Banking's own Y2K?

By Iain Scott
Johannesburg, 19 May 2003

A banking accord may seem at first glance to be a dry subject, but the New Basel Capital Accord, or Basel II as it is known informally, is a major event in the banking world. So much so that in several quarters it has been referred to as this sector's own Y2K.

That appellation is unfair in many ways since Basel II, essentially a framework to make banks more accountable for ensuring provision of capital to cover default and risk, is not just a matter of replacing technology. But in some ways, particularly with regard to the seriousness and global extent of the issue, Basel II is similar to a Y2K event. And it certainly does have some significant technology implications.

The accord is to be implemented at the end of 2006, although banks should already have started preparation to overcome the many challenges they face, particularly in the area of information management. Yet overcome these challenges they must, since failure to comply with Basel II may have serious consequences. These include a loss of credibility, poor ratings, and a loss of business.

The need for Basel II

It is widely accepted that there is an urgent need for an updated regulatory framework for managing risk in the banking industry, particularly in the wake of such events as the collapse of Barings Bank and Daiwa Bank, Y2K, the September 2001 World Trade Centre attack, the Enron bankruptcy and, closer to home, the demise of Saambou Bank.

Ray Leonard, CEO of banking software group Global Technology (Glotec), says the main drivers behind ensuring that banks have adequate capital to cover their risks include the fact that banks are becoming bigger. In the US in particular, the number of banks has dropped sharply over the past decade as the larger banks have swallowed up their smaller competitors.

"Technology is also a driver. In the past banks met and exchanged paper cheques twice a day. The amounts involved were much smaller and cleared in local hubs and netted there. So the clearing risk was limited to local branches. Now cheques are cleared centrally and banks are netting and clearing around R1 billion." This means that credit risk is no longer limited to one area, but applies to the entire institution. Other drivers include a more sophisticated market, as well as internationalisation. "With moving money around on SWIFT [an international banking network] it creates a huge potential for risks with people you don't know," Leonard says.

The original Basel Capital Accord was drawn up by the Basel Committee on Banking Supervision in 1988. The Basel Committee is a group of central banks, bank supervisors and regulators that formulates broad supervisory standards and guidelines, and recommends statements of best practice. The recognition that the original accord was outdated led the committee to propose a replacement in 2001. The new version, Basel II, is set to be implemented worldwide at the end of 2006.

The document is weighty both in terms of its size and complexity, but in a nutshell it determines how much capital banks must set aside to cover unforeseen hazards. This it does by prescribing how to identify, measure, monitor and manage the full range of risks to which the banks are exposed. The greater the risk, the greater the amount of capital needed to cover it. Methods for calculation range from simple to advanced. In the area of credit risk, for example, there is a standardised approach, a foundation internal ratings-based (IRB) approach and an advanced IRB approach. There are built-in rewards for adopting the more advanced approaches, but banks have to meet various criteria to adopt those methods.

Checks and balances

Basel II has three main sections, referred to in the document as pillars. Pillar one deals with minimum capital requirements and involves methods used to calculate risk-weighted assets with regard to credit risk and operational risk. Pillar two involves a supervisory review allowing supervisors to review banks' capital adequacy positions relative to their overall risks and to take appropriate action. The third pillar, market discipline, outlines a set of disclosure requirements to allow market participants to assess key information about a bank's risk profile and level of capitalisation.

Failure to comply adequately with Basel II will have several implications. According to the latest consultative paper, "Supervisors should consider a range of options if they become concerned that banks are not meeting the requirements embodied in the supervisory principles outlined above. These actions may include intensifying the monitoring of the bank; restricting the payment of dividends; requiring the bank to prepare and implement a satisfactory capital adequacy restoration plan; and requiring the bank to raise additional capital immediately" (p. 144).

These actions may include intensifying the monitoring of the bank; restricting the payment of dividends; requiring the bank to prepare and implement a satisfactory capital adequacy restoration plan; and requiring the bank to raise additional capital immediately.

