The New Normal - living with continuous regulatory change in the financial markets

BCBS239: the behemoth lumbers on

2 © GFT 2015

Introduction

Across the financial system, Global Systemically Important Banks (G-SIBs) are continuing to wrestle with the regulatory behemoth that is BCBS239 as they near the compliance deadline. More so than many regulations, the sheer size and scale of BCBS239 makes it a particularly daunting challenge for banks to overcome. Annual budgets of tens of millions of dollars, and total programme costs typically in the 50 to 150 million dollar range attest to the scale of the challenge. With the January 2016 deadline rapidly approaching, there still remains a very large question mark over the extent to which G-SIBs will be compliant.

In January 2015, the Basel Committee on Banking Supervision published its second report on the progress made by the G-SIB banks in their attempts to comply with the 11 banking Principles of BCBS239. The report, entitled “Progress in adopting the principles for effective risk data aggregation and risk reporting” provides an update and a report on progress towards the 11 Principles set out in the January 2013 BIS Document.

Although generally improvements have been made since the first progress report was released in December 2013, some banks have reported a downgrade in their ability to meet compliance requirements. 14 of the 31 G-SIBs said they would be unable to comply with at least one of the 11 Principles by January 2016.

The picture that emerges is one where many banks are struggling to establish strong governance, data aggregation, architecture and processes. BCBS239 requires the implementation of large-scale, global strategic IT infrastructure, which is difficult enough, but also needs the cultural, business process and governance changes to support it. The BIS has also highlighted the concern that many banks continue to rely on manual workarounds to achieve compliance.

Despite the mixed response from some banks, many still believe that full compliance will be possible by January 2016. With so much still to be achieved, is this a sign of overconfidence? It is likely that banks may have overestimated their predicted levels of compliance, and what is now required is a thorough and honest appraisal by each individual G-SIB on what they still need to do to comply with BCBS239.

The challenges facing G-SIBs

The origins and drivers of BCBS239 can be traced back to the 2008 financial crisis, as a response to the analysis and interrogation that inevitably followed. At the height of the crisis, it became apparent that banks were unable to aggregate data quickly or effectively enough, preventing them from identifying risk exposures and acting appropriately on them. As the crisis unfolded, their ability to make appropriate business decisions was compromised by data quality issues and their inability to aggregate risk information quickly and accurately.

The Principles of BCBS239 require banks to strengthen their risk data aggregation capabilities and internal risk reporting practices. If banks are going to comply with these Principles by the January 2016 deadline, they need urgently to review their current governance structures, data architectures, IT infrastructure and capabilities, as well as think about the overall culture that exists within their individual institution towards data and risk analysis.

The self-assessments by the G-SIBs clearly show how difficult complying with the Principles has proven to be. The size, scope, and complexity of this regulation pose a set of unique challenges, on top of other local and regional regulations that banks are already tackling. The self-assessments demonstrate that there is still much to be accomplished, including: addressing the heavy reliance on manual processes and tactical fixes, creating consistent documented processes for the aggregation of risk data at the Group level, improving the handling, aggregation and proper accounting of collateral, and improving the reconciliation and control processes for risk data aggregation. The question now is whether G-SIBs have enough time remaining to comply with the deadline, and if their remediation programmes are currently delivering the required changes to make this happen.

BCBS239 is a “non-prescriptive” regulation; the onus is on the banks to decide how they intend to interpret the Principles as well as to set and define their own minimum standards for compliance. By way of a motoring analogy, if banks are driving along the road towards a destination called “BCBS239 Compliance”, each G-SIB is currently at a different stage of the journey, with some having much further to travel than others. Some are still struggling to determine exactly where “Compliance” is on the map, or the best route to get there!

With the growing awareness that time is running out, there is increasing pressure to simply meet the “letter of the law” (i.e. to tick the boxes for compliance), rather than to embrace the full spirit of the regulation as hoped for by BIS, with banks seeking to implement significant operational and cultural change in the management of their risk data. With limited time remaining, it is very likely that many of the G-SIBs will now only be capable of achieving the minimal standards for compliance, with many manual workarounds and legacy issues to be resolved at a later date.

