With many banks continuing to struggle to meet the BCBS 239 deadline, we shine a light on some of the remaining questions around implementation. In a forum convened by Risk and sponsored by IntraLinks, our panel discusses achieving significant business value, how far global financial institutions have moved with the risk data aggregation and reporting mandate, how banks can accelerate their compliance, its value to the business and when banks will see return on this investment.
- Guillaume Figer, deputy head, global risk measurement, Societe Generale
- Mark Kalen, global product strategy and marketing, IntraLinks
- Gordon Liu, executive vice-president, US head of global risk analytics, HSBC
The Basel Committee on Banking Supervision’s risk data aggregation and risk reporting regulation (BCBS 239) consists of 14 principles covering governance and infrastructure, risk data, aggregation capabilities, risk reporting, supervisory review and co-operation. Banks that are investing the time and effort in conforming, long ago decided the project could be used to support their own business and risk management needs. This forum examines where the benefits are and whether they are materialising yet.
Risk: How close are you to getting lasting value, rather than just conformance, out of BCBS 239?
Guillaume Figer, Societe Generale: I am in charge of modelling and what could be called the key BCBS 239 user. My role is to get value from the data by extracting the knowledge from the data, which means providing the bank with better models or analysis. Regarding the value, I think we are already achieving it around the principles of accountability, governance and the automation of data processes. Some things affecting value, such as homogeneity of data or better definition, are direct and short term. Some are more long term – when you have a model built and you need to recalculate data, or when you need the time to allow your IT architecture to evolve. In those cases, it takes more time to achieve value.
Any compliance project that will be targeted on value and will always keep in mind the BCBS 239 principles will, depending on the differences, capture better and better value.
Gordon Liu, HSBC: From HSBC’s point of view – particularly from the US – I think that we have gained a great deal of value already, even after only a few years. BCBS 239 was one of the major drivers in our setting up a chief data officer (CDO) function.
In the US, there is also this matter of compliance with the Comprehensive Capital Analysis and Review (CCAR) requirements. From my own invested role in modelling, we do end-to-end data management. We are not just developing the model – you need to see the model and the data, then view the model and input this type of data as well as the governance, documentation, testing, implementation and validation altogether. So the major part is the data.
I am sure many companies will have seen already that, if the data is not good or the input data is not good, the model is going to fail. Keep the model design for the banks as a whole, especially the end-to-end data management; we are seeing many benefits from taking this route.
The other part is the policy setting – everything as a principle, which is based on BCBS 239 – so a major part of our model risk governance and development policies include how to manage new data and ensure it is complete, accurate and adaptable. That is the principal setting from BCBS 239 as well as from the CCAR initiative in the US.
We still need to set out a real measurable and/or targeted objective from this principle basis. We still have a long way to go.
Risk: Are most banks still primarily focused on conformance or has the conversation turned now to the wider potential benefits?
Mark Kalen, IntraLinks: Unfortunately, I would have to say we are still on the path to conformance. When this regulation came out, the Basel Committee regulators were publishing a self-assessed annual progress report. In 2013, 37% of the respondents in that report said they felt they would be materially non-compliant by the effective date.
The expectation was that the percentage would decrease. However, in the 2014 progress report, 47% reported that they expected to be materially non-compliant – and then the progress reports stopped reporting percentages. The way we interpret this is that it was a much larger and more complex process than people initially understood it to be. The greatest areas of expected non-compliance and, perhaps, realistic non-compliance are around overarching governance and infrastructure. These two of the 11 principles that banks have to comply with, of 14 in total, are really the underpinnings of the remaining principles.
If you do not have the governance and infrastructure in place, it will be very difficult to say you are fully compliant with the remaining principles. I think we are still in that phase of conformance for the global systemically important banks. The domestic systemically important banks, which are also expected to comply with these standards, are probably even less far along.
Risk: What are the key obstacles to taking the next step, deriving value from BCBS 239?
Guillaume Figer: When you have IT infrastructure and large global exposure, the evolution and automation of the processes take time, and you cannot always accelerate. We realised that one obstacle is needing different people to communicate; IT people and business-oriented people speak a different language.
BCBS 239, with its clear principles, was a way for us to remove the obstacle and establish a common language around data, so that everyone aligns. It takes time to change the culture – the obstacles are not only IT but also the people who need to understand what the data is used for and how the principles impact the business if they are not complied with. And the users need to understand where the data comes from, so they can express their needs in terms of BCBS 239 principles.
So data or IT infrastructure are issues, but it is also a matter of people solving issues together using the same language. BCBS 239 could help because the principles are clear and can be understood by everyone, and allow better communication.
