The ECB BCBS 239 thematic review is well underway and is already presenting challenges for banks. This two-phase review, which will conclude by the end of 2016, covers 25 European banks that have been divided into two groups: Group 1 comprises 11 Tier 1 banks and Group 2 comprises 14 Tier 2 banks.
During the first phase of the review, for Group 1 banks, the ECB carried out on-site reviews and then specific deep dives that were individualized per bank, whereas Group 2 banks had to provide a self-assessment of their compliance by filling out a questionnaire.
The second phase of this thematic review started in October and is being carried out through two consecutive exercises: The Fire Drill exercise follow by the Data Lineage exercise.
For the Fire Drill exercise, the ECB asked banks to compile and submit selected indicators on short notice (e.g. within 48 hours) using a pre-defined template (early November). The ECB also assigned the banks’ Internal Audit function to conduct an independent validation of the data submission. For that purpose, the ECB provided ‘agreed upon procedures (AUP)’ (a set of instructions) to the internal audit teams for the first time and the results of this internal revision were due to the ECB on 16 December 2016.
In short, many banks have found the exercise challenging, and encountered a number of pain points along the way. Many were not able to provide real time liquidity data and in the best case scenario provided data as of end of September. Complicating things further, some banks provided the same data with different reference dates for each subsidiary as they have different settlement dates. Banks did not anticipate the internal independent audit request. Banks’ internal audit teams are generally not involved in the BCBS 239 implementation programs and banks found it challenging to ask an internal audit function to confirm compliance with technical reporting requirements.
The Data Lineage exercise is a deep dive exercise that focuses on banks’ data lineage capabilities of two indicators, one related to credit risk (CR) and the other one to liquidity risk (LR). During a half day workshop with their JSTs, banks are expected to do the following:
Many Tier 2 banks are wondering how to demonstrate the “drill down” capacity if they don’t have a Data Lineage tool or if their reporting system does not provide any Drill Down feature. KPMG understands from the ECB’s comments that a comprehensive slide deck describing the end-to-end process flow broken down into phases as the extraction, aggregation and reporting of risk data, including details on the individual roles and responsibilities associated with control environment of those activities would be sufficient.
Regarding Tier 1 banks, most have implemented or are currently implementing interconnected tools for Dictionary Management, Data Lineage, Quality Management and Certification Support. Even though the implementation is in its early stages and/or the tools do not cover all the data and metrics, these platforms will be shown to the JSTs during their respective workshops. To date, KPMG has not spotted a clear trend in the industry regarding the implementation choices as some banks decided to implement pre-packaged tools, whereas others have decided to go for in-house development tools. KPMG’s Enterprise Data Management professionals have deep knowledge and strong expertise on these topics.
At KPMG’s ECB Office we see that the ECB is becoming more demanding with regards to BCBS 239, which is becoming a critical and a hot topic and will be one of the ECB’s 2017 priorities. We can also see that many banks are struggling with interpretation matters and need to exchange best practices and views with each other. Banks should expect similar exercises in the coming months. For this purpose, many of them continue to spend significantly more time and committing more resources to BCBS 239 compliance and supervisory interactions on this topic. Many banks are planning to increase their staff dedicated to this topic. The supervisory emphasis on data has resulted in heightened expectations of data availability, quality and governance. Data governance, risk data aggregation and automatization of processes are currently among banks’ key investments.
Examining the ECB’s expectations around data, technology, and cyber security.