PwC’s South East Asia Consulting team discusses progress made to comply with BCBS 239 in Southeast Asian jurisdictions, providing an outlook and recommendations for the year ahead.
The Bank for International Settlements (BIS) issued the “Principles for effective risk data aggregation and risk reporting”, also known as BCBS 239, in 2013. Aimed at improving banks’ risk data aggregation capabilities and internal risk reporting practices, the regulation is now applied in 34 designated Global Systemically Important Banks (G-SIBs), across 11 jurisdictions (China, France, Germany, Italy, Japan, Netherlands, Spain, Sweden, Switzerland, the UK, and the US).
The Global Financial Crisis of 2007 – 2008 demonstrated how weak governance over risk data aggregation and risk reporting processes, coupled with underlying data and technology inadequacies, can inhibit the timely decision making for key financial risk management across banks.
BCBS 239 comprises 14 principles that are grouped into four closely related sections: overarching governance and infrastructure, risk data aggregation capabilities, risk reporting practices and supervisory review, tools and cooperation. Principles 1 to 11 are the banks’ responsibilities (Figure 1), while the remaining Principles 12 to 14 are the supervisors’ responsibility.
Banks were given three years from the issuance of the guidelines to be fully compliant with all the requirements set out in the 11 Principles.
Regional regulatory developments
Fast forward to 2019, almost seven years since BCBS 239 was issued, the G-SIBs supervisors assessed that none of the 34 banks were fully compliant with BCBS 239. This is despite 23 banks’ self-declaration of full compliance by 20201. The reality is that the principle-based requirements of BCBS 239, especially to design, build and maintain a strong IT infrastructure to support normal, stress and crisis times (Principle 2) makes it one of the hardest regulations to achieve full compliance globally. Regulators have taken steps to put pressure on banks for BCBS 239 compliance. This is evident through the European Central Bank’s fire drills2. In the US, both the Federal Reserve and the Office of the Comptroller of the Currency have examined banks and given “matter requiring attention” notice or consent orders accordingly3.
While most of the G-SIBs are concentrated in the Western hemisphere, there are banks in China, Japan, and Singapore that need to meet BCBS 239 requirements. Unlike banks in China and Japan which operate under the context of G-SIBs, the Monetary Authority of Singapore (MAS) has identified seven banks in Singapore as Domestic Systemically Important Banks (D-SIBs) in 2015 and required the D-SIBs to be compliant with BCBS 239 by 20194.
The other APAC countries do not currently require banks to be compliant with BCBS 239, but some regulators in the region have issued local regulations based on the best practices set out in BCBS 239:
- Australian Prudential Regulation Authority (APRA) CPG 235 – Managing Data Risk5
- Bangko Sentral ng Pilipinas (BSP) Circular 971- Guidelines on Risk Governance6
- Bank Negara Malaysia (BNM) – Guidelines on Data Management and MIS Framework for Development Financial Institutions in Malaysia7,
- China Banking and Insurance Regulatory Commission (CBIRC) – Guidelines on Data Governance8.
Regional industry observations
In Singapore, the D-SIBs that need to comply with BCBS 239 are quite diverse. Some are Singapore-headquartered banks with regional branches in Indonesia, Malaysia, Thailand, etc., while others are international bank branches that require compliance with BCBS 239 at their head office. One is even a subsidiary of a bank that does not need to comply with BCBS 239 in its home country.
Given their diversity, the level of maturity and progress of banks have similarly been mixed, with an overall positive projection of material compliance to BCBS 239. Banks agree that it is difficult to achieve and remain at full compliance, especially when IT architecture evolves with the current state of digitisation, and more so when the BCBS 239 scope increases to include other departments outside of risk and the significant territories of operations.
Having started the BCBS 239 journey five years ago, most Singapore D-SIBs are now focusing on the operationalisation, improvement and validation of their BCBS 239 capabilities. Some of the key focus areas include 1) data quality improvement, which continues to be an ongoing practice 2) independent validation of risk data aggregation and reporting practices and 3) balancing automation and manual processes in line with the nation’s digital agenda.
