bcbs 239_leveraging infrastructure_copal amba whitepaper
TRANSCRIPT
BCBS 239Leveraging Infrastructure
White Paper
Ramachandran PRSenior Vice President Risk Management
Ram is Senior Vice President, Risk Management, at Copal Amba. He is responsible for the set-up and growth of the entire Risk vertical. Ram
has around 14 years of experience in expanding client relationships and managing/transitioning processes offshore in the risk and analytics space. He has also led and executed mission-critical projects across areas such as middle-office operations, risk management, market research, and technology research. He holds a Master of Computer Science and a Bachelor of Computer Science from Bharathiar University, India.
Soumyadip ChakrabartyAssociate Vice President Risk Management
Soumyadip is Associate Vice President, Risk Management, at Copal Amba, and has over 5 years of Risk Management and Consulting experience in the
domains of Regulatory Compliance and Market and Credit Risk Management. He has held multiple roles across various projects for US and UK-based banks and major NBFCs. He is a FRM Charterholder and holds a Post Graduate Diploma in Risk Management.
One Executive Summary .............................................................................. 3
Two Why is Risk Data Important? ........................................................... 4
Three Topic Overview & Principles ............................................................ 5
Four Scope & Key Implementation Challenges ................................ 7
Five Impact Assessment ............................................................................... 9
Six Pilot Run ...................................................................................................10
Seven Conclusion ...............................................................................................13
2
Index
Authors
Executive Summary
Periods of financial turmoil have underscored the necessity of timely reporting of risk data across businesses and geographies. The lack of standardized data aggregation and control practices meant that regulators needed to address these blind spots. The response came in the form of BCBS 239, a 28-page rule book from regulators, proposing core standards on aggregation, controls, and reporting practices of risk data.
BCBS 239 emphasizes 14 principles spread across 4 topics. 11 of these 14 are applicable to banks. The Basel Committee, in its post mortem of the crisis, identified missing standards for risk data aggregation and control processes, and highlighted that banks need to invest in creating a bigger, better, and more comprehensive risk data infrastructure. These 11 principles focus on improving banks’ ability to capture granularity in risk data, and then aggregate exposure across counterparties, asset classes, and geographies seamlessly.
The Basel Committee had set an aggressive timeline to comply with these guidelines and decided to track progress on compliance with these guidelines. However, results of various studies on progress against these objectives have been worrying. In the last progress report published by the BCBS, 14 of 30 banks declared themselves “materially non-compliant” and expressed concerns about not being able to comply with at least one of the principles by the January 2016 deadline.
Banks have been faced with the challenges of enriching risk data across asset classes, aggregating this data, and establishing data taxonomy.
We, at Copal Amba, have identified key areas that will be impacted by these 11 principles. Our studies indicate that banks have been spending more in the areas of IT infrastructure and departmental synergy. Furthermore, they would need to re-align their strategic decisions and establish a better infrastructure to include real-time data for front-office and hedging trades in the centralized risk database.
It has become increasingly important for big banks across the globe to be sensitive to the quality of data used in calculating risk metrics. However, without proper data control, the veracity of such metrics is doubtful. BCBS 239 focuses on prodding systemically important banks (SIBs) to set up IT infrastructure, develop control processes, and augment data quality and management.
However, increased costs associated with augmenting IT infrastructure and other requirements urged banks to be prudent in their analysis of where to invest and how much. The objective of writing this paper is to highlight the hurdles faced by banks in complying with BCBS 239 and how outsourcing/engaging third parties can help them rationalize costs and mitigate the risk of overspending, as well as use the regulatory delta as a competitive advantage.
3
Why is Risk Data Important?
From a risk management perspective, a simple data repository is not enough. To successfully react to a change, or to pre-empt an imminent change in scenario, banks need to be agile and make sense of the stored data. Crisp and clean data is of paramount importance for advanced risk management measures, such as stress testing and factor analysis, or even higher order analytics using advanced statistical measures such as logistic regression. Data attributes, such as accuracy and completeness, are also equally important.
The financial crisis accentuated the necessity of clean and accurate data, especially in times of stress. This is especially critical, as demand for clean data and timely reporting of risk metrics is looked at the most in times of crisis. BCBS 239 came as a repercussion of sorts. The Basel Committee, in its post mortem of the crisis, highlighted how the lack of veritable data accentuated the crisis, by leaving banks underprepared.