Problematic areas for compliance

¬ Governance structures

BCBS239 states that banks should have in place strong governance frameworks. However, achieving this has proven highly problematic. A robust governance framework should be the foundation which banks can use to help build their BCBS239 solution – without this, compliance becomes increasingly difficult to achieve.

Due to their size, G-SIBs will naturally face many challenges relating to their data architectures and the roles and responsibilities associated with this architecture. Poor quality data can be linked to the existence of many data sources and formats with perennial questions about formats, data quality, SLAs and ownership. Improved governance is vital, but it also requires G-SIBs to define clear data standards, identifying where high quality data comes from and what it should look like. G-SIBs need to document exactly how their data is managed in terms of the processes, controls, responsibilities and reporting. Mapping the “data lifecycle” and making it accessible and available to relevant stakeholders will be vital.

A key aspect, however, is that governance structures are not just robust, but flexible. Banks must be able to aggregate data across different entities, business lines and risk types, not simply for a particular point in time, but to evolve over time and keep up with business, legal and regulatory changes. Significantly more flexible data architectures must be in place to allow for real-time and ad-hoc reporting in both normal and stressed conditions, such as the 2008 global financial crisis.

¬ Risk data activities

Risk data management has been raised by BCBS239 to a new level. During the financial crisis, it became clear that weak risk data aggregation, reporting capabilities and an overreliance on manual processes were major issues. Many of the limitations and deficiencies in these areas arose because firms had numerous, disparate data sources using different formats, technologies, nomenclature and data quality assurance processes. These problem areas were highlighted in the most recent progress report, with 8 firms reporting that they would not be fully compliant on Principle 3 (Accuracy and integrity).

Key elements of compliance on Principle 3 will include improved and more robust quality assurance processes and the introduction of standardised taxonomies and data protocols.

Ultimately, improved risk data will help banks improve their decision-making, identifying where their exposures lie and reporting this data as quickly as possible to those who can do something about it. For example, with better visibility of aggregated risk data, a risk manager could identify issues quickly, before they become problems. The recent Russian debt crisis provides a classic example, where many firms were unable to understand their exposure to the problem, and were therefore unable to do anything about it.

¬ Information technology

High quality data aggregation cannot be achieved without the appropriate information technology (IT) and data architecture. The regulators reported that during the financial crisis, the IT systems and data architectures found in many banks were inadequate to support the management of financial risk. The regulators noted that those institutions which had better risk data management processes were the ones that had the appropriate technology and platforms in place to help them analyse their risk data better.

BCBS239 will stimulate the need to reassess existing legacy systems and technology and consider whether firms can deliver data in the required format to answer the questions being asked of them. This will require major IT infrastructure projects for many G-SIBs, which may include updating or replacing core legacy systems, to avoid leaving themselves a looming “technical debt” for the future.

¬ Legacy technologies

Updating embedded legacy systems is, however, no easy task, and will inevitably lead to an increase in spending by banks on their risk aggregation technology. The level of investment required and the scale of projects deployed will depend on how entrenched the legacy platforms are and the selection of appropriate replacements. These challenges are compounded by the need to continue to meet bank risk and reporting obligations, while at the same time overhauling their legacy technologies.

¬ Manual workarounds

The 2015 progress report revealed that G-SIBs are continuing to rely heavily on manual workarounds to deal with the demands of complying with BCBS239. Manual workarounds and tactical mitigants are typically major constraints on the flexibility, adaptability and operational robustness of BCBS239 solutions. Although manual workarounds and tactical mitigants (such as end-user applications) are sometimes difficult to avoid, it must be remembered that they increase “process debt” which carries a heavy penalty to be paid at some point in the future.

As with any debt which accumulates over time with a crippling rate of interest, technical and process debt can reach unmanageable proportions as complexity rises unabated. This situation increases the potential risk to the firm and also inflates the cost to eventually make a more strategic change in future. G-SIBs have been advised to “simplify their current IT architecture and data flows across departments and legal entities” in order to streamline the aggregation process and to enable quick aggregation of risk data during times of stress. However, with such embedded systems and processes, accumulated over many years, this is easier said than done.

