BCBS 239: the transformation towards the compliance
Based on Deloitte’s EMEA Survey
This analysis conducted by Deloitte aims at elaborating the steps towards the achievement of a full compliance towards the regulation on data aggregation governance, recently put into place for the major European banks (BCBS 239: Principles for effective risk data aggregation and risk reporting).
The analysis has been supported by a survey addressed to the largest European banks in order to identify and define the way in which the latter are reacting to the new regulatory challenges, trying at the same time to form the new methods and routes over which both imminent and long-term objectives could be attained.
Following the first regulatory deadline of 1st January 2016 set for the Global Systemically Important Banks (G-SIBs), the Bank of International Settlements (BIS) has also requested to these banks a self-assessment to identify their reached level of compliance. The main outcome is that none of the G-SIBs has fully achieved the standards set by the regulator within the pre-agreed deadlines. This fact has generated a necessity (and hence a challenge) for the banks to recalibrate their approach, adopting a more solid, efficient and long-term vision this time.
The final objective of BCBS 239 is the definition of the general guidelines for Risk Data Aggregation, without providing any details on how to be fully compliant though. The application of the defined principles has been left to the banks’ discretion, allowing for the development and the definition of various approaches which foresee the realization of synergies with other Regulatory requirements (e.g. TRIM, SREP, AnaCredit, etc.).
Leveraging on Deloitte’s EMEA Network, it has been possible to carry-out a survey that aims at identifying the ways in which the G-SIBs and D-SIBs (Domestic Systemically Important Banks) have approached this regulatory challenge, highlighting, in this way, the main ways of intervention that can lead to maximum compliance.
In accordance with the guidelines provided by the Regulator, three areas of investigation have been identified in order to initially illustrate the most striking results of the survey and subsequentially make a comparison between the findings of the assessment published by BIS in March 2017:
- Governance and Process
In order to define and create in detail a new organizational structure, several actions have been carried on, with the consequent formalization of roles and responsibilities that led to the definition of an End-to-End process.
- IT infrastructure and data aggregation process
Modifications of the IT Infrastructure have been introduced so as to ensure the accuracy, the correctness and the timeliness of the information. Using this field as benchmark, approx. 70% of the interviewed banks seem to believe that they conform to the Regulation. However, as indicated by the findings of the March 2017 publication, further refinements are necessary to achieve full conformity to the required standards.
- Risk Reporting
Until now, the developed report offers only partial support to the decision-making process. Standard reporting has been introduced so that regulatory and monitoring requirements will be met by the major business lines.
- Further investments are necessary from the G-SIBs to bridge the gaps identified by the regulator. The expected results of all relevant interventions must be realised by the end of 2018 (more than 2 years since the original deadline of 1st January 2016).
- Based on the lessons learnt from the G-SIBs experience, the D-SIBS should:
- Carry-out an as-is evaluation that will be based on the new regulatory interpretation of the BCBS 239, anticipating at the same time the gaps to be filled-out;
- Define an individual long-term strategic plan with the goal of achieving the Target Operating Model. The objective of this plan should be the conception of a solid and integrated infrastructure, capable of reducing the manual interventions, as well as any consequent operational risks;
- Develop Automatic Processes and Robust Controls that will certify the quality of the data.
- The compliance with the Regulatory requirements of the BCBS 239 demands greater focus on:
- Governance & Processes - the role of Chief Data Officer (CDO) can help the integration of results to become fast and efficient, as long as a solid and robust data governance process is in place;
- IT Infrastructure - define a more centralised, inclusive (across all the steps of the processing) and timely data management solution;
- Risk Reporting - an activity that not only has to be consistent with the quality of controls, but also flexible, to enable risk managers to make the most out of the new integrated reports.