Third consultative paper, Basel Committee, Bank for International Settlements

Leonard says other consequences of inadequate compliance include a loss of business, since rating agencies will use Basel II's capital adequacy ratios when assessing a bank's credit rating, and corporates in particular are likely to take their cue from the ratings.

Although several IT companies have referred to Basel II as the banking industry's Y2K, this is not strictly true. Leonard points out that Basel II is not simply a technology problem needing a technology solution. That said, Basel II is certainly similar to Y2K in terms of the immensity of the implementation projects, the fact that there is a deadline, and the global scope. Basel II has considerable implications for technology and many IT companies have geared up to do business in this area. Atos KPMG Consulting director Alan Epstein says the bulk of IT spend will be around data, as banks without the right data will not be able to comply with Basel II's provisions.

"Some banks think they need to buy new technology, new databases and so on," he says. "But in fact they have a lot of it already. They may need SAS and others to help tweak things, but the need is in data mining, data analysis and so on, rather than hard boxes. They need to spend money on making data talk."

The quality of available data is a key concern. Banks will need to have a rolling five-year history of documented exposures to the client. Industry observers say the banks' information is inadequate at present to comply with the more advanced approaches of the accord, and much of the information they do have is in silos that seldom communicate with each other.

The data challenge

Andre Blaauw, Absa GM for enterprise-wide risk management, says data models and the structure of data warehouses across the enterprise remain the biggest challenge. "There are no off-the-shelf solutions that I am aware of, so we have begun a huge data mapping exercise and started building interfaces."

David Hodnett, director, group risk at Standard Bank, says there are several challenges around Basel II involving data and/or technology. For example, in the standardised approach to credit risk, which involves the use of ratings, the South African rating market is not developed, which means not many companies here have ratings.

"On the operational risk front, I think it's just that it's a very new area, so there's a lot of work to be done in this space and a lot of understanding still to be put into in terms of what people mean by the advanced approach. If you've read the accord, out of the 600 pages, 400 are on credit, and probably 100, if that, are on operational risk. It's not that precise. Credit is very clear."

However, in the foundation and advanced internal ratings-based approaches to credit risk, the main issue is around data "because you have to be able to calibrate a whole lot of things and back test. The easiest example to do is listed corporates in SA. How many defaults have we actually had in the last 10 years on our stock exchange? Probably a handful. We've had some big ones, but there's not been a lot. Now with that it's almost impossible to validate any models you put together to try predict defaults because you've got no defaults to back test it against, which is very different to the US and Europe, where there are so many companies and you're going to have more data to do it.

"A lot of people have used Standard & Poor's and Moody's data to calibrate the data because Moody's has obviously been keeping it for a long time. But once again, in our case, the question mark is: is that data valid for us, because that's based in the US, and it's all their history." He says there might be an element of industry co-operation required to pool data. "We are doing some work together, but not a lot at this point in time. Everyone's really at the beginning of the Basel II process. They're identifying where the holes are, what they have to do, though I think the work will pick up pace."

Tough fight

Lloyd Chisholm, GM financial services at SAP, says there will be a tough fight between IT companies for the Basel II space. While SAP sees SAS and Algorithmics as its main competitors, it cannot discount other players.

Kerry Evans, SAS Institute sales manager, financial services, says all IT players in the Basel arena will take a modular approach because banks already have several modules in the three Basel areas. The major consulting houses as well as companies such as EDS, Ascential, T-Systems and several others, are vying for a piece of the Basel pie.

"Many product vendors are using Basel II as an opportunity to sell their products," says Business Edge Systems director Hennie Pretorius. "Providers of business intelligence solutions have created frameworks that will assist banks with data analysis and reporting. Similarly, risk management consulting companies are proposing their software as the solution. Although these technology solutions will assist banks in ultimately complying with Basel II, there is no silver bullet."

