Snippet: What is BCBS 239?

BY JUSTIN ARBUCKLE

Why should DevOps care about BCBS 239? These rules, which many of you may be in the middle of implementing, will create additional internal oversight requirements for how data is used and transmitted within the development process.

BCBS 239 is the Basel Committee on Banking Supervision's set of rules for effective risk data aggregation and risk reporting.

Although many of the committee's provisions apply to what are known as ‘systemically important’ organisations (read: banks too big to fail), in practice there is great pressure on national central banks to ensure that all banks comply with these regulations.

Most relevant to us is Principle 2, which covers maintaining an auditable evolution of the controls that use risk data:

“Principle 2: Data architecture and IT infrastructure – A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.”

Specifically:

“…in partnership with risk managers, should ensure there are adequate controls throughout the lifecycle of the data and for all aspects of the technology infrastructure.”

Here are some important caveats from an IT point of view:

“All the Principles included in this paper are also applicable to processes that have been outsourced to third parties.”
The governance framework “should include agreed service-level standards for both outsourced and in-house risk data-related processes.”
“Independent validation… should be conducted using staff with specific IT data and reporting expertise…”

The Big Idea:

Ensure that you have effective practices for the creation, obfuscation and migration of data in your development process, because the scope of data that matters to risk reporting will increasingly extend to a wide range of transactional data.