Domestic systemically important banks have less than a year to comply with the principles of Regulation 39 of the Regulations relating to Banks. (BCBS 239)
The Principles aim to strengthen bank’s risk management practices by improving their risk data aggregation and reporting.
At the time of writing, global systemically important banks should have already complied.
A large portion of Basel III is dedicated to definitions and to traceability.
Basel III seeks to solve the problem of the definition of capital, given that, in the past financial institutions have formulated their own definitions of capital that have some times fallen short of what was intended by regulators.
Basel III on capital: “Finally, to improve market discipline, the transparency of the capital base will be improved, with all elements of capital required to be disclosed along with a detailed reconciliation to the reported accounts.” BIS
This is not a minor problem.
The complexity of modern capital management environments cannot be underestimated.
1. Data used to calculate key risk metrics may be need to be consolidated from hundreds (or even thousands) of business systems. Larger banks are having to define and govern over 50 000 unique data assets – business terms, calculations, report definitions, reference data sets, data sharing agreements and many more.
The only way to get this right is to engage and share responsibility for data governance across the group.Each stakeholder must be engaged to ensure that their knowledge is correctly documented and approved – with each completing a small piece of the overall puzzle. Banks that assume this problem can be solved by a small metadata management team are likely to miss the January 2017 deadlines.
2. Even within a single organisation different business units (wholesale versus retail for example) and regions may have differing interpretation of terms and calculations, or require differing levels of compliance. Some regions may be, for example, comply with Basel II while other regions may need to move to the more stringent Basel III regulations.
Risk teams must support a federated approach that governs and integrates these many requirements to provide a view across the banking group. Consideration must be given to how different interpretations will be amalgamated, which version of each term is relevant to each area, and how to explain changes that impact reporting to the central authorities
3. Banks must build an adequate data environment for Basel III. Basel III requires a much more granular use of data to calculate risk. This means that banks can no longer rely on aggregated data fed into spreadsheets – but must build and maintain complex risk data warehouses. This is turn requires a full understanding of the elementary data that will have to be obtained from many sources system – and that may, in turn, make use of a variety of existing ETL tools and processes.
Example of Scope and Complexity of Reporting Expected by Basel III: “ Indeed,
one of the most procyclical dynamics has been the failure of risk management
and capital frameworks to capture key exposures – such as complex trading
activities, resecuritisations and exposures to off-balance sheet vehicles – in advance
of the crisis.” BIS
To meet this need banks must manage concepts from both a business and a data-centric level. Business traceability ensures that auditors can easily understand where data was sourced, how it was calculated and what changes have been made, irrespective of the underlying technical complexities or tools used. Business traceability also tracks relationships between data elements and calculations so that the impact of changes can be clearly understood across processes, reports and calculations
Good technical lineage is a necessity to meet the January 2017 BCBS239 deadline. It does not however fulfill the need of business users to trace and link their data assets through their non-technical world.
Business traceability extends data lineage to give the different business contexts necessary for compliance.
The right solution will cherry pick technical assets and allow different lines of business to add and link business terms, processes, policies and any other data concept modeled by the organization. Enabling customizable views that combine both business and technical information is critical to understanding and reporting on critical risk data and to using it effectively.
4. Basel III extends the reporting requirements for banks. Advanced Disclosure Requirements: “…banks which disclose ratios involving components of regulatory capital (e.g. “EquityTier 1”, “Core Tier 1” or “Tangible Common Equity” ratios) must accompany such disclosures with a comprehensive explanation of how these ratios are calculated.” BIS
Banks must ensure that they can not only report on terms but that they can report on the process of how the terms were defined and approved, and by whom. Risk subject matter experts must be engaged in curating and defining terms to ensure that a correct understanding of the actual risk calculations is defined and reported on.
5. Basel III puts a higher premium on data quality that previous regulations. Data Quality Specification: “Banks applying the internal model method must have a collateral management unit … This unit must control the integrity of the data used to make margin calls, and ensure that it is consistent and reconciled regularly with all relevant sources of data within the bank” BIS
Once again, banks that depend on IT staff for their data quality reporting may struggle to meet tight deadlines, and may introduce errors that may cause audit findings against the BCBS239 reports.
6. Basel II requires ongoing audits and reports on the entire data management process
“Data Management Assurance: It is important that supervisory authorities are able to assure themselves that banks using models have counterparty credit risk management systems that are conceptually sound and implemented with integrity. The bank must carry out an initial validation and an on-going periodic review of its IMM model and the risk measures generated by it. The validation and review must be independent of the model developers.
A review of the overall risk management process should take place at regular intervals (ideally no less than once a year) and should specifically address, at a minimum: (A) the integrity of the management information system; (B) the accuracy and completeness of CCR data; (C) the accurate reflection of legal terms in collateral and netting agreements; into exposure measurements; the verification of the consistency, timeliness and reliability of data sources used to run internal models, including the independence of such data sources;” BIS
Obviously, concepts, terms, and definitions will be an important component of such regulatory assurance. The real challenge, however, is to deliver the integrated reporting and audit trails that are required in order to meet these needs.
Banks that attempt to cobble together a variety of technically oriented tools to meet this need will struggle to meet the January 2017 deadlines.
Instead, banks should consider an integrated data governance platform that provides off the shelf support for each of these key areas and provides the management reporting and audit trails to satisfy both internal and external audit requirements.
Contact us for a discussion around your BCBS239 progress