Banks need to understand and monitor closely the amount of technical and process debt they are storing up for the future, and ensure that there are plans and a budget in place to address this challenge. One such plan would be to include implementation debt assessment and remediation strategies into regular technical and business audits.

¬ Leadership requirements

Delivering the projects required for BCBS239 compliance requires effective leadership within every G-SIB. The 2015 progress report recommended greater engagement from senior management and boards of directors, and more awareness of the risk and data aggregation capabilities within each bank.

Senior management and board members have to start thinking differently about risk data management. They need to create a culture where everyone begins to think about data in a more in-depth and holistic way. Senior management has to understand the value of IT and data and demonstrate to all stakeholders how it impacts on the ability to make better business decisions, as well as meeting the requirements of BCBS239 compliance.

Board members should take an active interest in, and responsibility for, the data quality and aggregation capabilities which ultimately underpin risk management strategy and decision-making. Accountability for risk is not something that can be delegated; ultimate responsibility for risk management sits with the board and executive committee members.

Senior management needs to monitor and engage more actively in the delivery of projects, paying close attention to progress and becoming cognisant of trade-offs in terms of “strategic” versus “tactical” approaches, as well as the long term viability and robustness of solutions. As with many regulatory change initiatives, BCBS239 has too often been viewed simply as an issue for IT to resolve.

This thinking has to change. The ability to store, deliver and report the required risk data is intrinsically linked to the IT capabilities within each bank, but senior management should be seeking to develop a framework that allows them to work more collaboratively with IT stakeholders to create effective policies and strategies for risk management. Board members should be directly involved in assessing whether the project implementation is on track, as well as identifying and enabling the timely resolution of any obstacles to implementation. It requires those in IT departments and those managing data to think about IT along business lines rather than in an organisational silo.

What has been the North American experience?

Historically, BCBS239 has not been high on the agenda for US domestic banks, compared with their European counterparts, yet the more vigorous action-oriented approach of American regulators has already provided strong incentives to make progress on some BCBS239 Principles.

OCC Enforcement Actions have been very effective in forcing compliance, with recent examples touching on data aggregation principles. Interestingly, these enforcement actions tend to be quite specific, and also call for Executive Committee and sometimes board involvement in supervision and monitoring.

What can D-SIBs learn from the G-SIB experience?

Under the BCBS239 guidelines, D-SIBs are not required to implement BCBS239 by January 2016, but the Bank for International Settlements (BIS) recommended that regional regulators apply a three year timeframe for compliance, commencing with the individual organisations’ designation as a D-SIB. Since the regulators’ recognition of D-SIBs is not a globally synchronised process, there is a blurring of timelines, but D-SIBs are now beginning to budget, plan and mobilise their BCBS239 programmes.

Starting from scratch, and with three years to implement, D-SIBs should be able to take advantage of the experiences and lessons learned by many of the G-SIBs, such as not launching a programme without clear data taxonomies or governance processes, and ensuring attention is paid to the proper inclusion of collateral in the programme. By avoiding these costly mistakes, using time and budget more efficiently, and ensuring that appropriate tools, processes and accelerators are utilised, D-SIBs can reduce project risk and aim for a better quality and more timely end result.

Moreover, D-SIBs who seize the opportunity to get it right the first time will also be able to avoid the near-ubiquitous tactical mitigants and manual processes found in the approach of G-SIBs. They can focus on strategic build, rather than burden themselves with costly technical and process debt for years to come.

In sharp contrast to the majority of G-SIBs, it is even possible that some D-SIBs will realise the gains in efficiency, reduced probability of losses, enhanced strategic decision-making, and increased profitability cited by the BIS as the core benefits of improving their risk data aggregation capabilities.

The challenges and problem characteristics for D-SIBs are of course different from G-SIBs. However, D-SIBs are smaller and typically less complex than G-SIBs, with fewer distinct entities and source systems, so the scale of the costs and challenges is reduced and, in principle at least, more easily managed. On the other hand, D-SIBs will also generally be more sensitive to budgetary pressures and cost of ownership. In addition, D-SIBs will not necessarily have the large regulatory change and execution teams required to undertake this ambitious and far-reaching regulatory project.

