BCBS239 – PSD2 – Risk, Compliance, Innovation – All-in-one?

BCBS239 and PSD2 are two different sets of regulations that are leading the charge to redefine the ‘legacy’ systems. BCBS (Basel Committee on Banking Supervision) regulation number 239 concerns effective risk data aggregation and reporting, and focuses on the institutional side of the business. PSD2 (Payment Service Directive 2), on the other hand, forces retail banks to provide third parties with access to their IT infrastructure.

The two regulations push the strategic thinkers within financial institutions to develop engines that not only cater to delivering the necessities but also work to automate risk management and compliance monitoring.


The principles of BCBS239 focus on systemically important banks (SIBs), both global (G-SIBs) and domestic (D-SIBs), and require them to manage and understand data and to be able to relate and report on various risk metrics. The basic idea behind BCBS239 is for banks to ensure that there is a single source of data available for all their activities. Historically, this data has been part of individual product lines and P&Ls. The risk teams have had to take a manual approach, using Excel and Access as databases, to consider a corporate view.

The deadline for being compliant was January 2016, but the rate of adoption has been slow. Three specific reasons that make it tedious, expensive and intense are:

i) historical silos within the banks

ii) the inability to instantly reconcile activities from front office systems to back office

iii) the inability of multiple systems (departments) to communicate and aggregate data

These are well-known reasons, but looking to the future, BCBS239 aims to solve not just these problems: if strategised and implemented, it could make financial institutions think of data in a very different, Google / Facebook manner.

Principle 4

Out of the 14 BCBS239 Principles, the point above, Principle 4, does capture the imagination. Initially, the idea is for all the G-SIBs and D-SIBs to have this in place, but in reality this data could easily be chopped and diced for all the SIBs’ clients. If there ever was a consortium (there are quite a few around), we could have risk aggregation at every institutional level. It may be early days, but the foundation for the development of distributed ledgers and blockchain has been laid.

The whole idea behind BCBS239 is to better understand risk exposure and timely reporting of the same. In my view this has clearly stemmed not just from the 2008 financial crisis but the continued focus on stress tests has pushed the fear of the unknown.

The focal point is data aggregation and reporting for the purposes of managing risk. If we consider a view beyond the current horizon, there are opportunities for managers to deliver shareholder value, set the parameters of operations and utilise the data to forecast scenarios that impact the balance sheet.


PSD2 changes a few things. There is a good piece by Alessandro Longoni that talks about the changes. In short, the regulation allows new players to enter the retail space, and retail banks now have to provide information on an individual’s bank account (where consented). This means a significant step away from a bank’s perspective. The IT system that was to date locked and inaccessible suddenly has to provide information on money movements.

This regulation, again, is already in play across Europe. PSD2 pertains to an IT strategy within retail / private banking that never existed. Looking beyond the current remit of PSD2, the opportunities for new players (Fintech) and existing ones are alike, but it is not a level playing field. Banks and Wealth Managers are way ahead as they have 2 important ingredients:

i) a customer base that is disengaged engaged

ii) trust which is almost taken for granted

The opportunity for Fintech is the use of artificial intelligence, the use of data and innovation. The check-points come instantly deployed by the banks which will not only cost but will eventually push fintech companies to learn the processes and find an optimum operating model.

The challenge for new players is the development of the product set that helps in customer acquisition. On the other hand, this becomes an opportunity, in a very basic sense, for retail banks to have a technology and operating model strategy that will enable them to integrate services (act like an aggregator) and provide a service that caters to managing money and risk.

Fintech companies do not hide the fact that we are in the data game. It has always been about data, but with technology we can now predict habits and patterns and eliminate intermediaries. The question remains: is there a partnership model, or are we headed down a siloed approach? And that begs the question: how does one make profits off these?

Bottom line

We are well underway with BCBS239 and PSD2. Both regulations are about two things:

a) Institutional space: Risk data aggregation and reporting i.e. overhaul of data management systems

b) Retail space: Access to banking infrastructure (account level info) via new types of categories and players

This boils down to technology infrastructure: not just integration and layering the data right, but also creating opportunities to foster thinking around new products, efficiency in processes and building on an infrastructure that has stood the test of time.

It is people’s money, whether at an institutional level or at a retail banking layer. Markets will perform their function efficiently, but if the flow of data (information) is in the appropriate direction, with trust that this is a ‘single version of truth’, extra knowledge will not hurt anyone in the long run. Providing access with consent will result in competition and perhaps more collaboration as well.

The two regulations, serving separate engines, have the makings of the regulatory and compliance engines that have long been desired. Bottom line: the future is information, managing risk and choice of products, led by data.