BCBS 239 implementation progress has veered off course at some banks as a result of the Covid-19 crisis, prompting a need for reassessment, says John Berven at Solidatus.
As the world wrestles with the ongoing impact of the coronavirus, whether looking at specific lockdowns or the widespread impact on different industries, one word commonly applied is ‘reset’. Shutdowns implemented around the world due to the virus have forced organisations to rapidly review both essential and less critical business systems, as so many have had to rapidly pivot to allow for greater work-from-home capabilities.
This is just as true when it comes to internal data compliance and access policies as it is for complicated internal data structures at banks. Indeed, the summary of BCBS 239 – the Principles for effective risk data aggregation and risk reporting from the Basel Committee on Banking Supervision (BCBS) – is that “the right information needs to be presented to the right people at the right time”.
In the context of Covid-19, this “right information” still needs to be accessed by the right people, even in cases where staff are working remotely. In the current environment, this has to now be facilitated through more flexible, cloud-based systems rather than the longstanding legacy infrastructures still present at many financial institutions.
Legacy systems themselves are often one of the reasons why so many organisations in Asia Pacific remain only partially compliant with BCBS 239 – even four years on from the original deadline. Looking back to the inception of the principles, their original inspiration lay in the immediate aftermath of another global crisis, in 2008. Specifically, it was identified that some ‘globally systemically important’ banks did not have a firm grip on their risk reporting and could not react quickly enough.
Reappraised under the current climate, the parallels with the current pandemic are clear. At least this time around, the issues of risk and correct access to the right data by the right individuals in a timely fashion should have been facilitated by all of the progress made in the seven years since BCBS 239 was originally introduced.
According to the latest progress report on BCBS 239 implementation published in April 2020, “In general, banks require more time to ensure that the Principles are effectively implemented”. This need for more time is often a matter of resource and focus. In a typical BCBS 239 project, over half the resources usually are taken up by determining and documenting data flows as data lineage.
This is a critical part of the process – if a bank cannot describe what data flows where, or document all of the sources of data used in a regulatory report, regulators will not be satisfied. Seeing data in context is essential for a full high-level view. Given the rapid introduction of new measures as lockdowns in the region started to bite, some banks (perhaps in haste) have skipped this crucial step to BCBS 239 compliance.
Ultimately, one of the biggest hurdles encountered in implementing BCBS 239 is the tendency to take a short-term view. In a rush to achieve compliance as quickly as possible, some banks sought out consultants to collect data to merely ‘get across the line’, without an analysis of the bigger picture or a plan to build out a truly sustainable process that could be managed and maintained internally.
Accordingly, when operational priorities shifted during the Covid-19 crisis, BCBS 239 implementation progress at some banks came to a halt. As a result, these implementation programmes will need to be reassessed and, in some cases, restarted to get back on course.
The reassessment of BCBS 239 compliance projects does come with some benefits. In part due to Covid-19-related disruptions, many banks now have a better idea where their data sits and where it flows. Based on these new insights, banks could adopt a more future-sighted approach – starting at the end goal and looking back.
Banks should consider what their organisations could do with all the metadata captured for BCBS 239. For example, they could be identifying data quality issues and assessing their impacts along the flows from originating systems to reports. They could also be identifying all ‘creditor’ related data, from wherever it originates, with a view to ensuring it all gets through to the relevant reports.
On a broader level, different teams (often in other offices, or in different countries) need to be able to find specific data sets to run new initiatives, and would benefit from seeing clearer definitions of those datasets. Banks could also undertake experiments to help them understand what would change if they moved their systems to the cloud – or, indeed, to pinpoint what may have changed if cloud technology was introduced very quickly.
Some banks may have difficulty accepting that their BCBS 239 compliance projects have veered off track during the last few months. But, the processes to address this are the same as pre-pandemic, only better understood. A key aspect to keep in mind is the importance of bringing in a sustainable and repeatable process to collect up-to-date metadata which will facilitate ongoing compliance.
Metadata means information about the data banks hold – for example, its business meaning, which system produced it, who owns the data, where the data is stored, what it is used for. To harness it effectively for compliance tracking, many banks will be looking at access to an integrated metadata platform, which allows data users to more easily decode deeper layers within the data.
Introducing and rooting a sustainable process for BCBS 239 implementation within an organisation demands a centralised approach to data management, which allows for the management of both user access and user accountability throughout the organisation. For very large multinational banks, the only practical option is to lean into automation.
Fully understanding the detail and depth which already resides in a bank’s existing metadata is the best way forward, rather than trying to overlay additional detail – a largely unnecessary process as the metadata itself already holds the information which needs to be identified and tracked for BCBS 239 compliance.
It is straightforward enough to implement an integrated platform to harness this metadata, one that treats that data as a first-class asset, with all the control and ownership that it implies. But most users are not technical, so the underlying architecture must also be simple and adaptable, without artificial constraints. The architecture needs to include lineage, quality metrics, glossaries, high level views, search, queries and reports – and deliver these easily and seamlessly.
Without a focus on simplicity and usability, banks risk investing vast amounts of resources in rolling out a technical solution to a pressing problem, which less technically-minded staff won’t engage with.
To solve banks’ compliance issues, however, the first step is to identify how processes which were brought in to meet short-term crisis-driven needs may have coped. For organisations seeking to progress further with the tenets of BCBS 239, it may now be essential for them to commence this assessment, and quickly, in spite of other operational priorities under the current crisis-like environment.
Principle 2 of BCBS 239 states:
“A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.”
Without reassessment, data architecture issues have the potential to impact not only compliance with BCBS 239 itself, but broader digital transformation goals of banking businesses throughout the region.
John Berven is the APAC Head of Solidatus, having joined the firm two years ago and incorporated the Singapore office in January 2019. He previously spent 18 years at State Street Global Markets.