It makes sense that regulators have been focused on assessing large banks and financial institutions through annual CCAR exercises. Regulators want to know if these banks have sufficient capital to weather times of economic and financial stress; they also want some indication that their capital-planning processes can address real risk.
The good news is that banks with holdings of $50 billion and above performed quite well against this year’s scenarios. The evidence suggests that large banks understand their portfolios and are modeling them appropriately and have developed processes to be able to react more timely come the next crisis.
So what’s the bad news? In my work helping financial institutions design and implement data governance programs to get control of their data, I’ve noticed an uptick in the number of smaller banks who are approaching Collibra for data governance guidance. As the performance of larger banks has stabilized, regulators are turning more frequently to banks with assets between $10 and $50 billion for evidence that they have data controls and governance in place over their DFAST processes.
New regulatory burdens can be tough for banks that are already working pretty lean. That’s prompted some smaller banks to take a “wait and see” approach when it comes to the current regulatory environment. But while we might continue to see process revisions, I don’t think we’re going to be seeing any radical changes any time soon. In general, most regulators seem to be embracing BCBS-239, the Basel Committee on Banking Supervision’s guidance on risk reporting.
And that means smaller banks need to take a hard look at how their data is being governed. Because today, a lot of institutions we talk to are having a difficult time demonstrating that they understand where their data is coming from and where it’s been, and that they can apply the appropriate controls to their data and processes—precisely what regulators will want to see.
What’s the solution? Well, while some of you might disagree, in my experience, regulators are human beings. They aren’t necessarily looking for every “t” to be crossed right away. They would, however, like to see that you can demonstrate your commitment to the process—even if you don’t have every single report metric nailed. Making data governance a part of business as usual is one very good way to get started. (Check out my previous blog on starting small with data governance.) Once you have some baseline data governance processes in place, you can more easily make a case for data consistency, transparency, and trustworthiness. And by building data governance into your DNA, you will have a better understanding of the strengths and weaknesses of your own portfolio, be able to meet changing requirements more nimbly, and, should your institution grow, be well positioned to respond to more robust reporting requirement in the future.