The increasing scrutiny that regulators are placing on BCBS 239 compliance is causing challenges for financial institutions, but with more pressing and threatening regulations, it may play second fiddle for attention, according to Randeep Singh Buttar, Head of Data Change and Strategy (Global Risk and Finance) at HSBC.
BCBS 239 was formed through the Basel Committee on Banking Supervision and went into effect on 1 January 2016. The key purpose of the directive was to ensure banks can show confidence in the risk data aggregation and reporting processes they provide to regulators. Financial institutions need to ensure strong data aggregation governance, timeliness in generating updated risk reports, and clear and concise information delivered through the reports, to name just a few of the principles.
Initially, HSBC’s BCBS 239 commitments were made to their home regulator, the PRA. Over time, other regulators mandated compliance in their jurisdictions sometimes based on the DSIB designation of the local entity. As the directive has aged, extra scrutiny is being applied requiring more resources to maintain compliance – resources which are already being spread across an ever-increasing number of regulations.
Randeep Singh Buttar said, “Over time regulators started to show a desire for more detail and a lot more scrutiny. They wanted us to cover more countries and be able to drill down in our responses to a more granular level of detail. No longer was it okay to just tell them how compliant we are against this regulation. Instead, it became more about demonstrating how compliant you are against any given chapter, this paragraph, and also to break that down for at the group, entity, business line and functional levels. Requests have become more demanding and the need to provide responses became somewhat more logistically challenging, due to the globally dispersed nature of our organisation.”
Going even further, a lot more regulators have begun to ask similar questions but not in a standardised manner. For example, the bank might be asked for compliance updates by the HKMA in Hong Kong, Singapore’s MAS, Mexico’s CNBV, OCC in the US, OSFI in Canada, and ECB in Europe at different points in the year. This poses a problem, as local executives could provide answers based on a partial view of local compliance. Regulators could pick up on the different responses given by the bank for the same question. This is a simple error caused because execs might not have a single source to go to demonstrate compliance.
“We offset that risk, by developing a single RegTech platform in-house. Essentially this allowed us to interpret the regulation, define a series of business rules, and then apply a scoring mechanism to those rules based on evidence requirements that were clearly articulated. As we ran through the program we started picking up our scores, which gave us the opportunity to visualise our results and also publish them out to anyone who wanted to see them, or anyone who had exposure to a regulator. This ensures they had the exact same answer that anyone else would have across the bank,” he said.
Organisations often need time and work to reshuffle infrastructure and hitting them with heavy fines or in-depth compliance reports on day one, or even year one, does not help the market. As BCBS 239 was a principle-based regulation, interpretation was left open which meant banks did not have a harmonised view of compliance, Buttar said.
Regulators now have a clearer understanding of what they need to be checking and want more granularity in terms of knowing how banks are solving these challenges. Buttar believes they mainly desire to understand what banks are doing in context of infrastructure and data quality, front to back. In essence, if a bank is releasing risk metrics publicly, it’s essential to know where the data came from, how it was calculated, how many people did it go through, was it all done manually, and so on.
“The industry needs BCBS 239. It’s about transparency and about making sure that we as an industry are contributing to a safer and more secure financial system. The end result is better internal risk management. If we are addressing the principles of that particular directive adequately enough, then what it means is that we are operating from a much more sound infrastructure basis, and that can only be a good thing for the industry on a whole especially when another crisis appears.”
Resources and priorities within financial institutions are being stretched more than ever and the current number of regulations entering the market is increasing at the same time. GDPR, MiFID II, Basel 3 and FRTB are just some of the other big regulations posed to institutions. One thing which potentially hinders BCBS 239 in getting focus from banks is that there are currently no fines associated with it, Buttar said. However, it’s important to understand that BCBS 239 is a foundation block for other regulations and directives which also rely on showing the quality of data going into and being derived from models. Leveraging this link could help banks to comply to multiple regulations at little extra effort. Buttar went even further to state that BCBS 239 principles can go beyond just risk and finance but used across the entire bank for the purposes of data, as well as, risk management in general.
The role of technology in compliance
Legacy systems can only do so much for data aggregation. BCBS 239 is putting a lot of strain on financial institutions to demonstrate the lineage of data from system to system. One serendipitous result of this is firms can better visualise their system processes and highlight legacy systems or areas which are too bogged down by manual interactions. Once these are identified, the bank can begin to look for something more suited to handle the role.
RegTech solutions are an obvious point-of-call to help banks improve their compliance processes, being purposely designed to fix the bug-bares and can be quickly airdropped in. Buttar said that “From a compliance standpoint, it makes sense to have a centralized RegTech platform that allows you to get a group wide view of your compliance state.” Collating all of this information and building risk scores makes it essential for a ‘single version of truth’ which can then be utilised and adapted for the local nuances.
Copyright © 2018 RegTech Analyst