Frustrated authorities resort to BCBS 239 ‘fire drills’

ECB and Finma lob impromptu data requests at banks, as BCBS 239 quietly permeates everyday supervision

BCBS data check

  • Fed up with the tempered pace of BCBS 239 adoption, the European Central Bank and the Swiss Financial Market Supervisory Authority have taken to conducting ‘fire drills’ to check banks’ ability to quickly assemble their risk data.
  • In both Europe and the US, BCBS 239 has been tucked into regulatory supervision.
  • First conceived as a standard for internal reporting, BCBS 239 is now being expected in regulatory reporting, with some banks fined for lapses.
  • Banks are struggling with expectations that can vary from one jurisdiction to the next, as well as keeping up with what they consider a moving target.

Exasperated by the patchy uptake of the BCBS 239 principles on risk data, regulators in Europe have been conducting ‘fire drills’ to test compliance, while authorities both in Europe and the US have been quietly knitting them into expected regulatory performance.

Both the European Central Bank and the Swiss Financial Market Supervisory Authority (Finma) have been carrying out fire drills for some time, making surprise requests for risk data to see how quickly banks are able pull it together. A crucial goal of BCBS 239 is that banks should be able to size up their exposure under duress.

The head of market risk at a large European bank got a surprise visit from the ECB last year.

“They sent us a lot of data requests under BCBS 239 in the middle of the summer – when they know no-one is there – just to challenge our expertise and our faculty to extract data,” he says. “They have a long-term plan to keep on challenging us.”

The fire drills reflect regulators’ determination to avoid a repeat of the financial crisis, when spotty data contributed to the conflagration. The drills are also an acknowledgment by regulators that they need to be more pre-emptive and go beyond regulatory requirements.

“It’s a reflection of the rapidly changing world we’re now operating in,” says Rick Hawkins, chief data officer for global risk and global finance at HSBC in London. “They’ve always asked for data. What’s different now is the scale and scope on both sides. Banks are holding an increasing amount of data far beyond the specific metrics and measures that are detailed in regulations. Regulators want more granular information to help comprehend local and market behaviour.”

More generally, though, BCBS 239 has been seamlessly woven into ordinary regulation. For instance, the Federal Reserve seems to have embedded it in its Comprehensive Capital Analysis and Review (CCAR) – without ever mentioning it. Elsewhere, the Financial Conduct Authority fined UBS £28 million last year for violations that read like a laundry list of BCBS 239 infractions, also without naming the standard.

It’s not as if regulators haven’t been patient. The Basel Committee on Banking Supervision first published its 239 standard on data stewardship in 2013. It put the industry on notice that the standard would become fully effective three years later, in 2016. A three-year grace period ended a year ago.

Regulators have also been using BCBS 239 as a basis for assessing a bank’s regulatory reporting, and have occasionally fined them for lapses. “I am aware of some clients who have had consequences that were directly related to examinations on BCBS 239,” says David Yakowitz, managing director at PwC in Singapore, without naming the regulators or banks.

Regulators want more granular information to help comprehend local and market behaviour
Rick Hawkins, HSBC

Complying with BCBS 239 is a big lift. Risk data needs to be reconciled with accounting data, and banks are expected to build a single authoritative source for risk data. Risk managers must have access to that data in order to aggregate, validate and reconcile it. A data dictionary, or a master data file, is necessary to ensure data is defined consistently.

“Twenty years ago, it was easy,” says an operational risk executive at a UK bank. “Regulators wanted a report of transactions, and you could send a raw file or an Excel spreadsheet.

“Today, BCBS 239 asks whether you have the ability to aggregate in order to do something more sensible with the data,” he continues. “Most of the time, the answer is no.”

An ECB spokesman confirmed the bank was “currently monitoring and assessing the actual implementation of the remediation plans delivered by the banks” for BCBS 239 within the framework of its regular supervisory activities.

“For a while now, the ECB has gone to using all available information for implicit checks on BCBS 239,” says Asin Tavakoli, a consultant at McKinsey & Company’s Düsseldorf office. “They are expecting BCBS 239 compliance implicitly; whether you had 23 risk metrics in scope between 2014 and 2016 is secondary today. They expect more foundational capabilities in the risk and financial space.”

Raising the bar

US and European regulators have taken very different approaches to BCBS 239. The ECB has been more proactive in monitoring BCBS 239, due mostly to the larger number of G-Sibs relative to the US; the Fed, in contrast, can leverage the qualitative part of CCAR to spot data lapses.

“The US regulators are focused on CCAR, which is far more prescriptive, rather than a more generalist approach,” says Hawkins. “What we have seen is the Fed taking more of an interest in BCBS 239, but it’s not been as hands-on.”

Summarising the Fed’s position, Yakowitz comments: “They do detailed examinations and if any of these banks have control gaps or data management gaps, they already know about it through CCAR. They don’t need BCBS as an additional tool.”

The Fed did not provide a comment when contacted.

Although the BCBS 239 principles were originally directed at a bank’s internal reporting, regulators seem to be using them to judge the quality of regulatory reporting. Authorities, particularly in the UK, are citing faulty data controls and governance as a basis for assessing penalties for this type of lapse.

