A combination of data management hurdles, talent shortages and poor succession planning are bedevilling banks as they struggle to respond to a long-standing risk data aggregation directive – even after repeated European Central Bank (ECB) criticism of their compliance shortfalls.
The Basel Committee on Banking Supervision’s Principles for effective risk data aggregation and risk reporting (BCBS 239) was introduce in 2013 and requires institutions to take steps to secure and ensure optimal quality of their risk data capabilities and risk reporting.More than a decade later, however, very few banks have fully complied. According to a report published last year by professional consulting giant PwC only two of 31 major institutions in-scope – known as global systematically important banks (G-SIBs) – had fully complied with all 14 principles laid out by BCBS 239.
‘Significant Gaps’
In a supervisory letter issued by the ECB in February, the overseer said many banks had “significant gaps in meeting supervisory expectations” and added that they also “fail to provide credible target end dates for implementation”. The damning comment continued to say that “the number of institutions without fully adequate risk data aggregation and risk reporting (RDARR) capabilities is still too high”. The ECB said it would intensify its monitoring of banks to ensure they take remedial action.
While the ECB said that bolstering RDARR would bring cost and operational benefits to banks, data experts told Data Management Insight that the breadth of the regulation and a number of deep-rooted business challenges are preventing many from getting their systems in order.
“It’s an elephant-in-the-room type of topic – it’s apparent that none of the companies we speak to are really any further along than they thought they’d be,” said Tom Carroll, Head of Business Development at Datactics. “With BCBS239, it still feels like a can of worms that people are cracking open and trying to get to grips with.”
Compliance Appeal
The ECB has sought to impress the importance of good RDARR capabilities on banks, pointing in particular to how it had been beneficial during the pandemic, the Russia-Ukraine war and recent market turmoil. It has rolled out a number of initiatives to get banks fully conversant with the regulation – and the language around them becoming more impatient with each rollout.
It was abundantly clear that there was a gulf between ECB expectations and banks’ delivery soon after BCBS 239 was introduced. In late 2018 the central bank found that 59 per cent of in-scope institutions turned in regulatory reports with at least one failing validation rule and almost 7 per cent of data points were missing from them.
The ECB began a “supervisory strategy” in 2022 to close the gap, running until 2024. In May of that year it published a guide that clarified what the overseers expected of banks and embarked on targeted reviews of RDARR capabilities.
These efforts found “many banks do not provide proper recent or regular gap analyses where they compare against the BCBS 239 and relevant supervisory expectations. Even when such analyses have been conducted, their relevance for effective steering often remains unclear”.
‘Deficiencies’ Noted
The ECB conceded that a variety of obstacles prevented organisations from realising the advantages that robust RDARR capabilities offer.
The supervisor blamed “deficiencies” on governance shortcomings, fragmented IT infrastructures and a high level of manual aggregation processing, but admitted “remediation of RDARR deficiencies is often costly, carries significant risk and takes time”.
Carroll said that the breadth of the data management effort needed to comply with BCBS 239 has slowed adoption of the capabilities necessary for compliance.
“They’re spending so much time planning for BCBS and thinking about what they need to do and what they need to have in place, and the tools that they need and the frameworks that they might need to put in place,” he said.
“That might require hiring some people and doing an evaluation of data quality and data lineage tools. They’re trying to do it all themselves, and by proxy, they’re getting little done – years are rolling by and little has really been achieved.”
Skills Loss
Importantly, he has found significant weaknesses in banks’ abilities to retain the data expertise that is required to carry out a transformation of this size. Depletion of data team personnel through retirement, illness or headhunting has meant that many organisations have been unable to hold onto the people who can drive the change required to complete such a mammoth task.
Using the analogy of a successful football team, Carroll said the banks that have a stable back-office and that can warehouse know-how and talent are the ones who will succeed no matter who is nominally leading the firm.
“If you’re a team that every nine months changes its manager, and does a whole new strategy, a whole new recruitment philosophy – everything totally different – that makes it very difficult to get anything done,” he said.
“This needs long-term thinking and a structure in place that can roll forward even if a CDO or someone else moves on.”
Levent Ergin, Chief Strategist for Climate, Sustainability and Artificial Intelligence at Informatica, said that compliance with the directive involves retuning so many moving parts within a bank that the task could not be completed without completely rethinking fundamental aspects of its data management setup.
“Hindered by outdated IT systems unsuitable for modern data management functions, they struggle with data silos and inconsistent, inaccurate risk reporting,” Ergin told Data Management Insight.
He said it was important to meet the requirements not simply to satisfy regulators but also to remove potentially damaging weaknesses in banks’ management of risks.
“These issues not only impact decision making but also increase vulnerability to systemic risks,” he said. “Compliance is therefore essential, not just to meet the regulatory requirement, but to ensure resilience.”
Remedial Action
While the ECB has glibly called for banks to strengthen their data governance and management strategies, the data experts have offered more focussed solutions.
Ergin has argued that creating a single source of truth for “counterparties, securities, positions, instruments, and product master data across all systems” was key.
“The reason this is so crucial is this data set can be used to assess the impact of various stress scenarios and identify credit, market, operational and liquidity risks at customers and counterparties,” he said. “These core capabilities are essential for compliance with BCBS 239.
“Ultimately, banks that prioritise robust, reliable, and well-governed data won’t just achieve BCBS 239 compliance. They’ll strengthen risk modelling, enhance decision-making, and build a far more resilient future.”
Carroll, alternatively has called on the framers of the regulation to be more mindful of the amount of work necessary to be compliant.
“BCBS 239 is a big bang – you need to do everything all at once,” he said.
“It would be better if the regulation was structured into chunks that give firms a timeline and an order of how to do these things. That way, firms would know where to act first.”
Subscribe to our newsletter