For most banks, front-office deals and trades were not captured on a real-time basis. Often, there were manual interceptions in data aggregation. Such interceptions limited banks’ capabilities in aggregating data, especially in times of stress. These manual interceptions negatively affected report turnaround times, thereby having a
detrimental effect on the efficacy of risk reports. The Basel Committee particularly focused on this aspect of reporting. The Committee emphasized the regularization of such impacts, and stressed on creating IT infrastructure, and minimizing manual interceptions in risk reporting through its overarching principles. Banks have been directed to invest in creating a risk data management and reporting system. Such systems are expected to enable faster turnarounds, so that risk data can be aggregated and reported in a reasonably quick timeframe, both during normal and stress periods.
The Basel Committee has also instituted control checks, such as ad hoc reports to gauge banks’ level of preparedness and the effectiveness of the system created.
From a regulatory perspective, Basel II and other regulations did require the banks to invest in building a strong IT infrastructure; however, there was no standard set of rules to enforce this. Control and maintenance are highly subjective and, hence, there were was no standard set of minimum requirements for banks. BCBS 239 is designed to ensure that there are adequate standards and controls. Similar to Basel guidelines, the BCBS 239 principles are the minimum standards; local regulators may decide to include a wider range of banks as applicable.
4
Key Takeaways
Regulations and risk reporting have changed drastically following the financial crisis. Regulators’ focus is not only on reporting metrics, but also on improving the granularity of such metrics. Changes in regulatory requirements have initiated a series of investments by banks to build risk data warehouses. However, the process is complicated mostly because of migration issues from legacy systems, as well as the sheer volume of data.
Topic Overview & Principles
1. Overarching governance and infrastructure“A bank is expected to have in place a strong governance framework, risk data architecture and IT infrastructure.”1
» The bank’s board and higher management is responsible for ensuring data quality. The board should be able to establish a framework and be fully aware of any limitations. This framework needs to be consistent across both in-house and outsourced projects.
» Risk data quality should be agnostic across business types and the bank’s group structure.
» The bank should be nimble and able to deliver high - quality reports in times of stress, or even if the report is ad hoc/urgent.
2. Risk data aggregation capabilities“Banks should develop and maintain strong risk data aggregation capabilities to ensure that risk management reports reflect the risks in a reliable way”1
» The bank should consider automating the aggregation process in order to minimize the probability of error by reducing human intervention.
» It should also ensure that such aggregation encompasses all material risk data across the banking group. Data aggregated should be scalable and flexible, thereby providing granularity to the level of business lines, geographies, asset types, etc., and enabling the bank to meet ad hoc reporting requirements.1
» The banks should have agile aggregation capabilities, so risk data can be aggregated in a timely manner for reporting purposes and risk metrics reports produced quickly during times of stress or crisis.
3. Risk reporting practices“Accurate, complete and timely reporting”1
This is the largest bucket, accounting for the most number of principles. However, this does not mean that the Basel Committee places a significant weightage only on this area. Rather, a number of principles in this area underline the multi-dimensional nature of risk reports.
» Risk reports should be complete, comprehensible, and clear to the decision makers, and need to be presented within a specific timeframe to allow the decision makers sufficient time to incorporate the information in their decision-making process.
» To maintain integrity and accuracy of reports, the bank should validate and reconcile risk reports, and should ensure maintenance of well-defined exception reports to explain data errors.
» The banks should establish a minimum level of accuracy and precision in risk reporting standards, which are to be sustained in both normal and stress scenarios.
» Risk reporting should be forward looking and, therefore, be able to identify any potential increase in risk concentrations and patterns with respect to the bank’s risk appetite.
» Reports should have an optimum mix of both quantitative and qualitative information.
1. Abridged version of the guidelines suggested in Basel committee on in the banking supervision publication: see “Principles for effective risk data aggregation and risk reporting” pg 13 – 23.
5
G-SIB additional loss absorbency bucket
Source: FSB, November 2015 paper
6
In the pre-BCBS 239 world, the focus of risk reports was on the output but not necessarily on the process. BCBS 239 underscores this tectonic shift in regulators’ focus, with banks required not only to adhere to the reporting guidelines, but also to maintain a common semantic of data management and control.
In its post-mortem of the financial crisis, BCBS reiterated the importance of having robust data architecture and highlighted how “bank’s information technology (IT) and data infrastructures were inadequate to support the broad management of financial risks.” BCBS hopes to overcome this issue by presenting a common minimum standard through its overarching governance and infrastructure principles.
