ECB throws down the gauntlet on BCBS 239

April 2023

In his speech at the 22nd Handelsblatt Annual Conference on Banking Supervision on 28 March 2023, Andrea Enria, Chair of the Supervisory Board of the European Central Bank (ECB) discussed “A new stage” for European banking. Before concluding his speech, Enria referenced the ECB’s intention to “escalate our interventions in other areas where we see persistent sluggishness in the response from banks, using the whole range of enforcement and sanctioning measures at our disposal” – and the topic he focused on was BCBS 239, stating that “despite the intensity of supervisory pressure in recent years and the large number of findings that have been identified” banks are still not complying with BCBS 239 principles, and that banks “with adequate risk data aggregation and reporting capabilities are still the exception”.

Pressure has been mounting on European banks since Deficiencies in risk data aggregation and reporting (RDARR) was announced as a priority by the ECB for 2023-2025, and this latest statement is the ECB throwing down the gauntlet at banks – non-compliance is no longer an option.

This is particularly evident in the ECB’s latest activities – following the publication of the priorities in December 2022, there has been a sharp increase in the number of on-site inspections focussing on RDARR. But what are the key areas of focus for such on-sites, and how can banks start preparing for them? What is certainly clear from our discussions with banks across Europe is that these on-sites are particularly intrusive and will require extensive attention from banks to get themselves prepared.

As data is present and critical to all aspect of banks, potential focus areas of ECB on-sites can be vast, depending on the specific shortcomings of the bank. What is common to most is the intensity of the on-site and the scrutiny of the inspectors. Examples of focus areas include:

• Governance: Sufficient involvement from the Management Board, not only as part of ‘business as usual’ but also in the adequate and proper definition of requirements around RDARR; involvement of key internal functions as well as adequacy and presence of an independent validation unit within data processes.
• Definition of data: Types of data and risk reports subject to BCBS 239 principles (e.g., credit risk-related data, all risk data, FINREP (Financial Reporting)). We note on-sites in which the ECB focuses heavily on what data the bank defines as being subject to BCBS 239 principles.
• Data lineage: Level of process automation and coverage of the entire data flow (e.g., to consolidate data from different business units / subsidiaries) as well as accuracy and granularity of data.
• Data management and data quality: Data quality processes and controls (e.g., quality of the controls in place). Furthermore, we have seen supervisory teams with strong modelling backgrounds challenge the accuracy of data and controls, not just the governance.

In addition, banks should expect specific fire-drills to test ad-hoc capabilities, and often this is given at short notice (around three to four days). Even during the on-site, banks should be on their toes and ready to adapt to rapidly changing circumstances.

With all of this in mind, there are several things banks can do to get prepared. We have outlined a few key tasks below:

• Preparatory activities and prioritisation: Given the high volume of workshops / requests, banks should start early to plan workshops to prepare staff for discussions with supervisors, and have prioritization mechanisms in place for multiple queries in parallel.
• Re-review definitions: Given the high focus on the “definition of data”, banks should look to re-review internal policies for the definition of data subject to BCBS 239 principles to be ready to discuss. Recent discussions with banks show variation, whereby the data included in the bank internal risk report typically does involve certain finance data.
• Prepare for fire-drills: Banks could consider performing fire-drills to compile and submit selected indicators on short notice, e.g., on liquidity data, including with appropriate validation to be ready for similar requests during an on-site.
  

It has been a long journey since the Basel Committee published their Principles for effective risk data aggregation and risk reporting back in January 2013. Ten years later, most banks are still not compliant. The gauntlet has been thrown down by the ECB – it is now up to banks to rapidly prepare themselves for an increase in scrutiny and to effectively manage their final steps towards compliance.