Response to consultation on draft Implementing Technical Standards on Pillar 3 data hub
Question 1: Do you agree with the proposed IT solutions that would support the implementation of the P3DH to Large and Other institutions? If not, please explain the reasons why.
Comment Relating to IT Solutions:
- Specific Point: The proposed IT solutions supporting the implementation of the P3DH for large and other institutions.
- Response: While the IT solutions outlined in the consultation paper align with the EBA’s objectives of enhancing data aggregation and reporting capabilities across large and other institutions, we believe there are areas where these solutions could be further refined to ensure long-term resilience, scalability, and comprehensive compliance.
Specifically, there are several considerations and potential enhancements that could improve the effectiveness of the Pillar 3 Data Hub (P3DH) in achieving its objectives.
Key Areas for Improvement and Specific Considerations
- Real-Time Data Integration and Processing Capabilities:
- Current Proposal: The proposed IT solutions focus on periodic data submission in standardized formats, such as XBRL-csv for quantitative data and PDF for qualitative information.
While these formats enable efficient data aggregation and comparability, they may limit institutions’ ability to provide real-time updates or continuous monitoring.
- Suggested Enhancement: Introducing real-time or near-real-time data integration capabilities would allow institutions to submit data continuously, capturing risk exposures as they develop. This could involve enhancing IT infrastructure to support continuous data pipelines or enabling automated updates at shorter intervals.
Real-time integration would significantly improve the responsiveness of the P3DH, allowing regulators and stakeholders to monitor risk profiles dynamically, especially in volatile market conditions.
- Scalability and Flexibility in IT Systems:
- Current Proposal: The IT solutions appear tailored to handle the current data requirements and reporting volumes.
However, as the financial landscape evolves and new data requirements arise (such as those related to environmental, social, and governance (ESG) factors), the P3DH’s IT framework may require adaptability to scale up or incorporate new data categories.
- Suggested Enhancement: Building scalability and flexibility into the P3DH from the outset will be essential for long-term compliance and resilience.
This could involve designing modular IT systems that can easily integrate additional data sources or metrics without requiring a full system overhaul. For example, implementing a cloud-based or hybrid architecture could allow for the scaling of data storage and processing capacity as needed, avoiding potential system bottlenecks.
- Unified Data and Risk Metrics:
- Current Proposal: The consultation paper mandates standardized formats for data submissions but does not introduce a unified risk metric.
Without a standardized metric, institutions may face challenges in achieving true comparability across various types of risk exposures, particularly when integrating both financial and non-financial risk data.
- Suggested Enhancement: The introduction of a common metric, such as the Risk Unit (RU) proposed by the Risk Accounting Standards Board (RASB), would help unify risk data and allow for consistent aggregation across diverse risk categories.
Using a metric like the RU, which is additive and scalable, would enable institutions to represent their risk exposure more consistently, improving both internal risk management and external comparability.
- Long-Term IT Infrastructure Upgrades and Interoperability:
- Current Proposal: The IT solutions focus on ensuring that institutions can submit data in a standardized format to the P3DH.
However, many institutions, especially larger ones, operate on complex legacy IT infrastructures that may struggle with interoperability and integration.
- Suggested Enhancement: A phased approach to IT infrastructure upgrades could be encouraged, allowing institutions to gradually integrate systems capable of handling real-time and cross-functional data requirements.
For instance, the EBA could provide a roadmap for aligning legacy systems with new standards, supported by technical guidelines on how to achieve interoperability between older systems and the P3DH.
Rationale and Evidence:
- Rationale: The proposed reliance on upgrading existing IT systems to meet the P3DH’s data requirements, without fundamentally transforming the underlying data structure, risks perpetuating some of the key implementation issues observed during BCBS 239.
Specifically, BCBS 239’s implementation highlighted the persistent challenges of fragmented data silos, limited interoperability between legacy systems, and insufficient real-time data integration—all of which could hinder the EBA’s objectives for the P3DH.
Grody and Hughes’ research in risk accounting underscores the importance of a unified, foundational approach to data management. Their work emphasizes that sustainable improvements in risk reporting and management cannot be achieved solely by layering new requirements or formats onto existing IT systems. Instead, the introduction of a standardized, additive metric, such as the Risk Unit (RU), embedded within a unified data structure, is crucial for achieving a truly integrated risk management system. This unified data approach would allow for seamless data aggregation, improved interoperability, and real-time reporting—three critical aspects that align closely with the EBA’s goals for the P3DH.
Challenges from BCBS 239 and Their Relevance to the P3DH Implementation
During BCBS 239 implementation, financial institutions encountered significant barriers due to their reliance on existing IT architectures. Key issues included:
- Data Silos and Fragmented Systems:
- Many institutions struggled with compartmentalized data systems that prevented holistic risk data aggregation. These data silos led to inconsistencies, delayed reporting, and inefficiencies in consolidating risk information across the enterprise.
