BCBS 239: An unfashionable regulation

04 November 2015

BCBS 239 is an unfashionable regulation. There are no calculation changes. No (clear) impact to capital charges. No specified new reports, no defined penalties for failing to comply and, frankly, not a lot of clarity about what compliance actually looks like.

REGULATORY ENVIRONMENT

Basel II. Volcker. Dodd-Frank. Basel III. MiFID II. FRTB. We know these names, acronyms and neat, prime numbers. The regulations of the past decade have had a vast impact on the scale of middle and back offices and on the sheer volume of the technological machine that drives the capital markets.

BCBS 239 (officially, 'Principles for effective risk data aggregation and risk reporting') is an unfashionable regulation by comparison. There are no calculation changes. No (clear) impact to capital charges. No specified new reports, no defined penalties for failing to comply and, frankly, not a lot of clarity about what compliance actually looks like.

It's a regulation that can slip down the priority list and is perhaps best passed on to IT. ('Hey, it's data and process, right? Must be IT… There's probably some new technology that will solve this. What about Big Data, isn’t this the same? Do we have Hadoop?').

COMPLIANCE GAP

It's not surprising that recent surveys have shown a substantial gap between expectation of compliance and reality of implementation. It is now a widely accepted fact that while the vast majority of G-SIBs expect to be compliant by January 2016, most don't expect to have completed their programmes on time.

Regulators will expect to draw on reviews conducted by external auditors – so these independent reviews will bring stark relief. As we approach crunch time, the divergence between expectation and reality is going to become more obvious and more uncomfortable.

ADAPTABILITY IS THE LITMUS TEST

Adaptability has a symbiotic relationship with all of the other BCBS 239 principles. We must embrace change through the entire lifecycle of our risk data aggregation and risk reporting – not (particularly) because the regulators say so, but because change is our reality now. Whether it’s new correlations, new concentration risk, unexpected events or major new calculations – such as the shift to Expected Shortfall from VaR – an end is not even vaguely in sight.

Riskcare’s approach is to test all the principles by changing requirements to see how a system responds. These changes fulfil both explicitly required capability (as the regulation states: ‘A bank’s risk data aggregation capabilities should be flexible and adaptable to meet ad hoc data requests, as needed, and to assess emerging risks’) and implicit capability (and again: ‘The group structure should not hinder risk data aggregation capabilities at a consolidated level or at any relevant level within the organisation… In particular, risk data aggregation capabilities should be independent from the choices a bank makes regarding its legal organisation and geographical presence.’)

A STRUCTURED APPROACH TO MEASUREMENT

Underneath it all, BCBS 239 is very simple. It requires answers to the following:

'Do you have all the data you need to manage your risk?'

'Yes? Are you really sure about that?'

'Can you prove it?'

The regulation provides a structure of 11 principles by which you should be able to measure and prove the quality of both your risk data and your processes to aggregate and report that data.

None of these principles are rocket science. They're best practice approaches to data management of any volume. The scariness comes when we start to assess just how far away from them we can be. Every corner that has been cut over the past 20 years has taken us further from these practices – and in some cases we didn’t just cut the corner….

The more we adhere to these principles, the easier – and crucially, faster and most cost effectively – it will be to comply to shinier, fashionable regulations such as FRTB.