Evans says while many banks view Basel II as a grudge purchase, much like Y2K, there is a strong business case for its implementation. Customer relationship management is a big focus as banks are aiming for a single view of the customer and even of a household, and Basel II facilitates this. Basel II compliance also has significance for marketing, as a single view of the customer allows the bank to assess spending patterns and market around that information.

Both Evans and Epstein say the accord offers banks an opportunity to increase profits, since it rewards banks that meet the conditions to adopt the advanced approach by allowing a lower capital provision to be put aside. Epstein says some of the larger banks could free up billions of rands through adopting an advanced approach.

According to Evans, a sophisticated analytical system will also fulfil legal and reporting needs other than those of Basel II, such as that required by King II and the new anti-money laundering legislation.

"Instead of investing in proprietary applications that address only the legal anti-money laundering requirement, banks should look at the bigger picture. They should treat the legal requirement as an opportunity to invest in a business intelligence solution that will not only address money laundering, but that goes far beyond that to minimise risk throughout the business."

Where banks are now

"Clearly, none of the banks are ready now," says Chisholm. "Some would claim that with credit risk they have the basics right, for example doing credit rating at an advanced level, but in other areas they are not that complex. They have defined their strategy, and some have articulated it very well. They have identified risk areas and appointed committees for each area.

"The next phase deals with how to enable their strategy, and that's when they'll go to the major vendors. The challenge is: what do you take and not spend too much without compromising on the ideal architecture?" Chisholm, like many other IT players in this space, says banks are running out of time with regard to data.

"The difficulty is in the fact that most banks don't have data for five years," says Epstein. "They have three years' worth of data. But while they have always kept opening and closing balances, they have lost the information in between, so many of the banks are getting consultants in to see if they can reconstruct the data."

Blaauw says Absa is targeting the advanced approaches in Basel II in areas where the bank can meet the requirements for data. "Some data is not available - the industry is too small - so we'll have to tone down our aspirations to the foundation approach in those areas."

He says the Basel II implementation programme is a large and complex one. "But we have started with many models already, even before Basel II, so we didn't have to start from scratch." Absa also had the advantage of having brought several disparate systems together when it merged its four banks into one group in the 1990s.

Other banks did not want to go on the record, saying they did not want to commit themselves publicly to a particular approach at such an early stage. However, Absa's case seems to be the industry norm. Those taking this approach believe they will migrate to more sophisticated approaches as they meet the requirements later on.

Mission possible

Basel compliance is by no means a cheap exercise, although none of the banks are prepared yet to say how much it will cost them.

Says Hodnett: "Would this spend be taking place without Basel II? I would like to think so, because at the end of the day all Basel II is, is almost a best practice document. And that's the way we've approached it in the bank. We do have a Basel II steering committee, but you will not hear a project being spoken about as a project to be Basel II compliant. They are projects that we've said we need to run to improve our risk management process, and that's been the sign-off. Then we said OK, now if we follow best practice, then we should be following Basel. And we're doing that check now to make sure that the projects we've got under way do follow Basel."

Hodnett says risk management is getting more expensive anyway. "The nature of people is changing within risk management - you're having to hire a more actuarial, quantitative type of person. They don't come cheap." While banks are probably moving in the direction of Basel II anyway, Hodnett says it is perhaps making the spending requirements come more quickly. "Instead of being spread out over 10 years we're going to say if I want to be Basel II compliant I'm going to have to do it in five years.

"But this stuff is expensive. If you buy an operational risk model from overseas, these things go for $2 million to $3 million. If you want to buy a credit system, they go for R20 million to R30 million. But is it because Basel II is asking you to spend it? I'd like in the main to say no, we should be upgrading our systems anyway."

There seems to be no question, however, that banks in SA will meet the Basel II deadline, even if it means adopting a less sophisticated approach in areas where data quality is insufficient and moving to more advanced approaches later. On one thing all players agree: it will not be an easy ride.