European Insights: Achieving BCBS 239 Compliance

Banks need to have accurate and timely data to ensure effective risk management. However, ten years on from the release of the Basel Committee on Banking Supervision’s principles for effective risk data aggregation and risk reporting (RDARR), regulators complain the majority of European banks have yet to develop adequate RDARR capabilities.

With the European Central Bank’s (ECB) Banking Supervision having prioritised RDARR vulnerabilities for its 2023-2025 supervisory cycle, European banks will be required to deliver tangible results. Following years of limited strategic attention and uneven implementation, European banks will need to revisit their approach to compliance, particularly as the ECB aims for remediation over a reasonably short time frame.

RDARR Ramp-up

European banks must make substantial progress in achieving BCBS 239 compliance. Banks can expect to see targeted reviews, on-site inspections and horizontal benchmarking along with intensified escalation and enforcement of previously identified infringement by the regulator, according to the ECB’s latest BCBS 239 publication – Guide on Effective Risk Data Aggregation and Risk Reporting (Guide).

However, rather than reforming RDARR requirements, the Guide summarises and restates the ECB’s expectations. The Guide provides condensed but clearly defined prerequisites that can be used by banks for comparison and self- ssessment, ultimately assisting in translating a principle-based standard into distinct requirements. These are broken down across seven priority areas.

* ECB has marked these for enhanced review

Monocle recommends establishing a structured implementation programme that sets achievable corrective measures aimed at targeting identified deficiencies through effective governance and oversight. Monocle’s proven BCBS 239 track record in designing, initiating, and managing RDARR engagements has enabled us to assist various banking clients across the globe through all the key elements of their compliance journey.

Banks will need to assess their RDARR capabilities against the expectations of the Guide as well as previous supervisory
findings as part of a thorough gap assessment. They will also need to develop a comprehensive understanding of shortfalls and deficiencies to be addressed ‘within a reasonably short time frame’.

Monocle recommends establishing a structured implementation programme that sets achievable corrective measures aimed at targeting identified deficiencies through effective governance and oversight. Monocle’s proven BCBS 239 track record in designing, initiating, and managing RDARR engagements has enabled us to assist various banking clients across the globe through all the key elements of their compliance journey.

Seven key areas of concern
 

Initially banks will need to understand each of the ECB’s key areas of concern and assess these areas against their existing progress and capabilities:

• 1. Responsibilities of the management body

Internal governance and control mechanisms are critical to ensuring RDARR implementation and continued compliance. The ECB specifically provides requirements regarding management oversight, roles and responsibilities, as well as requirements on appropriate training, knowledge and implementation experience.

Insufficient strategic attention and direction at the executive and senior management level remains a serious concern for the ECB and has been highlighted as one of the key reasons for the poor state of RDARR compliance in Europe. It is imperative that members of senior management are deeply involved and, in certain cases, re-engaged with their bank’s RDARR progress. The Guide explicitly calls for management bodies to establish the bank’s view of what constitutes adherence to the BCBS 239 principles. This is a fundamental first step towards implementation and approval of the bank’s RDARR framework – responsibilities that also lie with senior management.

• 2. Sufficient scope of application

Banks should not underestimate the scope of RDARR. The Guide calls for a clearly defined and documented data governance framework that covers applicable reports, models, risk data and indicators across the entire data lifecycle.

However, with the scope of the framework set to include material internal risk reports and models, supervisory reports such as the FINREP and COREP templates, as well as the atypical inclusion of quarterly and annual financial reports, banks may be overwhelmed by the sheer volume of reports, metrics and downstream data.

To limit scope to a feasible level, senior management must review and set out what constitutes the bank’s main material risk metrics through a formal scoping exercise and consider the principle of risk-based proportionality across its legal entities to construct a scope that is practical and appropriate.

• 3. Effective data governance framework

Data governance entails a comprehensive approach utilising three lines of defence: data owners (stewards) as the
first line (manage risk); a validation function (oversight) as the second; and internal audit function (independent
review) as the third. Finally, the Guide highlights the need for a centralised data governance function that is
responsible for developing, issuing and overseeing policies and procedures, including those linked to data quality
and the data governance framework.

With data owners responsible for the essential task of ensuring accuracy, integrity, completeness and timelines of their data, poor enforcement and adoption of BCBS 239 roles has led to ineffective change. RDARR responsibilities should be prioritised and incorporated as part of data owners’ performance reviews to drive embedment and ensure data quality monitoring and remediation is actioned effectively.

• 4. Integrated data architecture

The Guide highlights consistent and comprehensive data taxonomies as a critical element of integrated data architecture and IT Infrastructure. These data taxonomies (per risk type or legal entity) must include uniform data definitions, up-to-date and end-to-end data lineage, and validation rules, as well as support the ownership of data.