Gordon Liu: I agree with Guillaume – it is also a culture issue. Fundamentally, we are in the business of data. It doesn’t matter if you are a bank teller, a credit officer, a relationship manager or risk manager – all are contributing to data accuracy. And that data can go into the bank’s assets or, sometimes, it can be a burden for the bank itself. For ourselves, dealing with the modelling side, we are only part of it; in a sense there is only certain data we use, and there are only certain models to be deployed in certain systems. While the IT system is a big obstacle, there are huge investments in it. We try to do the big data architecture, everything fuller, but we also have small nodes. So perhaps the limitations of our architecture and the culture are the biggest obstacles for the banking industry.
Risk: While people are trying to get fundamental architecture and infrastructure points in line, does that necessarily mean you cannot make progress in other areas? Do you have to do it sequentially or can you work on these in parallel?
Mark Kalen: There are certainly multiple workstreams in the organisations I am working with. It is a lot about what I call ‘operationalising compliance’. There are three critical components to data from an operational perspective: it must be accurate, complete and timely. This infrastructure is about achieving those objectives around your data and then being able to report it in a way that makes sense. Some big banks are operating in 50, 60 or 70 different countries, and consist of dozens, if not hundreds, of different business units. All this information has to be collected, co-ordinated, consolidated and reported. That whole operational process must contend with geographical boundaries, business unit silos and systems that do not talk to each other. Much of the data is coming out of dozens and possibly hundreds of disparate systems – how do you collect it, aggregate it and then massage it into some meaningful insights?
Everyone is trying to achieve this objective and these are some of the big operational challenges that firms are struggling with. But, yes, they can do it in multiple streams simultaneously.
Risk: Are you getting a clear line from supervisors and regulators on when you are in conformance and what conformance is?
Guillaume Figer: As a modeller, I am not in charge of the programme or assessment of the compliance because, in the BCBS 239 text, specific independent units should assess the compliance. However, BCBS 239 is a principles-based text, with not all 14 principles targeted at the banks – three are targeted at supervisors on how they supervise risk data and aggregation.
My personal feeling is that compliance with the BCBS 239 principles will be an
ongoing process between the supervisor and the bank. Both parties will learn and make continuous improvements because you will always have new data, new products, new activities or even new risks that may arise. For example, it is difficult to foresee what the next crisis may be – it is often unexpected – so we may have the same difficulty with the underlying data. It is difficult to know whether the IT infrastructure data you are collecting is useful.
I think that, as our knowledge improves, the benchmarking between the banks will be performed by the supervisory exercise and we will have a clearer view as we advance on what is not acceptable, what is sub-standard and what the best practices are. I think this is why we are participating in this forum – to set a clearer line on those topics.
Risk: Are you seeing an ongoing process of dialogue and change at HSBC? Is that how the relationship with the supervisors is working?
Gordon Liu: The US did not really issue supervisory guidance with BCBS 239; US regulators have different requirements on CCAR, but this is a similar process, with additional concrete requirements. We seek constant guidance here and from the UK, but from a different perspective.
To be very clear, BCBS 239 is principles-based so it is very difficult. It is a principle, so you need to determine whether you have accuracy, and how accurate it is. How high is your risk appetite? From the risk perspective, are you getting enough data? It is very difficult to measure, but this is the only way I see to compliance.
At each review point, supervisors give you the guidance and the principle. They ask the bank to think: do you have a good know-your-customer process? Are you complete? Are you accurate? Do you have what is needed in terms of frequency and complication? For the banks with the correct culture there is not really a different view on that. If you are the data user, everything should be the right way but it is hard. For many data fields, there is not much to be gained and many infrastructures are not supporting options. For some data, they are not asking for a mandatory field but, if you want it to be mandatory instead of optional, you will be asking your representatives, correspondent banks and other customers that you want them all to be mandatory – and that is a very difficult thing to do.
Even though the principle is clear, the measure is not. You do not have the metrics to measure the effectiveness of this compliance. Because of that difficulty, the banks have to think very hard to define your risk appetite. What is your compliance? What does your risk manager want it to be? Not only for compliance, but for the banking side of the business as well. I think it is a two-way street and we are getting better – the bank is doing more and is quite compliant, even more than it needs to be.
Risk: What is the progress of the roll-out to BCBS 239 to other subsidiaries globally? Have you faced any issues with your roll-out?
Gordon Liu: We set our minimum standards, including the data completing, which are not exactly the same as being in compliance with BCBS 239. Certainly, we tick their requirement and translate it into the minimal requirement globally. So there will not be a roll-out for HSBC globally. We still have some way to go to get full compliance awards – the higher requirements – but we try to reach the minimum set of standards to be compliant as common ground. Therefore, in some jurisdictions you will have higher standards.
Risk: Have you seen opportunities or been able to capitalise on the work done so far? Are you seeing clients beginning to take advantage of the groundwork they are laying?