What we have seen is the Fed taking more of an interest in BCBS 239, but it’s not been as hands-on
Rick Hawkins, HSBC

“Whenever there are missing trades or timeline gaps due to batch latency or overnight processing catch-up, FCA [Financial Conduct Authority] and other regulators are claiming that the banks don’t really know how their internal risk and reporting pipelines really work and should have done by now given the age of the regulation,” says Rupert Brown, founder and chief technology officer of Evidology Systems, a regulation-compliance software company in London.

“In the worst cases, a Section 166 has been applied for a ‘drains up’ inspection,” he adds. Section 166 of the Financial Services and Markets Act gives the FCA the right to request information for regulatory purposes.

The Prudential Regulation Authority, it is understood, expects banks to apply the principles when observing statutory reporting requirements.

“Some regulators have said they think it’s a best practice for banks to adopt the BCBS approach in regulatory reporting,” says Yakowitz.

While the watchdog hasn’t published any explicit expectations for compliance, the PRA has made its thoughts pretty plain, notes his colleague Tom Fish, director, financial services risk and regulation at PwC.

“On a number of occasions – in public conferences and in bilateral meetings with UK banks – they have stated that they would view inaccurate or late regulatory returns as evidence of non-compliance with BCBS 239.” Many UK banks have viewed this as a back test on compliance, he says. “Furthermore, the Dear CEO letter that the PRA sent to banks in October on the reliability of regulatory returns stated the expectation of complete, accurate and timely returns – also repeating the BCBS principles but without direct reference.”

Also in the UK, last March the FCA explained its £28 million fine of UBS by saying the bank’s weak reporting systems had resulted in 31.5 million inaccurate transaction reports – though it never explicitly referred to BCBS 239.

The FCA review found that “UBS’s framework did not adequately test and reconcile the completeness and accuracy of all transaction reporting data” between 2007 and 2015. It continued, “This weakness contributed to a number of transaction reporting errors not being identified for significant periods of time. For example, UBS submitted 31,496,430 inaccurate transaction reports to the Authority, which incorrectly reported the time the transaction was booked, rather than when it was executed, or reported the time to the minute rather than to the second.”

Principles that vary by locale

In the US, it appears the banks may have actually made progress on BCBS 239, given the glare of CCAR, one observer says.

“The qualitative assessment of CCAR leveraged BCBS 239 compliance as exam questions; very few banks have been called out on the qualitative side in the last two years,” notes Nilotpal Roy, managing director, risk and finance data transformation at KPMG in Atlanta. “They put in the foundation in 2016 and have started to build on that foundation.”

The 239 standard consists of 14 principles grouped into three categories: governance and infrastructure, risk-data aggregation and risk reporting. Risk-data aggregation refers to the way banks collect and process data, a quality filter crucial in measuring risk.

But the principles are interpreted differently at the various regulators, leaving banks chafing at having to sometimes meet disparate requirements.

“What good looks like for a single bank in a jurisdiction is not the same as for a globally significant institution,” says Hawkins.

Roy agrees that BCBS 239 causes confusion across jurisdictions. “Regulatory changes at the local jurisdiction need to be reviewed with the BCBS 239 lens to ensure alignment and compliance,” he says.

The G-Sifis [global systemically important financial institutions] are getting beaten up over the fact we’re not fully compliant, yet the bar is continuously rising
Rick Hawkins, HSBC

While large banks do claim real progress on BCBS 239, some say Basel’s 1-to-4 self-rating scale is unfair when each regulator has its own idea of what compliance means.

“As a global bank and a G-Sib operating in 60 countries, reporting on a 1-to-4 basis is inadequate. If any one entity is not fully compliant, I can’t say we’re fully compliant,” says Hawkins. The banks to a large degree have to interpret the principles themselves. “What may be adequate for a single bank becomes more nuanced for a G-Sib that has a complicated network of banks and branches,” he adds.

To arrive at one’s grade, regulators issue questionnaires as guides, and the questionnaires might also vary from one regulator to the next. Although very few banks see themselves as fully compliant, others have made substantial progress in becoming largely compliant. (No bank ever saw itself as non-compliant.)

BCBS 239 has also brought about an intimacy with regulators that most bankers would just as soon avoid. Authorities are demanding greater insight into who has control over data as it moves from source to production, and how it’s being recorded. The mere possibility of spot inspections has raised compliance anxiety.

“The G-Sifis [global systemically important financial institutions] are getting beaten up over the fact we’re not fully compliant, yet the bar is continuously rising,” says Hawkins at HSBC.

And perhaps trying to anticipate the next step makes more sense than gunning for a top score.

“Many banks are moving into a state of perpetual compliance,” says McKinsey’s Tavakoli. “Most would always aim to be between 3 and 4 realising, however, that the underlying definition for the scale would be constantly shifting upwards – as intended by BCBS 239 in the first place.”

At its heart, BCBS 239 aims to ensure banks can assess their exposure on the fly during a crisis. In its June 2018 progress report, the Bank for International Settlements noted that based on fire drills, many banks were deficient in this regard.

“Some of the banks had used their quarterly report to represent key risk information. The BIS said, ‘We’re not worried about your quarterly report. We’re much more interested in what you do when Lehman Brothers goes bankrupt’,” says Yakowitz.

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here