There is clear fatigue in the industry around BCBS 239 compliance, but the exercise has also enabled other capabilities, say PwC’s Irene Liu, David Yakowitz and Catherine Lee.
On a global basis the BCBS 239 framework was issued in 2013 after the 2008 Global Financial Crisis showed that banks’ ability to manage risks during times of stress and crisis was inadequate. The BCBS (Basel Committee on Banking Supervision) found that banks were unable to aggregate risk information across their business lines and geographies in a consistent, timely and accurate manner, and this in turn led to poor risk decision making.
Initially applicable to G-SIBs (globally systemically important banks), the BCBS 239 framework is now the global industry standard for risk data governance, aggregation, and reporting. The G-SIBs were given a three year period to comply, however as of mid-2018, five and a half years into the journey, only two of the 30 G-SIBs had achieved compliance.
In Singapore, the MAS (Monetary Authority of Singapore) designated D-SIBs (domestically significant banks) in 2015 and set a BCBS 239 compliance deadline for these institutions for the end of 2018. Not surprisingly, given the G-SIBs experience, the Singapore D-SIBs found it challenging to achieve compliance and indicated the need for additional time to complete their BCBS 239 programmes.
Throughout the BCBS journey in Singapore, PwC has been facilitating collaborative roundtable sessions with the Singapore D-SIBs as well as other G-SIB institutions. These sessions have allowed banks to come together and discuss common challenges and approaches to compliance.
Our most recent roundtable was held in February 2019 – the first since the MAS deadline for compliance. This article summarises the key topics discussed during the session, including the state of banks’ journeys and remaining challenges.
Did the Singapore banks meet the MAS deadline?
Based on a short poll conducted during the session, 75% of participants said that they were still in “project mode” in their BCBS 239 programmes, as some functions were not yet ready to proceed to the business-as-usual (BAU) stage. The remaining 25% have transitioned residual project activities to BAU functions.
Banks have generally committed to the MAS that they aim to complete initial compliance activities by the end of 2019.
Where are the banks in terms of the MAS compliance rating scale?
The MAS has required banks to perform self-assessments of their compliance with BCBS 239 through completion of a detailed questionnaire in which ratings of 1 (not started) to 4 (fully compliant) had to be provided by the banks.
Most of the Singapore roundtable participants rated themselves ‘3’ across the 11 principles in their self-assessment ratings, which indicate they are on track to reaching full compliance.
One institution which had indicated a ‘2’ attributed this to a deliberate decision to take a conservative approach at the self-assessment stage in order to manage regulatory expectations. This bank also noted that ongoing BAU processes are in place.
The constant change in the business environment, where there may be changes to the organisational and regulatory requirements at a global level, means that D-SIBs will have to adapt accordingly. As another D-SIB aptly puts it, “due to so many changing factors, you could be a ‘4’ yesterday but a ‘3’ tomorrow”.
What are the largest remaining challenges to achieving compliance?
PwC asked participants in the roundtable session to rate their key remaining challenges. The most frequently noted challenge (72%) was the remediation of data quality issues.
Embedding data ownership (46%) was the second greatest challenge, while architecture and infrastructure, and demonstrating tangible benefits were tied at 36%.
On the subject of expanding the scope of BCBS 239 reports beyond Risk, the general consensus was that most banks include other areas like Finance and Regulatory Reporting, but the focus is still on Risk.
A deeper dive into the data-related challenges
One of the participants noted that the lack of clear data ownership was their toughest barrier to addressing data quality issues. Detecting quality problems is only part of the battle – there needs to be a process in place to assess and remediate the issues and this requires clear ownership.
After detection, issues must be assessed and remediation strategies developed. This requires banks to understand their data flows to pinpoint the source of the problem and to know who is accountable at that point for remediation.
To improve the understanding of data flows, banks have invested in identification of Critical Data Elements (CDEs) and documenting data flows and lineage for their CDEs.
To address the accountability issue, banks have incorporated data ownership principles and policies into their overall data governance approaches. The result is that governance bodies can more easily distribute accountability for remediation of data issues to data owners.
Are banks seeing tangible benefits of their BCBS 239 programmes?
While banks have adopted differing compliance approaches one thing is certain – the industry as a whole has spent considerable sums of money on BCBS 239. Based on data from the Global Association of Risk Professionals, it was estimated in 2016 that the global banking industry would have spent between USD 12 billion and USD 15 billion on the programme in the three to five years that followed.
It is therefore quite reasonable to ask about the benefits being achieved for such a high level of investment. While none of the roundtable participants noted specific monetary returns, most banks did acknowledge that their BCBS programmes have helped in various ways.
One of the main benefits noted was the efficiencies in the reporting/metric generation process as better-quality data and improved controls reduced the amount of time needed for reconciliations and adjustments.
Risk functions also reported having a better understanding of where and how the data they use comes to them. In some cases, this improved understanding has led to changes in data sourcing and a reduction of manual processes.
Data quality capability enhancement was a driver to understanding limitation of data and improving confidence for use of data.Technology enhancements were also noted – at one bank, a single enterprise data warehouse is driving efficiencies, as all reporting and analytics is run from a “single source of truth”.
Ultimately, the correlation between investment in a BCBS 239 programme, and top and bottom line performance is not so direct. As one participant pointed out, it is hard to isolate better data quality as a specific driver of an increase in revenue, for example.
What are banks doing to address the Independent Validation requirements of BCBS 239?
Participants in the roundtable each shared a brief update on where their institution stood in terms of independent validation. Progress ranged from banks that are already fully operational with validation functions to banks that are still in process of designing and mobilising the functions.
For the banks that have implemented the function there were some common themes. The reporting line of the validation team is within the Risk function. The size of the validation team is generally quite small (3-4 dedicated resources).
One of the banks noted the importance of aligning the validation framework to the compliance approach. For example, this institution based compliance on achievement of key business capabilities, and then developed the validation framework to assess the capabilities.
This same bank also cited the alignment between the internal audit function and the BCBS independent validation function as a critical success factor.
PwC was asked to provide perspective on how regulators globally have set expectations around the independent validation function and noted that very different approaches have been taken.
For example, US regulators took a rather hands-off approach and relied on results from validations performed internally by the banks. Those banks who could not articulate a robust validation process faced deeper scrutiny, while those who had implemented stronger validation processes had their results accepted more easily.
In contrast, the ECB (European Central Bank) has taken a more hands-on approach in which they have performed assessments of the banks themselves.
In general, the observation is that there is a correlation between strength of a bank’s validation process and how much the regulator is willing to rely on it.
What lies ahead?
There is clear fatigue in the industry around BCBS 239 as banks have been working towards compliance for so long without specific guidance on what compliance means from their regulators.
As a result, institutions are eager to transition out of programme mode and into BAU mode and look for ways to leverage their investment in BCBS 239 compliance.
As banks continue their journeys to achieve wider business objectives such as their digital strategies, they will find that many of the concepts of BCBS 239 are key enablers. This includes the ability to leverage high quality data, in a timely and consistent fashion, with robust controls, and all through fit-for-purpose architecture and infrastructure.
While banks are focused on the fatigue now, we are hopeful that one day they will look back and appreciate that BCBS 239 actually drove them (albeit reluctantly) to improve capabilities without which they could not have achieved some of their wider goals.
Irene Liu is PwC Southeast Asia Risk and Regulatory Consulting Partner; David Yakowitz is Managing Director, PwC Global Data Subject Matter Expert; and Catherine Lee is Director, PwC Southeast Asia Regional BCBS 239 and Data Governance Driver.