D-SIBs who undertake BCBS239 programmes with a more strategic approach, and pay close attention to the painful lessons learned by G-SIBs, should be able to reduce risks and project costs, and achieve not just compliance, but an integrated risk aggregation platform which adds value.

Conclusion

On the 1st of January 2016, what can we expect to find? Will the G-SIBs be in a position to confidently say they have met all the Principles asked of them, or will they be desperately seeking an extension from the regulators? It is clear from the progress report that many banks do not expect to achieve full compliance and they will likely have significant additional remediation and implementation activities beyond this date.

G-SIBs with outstanding items will then need to demonstrate adherence to agreed plans that specifically focus on those areas that need urgent attention, and they will risk regulatory censure or penalties if they fail to meet their commitments.

Succeeding with BCBS239

The key to success for any firm should begin with senior management taking the lead in embracing the importance and value of risk data management within each institution. Those firms who succeed not only in complying by the deadline, but also improving their strategic aggregation and management of their risk, will be those that:

1. Embrace the strategic opportunity for change and ensure appropriate strategy, commitment and investment
2. Implement a complete system of robust governance, project supervision and reporting
3. Minimise manual workarounds for compliance, thereby reducing their future technical debt, process debt and end-user application policies
4. Establish risk data taxonomies, with consistent documentation of the aggregation process
5. Include all collateral positions and sources in addition to firm exposures
6. Implement robust reconciliation and data quality control processes

We have seen that many firms faced by the huge demands of BCBS239 and other competing regulations rely heavily on manual workarounds and tactical mitigants in order to comply with requirements. Such solutions compromise long-term value and indeed can work counter to the spirit and objectives of BCBS239. Such firms should be identifying how they can make the transition towards implementing more strategic solutions.

Taking and managing risk is at the very core of banking, so it is profoundly appropriate that firms should be able to flexibly and accurately aggregate risk information. Whether they are a G-SIB or a D-SIB, firms should appreciate that BCBS239 is not simply another form of regulation that requires compliance; it is an opportunity to entirely re-evaluate their risk data aggregation, management and reporting, ultimately leading to better governance, better decision-making and improved operational efficiency.

Featured Specialists

Alan Morley, AML & Risk Practice Lead (USA)

As AML and Risk Practice Lead, Alan focuses on how best to change compliance, AML and risk operations through new processes and targeted IT investment. He and his teams are currently guiding new and automated AML risk assessment services and are helping in the early identification of rogue traders for major international banks. With GFT, Alan has been involved in addressing immediate regulatory and compliance challenges focusing on risk assessment, business process, policy and workflow. He has co-designed and developed new global compliance risk assessment frameworks, methodologies and executive reporting systems, supporting more accurate targeting of transaction monitoring systems and the identification of rogue trading and potential market abuse.

John Barclay, Managing Principal, Risk Consulting

John is a Managing Principal in risk consulting, with over 20 years’ experience in the financial sector, delivering solutions in risk management and front office derivatives trading. John has experience with strategic systems, performing risk and P&L for equity swaps, portfolio swaps, and FX hedges for over 800 trading books across four principal legal entities. John previously worked at Goldman Sachs on the specification, development and validation of a jump to default methodology, as well as undertaking similar roles with JP Morgan and Credit Suisse.

Tony Sodhi, Managing Principal, GFT

Tony has 17 years of investment banking experience gained in line, change and programme management roles, running operational and IT teams. He is responsible for a number of ‘in-flight’ regulatory change programmes for a number of banking clients, including BCBS239 compliance initiatives.

About GFT

GFT is one of the world’s leading solutions providers in the finance sector offering consulting, implementation and maintenance for a broad range of IT applications. Combining technological expertise and seamless project management with a deep understanding of the financial industry, GFT is a reliable partner for well-known companies all around the globe.

Headquartered in Germany, GFT has stood for technological expertise, innovative strength and outstanding quality for over 25 years.

› gft.com

This report is supplied in good faith, based on information made available to GFT at the date of submission. It contains confidential information that must not be disclosed to third parties. Please note that GFT does not warrant the correctness or completion of the information contained. The client is solely responsible for the usage of the information and any decisions based upon it.