The Basel Committee on Banking Supervision regulation BCBS 239 is a game changer, requiring banks to review and sometimes renew their data management processes in order to strengthen risk data aggregation capabilities and push risk reporting towards near real time.
The challenges of BCBS 239 were the subject of a discussion session at A-Team Group’s recent New York Data Management Summit. Andrew Delaney, chief content officer at A-Team, moderated the session and was joined by John Fleming, head of enterprise data governance at BNY Mellon; Srikant Ganesan, managing partner at Risk Focus; and Brian Sentance, CEO at Xenomorph.
Outlining BCBS 239, Fleming explained: “The regulation is made up of 11 principles that firms must use as a guide to develop a compliant risk data aggregation platform. The principles are mostly about risk data aggregation, but some cover areas such as the timelines and completeness of data, and the completeness and usefulness of reports.” Sentance added: “BCBS 239 is a hot topic for banks, they are taking a variety of approaches to compliance and are feeling the pressure of meeting the regulation.”
Covering the four pillars of BCBS 239, Fleming started with pillar one, noting the complexity of complying with the regulation in a bank like BNY Mellon, which operates many systems, applications, databases and has just under 21 million data elements in production every day. He said: “There is already huge friction in keeping data correct across so many systems and we must now adhere to the BCBS principles. Most important is that risk systems built as end-of-day batch systems will not meet the principles’ requirements for a continuous platform. We need to pulse information through the organisation with increased periodicity and we need to create an adaptable reporting framework to report on-demand. On the governance side, a good programme, including policy, standards and structure, should be able to meet the regulation’s requirements around data quality.”
Picking up on pillar 2, Ganesan said the four principles of the pillar are all related to the aggregation of risk data. He explained: “The first principle requires accuracy and integrity of data that will be fed into risk calculations, the second notes completeness of data for risk aggregation, the third calls for timeliness of risk data as risk numbers have to be accessible at any time, and the fourth covers adaptability to ensure a bank’s infrastructure can adapt to changing regulatory requirements.”
On pillar three, Sentance said: “Pillar three is about risk reporting. It is much like pillar two in terms of accuracy and completeness of data, but it is different in requiring clarity and frequency of risk reports that people can understand and access.”
On pillar four, which covers supervisory review, Fleming said: “This pillar looks at issues such as how people are being supervised if there is human intervention in creating reports and who is checking the work. It is also about documenting processes and checking that this is correct.”
In terms of timing around the regulation, Fleming said BNY Mellon will be materially ready for BCBS 239 when it is implemented in January 2016 and explained: “We will meet compliance through strategic investment in a strategic platform and figuring out what we need most on the platform to aggregate risk. Over time, we would like to
build a completely consolidated platform.” Ganesan said he didn’t expect any firms to be entirely compliant with the regulation by the implementation date, but suggested it will probably be enough for a bank to demonstrate that it is working towards compliance.
Considering what firms should be doing now to ready themselves for BCBS 239, Ganesan said: “Traditionally, firms have touched on risk aggregation reporting as part of their compute infrastructure. BCBS 239 separates risk aggregation from this environment. This means banks need to focus on data quality, which is the driving force behind getting the regulation right. They also need to move from end-of-day to real-time risk aggregation. I would advise them to get the end-of-day process correct and then evolve it into a near or real-time architecture.”
Sentance concluded: “We have been working to make sure data management programmes we are supporting cover the front, middle and back offices. It is also important to get business people involved in the BCBS 239 compliance process right from the start so that they can say upfront if there are problems with data, rather than after the event.”