- Relevance for P3DH: Without a foundational shift towards a unified data structure, the P3DH implementation could face similar fragmentation, where risk data remains confined within departmental silos or incompatible IT systems. This would undermine the benefits of centralized, standardized reporting and hinder the EBA’s ability to achieve comprehensive risk visibility across institutions.
- Integration Complexities:
- Legacy IT systems often lacked the ability to interact smoothly with newer technologies or regulatory platforms, creating a disjointed reporting environment. BCBS 239 aimed to foster consistent and reliable risk reporting, yet institutions found it difficult to reconcile diverse systems and data sources without substantial IT restructuring.
- Relevance for P3DH: Relying solely on incremental IT upgrades for the P3DH could similarly limit integration effectiveness. Real-time data aggregation and consistency in reporting will require more than technical upgrades; they demand a harmonized, interoperable data structure that allows for continuous, automated data flows across the organization.
- Inconsistent Data Models and Metrics:
- BCBS 239 lacked a standardized, additive metric for quantifying and reporting risk, leading to inconsistencies in how institutions measured and disclosed risk. This variability complicated the regulatory oversight process, limiting the comparability of data across institutions.
- Relevance for P3DH: The lack of a unified risk metric in the current IT solutions could result in inconsistent data reporting, potentially compromising the EBA’s objectives for comparability and transparency. A standardized metric like the RU would enable institutions to report risk data that is additive and comparable, reducing discrepancies and providing regulators with a clearer, more unified picture of risk across the sector.
Proposed Enhancements to Avoid Repeating BCBS 239 Challenges
To avoid repeating these challenges in the P3DH implementation, the EBA should consider incorporating the following enhancements into the regulatory guidance:
- Unified Data Structure with Embedded Risk Metrics:
- Establishing a foundational, unified data structure that integrates risk and financial reporting will facilitate data consistency and enable real-time insights. Using a standardized metric such as the RU would provide an additive, scalable approach to quantify risk, allowing institutions to aggregate risk data seamlessly across departments and systems.
- Encouragement of Phased IT Restructuring:
- Instead of relying on patchwork upgrades to existing IT systems, the EBA could encourage a phased, strategic IT restructuring plan for institutions.
This would include the gradual adoption of modern, interoperable systems that can natively support real-time data integration and reporting. Such an approach aligns with Grody and Hughes’ emphasis on long-term structural improvements rather than short-term fixes.
- Evidence: In his book Risk Accounting[1], Peter Hughes, RASB’s founder, argues that effective risk management and reporting require the integration of financial and non-financial risk data using standardized, additive metrics, such as Risk Units (RUs).
This approach is designed to overcome the limitations of fragmented data systems and disparate risk metrics, which have historically hindered comprehensive and consistent risk aggregation.
Hughes emphasizes that without a unified, standardized metric, financial institutions are left with data inconsistencies and misalignments between different risk categories, making it difficult to obtain an accurate, real-time picture of overall risk exposure.
Key Points from Risk Accounting Supporting the Use of RUs:
- Additive and Scalable Nature of RUs:
- Hughes explains that RUs are inherently additive, meaning they can be aggregated across different departments, risk types, and reporting periods. This characteristic is crucial for institutions that need to consolidate diverse risk exposures into a unified, interpretable measure for both internal decision-making and regulatory reporting.
- Implication for P3DH: With RUs, institutions could create a single, comprehensive metric for risk that aligns with the EBA’s goals of consistent and comparable reporting. This additive quality also simplifies reporting structures, reducing the need for complex data reconciliation across risk categories.
- Real-Time Integration and Monitoring:
- Hughes’ risk accounting method embeds RUs directly within financial reporting, allowing institutions to track risk accumulation on a real-time basis rather than waiting for periodic reporting cycles. By linking every financial transaction to a quantifiable RU, institutions can monitor risk as it develops.
- Implication for P3DH: The EBA’s P3DH could benefit from this continuous data flow, enabling real-time updates in risk profiles rather than relying on static snapshots. Real-time integration not only improves regulatory oversight but also empowers institutions to act proactively, adjusting risk strategies in response to emerging threats.
- Reduction of Data Silos and System Discrepancies:
- Risk Accounting stresses the importance of a unified data structure to overcome the challenges posed by legacy systems and siloed data sources. By using RUs, risk accounting unifies disparate risk data, reducing dependency on complex data integration projects and minimizing errors associated with reconciling multiple data systems.