For large institutions, the use of a data management tool is essential for monitoring and maintaining RDARR compliance. Banks must first assess whether their existing toolsets can adequately record data management requirements (i.e., data lineage process flows, ownership structures, automated governance, metadata management and data quality management). The benefits of automated data governance and data management system integration (including automated scanning of technical and business metadata, as well as automated data quality) should be strongly considered as a mechanism to fast track the implementation of RDARR requirements.

• 5. Group-wide data quality management and standards

Another area marked for enhanced review by the ECB is that of data quality management. Banks are expected to have group-wide policies and procedures that apply across end-to-end data flows related to material risk indicators and related model development data. This includes the implementation of data quality checks and periodic reconciliations, systemic data quality monitoring and incident management, a robust data quality issues and limitations register, full integration of end-user computing (EUCs), management of any manual workarounds, as well as consideration of data quality risks to ICAAP and ILAAP assessments.

Data quality, particularly for front-office data capture, and manual workarounds are ideal opportunities for robotic process automation (RPA). For many banking functions, including financial control and front-office administration, up to a third of tasks are easily automated through low-code/no-code application development, optical character recognition (OCR) technology and a variety of other RPA technology. With the ECB’s enhanced focus, banks should pursue automation as part of a strategic and structured response to data quality issues and manual workarounds rather than relying on imperfect tactical fixes. The balance between automated and manual processes should be monitored carefully, and the justification to keep manual processes should be documented.

• 6. Timeliness of internal risk reporting

Banks must concentrate on both the frequency of their risk reporting and the time required to produce these reports. This is particularly pertinent during stress periods where banks must be capable of completing ad hoc data requests with sufficient granularity at both an entity and group level – regardless of a bank’s IT infrastructure. Shortly after the March Banking Turmoil in 2023, rapid liquidity risk insights became a necessity to ensure that banks were able to weather further liquidity shocks following the collapse of Silicon Valley Bank in the US as a result of an unprecedented bank run.

Banks must also be prepared to conduct supervisory “fire drill” exercises. Thorough preparation of fire drills, through internal simulations, can set teams up for an easier fire drill process. Compiling fire drill playbooks, which can be used to set out the actions required during a fire drill, clearly lists roles and responsibilities and stores pre-prepared artefacts for the independent validation of the fire drill process.

• 7. Effective implementation programmes

Identified deficiencies and shortcomings should be addressed through an implementation programme that outlines ambitious but feasible outcomes. As highlighted in the Guide, programmes will require effective project management governance as well as adequate subject matter expertise – something that the ECB has found to be missing previously. Implementation plans will need to clearly define targets, milestones, roles, responsibilities and if necessary temporary measures to address weaknesses that require longer timeframes to remediate.

Due to the scope of RDARR compliance, it is vital that the programme has significant reach, visibility and receives the required priority across the various functions impacted by RDARR. Banks should aim to include RDARR as a standing agenda item across applicable committee meetings (including senior management and executive committee meetings – see key concern 1) with representation from the centralised data governance function.

Monocle's BCBS 239 expertise and prior engagements

BCBS 239 implementation has been a significant facet of Monocle’s consulting expertise since the principles were published in 2013. At Monocle, we understand that effective risk data aggregation and risk reporting provides tangible benefits to the efficiency of the various risk functions encountered by our banking clients and that it is vital for management to make informed and timely strategic and operational decisions.

Our prior engagements cover the entire BCBS 239 journey including governance, controls, data management, risk aggregation, risk reporting as well as IT and data architecture. Furthermore, Monocle undertakes a variety of roles including those of project management, business, and technical analysis as well as facilitation with regulators.

• Implementation of effective data governance through the delivery of critical data artefacts, as part of a data steward role, across in-scope liquidity, interest rate, credit, and operational risk metrics.

• Analysis of cloud migration including the delivery of effective data governance embedment at a challenger bank through the delivery of critical data artefacts, as part of a data steward role, across in-scope liquidity, interest rate, credit, insurance, and operational risk metrics.

• Deployment of extensive compliance planning, execution and programme management across all applicable principles of BCBS 239, including enterprise risk reporting, technology, model, funding and liquidity, credit, and market risk metrics.

• Introduction of BCBS 239 compliance into a brand-new challenger bank through the establishment and embedment of absent data management capabilities and data governance framework requirements related to RDARR compliance.

• Enhancement of the reliability of regulatory reporting through the implementation and end-to-end embedment of a trade level balance sheet reconciliation across the full suite of regulatory reporting.

• Implementation of an automated BCBS 239 data quality tool for treasury risk metrics to assist in data quality monitoring and remediation.