Key Takeaways
As seen in the FSB report, a large portion of banks have a loss absorbency capacity of a mere 1.0%. Such a situation mandates banks to have better estimates of losses, and for any sophisticated calculation, data is important.
2 Banks
3.5%
2.5%
2.0%
1.5%
1.0%
2 Banks
19 Banks
NULL
3 Banks
We believe BCBS 239, when fully implemented, will be a key measure and enable better decision making; however, there are some key challenges to successful implementation. The mandatory self-assessment results corroborate this fact. BCBS 268, the compiled self-assessment report of the G-SIBs, although a bit dated (released in December 2013) underlines the preparedness and potential risks that banks face in implementing 239 guidelines.
In the report, most of the G-SIBs assigned least preparedness ratings to Principle 2 (IT infrastructure), Principle 3 (Accuracy), and Principle 6 (Adaptability).
Additionally, reviews and studies conducted by Copal Amba have brought out a common theme across the cross-section of the banking community. Although initially, an increase in expenses may be a cause of concern, going forward, stakeholders agree that such investments will help banks take risk-based decisions efficiently.
Indeed, regulators are trying to make risk and accounting data control seamless; implementation of the aggregation principles would result in better synergies with the front-office trades, easy reconciliation across asset classes, and increased visibility of risk exposures and metrics, besides banks being able to achieve better risk underwriting. There are, of course, impediments to this consolidation. We discuss some of the most critical ones below.
Self assessment ratings by principles
Governance/ Infrastructure
Risk data aggregation capabilities
Risk reportingpractices
P1 P2 P3 P4 P5 P6 P7 P8 P9 P10 P11
Fully compliant 0 0 0 0 2 1 0 8 3 2 7
Largely compliant 25 14 18 22 17 15 21 20 26 21 23
Materially non-compliant 5 16 12 8 11 14 9 2 1 7 0
Non-compliant 0 0 0 0 0 0 0 0 0 0 0
Average rating 2.8 2.5 2.6 2.7 2.7 2.6 2.7 3.2 3.1 2.8 3.2
Source: BCBS 268
Scope & Key Implementation Challenges
0
5
10
15
20
25
30
P1
Num
ber
of b
anks
P2 P3 P4 P5 P6 P7 P8 P9 P10 P11
Anonymized TestRun-BCBS 268
Jan 2016Implementation2013 Initiation
7
1. Data structure and volumeThe banks in question here are G-SIBs, so effectively we are looking at huge volumes of data – in different formats, from different sources, stored in myriad legacy systems, across different business lines, and spread across geographies. Add to this multiple data owners and not so well-defined processes, and the variability is overwhelming. To standardize such data points into one common format is a challenging task. For this, banks need to invest heavily in upgrading their IT systems, and may need to facilitate process changes on a case-to-case basis.
2. Absence of data taxonomyTo standardize data across multiple businesses and in multiple formats, the starting point is to have precise data taxonomy and maintain a data dictionary. The dictionary will serve as the common, standardized rulebook for all
businesses and should contain both data attributes and applicability to businesses. Similar to a “word dictionary”, banks would need to set up a risk lexicon. However, compiling this for gazillions of data for SIBs is not only difficult, but also incredibly complicated.
3. Aggregating exposureThis perhaps is the biggest quantitative hurdle for banks. BCBS 239 expects banks to have visibility of risk concentration by country, business line, or even counterparties, and then drill down to trade level granularity. Banks’ exposure to different counterparties – in different countries and time zones – varies. And this is just one piece of the puzzle. Considering that exposure across counterparties is calculated differently, and that often statistical/stochastic values are non-additive across businesses, the complexity in calculating country-level exposure can be appreciated.
8
Impact Assessment
Key Takeaways
There is an implicit reputational cost component associated with non-compliance. For large banks, nothing is more damaging than impaired goodwill and reputation in the market. BCBS 268 came as a moment of truth for banks. Irrespective of weaknesses and caveats, BCBS 268 highlighted the level of preparedness among large banks
9
Impact PointsBCBS Topics
IT Expenditure
Existing Processes
Strategic Impact
Inter Department Synergy
Overarching Principles
Data Aggregation Capabilities
Risk Reporting Capabilities
High Med Low
We, at Copal Amba, conducted a study to understand the impact of these principles across FOUR areas: IT expenditure, existing processes, strategic impact, and inter-department synergies. The main aim of the study was to assess banks’ preparedness in complying with the principles.
