As banks move to meet international Basel II mandates, they find compliance to be difficult but not without rewards
Financial institutions are grappling with complex data-integration issues as they aim to comply with the Basel II framework, an international agreement that places specific requirements on how banks compute the risk associated with their assets. U.S. companies have until January 2008 to comply with the framework, but given the amount of work involved, it will be a race to the finish.
Basel II was approved last year by the Bank for International Settlements, the governing body of the world's central banks. It's intended to motivate banks to upgrade and improve their risk-management systems, business models, and capital strategies by requiring that regulatory capital--the funds banks must set aside to cover losses from bad loans or other problems--be computed based on the riskiness of a bank's assets. Central to this approach is letting banks create internal ratings systems for grading loans and other financial instruments and develop advanced measurement approaches for operational risk such as the likelihood of losses caused by unpredictable events.
The benefits of compliance extend beyond satisfying regulators. "A good internal rating system that's able to predict default helps us in developing a good credit process," says Giovanni Parrillo, director of credit risk management at Italy's Banca Nazionale del Lavoro.
Yet, as banks get into the nitty-gritty of Basel II, they're finding the road to compliance difficult and costly. In a recent survey by Accenture of executives at 63 of the largest financial institutions in North America and Europe, 45% say they expect to spend more than $60 million through 2007 on Basel II compliance. Of that spending, 36% will be on IT systems and interfaces.
U.S. regulators have determined that only the largest institutions, those with the greatest international presence, must adopt Basel II. Regulators say they expect to have rules for compliance in place early next year; in the meantime, they've urged financial institutions to proceed with Basel II implementation efforts.
Merrill Lynch & Co. has built a data warehouse called Architecture for Regulatory, Credit, and Treasury Consolidation to collect detailed data on financial instruments in its balance sheet. "Basel II requires collecting detailed information about each asset on the balance sheet," says Marc Baumslag, Merrill Lynch's chief technology officer for liquidity and risk technology. "Immediately, you've raised the bar on the information and detail you need to accurately compute capital."
Merrill Lynch is reengineering its systems and workflow used for computing credit ratings. Under Basel II's advanced internal-ratings-based approach, banks need to compute a dual rating for each asset on their books: One rating is the borrower's likelihood of default, and the second is the bank's expected loss-given-default. For example, if a company defaults on its bonds, bondholders might expect to recover 35% of the bond's value; holders of riskier instruments such as derivatives might only expect to recover 30% of the value.
Merrill Lynch has computed loss-given-default for all of its borrowers and is evolving its workflow to make it part of what credit analysts do on a daily basis. "We have to rethink all of our applications and figure out how to compute credit risk in terms of losses rather than exposures," Baumslag says.
To do so, Merrill Lynch is testing a homegrown "regulatory analytics engine," which uses Microsoft database technology and input from Merrill Lynch's data-warehouse system to compute the risk-weighted assets and capital for each segment of Merrill Lynch's portfolio. The system uses data-mining software to allow financial analysts to perform what-if analyses.
European Style
In Europe, banks have until January 2007 to be in compliance with Basel II. Banca Nazionale del Lavoro began developing its internal-ratings-based credit system in 2000, four years before the Basel II framework was adopted. "We realized early on that we needed a system of internal ratings based on statistical models," BNL's Parrillo says.
Its first step was to create a data warehouse using technology from SAS Institute Inc. to store and analyze risk-related data. It loaded the warehouse with historical data on 120,000 business clients and used statistical techniques to calculate credit scores for each client.
The credit-risk model has moved out of the development stage, and BNL's IT department is testing it before placing the system into production by the beginning of 2007. The system is subject to approval by the Bank of Italy, Italy's central bank and BNL's primary regulator.
BNL has realized business benefits from its Basel II effort. The company reduced the average probability of default on its portfolio by 10% in the first six months of this year. It also has an early-warning system. When the internal ratings for a client begin to deteriorate, the bank automatically reduces its exposure to that client and forestalls losses.
Austrian bank Erste Bank Group plans to fulfill its Basel II requirements in time for the January 2007 deadline. It has built a data warehouse using IBM's DB2 technology but plans to switch to Oracle next year, because it provides a lower total cost of ownership, says Guenther Kraehan, Erste Bank's Basel II project manager. SAS Institute provides the data-analysis software.
Erste Bank is spending a huge amount for Basel II compliance, Kraehan says, and other development work has been sidelined as a result. But the business benefits will justify the cost: In addition to lowering its capital requirements, the bank will be able to feed risk information to its sales and marketing departments, letting them make better-informed decisions about the creditworthiness of customers.
Global Effort
ING Direct, the retail-banking subsidiary of the Dutch ING Group, has been working on Basel II compliance since early 2004, says Mark Gibbons, head of risk management for ING Direct in the United States. For Basel II compliance, it's using a data repository it built five years ago when the U.S. unit began operations. All of the relevant credit and operational risk data are in the warehouse, and the bank is testing statistical models against this data. The work done in the United States parallels Basel II compliance efforts by units in other countries and ING Direct's parent company.
Since ING Direct is relatively new, it had little historical data on loan defaults, so it supplemented its own data with data from external sources to create a system for predicting defaults. "We've used statistical techniques to compare the characteristics of our loan portfolio with industry data in order to forecast losses," Gibbons says. The work is being carried out by a cross-functional Basel II team composed of people from the IT, finance, risk, and credit departments. The team still has a significant amount of work to meet the 2007 deadline, Gibbons says. "Getting to Basel II is a challenge."
Protiviti Inc., a risk consulting firm, has developed an operational-risk extension for its Governance Portal platform, an integrated system for compliance with Basel II, Sarbanes-Oxley, and other regulations. The Operational Risk Management Portal extension is designed to minimize losses by increasing the visibility of operational-risk exposures and by managing the assessment and effectiveness of controls that can mitigate such exposures. The portal includes modules for risk self-assessment, loss events, and capital allocation. "We offer a broad platform focused on an integrated approach for Sarbanes-Oxley and Basel II," says Scott Gracyalny, Protiviti's managing director of risk-technology solutions.
With so much work to do ahead of the approaching deadline, Basel II will be a major distraction for the financial industry in the next few years. Stay tuned for further developments as the deadlines draw near.