RegTech Intelligence


Article
Picking up the new regulatory data gauntlet

In a pivotal move, regulators have unequivocally thrown down the data gauntlet to banks, underscoring a pressing challenge: few banks are currently positioned to meet these rigorous standards.

After taking on board 300 industry comments, EU regulators issued a new, comprehensive and granular Guide on effective risk data aggregation and risk reporting. Though the 20 page document was issued 3 May 2024, it is effective immediately and your firm will be unlikely to meet these new regulatory expectations.

Data ownership, validation processes, and ‘up-to-date data lineages at attribute level’ are the order of the day.

Don’t miss out, come to our 25 September NYC round table (here) to learn how leaders are rethinking the role RegTech can play in this important space!

Old data grades

As JWG analysis described in Q1, after a decade of regulators encouraging banks to adopt better risk data management procedures the BIS issued a sober progress report in November 2023.

Only two of the 31 banks assessed were judged to be fully compliant with data management principles. It stated, “nearly ten years after the initial publication of the Principles and seven years after the expected date of compliance, banks are at different stages in terms of aligning with the Principles, and that additional work is required at all banks to attain and/or sustain full compliance.”

In September 2023, EU regulators voiced concerns at a stakeholder meeting of 300 industry attendees about risk reports taking upwards of 40 days to produce and the quality of underlying data.

Alarmingly, 36% of institutions lack a framework for data management, and only half have established a ‘golden source’ for their data.

New risk data guidance

Last year, the European Central Bank (ECB) detailed new expectations for banks’ effective risk data aggregation and risk reporting.

The ECB consultation notes, “Banks are expected to step up and conclude their efforts to improve their governance framework and data management process in a timely manner.”

new guide that compliments, not replaces BCBS239 is part of a wider strategy intended to ensure that supervised banks ultimately achieve substantial progress in remedying their identified structural shortcomings in risk data aggregation.

In the guide, seven key areas have been singled out: the responsibility of a bank’s management body; the scope of application of the data governance framework; key roles and responsibilities for data governance; the implementation of a group-wide integrated data architecture; the effectiveness of data quality controls; the timeliness of internal risk reporting; and implementation programs.

The paper clearly articulates the need for data definitions, validation rules and “complete and up-to-date data lineages” as part of an integrated data architecture as highlighted below.

New guidance

After reviewing 308 comments the ECB published a 46 page feedback statement to support the final 20 page on 3 May 2024.

JWG concludes the guidance has become even more comprehensive and granular than the consultation paper foreshadowed. A few notable clarifications stood out to us:

  • Accountability. It has been made clear that the guidance provides for collective management body responsibility that should be exercised by one or two people (e.g., CRO or CFO AND CRO)
  • Climate. The Guide now clearly states that it is relevant to all material risks and, therefore, also to material climate-related and environmental (C&E) risks
  • Attribute-level. The Guide now explicitly states that the integrated data architecture should contain complete and up-to-date data lineages on the data attribute level (italics added to denote new footnotes)

You can find the Guide on effective risk data aggregation and risk reporting here.

Conclusions & next steps

Regulators have thrown down the data gauntlet to industry and are in the field now asking about each firm’s improvement plans.

Chief Financial Officer and Chief Risk Officers should have a board mandate for the Chief Data Officers and Chief Information officers: Let’s get explicit ownership for data definitions, ensure valid data validation processes, and maintain up-to-date data lineages.

Like their physical manufacturing counterparts, CDOs and CIOs will be propelled to strive towards zero-defect programs. However, with massive data estates, and cost pressures it will not be easy for senior mangers to make this transition in time.

The question looms large – how can senior managers both streamline expenses and satisfy these new requirements?

To promote global dialogue on how to deliver regulatory change JWG post hundreds of focused articles a year to thousands of subscribers. Get involved and join the mail list.

By hitting the subscribe button you agree to our Privacy Policy