October 2024
Banking is fundamentally an information business. One lesson regulators drew from the global financial crisis was that many banks lacked adequate systems to assemble and aggregate data on their exposures and risks. So in January 2013 the Basel Committee articulated its Principles for effective risk data aggregation and risk reporting (RDARR), known as the BCBS 239 principles.
Yet as KPMG professionals wrote last year, more than ten years after the adoption of BCBS 239, few banks have fully complied. The ECB has led the charge among global supervisors to require banks to do better.
Final Guide
The ECB’s latest step is the finalisation in May of its new Guide on effective RDARR, following a consultation last year. The new Guide sets out the ECB’s expectations for how banks should implement the BCBS 239 principles. As in last year’s consultation draft, it requires banks to establish rigorous frameworks for data governance and data lineage, to ensure the quality and integrity of risk data. Banks should also have effective systems for timely regular risk reporting to top management and the capability to generate ad hoc reports at speed when required.
The final version of the Guide also goes further than the consultation draft in some key respects. It broadens the range of data subject to the BCBS 239 standard to include regulatory, supervisory and financial reporting such as COREP, FINREP and stress test returns. It requires banks to nominate 1 or 2 members of their management board as personally responsible for bringing their risk data systems up to scratch. Also, for the first time it explicitly discusses supervisory enforcement measures in case of non-compliance. These could include not only ‘traditional’ sanctions such as capital add-ons but also financial penalties and reassessments of the fitness and propriety of a bank’s management body or its members.
Penalty box
The emphasis on enforcement reflects frustration within the ECB at the slow pace of BCBS 239 implementation to date. In public statements ECB leaders have repeatedly hinted that this could be the next area for the imposition of periodic penalty payments (PPPs, daily fines for as long as a bank remains noncompliant), hitherto only deployed in the field of climate and environmental risk.
For example, in her very first speech as Supervisory Board Chair, Claudia Buch described up-to-date information systems as ‘indispensable’ and said the ECB would be ‘strengthening our efforts to ensure that long-standing shortcomings are remediated.’ Further, in a July interview, Supervisory Board member Elizabeth McCaul highlighted risk data aggregation as a potential candidate for PPPs.
Aside from enforcement, we have seen the ECB’s campaign of on-site inspections on risk data aggregation and risk reporting continue. These inspections have typically been highly complex and challenging affairs, lasting up to 3 months, involving as many as 15 inspectors and often featuring risk data ‘fire drills’ in which banks are required to produce large quantities of data at short notice with little warning.
Driven by data
The ECB has long been known as a data-hungry supervisor, whose approach has been characterised by a high volume of extensive and detailed data requests. This has been motivated not only by an interest in the content of the data requested, but also by a concern to test the quality of banks’ internal information systems. For it is a core ECB belief that strong management information is an essential marker of a well-run bank. So banks should expect no let-up in ECB focus on this issue and should continue to upgrade their data capabilities in response.
Investing in internal data systems, however, is not just a matter of compliance. As business becomes increasingly data driven, and advances in data analytics allow for ever more sophisticated insights into customer behaviour and needs, the value of good data will only increase.
A better understanding of customers, markets and business is a competitive advantage that banks should invest in and embrace.