Since the BCBS 239 principles on risk data aggregation and risk reporting were published by the Basel Committee in 2013, globally systemically important banks (GSIBs) have invested significant time and budget to reach compliance. However, four years on, the great majority are still not yet fully compliant, as updated by BCBS in March 2017.
In ASEAN, Singapore was the first country to designate, in 2016, its domestically systemically important banks (DSIBs). These banks (three local, and four foreign) have been identified by the Monetary Authority of Singapore (MAS) as being systemically important to the local economy, meaning that should one of these banks default, the potential impact on the Singapore ecosystem and marketplace could be very significant, and could have implications on the labour market and society as a whole.
The DSIBs are also encouraged to adopt the BCBS 239 principles, and those in Singapore are already working on their compliance programmes. In addition, regional banks in the other ASEAN countries that have either already been or are in the process of being designated as DSIBs will soon begin work to meet the BCBS 239 requirements. As they embark on their implementation, there are lessons that can help them avoid, or at least mitigate, certain pitfalls.
Lesson 1: Be aware of the potential implications
First and foremost, BCBS 239 principles are a set of regulatory requirements which banks need to comply with. However, one should not forget that the primary driver of these principles is the global financial crisis of 2008, during which systemic organisations were wiped out partly because their management were unable to obtain accurate and timely information about their risks and exposures. Ultimately, what is really at stake, beyond the need for adequate information, is the stability of the economy and the protection of the public.
Lesson 2: Spend time on scoping and interpreting the principles
BCBS 239 principles, like any other principles, are prone to subjectivity - what does it mean to be compliant? The principles require a certain level of pre-analysis, understanding and interpretation of the requirements. It also depends on how high the organisation is willing to set the bar. Here are some examples of areas of subjective interpretation:
Lesson 3: Identify synergies and leverage capabilities
Although the BCBS 239 principles are quite recent, the areas of purview are not new. Data integrity and risk reporting have always somehow been part of the organisations’ agenda, whether in terms of governance or processes and controls. However, this does not mean that there are no gaps in data quality and reporting. These gaps need to be identified and addressed in due course in order to offer risk information that is of an acceptable and comfortable level to the senior management.
Hence, before deciding to invest in heavy solutions and initiate deep transformations, organisations should perform a detailed assessment of their current capabilities and how these capabilities already or could be leveraged to address BCBS 239 requirements. Similarly, banks that already have big transformation programmes in motion should consider integrating solutions to address BCBS 239 requirements more efficiently.
Lesson 4: Try to avoid a pure silo-based approach
One of the key challenges of BCBS 239 compliance is that it requires many different skills - at least the CRO, CDO and Chief Information Officer (CIO) must be involved in the programme. However, if these key C-suite stakeholders are not properly coordinated and monitoring the same holistic and integrated agenda, the chance of success will be significantly reduced. Splitting roles and responsibilities by each BCBS 239 principle is possible, as long as there is a robust overarching governance framework with ongoing coordination and collaboration.
Lesson 5: Engage other key stakeholders early in the process
Another mistake is to keep the BCBS 239 programme isolated with no regular communication on its progress and status. For instance, the internal audit team becomes a key stakeholder for BCBS 239 compliance once the related processes switch to business-as-usual mode. Although there is no obligation to have them involved at the start of the compliance programme, it is advisable to bring the team on board as soon as possible, as eventually they will be the third line of defence to provide the Board with assurance on the bank’s level of adherence to the principles. Furthermore, some technical skills within the internal audit space can be quite useful to BCBS 239, such as operational risk, internal controls, data integrity management and IT controls.
The regulator is another key stakeholder that should be kept aware of the progress of the bank’s BCBS 239 compliance programme. In fact, the sooner the bank engages the regulator to share its plans, the better the bank is perceived. Opening the dialogue early will allow for opportunities to verify the bank’s understanding and interpretation of the principles, and will provide some assurance that the bank is in the right direction in terms of roadmap and work programmes.
To conclude, BCBS 239 compliance is challenging and requires at least a couple of years to achieve. However, if some of the key lessons reviewed in this article are not duly considered, it can easily double the time needed to reach full compliance.
The views expressed in this column are the author's own and do not necessarily reflect this publication's view, and this article is not edited by Asian Banking & Finance. The author was not remunerated for this article.
Do you know more about this story? Contact us anonymously through this link.
Frederic is an Executive Director within Deloitte Southeast Asia’s Financial Services Industry practice, leading risk management and Basel advisory services and covering more than 40 banks in Singapore and Southeast Asia. He has over 17 years of multi-disciplinary experience in risk management, regulatory compliance and internal/external audit in the banking and asset management industry, essentially within international audit and consulting firms, as well as in risk management for a large bank with assets under management of more than USD 100 billion.