary measures depending on banks’ situations.
  • Based on this exercise, it is recommended that supervisory authorities consider enhancing their efforts to:
  1. Fully integrate the Principles in a comprehensive way within their supervisory programs
  2. Test banks’ capabilities to aggregate and produce reports in stress/crisis situations, including resolution
  3. Conduct thematic reviews
  4. Develop concrete supervisory plans or other supervisory tools for 2014 and 2015.  


As relevant, that work will be coordinated by the WGSS with the implementation of other G-SIB/D-SIB standards under the Regulatory Consistency Assessment Program (RCAP).

The WGSS is contemplating the following steps:

  1. Conduct a self-assessment survey of banks in a reduced form and a thematic review of the requirements with lowest scores
  2. National supervisors’ review of banks’ self-assessments
  3. Stress tests to require banks to complete a risk data aggregation template within a limited time

In summary, the BCBS has asserted that simply investing in proving compliance is not enough and banks must invest in accelerating IT delivery programs to achieve compliance in letter and spirit.



Comments: (1)

A Finextra member 05 March, 2015, 05:19

Important report and the information is very important. I hope there are a lot of employees in the banking sector do not realize the importance and seriousness of the quality data
