BCBS239: the behemoth lumbers on
With less than 12 months to go before the official January 2016 deadline, the Basel Committee on Banking Supervision’s latest report reveals that banks are struggling to comply with the Principles of BCBS239.
The report published in January 2015 represents the capabilities and progress of the 31 Global Systemically Important Banks (G-SIBs), in their quest to meet the full set of requirements by the 1st January 2016 deadline. This is the second BCBS239 report to be published and comes a year after the first was released in December 2013.
What is clear from the latest report is that while much has been achieved, there remains a great deal yet to be accomplished. One of the most noteworthy results from the 2014 questionnaire was that 14 banks indicated that they would be unable to comply with at least one of the 11 Principles by the deadline, whereas in 2013 only 10 banks believed that this would be the case.
This cannot be seen as a surprise as it is clear from the report that while much has been achieved, there is still a great deal to be accomplished. Overall there have been minor improvements in average ratings but many banks continue to encounter difficulties in establishing strong data aggregation, governance, architecture and processes; often relying on manual workarounds which indicates a tactical rather than strategic approach is being taken.
In comparison to the 2013 results, we’ve seen downgrades in the areas of governance, infrastructure and risk data aggregation capabilities. This should raise alarm bells for the regulator in its attempts to encourage full compliance from banks.
The regulator has made a number of recommendations including: the ‘need to fully engage senior management and the board of directors, to have supervisors monitor more carefully the progress on IT architecture projects, the need to minimise use of manual systems, and the importance of quality controls. This is now a major issue for senior management and boards of the G-SIBs. In the report, it was indicated that improvements to board-level reporting are a necessary action. For some banks, the current limitations of risk reporting have yet to be communicated to the board.
No carrots but what about sticks?
The regulators and supervisory authorities have a variety of tools to encourage and enforce compliance, ranging from information-gathering powers, to the enforcement of penalties and capital add-ons if their regulated banks fail to comply with the Principles. However, as the progress report points out, there is no uniform strategy among authorities for applying any specific tool or approach.
The report recommends that supervisory authorities should ensure that senior management and boards of directors of each G-SIB are directly involved in assessing progress in implementation, as well as in identifying and enabling timely resolution of any obstacles to full implementation by 2016.
Compliance to BCBS239 has now been extended further to include Domestic Systemically Important Banks (D-SIBs). The report also advises that supervisory authorities who have not yet engaged with their D-SIBs should enter into initial discussions to assess how each firm will implement the Principles within the three-year time frame after they are designated as a D-SIB.
In attempting to comply with the Principles of BCBS239, the D-SIBs have the advantage of being able to learn from the experiences of their G-SIB counterparts. Being smaller in size, compliance should present fewer challenges for the D-SIBs and they should be able to efficiently adopt ‘best practice’ strategies already used successfully by many of the G-SIBs.
The legacy of debt
This year’s report underscores (as did the December 2013 report), the reliance many firms have on manual work-arounds. Furthermore, the report recommends that regulators should have detailed discussions about the tactical mitigations and the longer term strategic solutions banks intend to implement.
This is a key point, since manual work-arounds and tactical mitigations are typically major constraints on the flexibility, adaptability and operational robustness of any solution. Although manual work-arounds and tactical fixes are sometimes difficult to avoid whist working to tight deadlines, firms must realise that the technical and process debt introduced often carries a heavy long-term penalty; in fact, an exorbitant rate of interest.
The progress report also stresses the need of the G-SIBs to take action in terms of “simplifying current IT architecture and data flows across department and legal entities to streamline the aggregation process and to enable quick aggregation of risk data during times of stress”.
As with any debt that accumulates over time with a crippling rate of interest, technical and process debt can reach catastrophic proportions as complexity increases unabated and the technical or process stability and maintainability become critically impaired.
This weight of this debt can only be sustained for so long – eventually something will give way. Firms can avoid this moment by fully understanding and monitoring the amount of technical and process debt they are creating, ensuring that senior management have full visibility of the BCBS239 programme, with adequate budgeting, tracking and sign-off incorporated into the plan.
One approach would be to include implementation debt assessment and remediation strategies into regular technical and business audits. This is a logical extension of what many internal audit departments (and external auditors) already do. Furthermore, audit points tend to have established processes for budgeting, tracking and sign-off which could be incorporated into the senior management visibility of BCBS239 programmes.
The need for a Lingua Franca
A further theme emphasised in the January report is the need for consistent taxonomies, in particular tasking G-SIBs with “ensuring that consistent risk labelling and calculation standards, integrated data taxonomies and dictionaries exist at the group level, and throughout the organisation”.
The need to establish consistent, global standards is a significant challenge, especially where the number of disparate data sources and systems is significant, as is the case in the majority of G-SIBs. What is needed is a ‘Lingua Franca’ of sorts: a consistent set of standards and conventions for the calculation, representation, tagging and control of aggregation of financial and risk information.
Lumbering towards the line
Although it may appear that time is running out for the G-SIBs to meet the January 2016 deadline, there is still sufficient time for initiatives to be implemented that will achieve greater compliance. With a regulation as far reaching as BCBS239, adopting a more strategic rather than a tactical approach will give banks a greater opportunity to meet all 11 Principles.
Senior management and the board of directors must become more engaged with the requirements of BCBS239. This means reviewing the management and governance structures currently in place and building closer relationships between heads of compliance and risk in order to improve the quality of risk reporting. If this can be achieved, then the G-SIBs may be able to tackle the behemoth of BCBS239 as it lumbers towards the 2016 deadline with a growing level of confidence.