Mark Kalen: Our customers are starting to have a better overall risk profile of their organisation and are thinking about it. One of the underlying reasons for this regulation was that, during the global financial crisis, regulators wanted a better understanding of banks’ risk profiles, but did not have the data. Many people think this prolonged and aggravated the crisis.
The real underpinning of this is having a better risk profile, should the regulators need to come in, and the thought that the executive leadership team of these banks should have been monitoring and asking questions already about that information – this was, I think, eye opening. Some of the more beneficial aspects of this are an improved risk profile and an understanding of their organisation to help make decisions. In Europe, the Middle East and Africa (Emea) we are seeing the concept of ring-fencing – that is, understanding which of your lines of business are particularly risky and setting them up as their own legal entities so, if something goes wrong, it does not drag the entire bank down. A better risk profile helps you understand which entities and areas you want to ring-fence.
A similar approach, ‘de-risking’, is being engaged in North America. Banks are trying to better understand their risk profile so that they can figure out whether there are certain products or certain markets they do not want to serve, simply because the risk profile is too high. Some of the side benefits, apart from resolution planning and that sort of activity, are that the banks are starting to leverage this information. A broader overall understanding of the risk profile allows banks to make better and more informed decisions on how to manage that risk, whether through the use of ring-fencing or other types of tactics, such as de-risking.
Guillaume Figer: Regarding global implementation and the relationship between the subsidiary and head office: typically, there was not a clear accountability of the data centre or use of the data. A subsidiary would send risk data that would not comply exactly with the global definition of the data and would also lack accountability – on the data itself and on the use of the data.
What we have seen in terms of clear improvement and clear value in this area is a greater accountability of subsidiaries in the data that they send and the value that the data brings. We are certifying not only that the data is proper, but that it is proper for the use we make of it at head office.
Gordon Liu: We see a lot of benefits already coming in, such as aggregation of data, which has to be based accurately on details and uses a bottom-up approach. One example is on loss-given-default calculation. One default could be recovering over many years after default and could be slowed down based on your location, jurisdiction or your legal expenses. The final results also depend on your effective discount rate, which can be your cost of capital or return on equity. Now we have this aggregation, we need a breakdown for all the different cashflows to be as detailed as possible. For every cashflow, we want to know: what is the value? Where does it come from? Which category? What is the cost of obtaining that data yourself? What is the discount rate during that time period?
Risk: It sounds as if, to conform with BCBS 239, you are doing what you would probably want to be doing anyway. Are regulators pushing you in the direction that you want to go?
Guillaume Figer: Yes. BCBS 239 was created for a purpose and the purpose set by the supervisor is exactly the one that we would have had anyway due to the big data evolution – accuracy and completeness. Now we have a common language that we can speak within the bank and with the supervisor about how we can improve. We can show internally and externally how we improve through the principles and key compliance indicators. We have built a common language around whether we are complying, and how far we are complying with the principles set out. It is not exactly a measurement, but an indication of where we stand, which before BCBS 239 would not have existed.
Risk: Can you give some more insight into how accountability now works in practice. The problem in the past was with different business units or subsidiaries submitting their risk data, which was not conforming with the approved head-office definition. How have you resolved that?
Guillaume Figer: When you take simple data like loan-to-value, does the value in one country mean the same as the value in another country? Are the guarantee and recovery mechanism the same? At some point there is an underlying complexity, there is a simplification when you aggregate, for example, ratings – with the same rating, you can group very different sectors in very different countries.
You need to understand that there is an underlying complexity and, second, that the risk aggregation process is a complex topic due to, for example, different jurisdictions. The existence of CDOs – a new role or one very much pushed forward – has evolved greatly, and not only in the banking industry. It is a kind of trend due to big data, is that now we have really people, CDOs that are in charge of the data from some business lines. We also have data owners – people in charge of ensuring all this complexity is understood by someone and that the problems can be resolved in a timely manner.
Risk: As an industry, are banks reaping the benefits they may have hoped for at this stage?
Mark Kalen: Overall, I do not think we are there yet because the infrastructure is not as far along as most people would like it to be. I think it is going to be a while before it is.
An interesting topic that I am hearing about more and more frequently is individual accountability – that is, people being accountable for the data provided in a regulatory sense. There could be a concern if, for example, you have a business unit at which the risk data looks like it is low risk but it is earning 20%, 30% or 40% profit margins. You have to question the legitimacy of that data. Why are they reaping such a high rate of return with such a low risk profile? And hold those who are reporting that risk data accountable for what they are reporting.
During the financial crisis, multi-billion dollar fines and penalties have been handed out like candy. There is outcry among the public and the regulators that not enough individuals are being named when these fines are incurred. So, in Emea, they have the senior manager and certification regime and new requirements for executive roles and responsibilities to be defined and sign-offs on various regulatory and financial data.
