Transforming BoE’s Data Collection: The evolution of regulatory reporting
Finance is very much a data business with financial firms critically dependent on good information. They need fast access to comprehensive data, which provides them with insight in order to provide services and compete effectively. As a result, firms have been making significant investments in new technologies to improve their analysis and store large volumes of data.
Regulators are likewise dependent on good and timely data so as to build a comprehensive picture of the state of the financial markets that they oversee. However, authorities have only recently started to appreciate the benefits of new technologies for both capturing and analysing the data.
To that effect, the Bank of England launched a Discussion Paper (DP) in early January 2020 on “Transforming data collection from the UK financial sector”. The purpose of the paper is to “seek ways to decrease the burden on industry and to increase the timeliness and effectiveness of data in supporting supervisory judgements”.
The DP touches on a number of wide-ranging issues, including a potential change in the architecture of regulatory reporting from a ‘push’ to a ‘pull’ model to provide more flexibility and timeliness, and asks whether a central service provider should play the role of data aggregator across all firms to help standardise data and mutualise costs.
The focus of this article concentrates specifically on the areas of operational effectiveness of some of the themes developed in the DP, as follows:
The importance of coordination between authorities in order to maximise the benefits and to minimise implementation costs
In the DP, the Bank asks for feedback on the importance of cooperation between authorities given that varying levels of innovation across a number of authorities might end up increasing firms’ costs.
There are a couple of scenarios that would gain immediate efficiencies from such regulatory cooperation. The first scenario is when the same activity is reportable to more than one authority, for example, a foreign exchange trade that needs to be reported to the two different authorities for each of the currencies involved. If both of these authorities were to agree on how that reporting should occur, then only one system would need to be developed to satisfy both authorities. A second scenario involves two similar trades, for example, a UK government bond and Eurozone bond, each being reported to their respective jurisdictions. Because capital markets firms typically build a single system for processing similar products across all jurisdictions, it is likely in this example that a single system exists which can process all bond trades across both jurisdictions. If both authorities were to agree on the reporting requirements for bond trades, then firms will be able to use a single reporting table for reporting to the UK and for the Eurozone, paving the way for operational synergies.
These examples demonstrate how regulatory cooperation could translate into lowered costs for industry. Coordination between authorities would not have to take place across all areas, however, as the length of time it could take to coordinate runs the risk of hampering the pace of innovation.
The use of ISO standards as the means of achieving cross-jurisdiction efficiencies
For data in particular, standards are critical as they drive up quality. Regulators will of course decree a particular data standard which is useful at the time of the mandate, however, the challenge is that requirements often change over time. A key element of any standard, therefore, must be its ability to evolve and meet developing requirements – an aspect that essentially boils down to the governance of a particular set of standards.
International Organisation for Standardisation (ISO) standards are not only increasingly being used within the international capital markets industry, but are universally acknowledged as having the best governance model. Further, regulators already have a lot of experience working with both the creation and management processes of ISO standards. Two good examples of this are the oversight of both the Legal Entity Identifier (LEI) and unique product identifier (UPI) maintained via the Financial Stability Board (FSB) established in April 2009 by the Group of 20 (G20) leaders.
If no ISO standard exists for a data element that needs to be reported, then regulators could request ISO to create a new ISO standard for that data element. Alternatively, regulators could select an industry standard that is already in widespread use. In the case of the latter, it would be helpful for the standard to also operate under ISO governance. One prominent example of a stand-alone industry standard that also operates as an ISO standard is the WC3 web services standard which provides the foundation of much of the internet’s web functionality.
The criticality of cyber-security to the ‘Pull’ model
Whilst a ‘pull’ API-type model involving a regulator going into a bank to ‘pull’ relevant data (rather than having to have it ‘pushed’ via email or file transfer by the bank to regulator) provides a certain level of simplification from a firm’s perspective, one key consideration not covered by the DP is the significant cyber-security implications. In fact, due to the need to keep pace with rapidly evolving cyber-security best practices, the opening up of bank infrastructures for feature-rich ‘pull’ functionality could be quite a costly overhead for the foreseeable future.
If, for instance, multiple authorities move to a pull model, firms may need to build separate infrastructure for each authority to allow the ‘pull’ to occur, however, this would mean not only a duplication of costs, but it would leave open quite a few external access points that a cyber hacker could target. An alternative model could be to place all regulatory data in a centralised infrastructure with partitioning so only the appropriate authority could see its respective data. This would require protection for only a single point of access, although if cyber attackers were to gain entry they would now have access to the entirety of the data set. Clearly each approach involves a different set of trade-offs. In order to strike an appropriate balance for mitigating the risk of successful cyber-attacks, firms should consider adopting the ISO 27001 (information security management) standard. One of the benefits of ISO 27001 is that firms and service providers can get external accreditation by an independent third party to validate that the ISO standard is indeed being adhered to and, therefore, provide comfort that cyber-security best practices are being followed.
The benefits of a central service provider to mutualise costs
Within the DP, the Bank asks for viewpoints on whether the build-out of a reporting capability, today performed by individual solution vendors, should instead be performed by a central service provider (CSP) in an attempt to lower costs across industry. The Bank gave the example of a centralised regulatory reporting utility built by major Austrian banks under the encouragement of the central bank of Austria.
The role of a CSP would be especially important if coordination between authorities turned out to be limited (perhaps due to differing timelines or other practical reasons) and/or where the Bank decides to implement the pull model. In such circumstances, the CSP’s ability to mutualise costs would be even more essential, especially with regards to mitigating the cyber-security costs as mentioned in the section above. Other benefits include a single standardised implementation to mitigate the risk that different firms may interpret a pull-API specification in different ways, and therefore may at times return slightly different data sets for the same API call. Further, a CSP can perform a common, consistent quality assurance role by ensuring that fields of data across all firms are interpreted and returned to the Bank in a similar manner, thereby making aggregation of high quality data possible across firms.
The deadline for written responses to the Bank’s discussion paper has been extended to 20 May 2020. As well as seeking written responses to the paper, the Bank will establish industry working groups to explore these issues, of which one focus will be to inform the scope and aims of the next phase of the Bank/FCA Digital Regulatory Reporting Pilot. The Bank has therefore proposed that the next stage of DRR should be in line with the likely future direction of both the Bank’s and the FCA’s data collection strategies.
Table for discussion
Through the DP, industry has been given a chance to view the Bank’s forward thinking ideas with regards to both streamlining reporting models and exploring the opportunities provided by the latest technologies such as cloud and big data. It is clear from the announced aims of the review that the Bank is ready to engage in a partnership between industry and authorities. An active dialogue is required, and the user community in the form of the financial services industry should play their part in helping bring this vision to fruition.