- Implication for P3DH: The EBA’s objective to centralize risk data through the P3DH is directly supported by the risk accounting approach. RUs eliminate the fragmentation between financial and non-financial risk data, making data submission and aggregation to a centralized hub more streamlined and reducing the risk of inconsistencies.
- Improved Comparability Across Institutions:
- Hughes highlights that a standardized metric like the RU can serve as a universal measure of risk, allowing comparisons between institutions regardless of their size or business model.
RUs provide a common language for risk, which enhances transparency and comparability, a key requirement in regulatory frameworks like BCBS 239 and P3DH.
- Implication for P3DH: By encouraging the adoption of RUs, the EBA could significantly improve the comparability of risk data across institutions, enhancing the value of centralized reporting for both regulators and stakeholders.
This comparability supports more meaningful sector-wide analyses and fosters a level playing field.
- Support for Proactive and Prudent Risk Management:
- According to Hughes, the ability to integrate risk data directly into financial processes promotes prudent behavior and proactive risk management.
By having a clear, quantitative view of how risk accumulates in real-time, institutions are better equipped to make informed decisions that align with their overall risk tolerance and regulatory requirements.
- Implication for P3DH: Embedding this proactive approach into the P3DH would encourage institutions to manage risk continuously, rather than treating risk management as a reactive compliance exercise.
This aligns with the EBA’s long-term vision of fostering stability and resilience in the financial sector.
Alternative Regulatory Choice:
- The EBA could consider mandating the adoption of a framework similar to Risk Accounting that embeds a dedicated risk quantification metric into financial systems.
This would create a seamless, robust infrastructure for risk data that aligns with P3DH requirements while preventing common data integration issues.
[1] The “Risk Accounting” book by Peter J. Hughes is available for purchase on Amazon and other retailers (link in the attached document).
Question 2: Would you agree with the specification to provide the information on remuneration policies separately? If not, please explain the reasons why.
Comment Relating to Remuneration Policies:
- Specific Point: The specification to provide information on remuneration policies separately.
- Response: We agree with the proposal, provided that the reporting format ensures transparency and aligns with risk and financial data.
Rationale and Evidence:
- Rationale: Disclosing remuneration policies separately enhances clarity and allows stakeholders to evaluate potential incentive-related risk behavior. However, in his research, Peter Hughes generally emphasizes that transparency alone is not sufficient without integrating such data into broader risk reporting.
Remuneration data should be evaluated in the context of the overall risk profile to provide a full picture of potential vulnerabilities.
- Evidence: In the context of Risk Accounting, remuneration metrics can be tagged with RUs within the conduct risk context, to correlate compensation practices with risk exposure, enhancing the understanding of how incentives may affect risk behavior.
Alternative Regulatory Choice:
- In our view, the EBA could integrate the use of standardized metrics, like RUs, for aligning remuneration disclosures with risk data aggregation, facilitating more meaningful risk assessments.
The RASB is available to work with the EBA, government and industry stakeholders to research and codify the best way to implement this initiative.
Question 3: Would you agree with the proposal on the collection of contact points information, including the suggested monthly frequency?
Comment Relating to Contact Points Collection:
- Specific Point: The collection of contact points information and the proposed monthly frequency.
- Response: We agree with the collection of contact points information but have reservations about the proposed monthly frequency.
Rationale and Evidence:
- Rationale: Monthly updates may not provide significant incremental benefits over quarterly updates, which would be more practical and reduce administrative burdens. The focus should be on ensuring that contact persons are equipped with comprehensive knowledge about data aggregation and reporting processes.
- Evidence: Hughes’ emphasis on governance suggests that while frequent updates can support dynamic oversight, the true effectiveness lies in ensuring contact points have in-depth training and a clear understanding of risk reporting systems.
Alternative Regulatory Choice:
- Consider quarterly updates with mandated training sessions to maintain readiness and reliability of contact points’ knowledge and oversight capabilities.
Question 4: Would you have any comments or suggestions on the most adequate profile of the contact persons within the institution?
Comment Relating to the Profile of Contact Persons:
- Specific Point: Adequate profile for contact persons within institutions.
- Response: We recommend that contact persons possess a strong background in integrated risk management and data governance.
Rationale and Evidence:
- Rationale: Contact persons should not only be compliance experts but also have in-depth knowledge of financial and risk data integration practices, such as those in Risk Accounting. This ensures they can oversee data quality and the application of unified risk metrics.
- Evidence: Hughes’ and Grody’s work emphasizes that proper implementation of frameworks like BCBS 239 and P3DH relies on knowledgeable personnel who understand the complexities of aggregating risk data across business lines.
Alternative Regulatory Choice:
- The EBA should specify that contact persons have qualifications or training in integrated risk and data management, emphasizing practical expertise with standardized data systems.