Wall Street & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Compliance

04:00 PM
Jennifer Costley, Ph.D
50%
50%

8 Things You Probably Don�t Know About BCBS 239

The Basel Committee on Banking Supervision's rules for risk reporting are extensive and apply to more financial firms than just the global, systemically important banks.

Living in Manhattan means coping with the increasing complexity of traffic rules on what were, only a few years ago, relatively simple avenues. I happen to live on Second Avenue, which first endured the removal of parking in favor of bus-only lanes, then about six months ago the addition of bike lanes, new parking zones, and turn-only lanes. While the goals may be admirable, the visible result has been a noticeable increase in honking horns, traffic jams, and pedestrian vs. biker confrontations.

I haven’t looked at the section of NYC code that resulted in this mess. But I did review in some detail the document known as “BCBS 239” – the Basel Committee on Banking Supervision “Principles for effective risk data aggregation and risk reporting.”

BCBS 239 is a direct result of the work undertaken by the Basel Committee and the Financial Stability Board (FSB) to provide guidance to enhance banks’ ability to identify and manage bank-wide risks. In particular, FSB recommended that they, in collaboration with standards setters, develop a “set of supervisory expectations” that would guide risk data aggregation and reporting for systemically important financial institutions.

The goals are admirable, but as you might imagine the devil is in the details -- and because most folks assume that BCBS 239 pertains only to the short list of global, systemically important banks (G-SIBs) and only to credit and counterparty risk aggregation, they may be missing a few of the more pertinent details of the document:

  1. It doesn’t just apply to G-SIBs. “It is strongly suggested that national supervisors also apply these Principles to banks identified as D-SIBs.” (domestic, systemically important banks)
  2. It doesn’t just apply to market, credit, and counterparty risk. “These Principles also apply to all key internal risk management models, including… advanced measurement approaches for operational risk.”
  3. You can’t just wait until the deadline. “G-SIBs subject to the 2016 timeline are expected to start making progress towards effectively implementing the Principles from early 2013.”
  4. It isn’t just limited to internal processes… “All the Principles included in this paper are also applicable to processes that have been outsourced to third parties.”
  5. …or internal systems. The governance framework “should include agreed service-level standards for both outsourced and in-house risk data-related processes.”
  6. It considers data confidentiality, integrity and availability (not just aggregation and reporting) as part of the risk management framework.
  7. You can’t rely on your IT audit function to validate compliance. “Independent validation… should be conducted using staff with specific IT data and reporting expertise…"
  8. The Bank’s IT strategy should address any shortcomings against the Principles, and initiatives should be supported through “the allocation of appropriate levels of financial and human resources.”

The slow progress of many of the regulators in identifying D-SIBs has meant in practice that BCBS 239 is currently applicable to only the 30 identified G-SIBs.  But within the G-SIBs, there are likely many IT leaders who are unaware of the scope of BCBS 239 and who, when assessing the broad scope of the guidelines, may not concur with the self-reported progress of their institutions so far.

Source: BCBS “Progress in adopting the principles for effective risk data aggregation and reporting,” December 2013.

Jennifer L. Costley, Ph.D. is a scientifically-trained technologist with broad multidisciplinary experience in enterprise architecture, software development, line management and infrastructure operations, primarily (although not exclusively) in capital markets. She is also a ... View Full Bio
More Commentary
A Wild Ride Comes to an End
Covering the financial services technology space for the past 15 years has been a thrilling ride with many ups as downs.
The End of an Era: Farewell to an Icon
After more than two decades of writing for Wall Street & Technology, I am leaving the media brand. It's time to reflect on our mutual history and the road ahead.
Beyond Bitcoin: Why Counterparty Has Won Support From Overstock's Chairman
The combined excitement over the currency and the Blockchain has kept the market capitalization above $4 billion for more than a year. This has attracted both imitators and innovators.
Asset Managers Set Sights on Defragmenting Back-Office Data
Defragmenting back-office data and technology will be a top focus for asset managers in 2015.
4 Mobile Security Predictions for 2015
As we look ahead, mobility is the perfect breeding ground for attacks in 2015.
More
Register for Wall Street & Technology Newsletters
Video
All Videos
Slideshows
Stressed Out by Compliance, Reputational Damage & Fines?
Stressed Out by Compliance, Reputational Damage & Fines?
Financial services executives are living in a "regulatory pressure cooker." Here's how executives are preparing for the new compliance requirements.
More Slideshows