The principles in the final document (28-page / 136KB PDF), published by the Basel Committee on Banking Supervision following consultation with stakeholders, will be mandatory for the largest 'globally systemically important' banks (G-SIBs). National regulators have been encouraged to apply the same principles to the largest domestic banks within three years of their designation as 'systemically important', while smaller banks could be subject to a "proportionate" version of the rules depending on their "size, nature and complexity".
Committee chair Stefan Ingves said that the new document was a "significant step" towards improving banks' risk management capabilities.
"They will also contribute to G-SIBs' resolvability, hence reducing the potential recourse to taxpayers," he said.
The 14 principles set out in the document are intended to strengthen the ability of banks to monitor aggregate risks across the whole of their businesses. They are split into sections concerning overarching governance and infrastructure, risk data aggregation capabilities, risk reporting practices and supervisory review, tools and cooperation. Banks are expected to have in place a strong governance framework, risk data and IT systems as preconditions to compliance with the other principles.
The Basel Committee defines risk management data as data that is "critical" to enabling a bank to manage the risks it faces. Both data and reports should provide the bank's management with the ability to monitor and track risks, relative to the bank's own risk tolerance level.
The inability of large banks to quickly develop a comprehensive picture of the combined risk across their various securities and derivatives holdings, loan portfolios and other business strands had emerged during the financial crisis, the Basel Committee said. In particular, IT and data systems were inadequate to support the broad management of financial risks.
"This meant the banks' ability to take risk decisions in a timely fashion was seriously impaired with wide-ranging consequences for the banks themselves and for the stability of the financial system as a whole," it said in a statement. "The principles ... are intended to strengthen banks' risk data aggregation capabilities and internal risk reporting practices. They complement other international initiatives underway and will allow banks to comply effectively with them."
The document specifies that banks should be able to generate "accurate and reliable risk data" to meet both normal and 'stress' reporting accuracy requirements. Data should be collected using "largely automated" processes, in order to minimise the potential for human error. Data should be available by business line, legal entity, asset type, industry, region and any other groupings relevant to the risk in question and cover exposure, concentration and emerging risks.
The system should have the ability to generate aggregate risk data on-demand, for example in relation to internal or supervisory requests or during times of stress or crisis. Banks should be able to generate this data in a "timely" manner while also meeting accuracy and integrity principles. Precise time constraints will vary depending on the nature and potential volatility of the risk being measured, as well as how critical that particular risk is to the bank's overall risk profile.
Banks already designated as G-SIBs by the Financial Stability Board (FSB) will be required to meet the principles by January 2016, both at a group level and as each individual bank. Banks subsequently designated as G-SIBs in one of the FSB's annual updates will be required to comply within three years of their designation, according to the document. Those G-SIBs subject to the 2016 will be expected to begin implementing the principles immediately, and both national supervisors and the Basel Committee will monitor and assess their progress.