Posted by Irena Gecas-McCarthy, Advisory Principal, Deloitte & Touche LLP, David Wright, Advisory Managing Director, Deloitte & Touche LLP, Dmitry Gutman, Advisory Managing Director, Deloitte & Touche LLP, Dilip Krishna, Advisory Managing Director, Deloitte & Touche LLP, Ken Lamar, Independent Senior Advisor to Deloitte & Touche LLP, Richard Rosenthal, Advisory Senior Manager, Deloitte & Touche LLP, Claudio Rodriguez, Advisory Senior Manager, Deloitte & Touche LLP, Pranav Shanghvi, Advisory Senior Manager, Deloitte & Touche LLP, Mike Thakkar, Advisory Senior Manager, Deloitte & Touche LLP, and Alex LePore, Advisory Senior Consultant, Deloitte & Touche LLP on August 10, 2016
Federal Reserve Board (FRB) officials have made clear in communications with the industry that they expect the foreign banking organizations (FBOs) similar to the US bank holding companies to have the capabilities to access and provide high-quality data, including credible internal reporting/MIS and regulatory reporting data from the outset.1 They point out that FBOs have had more than three years to come into compliance with enhanced prudential standards (after the initial rule proposal) and believe that effective internal MIS and regulatory reporting processes should be in place by now. This expectation—coupled with increased transparency provided by the public disclosure of several regulatory reports—places pressure on FBOs to ensure that their end-to-end data production processes and control frameworks produce accurate and complete reporting. There are additional regulatory reporting requirements that have been proposed and will be finalized as the industry comment periods end and the FRB processes are finalized. These include the attestation of the FR Y-14 reports for the FBO Intermediate Holding Companies (IHC).
Building clear process and control documentation, data governance, and quality assurance processes are critical to demonstrating credible MIS and regulatory reporting implementation. Establishing confidence in reporting will be especially critical to meeting IHC capital planning expectations related to the April 2017 Comprehensive Capital Analysis and Review (CCAR) submissions (the non-public “dry run”). The bar is high. FBOs face reputational risk as a result of the increased transparency provided by the public disclosure of regulatory reporting filings (most notably the FR Y-9C, which will disclose IHCs’ capital ratios, balance sheet information, and financial performance, among other information, as well as public disclosure of CCAR results).
Beginning with Internal MIS – passing the “use test”
Alongside the additional focus on regulatory reporting, which generally grabs the headlines when significant misstatements occur, there are expectations from the IHC boards, senior management, regulators, and internal audit that the information that supports internal MIS is credible, well understood, and used in daily risk management and capital planning and management processes across the combined US operations. Regulators want to ensure that MIS being used in risk and capital management across the all levels is driven by data that is accurate, clearly defined, consistently sourced, and effectively managed. Much of this is grounded in BCBS 2392 risk data and aggregation principles, including:
Our view is that, even as regulators begin to focus with greater intensity on the quality of internal MIS, it first starts with management and the board of directors feeling comfortable that they have the right data of sufficient quality to manage their US footprint. Passing the “use test” will include tracing a metric/risk appetite component through the MIS readiness process and demonstrating its usage for decision-making and the escalation of data issues. FBOs should be prepared to document the report preparation lifecycle including data sourcing, validation, control, escalation of issues, and use across the Three Lines of Defense (3LoD). Importantly, internal audit should understand the principles set forth by BCBS 239 as it provides assurance with respect to the bank’s reporting processes. Both second line (risk and quality assurance processes) and third line of defense (internal audit) roles in transaction testing to test controls will need to be implemented. Ultimately the focus will now shift to: how do you use this MIS? Is it actually part of the businesses’ daily risk management routines?
Gearing up for more focus on reporting processes
While FBOs are gearing up for regulatory reporting deadlines, regulators are now increasingly focused on the robustness of the framework supporting the report preparation and quality assurance process.
Adding to the pressure is a recent proposal3 from the FRB that would apply a CFO attestation requirement to IHCs in the Large Institution Supervision Coordinating Committee (LISCC) portfolio with respect to the FR Y-14 filing requirements.4 The proposal, which would largely mirror the FRB’s requirement5 for US bank holding companies in the LISCC portfolio, would require CFOs to attest that the actual data—including the data on which the forecasts are based—are materially accurate, the internal controls are effective, and that the firm will report any material errors/omissions in data or weakness in controls on the FR Y-14 forms. While the formal requirements are only for LISCC firms, other large firms will likely be expected to have the same type of processes in place to assure data quality.
Beyond attestation, IHCs are expected to meet stringent expectations on report preparation, monitoring and use. This includes end-to-end process documentation to explain controls around the reporting process, reconciliations, and manual adjustments. Further, the documentation must describe policies and frameworks governing accountability, data, and firm-wide awareness of the criticality, and impact of regulatory reporting.
The backbone of MIS and regulatory reporting is data quality and availability. Quite soon, the FRB will likely begin detailed examinations of the IHC reports on liquidity and capital, as well as the FR Y-9C reports. Their aim will be to ensure institutions have established comprehensive governance and robust processes to produce high-quality data for accurate regulatory reports. To meet these requirements, institutions need to have robust data management capabilities, including:
While all the points above are important, the cornerstone is the culture of accountability that extends throughout the organization. An effective culture includes the creation of a formal enterprise-wide data policy that must define roles and responsibilities of data producers, consumers and stewards throughout the data flow, outline escalation processes for identifying and resolving systemic issues in a timely manner, and outline accountability in a way that strictly enforces compliance with all requirements.
Ensuring adequate data quality that measures up to regulatory expectations requires a transformative multi-year effort, which could include large-scale IT programs. Institutions should demonstrate a continuous improvement focus on data in order to be ready for when the regulators will be at the door.
Having established all the processes, controls, and governance frameworks, FBOs still face significant challenges going into the “go-live” date from an operational readiness standpoint. These include orchestrating multiple complex reports simultaneously going live as well as instituting a regime of regular data quality and control testing.
1Federal Reserve System, “Agency Information Collection Activities: Announcement of Board Approval Under Delegated Authority and Submission to OMB,” 81. Fed. Reg. 35016 (June 1, 2016), available at https://www.gpo.gov/fdsys/pkg/FR-2016-06-01/pdf/2016-12867.pdf.
2Basel Committee on Banking Supervision, “Principles for effective risk data aggregation and risk reporting,” (January 2013), available at http://www.bis.org/publ/bcbs239.pdf.
3Federal Reserve System, “Proposed Agency Information Collection Activities; Comment Request,” 81 Fed. Reg. 49653 (July 28, 2016), available at https://www.gpo.gov/fdsys/pkg/FR-2016-07-28/pdf/2016-17876.pdf.
4The attestation requirement would begin with the reports as of December 31, 2017 and become fully effective with the reports as of December 31, 2018.
5Federal Reserve System, “Proposed Agency Information Collection Activities; Comment Request,” 81 Fed. Reg. 3412 (January 21, 2016), available at https://www.gpo.gov/fdsys/pkg/FR-2016-01-21/pdf/2016-01043.pdf.