Our team at RiskMinds Live uncover the burden of a principles-based regulation, BCBS-239, with Krishnan Ranganathan ahead of this year’s RiskMinds Asia conference in Hong Kong this October…
What is BCBS-239?
During the financial crisis, banks were unable to understand quickly and accurately their overall exposures and other risk metrics having a bearing on their key risk decisions. In January 2013, BCBS-239 was introduced as a principles-based regulation to address this issue and improve the risk management and decision making process prevalent in banks. This aims to improve how each bank defines, gathers and processes risk data and measures performance against risk tolerances.
The regulation prescribes 14 principles-two on over-arching governance and infrastructure, four on risk data aggregation capabilities and five on risk reporting practices. The balance three are on account of supervisory review tools and co-operation. The compliance date for G-SIBs is 1 January, 2016.
While each will be different, how will regulators assess compliance on the whole? What may be the varying regulatory approaches towards assessment?
As recommended by Principle-12, the FSB and BCBS have urged supervisors to play a more active role in enforcement of the principles.
Some National Competent Authorities (NCAs) have hinted that reliance on Internal Audit may assume significance while assessing the Bank’s compliance. Some regulators have taken a general “hands-on” approach to BCBS-239 compliance asking for regular follow-up meetings with Banks leading up to both ‘material’ compliance and full compliance. Some supervisors have adopted a more “hands-off” approach as they hope to rely on the Stress Testing returns process to review banks’ risk data aggregation and reporting capabilities. Some are taking recourse to self-assessment surveys, including interviews with senior management (typically Board level) and Internal Auditors. There are also indications that key regulatory reporting data might be used to evaluate compliance.
How are banks tackling remediation?
Banks are adopting multiple approaches to define the scope of their remediation programs. Many are going for a focused set of risk reports, data and metrics agreed upon with their regulators. These focus on the key metrics used by senior management for the bank’s material risk decisions, popularly called KSMMs or “Key Senior Management Metrics”.
Most banks are adopting federated models for both architecture and governance where a central BCBS 239 Data Management Office (DMO) steers dedicated work streams or projects. In terms of data architecture, many banks are opting for “golden sources” to capture data in tandem with common standards.
What challenges will arise in demonstrating compliance? And what may their solutions be?
BCBS-239 Principles demand that Firms are able to provide the information that Senior Management needs, accurately, comprehensively and in a timely manner- both in normal times as well as during a stress situation, which was clearly not the case during the financial crisis. However, the principles focusing on quality (“completeness,” “timeliness,” “adaptability” and “accuracy”) can be open to interpretation (being subjective) with different meanings, and potentially different metrics, when applied to different risk types (credit, market or liquidity).
As an example, the existing report delivery mechanism at various Banks is cumbersome for the Board to effectively use key Management Information for decision making. Some of the banks are producing Senior Reporting dashboards (consolidating existing daily, weekly, monthly Risk and Finance data communicated via email to the Board), thus creating a ‘standard practice’ to help address 5 of the 11 Principles covering Reporting practices, more specifically clarity and usefulness, frequency and distribution.
Because BCBS-239 is principles-based with no clear compliance criteria, the industry is tending towards a view based on ‘capabilities’, i.e. in order to measure the degree of ‘material’, compliance, banks are identifying and agreeing the capabilities that must be demonstrated to the supervisors along with their associated level of maturity.
Disclaimer
“The response provided to these interview questions (‘response’) are based on my personal views as the proposed speaker in the RiskMinds Asia Conference and do not reflect any views or advice of Nomura Services India Private Limited or its affiliates (“Nomura”). This response should not be construed as being that of Nomura and Nomura will not be responsible or liable for any views expressed or advise provided herein.”
Comments