Gaps in meeting BCBS risk data aggregation and reporting principles

The Basel Committee on Banking Supervision published its latest progress report on banks’ implementation of the Principles for effective risk data aggregation and risk reporting (BCBS 239).

Key highlights

  • Progress is lagging.The BCBS noted that the complexity and interdependence of IT improvement projects has challenged banks’ compliance with the Principles and progress since last year is marginal; compliance was required January 2016 and nearly half of the covered banks are not expected to comply by year-end 2018.
  • Banks are facing several challenges. Banks continue to experience difficulties in implementing the Principles across an entire banking group as well as in managing interdependencies between risk data aggregation and risk reporting and other bank-wide strategic projects.

The Basel Committee on Banking Supervision (BCBS) published its latest progress report on banks’ implementation of the Principles for effective risk data aggregation and risk reporting, commonly referred to as BCBS 239. The Principles were published in January 2013 in response to the global financial crisis. They were designed to strengthen risk data aggregation and risk reporting practices at global systemically important banks (G-SIBs, or banks) with the goal of improving the banks’ risk management practices, decision-making processes, and resolvability. At that time, thirty institutions across 12 jurisdictions were designated as G-SIBs; they were expected to adopt the Principles by January 2016. The current June 2018 report finds that only three of the thirty G-SIBs achieved full compliance by year-end 2017 and most others made limited progress toward implementation during that year. These findings follow the BCBS’s March 2017 report, which found an “unsatisfactory” degree of implementation during 2016.

Implementation efforts and challenges

The BCBS reports that only one G-SIB met the 2016 compliance deadline and that most banks are struggling with timelines that will reach beyond 2018. Three main reasons for the extended compliance timelines are identified in the report:

  • Dynamic nature of compliance: As an ongoing process, banks must reassess their compliance whenever there are key changes in business models, risk profiles, or strategic initiatives that are likely to bring new implementation challenges.
  • Required efforts underestimated: Some banks underestimated the efforts needed to fulfill the Principles, such as updating legacy IT systems, and some have not shown the commitment needed to meet project deadlines.
  • Higher supervisory expectations: In some cases, supervisors have asked banks to extend the coverage of their implementation of the Principles after the initial scope was deemed to be unsatisfactory.

The BCBS also attributes the extended compliance timeline to banks’ failure to comply with Principles 1 and 2 (covering governance, data architecture, and IT infrastructure), which BCBS considers preconditions for complying with the remaining Principles.

  • Principle 1: At some banks, the risk data aggregation and risk reporting frameworks had not been appropriately approved by the board and senior management as required, senior management had not been sufficiently informed of limitations in the bank’s risk data aggregation and risk reporting capabilities, or there were challenges in sustainable data governance and management.
  • Principle 2: Some banks are still upgrading the data architecture for the banking group or material subsidiaries, and some banks have an overreliance on manual processes causing them to struggle to meet the data and IT infrastructure demands of their daily business operations.

The BCBS states that although banks now have in place implementation roadmaps assessed by their supervisors, they continue to experience difficulties in implementing the Principles across an entire banking group, as the international scale of G-SIBs’ operations creates challenges in consistency. Banks have also had difficulties in managing the interdependencies between risk data aggregation and risk reporting and other bank-wide strategic projects, as the interdependencies between these projects may complicate their implementation of the Principles.

Some supervisors have reportedly told G-SIBs that their compliance with the Principles will be factored into an overall supervisory review, which could potentially lead to a higher Pillar II capital add-on. In the U.S., the Principles are generally reflected in, and evaluated as part of, the Federal Reserve Board’s Comprehensive Capital Analysis and Review (CCAR) and the Office of the Comptroller of the Currency’s Heightened Standards.

Key recommendations

The BCBS has outlined three new recommendations but notes that the recommendations in its previous progress reports continue to be relevant as the identified challenges persist.

  • Banks should continue to implement the Principles in line with their roadmaps and consider how implementation would benefit other initiatives: Further delays should be avoided. The board and senior management should be strongly committed and ensure that the bank has a well-established group risk data governance framework, dedicated oversight from board and senior management, strategic solutions for data architecture and IT infrastructure, clear ownership of data for functional levels, and an internal validation unit to ensure proper implementation.
  • Supervisors should maintain supervisory intensity to ensure banks’ implementation of the Principles: Supervisors are encouraged to meet with the banks’ board of directors and/or senior management in 2018, and regularly thereafter. Supervisors should consider combining off-site supervision with on-site inspections.
  • Supervisors should continue to promote home-host cooperation: Supervisors are encouraged to share their supervisory methodologies regarding the implementation of the Principles on platforms such as the Risk Data Network, and through supervisory colleges and Crisis Management Groups to help facilitate consistent application of supervisory expectations for global banking groups when implementing the Principles on a group-wide basis. 


For more information, please contact Steve Arnold, Brian Hart, or Ben Roberts.

Steven Arnold

Steven Arnold

Financial Services Advisory Leader, KPMG US

+1 213-430-2110
Brian Hart

Brian Hart

Principal, Financial Services Risk, Regulatory and Compliance Network Leader, KPMG US

+1 212-954-3093
Benjamin Roberts

Benjamin Roberts

Principal, Financial Services, KPMG US

+1 860-522-3200