In the US, the Department of Justice issued the Yates memo of Individual accountability for corporate wrongdoing, which states that firms cannot expect co-operation credit unless they name specific individuals involved in misconduct. That is worth noting as you start looking at this data that is coming into your organisation. If it does not pass the reasonableness test, you need to dig deeper and ensure sources are adequate and appropriate.
As far as conformance goes, I think some of the challenges arise in places where there are capital and liquidity requirements, and the data collected in those areas is largely providing something of a framework that allows the BCBS 239 to leverage. Clearly, it is not to the degree the regulators are going to sign off on for quite a while, and I think even they are not going to be truly sure of what they are looking for when they begin reviewing these programmes. They are going to need to establish a baseline, and I think their criteria will be: is this going to help us if we had to come into a resolution-type situation, take control of the bank and help to unwind it or help it to overcome solvency issues or financial stability issues?
That is going to be the litmus test. Once again, it will be based on the ability of the firm to demonstrate that they concurrently gather complete, accurate or timely data, or they have a road map to show how they will get there. Part of the challenge is being able to adopt best practice across your organisation, business units, geographical boundaries and silos. How do you collect the information being gathered? What is the review? What is the approval process? If the data does not reap those three standards of timeliness, accuracy and completeness, then who is really accountable? If the data does not meet those standards, the risk profile could be significantly impaired and business decisions could damage the bank.
Risk: For a banker seeking a good source for an implementation playbook, other than hiring expensive consultants, do you have any tips?
Guillaume Figer: On all those topics there is no ‘magical’ solution. I think in each organisation, even in global organisations, every entity has a different history. However, there is a kind of technological background that enables more things, for example, a lower cost of data and better data lineage techniques. I would say that the implementation playbook would be a mix of knowing the history – the strengths and weaknesses – and assessing how new technology can help in solving the issues faced.
However, even with the help of technology, there is an inherent complexity in the world that we cannot avoid. At some point we need to tackle those issues one by one and not try to solve everything as if by magic.
Risk: How great a priority are banks making BCBS 239 for 2017? Does it have the budget it requires, given the competing priorities?
Gordon Liu: It’s a very high priority. There are increasing daily issues with BCBS 239 or its equivalent, which are a catalyst to ensure the bank is actually accelerating and making it a higher priority. That higher priority does not mean it is competing with the CCAR or the Fundamental review of the trading book (FRTB), because it is a critical part of these programmes. Without good data quality or all the principles that have been implemented, you are not going to have a very good programme for CCAR or FRTB either.
So this has become a critical part of our top-priority programmes, in terms of the benefits and the resourcing it requires. Previously, there were no CDO positions but now they exist across different organisations. In addition, the CDOs – or other lines of business that are doing the data quality – now come with authority. Without authority you cannot be held accountable. I think this is something that has been planted into all the different programmes.
Risk: Looking ahead to, say, 2020, how much better will the industry be doing the things regulators want them to? What new capabilities would have been unlocked along the way? Is there a bright future coming out of all of this work?
Mark Kalen: Absolutely. Firms we work with have gone on hiring binges since the financial crisis due to all these fines and penalties, hiring 3,000 or 5,000 compliance professionals in a single year. The pace of regulatory change since the financial crisis is starting to subside. So those resources can be redeployed to other initiatives with a lower priority, which is perhaps part of the reason BCBS is not as far along as we’d like it to be. I think the future is bright for those reasons.
Guillaume Figer: Yes, the future is bright. What I see is that it takes a long time for organisations to digest those principles. Now we are more in a phase of changing the bank, whereas later the principle will be self-evident, and so obstacles around the bank will be handled more as a normal process.
Data is fundamental for a bank or for all the industries that are non-material. So I see many initiatives and improvements around BCBS 239, but more in the realm of the bank’s activities.
Gordon Liu: I agree the future is very bright and BCBS 239 will not be a topic then – our issues will be in a different form. Data affects everything, and will change the banks’ many activities. Technology will change how we store and value the data. At the same time, all the different requirements, including the cost itself, has to be part of the plan.
However things change, the dynamic will not change. Banks will be setting up data centres to ensure they are validating, retrieving or using that data uniformly across the organisation on a global basis. On that point, it certainly will not be changed compared with today. It will all be in different systems, where hopefully the same data source and the same data centre are being gathered, the standard is being applied and consistency is carried across everything.
At the same time, I am sure there will be new issues arising. We are probably going to begin – or perhaps have already started – using big data platforms. The technology platform is evolving so fast that today is good – but maybe in a few years we will have found that the platform has to be changed dramatically or drastically, and we will have to redo our technology and begin rethinking for that strategy. But I think it will be a much better world in terms of technology and data compliance, with everything together and integrated.
The panellists were speaking in a personal capacity. The views expressed by the panel do not necessarily reflect or represent the views of their respective institutions.
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Printing this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email [email protected]
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Copying this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email [email protected]