Just a few days ago, the news broke of a heavy fine totaling 135.6 million dollars imposed on a large bank by the U.S. Federal Reserve (60.6 million) along with the Office of the Comptroller of the Currency (75 million): an event that highlights the financial and reputational risks associated with an inadequate approach to Data Management, in violation of regulatory requirements.
The fine is due to insufficient progress in improving the frameworks for risk data management, risk governance, and regulatory reporting, in reference to previous enforcement actions taken by U.S. authorities in 2020 (with a mega fine of 400 million at the time), which had identified serious deficiencies in data management and quality; these deficiencies were deemed to undermine the bank’s ability to comply with regulatory requirements and effectively manage related risks.
Despite the jurisdictional differences and varying regulatory frameworks, important analogies emerge with Europe, where the ECB’s supervisory priorities for the next three years in the area of RDARR (risk data aggregation and risk reporting) focus on points that have much in common with the criticisms made by the Federal Reserve and the Office of the Comptroller of the Currency against the sanctioned intermediary. This is not surprising considering that the U.S. regulatory framework [i] – for the overlapping portion – shows a high degree of alignment with the BCBS 239 standard and the latest provisions of the ECB Guide on RDARR.
In this scenario, it is legitimate to ask whether, on the European front, the ECB – following the disappointing results of the assessments carried out over the past five years [1] and the repeated warnings that resulted from them – will decide to make more effective use of the inspection and sanctioning powers that its prerogatives grant it [2]. The question brings us back to the considerations outlined earlier regarding the significant financial and reputational risks to which entities found to be non-compliant would be exposed.
But then, how should one act to limit risk profiles and avoid the serious consequences of a potential sanctioning measure? European banks must first prioritize a modern and robust approach to data management, not only to comply with regulations but also to improve operational integrity, protect their customers, and ensure the continuity of the services provided.
To meet increasingly challenging requirements, which we have discussed over the past few months, especially on the Regulatory Reporting side, it is essential to invest in frameworks, processes, and technologies, also in terms of Data Quality and Data Governance, and to have proactive strategies for risk management.
Sources
[i] 12 C.F.R. Part 30, Appendix D, “OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches”
[1] We refer to the results of the thematic review published in the 2018 Report on the Thematic Review on effective risk data aggregation and risk reporting (europa.eu), as well as those of the sample monitored during the 2022 cycle of the Supervisory Review and Evaluation Process (SREP).
[2] Recent statements by prominent members of the ECB’s Supervisory Board go in this direction; see the following interventions: Interview with Financial Times (europa.eu); Risk data aggregation and risk reporting: ramping up supervisory effectiveness (europa.eu).