Few post-crisis regulatory efforts were as comprehensive as the Basel Committee’s BCBS 239 Principles, focused on risk data aggregation and risk reporting (RDARR) practices. The first of its kind, this framework for effective data governance was designed to correct for deficiencies that hampered systemically-important banks’ (D-Sibs) responsiveness to the immediate aftermath of the 2008 credit crunch. While various national reporting mandates were introduced (or beefed up) to provide market overseers with a more transparent picture of credit and liquidity risks, BCBS 239 was meant, in tandem, to be the guiding force for longer-term, internal technological transformation at the world’s largest banks.
From the beginning, the nature of this principles-based regulation has implied some long twists and turns for the 30 D-Sibs in its scope. BCBS 239 isn’t strictly prescriptive, and despite being global in nature and extensive in its scope, the consequences for missing a BCBS 239 mark or pushing a deadline back vary by jurisdiction—or are sometimes lacking entirely. Though innate interest in effective data governance has risen around the industry, this too varies. As a result, the priority for implementation among covered institutions has been inevitably uneven.
Yet, given the investment that regulators and the industry alike have put into shaping BCBS 239, progress is being very closely evaluated and expectations very firmly managed. That has promised banks’ unvarnished feedback into BCBS and central banks participating in the project. Together, these aspects have created something of a unique test case for post-crisis regulatory formation—if one that also happens to cover a critically important area for firms’ institutional health and agility going forward.
Law of Thirds
So, how well is it working? A serious update came into view earlier this summer when BCBS published a progress report that provides a comparison point to expectations first set in 2016. Perhaps unsurprisingly, the early returns weren’t especially pretty, and can be summed up quite simply and in a word: delayed.
It isn’t all bad. Basel reports positive movement in terms of the all-important establishment of implementation roadmaps. Every D-Sib is now at least on the way. But the most indicative number lies in the wave of banks that have revised their implementation deadlines, particularly the number that now believe it will be sometime after 2018, in some cases as late as 2021, before reaching full compliance. That group jumped from just four banks in 2016, up to 13. And to read the tea leaves, most of these laggards come from a group that had previously thought they would already be in full compliance today. It is fair to say that many didn’t realize just how much road is in front of them.
The other interesting figures come as firms report compliance across the 11 different principles, grouped respectively by governance and infrastructure; data aggregation capabilities; and risk reporting subsets. As the update suggests, there has been progress in terms of a handful of banks now being fully compliant across several of the principles. But for more than a third of them, several firms that initially believed they were on their way or “largely compliant” have actually fallen backwards to—or perhaps simply become more realistic about—current “material non-compliance”. Those include Principles 4 and 6 in data aggregation, and 9 and 11 in reporting practices. Others, such as Principle 2 in governance and infrastructure, have simply retained the high number of non-compliant firms from 2016—well more than a third of D-Sibs, and in a couple of cases, nearly half.
Because BCBS 239 is so sweeping, there are lots of gaps and places where firms should continue to improve. The report argues these have less to do with board-level support, resources procurement or building out a chief data office—foundational work which seems generally well at hand—and more to do with achieving the IT and architectural maturity required to do the job.
The Committee emphasized a range of areas: among others, these include deficient data quality controls, including poor data standards and taxonomies particularly as implemented within foreign subsidiaries; weaknesses in data quality checks such as independent validation and “non-blocking” validation controls; lack of an integrated “end-to-end ownership model” to enable ongoing data oversight and remediation across risk and finance functions; and perhaps above all, the inability to automate reconciliation and other key data management processes, where manual workarounds essentially crash under stress simulations.
A separate industry survey from PwC published this month highlights some of the consequences of this plodding work. Many respondents, the consultancy found, have worked towards conceptual BCBS 239 compliance, but are finding they haven’t yet realized the “outcome-based benefits”—loss reduction, faster decision-making—that were originally intended. There is some growing frustration, and it begs the question: why?
Almost three quarters (73 percent) of those queried cited infrastructural deficiencies as a key compliance challenge; regulatory interpretation and completing data lineage to authoritative or original source came next at 55 percent. Those results parallel the BCBS findings. The more interesting numbers, however, come from a breakdown of how firms are approaching BCBS 239. For instance, the oversight function for the regulation is split almost evenly, with 55 percent locating it in risk and 45 percent with the chief data office. Likewise, the independent validation function is well-dispersed; notably, fewer than one in ten are using an external audit to perform that task. And most surprisingly, only 27 percent say that external regulatory reporting has been included in any way within the scope of the project.
Seeing the Light
In short, while the data governance organization and infrastructure are being put in place as BCBS intended, there remains a lack of industry consensus about who should take the BCBS 239 lead, and for that matter, how key processes like validation should be achieved (and by whom). Because BCBS 239 is so focused on functional integration and standardization, risk teams and chief data offices should ideally be working in mutual partnership. As some banks might be learning, even if this is a data governance exercise, there is no way to do it effectively without your CRO bought in. And drawing only upon in-house capabilities makes it a heavier lift, too. De-emphasizing independent validation, leaving external out, and assigning primary BCBS 239 compliance responsibility to one silo or another would certainly make effective integration harder and, it turns out, makes BCBS 239 compliance gains harder to achieve, too.
The sense is that in the years still to come, the further compliance expectations drift out, the more BCBS 239 risks becoming like any other regulatory exercise—tick the boxes, rather than fulfilling the spirit of the principles. For something as crucial as risk data governance, that would be a shame. Hopefully, those now in the trenches can still see the light—and the value—ahead.