The results are in line with our initial expectations. There are increased concerns that the overarching principles will be costly and have significant impacts across the parameters. Banks are most comfortable with the risk reporting capability, which is expected given the expertise these banks have garnered through risk reporting over time.
The challenge is, of course to be compliant with the overarching principles.
Highlights
1. The SIBs rated themselves on a scale of 1 - 4 – 1 being the lowest and 4 being the highest.
2. The national supervisors neither validated the ratings nor scrutinized the rigor applied by banks in assigning the numbers Principles that fared the best among banks included Principle 8 - Comprehensiveness, and Principle 11 - Distribution. If looked at closely, these two principles are the closest to traditional reporting standards. It’s no wonder that banks are more comfortable with these principles.
3. The Principles that banks reported as “materially non-compliant”, i.e. potential red flags, included Principle 2 - Data and IT infrastructure, and Principle 6 - Adaptability. Both these principles are related to aggregation and infrastructure ramp up, two of the biggest challenges.
The Basel Committee decided to publish anonymized results, highlighting SIB preparedness in implementing BCBS 239 by the given deadline. The results were collated and published as BCBS 268.
SIBs - By country
Pilot Run
10
9
5
43
2 2 21 1 1 1 1
USA U
K
Fran
ce
Japa
n
Switz
erla
nd
Spai
n
Ger
man
y
Swed
en
Net
herla
nds
Italy
Chin
a
Belg
ium
11
Data Aggregation Capabilities
1. No data quality and controls
2. Manual interceptions and processes need to be phased out
3. Lack of control process documentation
Governance and Infrastructure
1. Proper documentation framework required
2. Lack of a comprehensive data dictionary
3. Lack of proper role definition of data owners
4. Independent validation of risk data not established
Overarching Weaknesses
1. Lack of granularity - Business units not included
2. Not comprehensive - All risk buckets not considered
3. Uniform report quality not maintained - Quality of reports to middle management not considered
4. Definition of compliance not considered
Snapshot of weaknesses
Key Takeaways
As shown above, these weaknesses are huge challenges in effective risk data reporting. If banks cannot confidently aggregate risk data, then accurately reporting such data becomes a barrier as well. Therefore, banks need to focus on their IT infrastructure and improve risk aggregation processes.
P7Accuracy
P8Comprehensiveness
P9Clearly and Usefulness
P10Frequency
P11Distribution
12
Key Takeaways
The Principles that fared the best were P11, P8, and P9. However, we need to take into consideration the fact that banks did not include granular-level reports and did not account for report quality and usefulness among middle and lower management for this study. On parameters of Adaptability and Data Architecture, the banks fared the poorest. This is a concern. BCBS 239 was formulated to facilitate detailed reporting, especially in times of stress. Without better data infrastructure and adaptability of IT systems, the impact of these reports will be lost.
P1
Governance
P2
Data and IT infrastructure
P3Accuracy and Integrity
P4Completeness
P5Timeliness
P6Adaptability
50%30%
20%
P11
3.23 3.2 3.072.83 2.83 2.73 2.7 2.7 2.6 2.57 2.47
P8 P9 P1 P10 P4 P5 P7 P3 P6 P2
Top 3 Bottom 3
BCBS 239
Aggregation
Compre-hensive
Granular Reporting
Ownership
Control
BCBS facets Weighted score of principles
Source: BCBS 268
Highlights1. Set up data ownership.
2. Automation of aggregation and control technique.
3. Reports need to be granular yet comprehensive.
Timelines1. Initial timeline - January 2016.
2. Of 14 principles, 11 are applicable to banker.
Highlights1. One - third of all G-SIBs
materially non-compliant on at least principle.
2. Data aggregation is a challenge.
3. Increased expenditure on it projects.
Risk
Rep
ortin
g pr
actic
es-I
II
Risk
Dat
a A
ggre
gati
on-I
I
Ove
rarc
hing
Pri
ncip
les-
I
13
We, at Copal Amba, believe BCBS 239 is a regulation that focuses on a number of issues beyond just risk data and its aggregation. Admittedly, the regulation is more focused on technological aspects and beefing up banks’ IT systems to facilitate better reporting. However, the underlying spirit of the regulation is more subtle and strategic. The regulation is more than what meets the eye. Although it appears to focus on data and IT infrastructure, there is a wider strategic angle that may not be evident.
