5 key lessons for Asian banks' BCBS 239 compliance journey

Since the BCBS 239 principles on risk data aggregation and risk reporting were published by the Basel Committee in 2013, globally systemically important banks (GSIBs) have invested significant time and budget to reach compliance. However, four years on, the great majority are still not yet fully compliant, as updated by BCBS in March 2017.

In ASEAN, Singapore was the first country to designate, in 2016, its domestically systemically important banks (DSIBs). These banks (three local, and four foreign) have been identified by the Monetary Authority of Singapore (MAS) as being systemically important to the local economy, meaning that should one of these banks default, the potential impact on the Singapore ecosystem and marketplace could be very significant, and could have implications on the labour market and society as a whole.

The DSIBs are also encouraged to adopt the BCBS 239 principles, and those in Singapore are already working on their compliance programmes. In addition, regional banks in the other ASEAN countries that have either already been or are in the process of being designated as DSIBs will soon begin work to meet the BCBS 239 requirements. As they embark on their implementation, there are lessons that can help them avoid, or at least mitigate, certain pitfalls.

Lesson 1: Be aware of the potential implications
First and foremost, BCBS 239 principles are a set of regulatory requirements which banks need to comply with. However, one should not forget that the primary driver of these principles is the global financial crisis of 2008, during which systemic organisations were wiped out partly because their management were unable to obtain accurate and timely information about their risks and exposures. Ultimately, what is really at stake, beyond the need for adequate information, is the stability of the economy and the protection of the public.

Lesson 2: Spend time on scoping and interpreting the principles
BCBS 239 principles, like any other principles, are prone to subjectivity - what does it mean to be compliant? The principles require a certain level of pre-analysis, understanding and interpretation of the requirements. It also depends on how high the organisation is willing to set the bar. Here are some examples of areas of subjective interpretation:

• BCBS 239 ownership: Beyond the political aspects inherent to all ownership allocation processes, there are different governance models in the marketplace. Some banks perceive BCBS 239 as a risk management matter with the Chief Risk Officer (CRO) being the one responsible for the compliance programme. Others tend to consider BCBS 239 to be mainly about data management, and the Chief Data Officer (CDO) will hold this responsibility. There are also those that favour a more collegial setup, forming a BCBS 239 committee comprising all key decision-making stakeholders. While there is no one-size-fits-all solution, a common success denominator is a high level of ongoing coordination and involvement from all key stakeholders, no matter who is responsible on paper.
• Selection of critical risk measures (CRM): There is no rule of thumb for how many CRMs a bank should consider for BCBS 239. 80 to 100 CRMs is about average, but the range can be quite wide, with some banks including as many as 150 to 200 CRMs to be comprehensive. Others prefer to focus on a limited set of 30 to 40 highly critical ones. The number of CRMs to employ has to be a management decision and depends on the risk management appetite of each bank’s governing body, even if the regulator might tend to be in favour of fewer CRMs with higher accuracy.
• Level of process automation: Some banks are comfortable with the current level of manual processes associated with their reporting production as long as there is a robust control framework and offers agility. Others will consider a higher level of automation that can better serve the purpose of becoming compliant. In some cases, BCBS 239 has even driven banks to deploy robot process automation (RPA) solutions. Eventually, each bank needs to perform a detailed analysis on which manual processes can be further automated, with a view to maximise the level of comfort on data accuracy and timeliness.
• Data quality framework and data lineage: How should data quality be defined in terms of threshold and tolerance levels when there is no “sweet spot” within this zone of subjectivity? In terms of accuracy and quality of a CRM, what is deemed acceptable for one bank may not be tolerated by another, with all things being equal. Most importantly, the bank needs to be able to articulate the rationale for its data quality thresholds and indicators, and ensure that it is fully understood and approved by its senior management. It is also essential to be able to deconstruct each CRM into its individual critical data elements (CDE) to map all data flows and data quality controls. In this area of data lineage, solutions range from simple and highly manual flowchart-types to more strategic, integrated and automated tools.

Lesson 3: Identify synergies and leverage capabilities
Although the BCBS 239 principles are quite recent, the areas of purview are not new. Data integrity and risk reporting have always somehow been part of the organisations’ agenda, whether in terms of governance or processes and controls. However, this does not mean that there are no gaps in data quality and reporting. These gaps need to be identified and addressed in due course in order to offer risk information that is of an acceptable and comfortable level to the senior management.

Hence, before deciding to invest in heavy solutions and initiate deep transformations, organisations should perform a detailed assessment of their current capabilities and how these capabilities already or could be leveraged to address BCBS 239 requirements. Similarly, banks that already have big transformation programmes in motion should consider integrating solutions to address BCBS 239 requirements more efficiently.

Lesson 4: Try to avoid a pure silo-based approach
One of the key challenges of BCBS 239 compliance is that it requires many different skills - at least the CRO, CDO and Chief Information Officer (CIO) must be involved in the programme. However, if these key C-suite stakeholders are not properly coordinated and monitoring the same holistic and integrated agenda, the chance of success will be significantly reduced. Splitting roles and responsibilities by each BCBS 239 principle is possible, as long as there is a robust overarching governance framework with ongoing coordination and collaboration.

Lesson 5: Engage other key stakeholders early in the process
Another mistake is to keep the BCBS 239 programme isolated with no regular communication on its progress and status. For instance, the internal audit team becomes a key stakeholder for BCBS 239 compliance once the related processes switch to business-as-usual mode. Although there is no obligation to have them involved at the start of the compliance programme, it is advisable to bring the team on board as soon as possible, as eventually they will be the third line of defence to provide the Board with assurance on the bank’s level of adherence to the principles. Furthermore, some technical skills within the internal audit space can be quite useful to BCBS 239, such as operational risk, internal controls, data integrity management and IT controls.

The regulator is another key stakeholder that should be kept aware of the progress of the bank’s BCBS 239 compliance programme. In fact, the sooner the bank engages the regulator to share its plans, the better the bank is perceived. Opening the dialogue early will allow for opportunities to verify the bank’s understanding and interpretation of the principles, and will provide some assurance that the bank is in the right direction in terms of roadmap and work programmes.

To conclude, BCBS 239 compliance is challenging and requires at least a couple of years to achieve. However, if some of the key lessons reviewed in this article are not duly considered, it can easily double the time needed to reach full compliance.