A key lesson learned from the financial crisis is that banks lacked the risk information needed to make sound business decisions. In other words, banks’ information technology (IT) and data architecture were inadequate to support the broad management of financial risks, and many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at bank group level, across business lines and between legal entities.
Some banks were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practices. 8 years after the crisis, progress has been slow in key areas.
In January 2013, the Basel Committee on Banking Supervision issued 11 principles for effective risk data aggregation and risk reporting (BCBS 239) and outlined the paths to compliance for G-SIBs and D-SIBs. The BCBS 239 requirements are intended to address what supervisors see as a major weakness that banks carried into the crisis.
In 2016, the ECB will carry out a thematic review to assess banks’ compliance with these BCBS 239 principles.
This thematic review will apply a two-tier, two-step approach in line with overall priorities within the SSM, and will thus reinforce the follow-up actions on the SSM’s 2015 thematic review of risk governance and risk appetite. It will be embedded into the SSM’s 2016 priorities and be performed by JSTs and a centralized working group, with members of the ECB and NCA, providing operational guidance and ensuring consistency.
From March to August (step 1), 11 large banks (group 1) will be evaluated on the implementation status of specific BCBS 239 projects at group level. This evaluation will be based on an assessment of documentation, complemented by focused interviews with banks’ risk, finance and project officers.
During the same period, the ECB will distribute self-assessment questionnaires to 14 other banks (group 2). Afterwards, from September to December (step 2), the ECB will select some topics and investigate them in depth on the basis of available bank-specific information, and then send follow-up letters with findings and remedial actions (end of 2016 and beginning of 2017).
Against this backdrop, banks should rely on effective tools for assessing compliance with the RDA&RR principles on an ongoing basis, as well as for providing an independent evaluation and certification procedure. To address these needs, KPMG member firms have developed a certification tool that relies on a sound certification framework and a broad-ranging underlying methodology. Supported in an accessible environment, it is designed to provide useful functionality and timely, beneficial insights to be considered in the decision-making process.