By asking banks to aggregate across the cross-section of businesses, the Basel Committee is focusing more on simplifying and streamlining processes and businesses. Practices such as over-hedging and opportunistic buying across asset classes in search of revenue will now have to be looked through the lenses of risk and compliance.
Banks will be now be nudged toward formulating an integrated strategy for portfolio creation. The erstwhile disconnect between front-office trades, trade booking, and pricing will need to be integrated.
Copal Amba’s studies have identified ramping up (down) facilities (as and when required) as a major challenge. IT infrastructure should be intelligent enough to be able to scale up (down), as per requirements, and the system should be smart enough to understand overlapping areas and recognize deltas.
The challenge for large banks, however, is not just compliance but also maintenance. Banks are better off outsourcing such expensive processes, but again
BCBS 239 is pervasive, which is to say that even third parties or sub-contractors come under the purview of the rule. Hence, a strategy to outsource some of the functions, especially in the domain of data cleansing and validation needs to be looked at differently – banks would have to tie up with firms that fully understand the nature of the regulation and have a strong team of SMEs to deploy.
The challenge for banks is not just to have a better repository of data, but also to develop a better aggregation and reporting technique. Banks are well aware of their position and may need to consider external support to leverage their existing infrastructure.
The answer to this challenge is consolidation, and to achieve effective consolidation, banks need to understand the commonalities in regulations and take a more integrated approach. Copal Amba believes banks (increasingly) need to avoid siloed responses to manage regulatory changes – regulations in today’s world cannot be treated as mutually exclusive. Furthermore, banks need to leverage the overlap in regulations, especially in data quality and reporting guidelines.
The Basel Committee is pushing banks towards a more data-based decision-making process. To create a comprehensive risk management culture and establish ERM, banks need to be more sensitive to risk data and its uses. By making the board responsible, the Basel Committee is improving the visibility of risk as a function, as well as an agenda of board-level deliberation.
Conclusion
The future of decision making is risk-focused analytics and banks need to partner with vendors that can use esoteric mathematical/statistical knowledge to provide easy, interpretable reports. The supposedly paradoxical utility comes from deep subject-matter understanding and, hence, choosing a partner with pedigree can be a competitive advantage for banks.
Our study at Copal Amba suggests that hiring external firms can prove to be cost effective for banks. A close analogy can be cloud computing – in which a firm, instead of investing heavily in resources, decides to buy the service of a hosting company. This is especially beneficial for smaller firms. Although in our study, the banks in question are large and systemically important, the idea to outsource has a solid rationale as the regulatory space has not yet matured – it is a developing area that is going
through various iterations. There are high possibilities of consolidation across regulations, superseding some while making others obsolete. To cite an example, Basel III has a reporting standard that is enriched by BCBS 239, with possibilities of it (BCBS 239) being established as the sole reporting standard.
Banks need to find a balance between overspending and under spending while choosing whether to invest and enhance an in-house facility or outsource and wait for the regulatory landscape to mature. These are important strategic decisions and there is no one correct way. Each bank is different and would have to take decisions based on the level of competence and availability of internal staff, as well as the opportunity costs of building vs. outsourcing.
14
About Copal Amba:
Copal Amba is the leading provider of offshore research and analytics services to global financial and corporate sectors. We have consistently been ranked #1 in our space by multiple independent customer satisfaction surveys. Our clients include leading bulge-bracket financial institutions, Fortune 100 corporations, mid-tier companies, boutique investment banks, and funds.
We support over 140 institutional clients through our team of 2,600+ employees. Our 9 delivery centers are located close to our clients and in proximity to scalable talent pools. Our clients have saved over USD1.9 billion over the past 13 years, by using our services to enhance front-office efficiency.
About Copal Amba's Risk Management Services
Copal Amba's Risk Management Services are uniquely positioned to help financial institutions by providingsupport, guidance, and thought leadership on the rapidly evolving regulatory landscape through unrivaled,seamless and end-to-end solutions.
Our cross-functional teams of domain and technology experts help in the development and support of riskmanagement systems, while our consultants are involved in risk reporting, model development/validation,stress testing, data management, formulation of trading strategies, pricing, and other regulatory tasks.
For more information, please visit http://www.copalamba.com/services/risk-management-services/
© 2016 Copal Amba. All rights reserved.
For more information, email us at
www.copalamba.com