���㣨Leyu����������

Governance

• Involvement of the Board and senior management in ‘business as usual�� processes and the adequate and proper definition of requirements around RDARR and how they align to BCBS 239 principles.
• Involvement of key internal functions and the adequacy and presence of an independent validation unit within data processes.
• Clearly defined and formalized documentation of the governance model (i.e., roles, responsibilities, and accountabilities for the board, management, and across all 3 lines of defense (LOD); policies, standards, and procedures), including mapping, ownership, and ongoing testing and monitoring of controls.
• Assessment of data risks associated with RDARR, with associated data risk taxonomy and minimum control requirements.

Data Universe and Tiering

• The scope of the “data universe�� including types of data and risk reports covered by the RDARR standard (e.g., models; metrics; regulatory, compliance and risk reporting).
• Data classifications, tiering, and risk ratings based on sensitivity, integrity, availability, and criticality.

Data Lineage

• Level of process automation and coverage of the entire data flow (e.g., to consolidate data from different business units / subsidiaries) as well as the accuracy and granularity of the data.
• Ability to trace and report on the relationship between data outputs and business processes, systems of record, and systems of origin.

Data Management and Quality

• Data management processes and controls (e.g., standardized data controls around access and authorization, quality and integrity, capture and usage, privacy and security, and sharing with third parties; understanding of data sources;) aligned with the data risk taxonomy and shown to be sustainable through a regular and robust control testing function.
• Data quality issue management and reporting (e.g., measurement of data risk exposures for key RDARR metrics and reporting).

BCBS

��

A progress report assessing 31 G-SIBs and their adoption of BCBS 239. The report indicates that although banks have made some notable improvements, weaknesses and challenges persist in fragmented IT landscapes and deficient risk data aggregation and reporting capabilities. Further, the report urges FS regulators to increase/intensify their supervision and enforcement in order to promote widespread RDARR compliance.

n/a

FDIC

Proposed new corporate governance and risk management guidelines outlining expectations for board and management responsibilities regarding risk management. Specifically, the proposal sets the expectations for “covered institutions�� to implement risk management programs that contain policies and procedures designed to ensure that their risk data aggregation and reporting capabilities are appropriate to their business size, complexity, and risk profile and support supervisory reporting requirements.

Expanded Risk Governance and Management: FDIC Proposed Guidelines

OCC

New policies and procedures to implement when considering supervisory and enforcement actions against banks subject to Heighted Standards that exhibit or do not correct “persistent weaknesses��. The Heightened Standards for risk governance frameworks address RDARR expectations for financial institutions to have “policies supported by appropriate procedures and processes, designed to provide risk data aggregation and reporting capabilities appropriate for the size, complexity, and risk profile of the covered bank, and to support supervisory reporting requirements��.

Bank Supervision: OCC “Persistent Weaknesses��

��