While there is no expectation of BCBS 239 compliance in Malaysia, there are two aspects that impact Malaysian banks from a risk data aggregation and risk reporting perspective.
First, where a Malaysian bank might have significant connectivity with one of the seven D-SIBs in Singapore and secondly, is one of the seven D-SIBs in Singapore, certain BCBS 239 best practices will need to be adopted for risk data aggregation and risk reporting. Consequently, BCBS 239 compliance will apply to these banks, and the challenge is the long-distance trust-based implementation and enforcement of process and system standards.
Second, the compliance to Bank Negara Malaysia (BNM) guidelines on data management and MIS, are centred around six key principles9 that mirror some parts of BCBS 239’s data management expectations.
Currently, banks are in the process of assessing themselves against the six principles outlined in the guidelines. BNM has not mandated BCBS 239 compliance, but they have distributed letters addressed to CEOs of their local systemically important banks to encourage the adoption of risk data aggregation and reporting best practices, similar to those outlined in BCBS 239.
In the Philippines, the BSP took the lead back in 2017 to issue Circular 971 which takes key lessons and principles from BCBS 239. Circular 971 has been in full effect since its issuance. However, unlike other jurisdictions that have the full BCBS 239 enforced, Circular 971 primarily adopted principles such as accuracy and integrity, completeness, timeliness, adaptability, (reporting) accuracy, comprehensiveness, clarity and usefulness. These principles are then ‘tested’ as part of wider risk management processes, within areas such as Internal Capital Adequacy Assessment Process (ICAAP), information technology risk management, operational risk management, and Board and senior management risk reporting. There is no enforcement of compliance.
Indonesia, Thailand and Vietnam
In Indonesia, Thailand and Vietnam, the ripples of BCBS 239 will be felt when: 1) enhanced risk data aggregation, risk reporting, and data management expectations are needed for Basel II compliance, 2) Singapore D-SIBs have a key entity in that market, in which case then BCBS 239 best practices will need to be adhered to for risk data aggregation and risk reporting, or 3) the regional banks recognise BCBS 239 as the gold standard and leverage this standard as part of data/technology project implementation.
Outlook for 2021 and recommendations
Outlook #1: Banks need to expand the scope of BCBS 239 beyond risk data to application of proportionality
Banks have different risk profiles and strategies depending on their size, customer base and product offerings. Therefore, while we think it is due time for banks to consider expanding BCBS 239 best practices beyond risk data, banks will also need to apply the concept of proportionality in this scoping exercise to consider matters such as:
- timeliness of data (i.e., which types of data are more ‘time-sensitive’ and fluctuate more frequently, for example, liquidity or market data),
- level of automation (over manual processes) that is sufficient,
- frequency of assessing and validating implemented capabilities.
Recommendation: Banks should review their regulatory compliance approach and strategy to define how proportionality can be applied with practical guiding principles, criteria and approach. This is to ensure there is a structured and justifiable decision-making process for a step-by-step BCBS 239 scope expansion. By doing this well, banks will be better able to manage their compliance levels more consistently on a sustained basis, in contrast to the large swings in compliance ratings we have seen over the years.
Outlook #2: APAC regulators may conduct in-depth reviews and take strict action against non-compliance
Till date, there has been no known in-depth supervisory review of BCBS 239 by any of the APAC regulators. At most, regulators have singled out a few banks to ‘highlight’ expectations for BCBS 239 and have provided an extension (where needed) for the bank to comply. Some regulators like MAS have suspended on-site inspections and supervisory visits to help FIs deal with COVID-19. We expect APAC regulators to follow the lead of other global regulators and conduct a more in-depth review of BCBS 239 in 2021. Additionally, we see the current COVID-19 pandemic as being a strong test of the bank’s ability to generate timely and voluminous risk analysis at the behest of the management and the regulators. An inability to do so might risk the country’s financial stability and hence stricter enforcement actions might be in sight.
