PwC spoke to DBS’s Sia Nam Chie and OCBC’s Simon Lavender about the challenges they faced setting up the independent validation function for BCBS 239 compliance.
The BCBS 239 framework issued in 2013 sets the global industry standard for risk data governance, aggregation, and reporting. In 2015, banks in Singapore started on their respective BCBS 239 journeys with a compliance deadline for the end of 2018.
A key aspect of compliance has been the need for continuous independent review and validation of banks’ risk data aggregation and risk reporting capabilities, to ensure that BCBS 239 standards are still being upheld post-compliance.
As regulators show concern over the level of BCBS 239 compliance globally, the need to independently validate a bank’s compliance against an ever-growing suite of regulatory notices increases. The long-term benefits of having an independent validation function, whose work can be relied upon by regulators, becomes more apparent.
In an exclusive interview conducted with Sia Nam Chie, Head of Compliance Validation at DBS Bank (DBS), and Simon Lavender, Head of Group Data Validation at Oversea-Chinese Banking Corporation (OCBC), both banking heads said they believe the independent validation function is here to stay.
In fact, the role of the function is likely to evolve in the years to come. This is because firstly, as Sia noted, there could be higher expectations, in terms of breadth and depth of coverage, as well as the skills and competencies, of this function.
Secondly, as Lavender noted, independent validation is a leading and key capability that can help drive changes to data standards, data architecture, and risk practices – which he believes will be increasingly important over the coming years.
Challenges of the Independent Validation Function
While the future of independent validation is bright, as a newly set-up function that never existed previously in banks, growing pains were expected.
After more than a year in his new role, Sia says validating against the BCBS 239 principles is challenging, yet exciting. As the BCBS 239 principles are qualitative in nature, the requirements are subject to interpretation. One would need to have a good understanding of how different business or support units function and then apply the requirements appropriately.
“My team and I needed to first know the various subject matters well enough to put forth our views and recommendations. Knowing the principles is just the start. Applying them to various situations and advising the stakeholders on the requirements is a different ballgame,” he says.
Some of these early difficulties Sia faced were echoed by Lavender, who further highlighted challenges validating compliance across the bank’s entire pipeline of data sources. For risk data aggregation and reporting purposes, this cut across the business, risk, IT, finance and other functions.
Learning from experience and managing stakeholders
Given the challenges that came with the job, Lavender emphasised the importance of spending a significant amount of time developing the validation framework and procedures to establish a clear process that can be communicated and approved.
For an independent validation function’s success, the framework and procedures need to be built around a capability model, rather than at the BCBS 239 principle level.
Additionally, access to senior management forums, with a direct reporting line to senior management (i.e. the Chief Risk Officer) for escalation and independence is key, Lavender says.
In conducting validations, being fair and objective is imperative in order to successfully conduct the validation work, Sia says. As the team is newly established, it needs to earn the trust and respect of the stakeholders, while maintaining the independence.
Managing stakeholders goes beyond working-level groups, as there is a requirement to update senior management and the Board on the overall level of BCBS 239 compliance, he added.
As Lavender aptly summarised, delivering difficult messages becomes an essential skill, as providing updates becomes a frequent task for the independent validation function. He says:
“The updates you give and the level of detail in your messages are going to be different depending on the audience. For example, at the department level, this is a process level, detailed discussion about the tools and capabilities used. At the senior management level, you need to deliver compliance reports that highlight significant issues and actions that may materially impact the bank. At the Board level, you need to provide explanations using the BCBS 239 principle, highlighting trends and gaps which articulate the bank’s overall compliance status.”
Leveraging on Artificial Intelligence (AI) for Independent Validation
With digital and technology innovations at the forefront of many banks’ plans, it is only a matter of time before the execution of independent validation converges with wider strategic agendas, Sia and Lavender agreed.
While the validation work does not currently require the use of technological tools, Sia says in the future he hopes to employ more advanced tools to automate data validation and expand validation coverage.
Lavender echoes this sentiment, saying that as the process matures, it will become increasingly possible to develop software to help with validation execution. At this juncture, however, banks should focus purely on meeting the regulatory requirements.
As banks adopt AI and automate more of the risk data aggregation and reporting processes over time, the independent validation framework will need to be expanded to incorporate these capabilities, while also ensuring that technologically driven changes do not weaken the bank’s ability to aggregate risk.
PwC perspective: Independent Validation – a space to watch
Over the next few years, the independent validation will be the function that will reimagine what it means to prove to regulators – with a high degree of assurance – that banks are complying with relevant regulations.
On one hand, the development of an independent validation function was expected, and it has taken shape both as best practice and a practical way for banks and regulators to affirm compliance, such as in relation the implementation of Capital Adequacy standards (Basel III / MAS 637) and Risk Data Aggregation and Reporting (BCBS 239).
On the other hand, the step-by-step details on how to execute independent validation have largely been left to the banks for experimentation. As such, the path each bank takes will be unexpected and vary in their own ways.
One thing is certain: as banks transform their businesses and employ new cutting-edge technologies in their business-as-usual (BAU) work, the execution of independent validation will eventually converge, potentially enhancing the function and increasing its usefulness.
This convergence would see the independent validation function infuse technology innovations in machine learning (ML), natural language processing (NLP), and robotic process automation (RPA) throughout the entire independent validation process. For example, an NLP solution would be able to read banks’ vast policy frameworks, and translate the requirements contained therein into executable code to perform tests over large volumes of data.
In the next instalment of our Independent Validation series, we will deep dive into how other AI innovations can support independent validation work, and how other functions within banks can further innovate their BAU processes by leveraging these technology advancements.
Given the scale and scope of data at banks that needs to be assessed for compliance against global standards, we foresee the application of technology as potentially game-changing for the independent validation space.
Shierly Mondianti is a Manager at PwC Southeast Asia focusing on risk, regulations and data matters in the banking sector; Irene Liu is PwC Southeast Asia Risk and Regulatory Consulting Partner.