Recommendation: Banks should not lose momentum on their BCBS 239 programmes, and instead maximise the “additional” time to consider expanding the scope beyond internal risk reporting. Regulators could prepare internally to ensure full compliance with Principles 12, 13 and 14, and be ready to conduct formal BCBS 239 supervisory reviews. For example, Principle 14 (home/host cooperation) requires cooperation with other supervisors globally to review banks’ compliance in multiple jurisdictions. This will require significant time and effort to coordinate between regulators.
Outlook #3: Banks will continue to embrace technology innovations
In addition to the strong market demand for data governance and data quality in Southeast Asia, there is also a growing trend to migrate to cloud platforms and digitalise banking processes such as risk data aggregation and risk reporting. There are still banks that are using manual processes to manage their data flows and data lineage, which is not sustainable in the long run. Implementing technology solutions is necessary for them to remain competitive with peer banks, as well as competitors like digital banks, which are natural agile cloud-natives. For example, a digital bank can implement a technology solution such as AI-enabled data quality remediation, or tools to help with automatic harvesting of data lineage and business rules mapping, given a leaner architecture landscape.
Recommendation: Banks should consider leveraging technology to automate labour-intensive processes. While BCBS 239 can be a catalyst to push the data-driven organisation’s end-to-end agenda, this will need to be coupled with cautious adoption of technology to ensure investments in innovation technology solutions are relevant and compatible with the banks’ existing technology architecture.
Outlook #4: Increased cost of compliance will drive further investments in and wider scope of independent validation
With the increased scrutiny on the level of compliance (or lack of) in compliance requirements in the last 12 months, both in multinational banks and in banks in APAC, this drives an increased focus on the effectiveness and efficiency of the policies and compliance to procedures. The independent validation requirement in BCBS 239 has been serving its dues in its second line of defence role to perform a deep dive review of the policies, their operating effectiveness and controls. This has been proven to be much more effective than an absolute reliance on self-declaration without onsite reviews. The benefits can be harnessed to other functions of a regulatory compliance nature.
Recommendation: Banks could consider increasing the mandate of the independent validation function to extend the checks on BCBS 239 to their ancillary uses such as for compliance / regulatory / financial reporting. This will give the banks greater assurance over the quality and consistency of the reports provide both to internal management as well as to external stakeholders such as investors and regulators.
The views expressed are for general information purposes only, and should not be used as a substitute for consultation with professional advisors. This article was reproduced with permission from PricewaterhouseCoopers Consulting (Singapore) Pte. Ltd, and forms part of its Risk and Regulatory Outlook 2021.
©2021 PricewaterhouseCoopers Consulting (Singapore) Pte. Ltd. All rights reserved.
 Basel Committee on Banking Supervision, “Progress in adopting the Principles for effective risk data aggregation and risk reporting,” 2020.
 Steve Marlin, “Frustrated Authorities Resort to BCBS 239 ‘Fire Drills’,” Risk.net, February 10, 2020.
 Steve Marlin, “Regulators bristle at slow progress on BCBS 239,” Risk.net, July 18, 2018.
 Monetary Authority of Singapore, “MAS Publishes Framework for Domestic Systemically Important Banks in Singapore,” May 01, 2015.
 Australian Prudential Regulation Authority, “Prudential Practice Guide: CPG 235 – Managing Data Risk,” September, 2013.
 Bangko Sentral ng Pilipinas, “Circular No. 971: Guidelines on Risk Governance,” 2017.
 Bank Negara Malaysia, “Guidelines on Data Management and MIS Framework for Development Financial Institutions,” 2012.
 Nick Beckett, Amanda Ge, “CBIRC publishes the guidelines for the data governance of banking financial institutions,” Lexoloogy, June 21, 2018.
 The six principles are as follows: 1) an effective data management and MIS framework, 2) sound data governance structure to ensure data quality, 3) comprehensive data and systems architecture, 4) assessment and monitoring of data quality in accordance to data policies, 5) effective controls over data security and privacy, and 6) effective and timely access to critical data (Refer to footnote 7).