Basel II: legal implications for the IT sector

16 August 2005

Lous Vervuurt, Jeroen van der Lee


This article discusses the implications of the Second Basel Capital Accord (“Basel II”). It specifically focuses on the changing IT environment for banks and financial institutions, and the legal implications of this. Firstly, we will briefly outline the background of Basel II.

The Basel Capital Accords

The Basel Committee on Banking Supervision (“Basel Committee”) was established in 1974. This Committee formulates broad supervisory standards and guidelines and recommends statements of best practice. The Basel Committee has members from thirteen countries including The Netherlands. Each country is represented by its banking sector supervisory authority (The Netherlands is represented by the Dutch Central Bank, De Nederlandsche Bank N.V., “DNB”). The Basel Committee is not a formal supervisory authority and the recommendations of the Basel Committee have no legal status. However, in practice the agreements concluded in Basel are implemented both nationally and internationally.

In 1988 the Basel Committee adopted the first Basel Capital Accord (“Basel I”). It was the first comprehensive international accord regarding compliance by banks with applicable capital requirements. Basel I was also implemented in many non-participating countries. The so-called “BIS-Ratio” for example has become the generally accepted solvency standard for financial institutions worldwide.

Basel II is a completely new capital accord which was officially published in June 2004 by the central banks and the financial supervisory authorities of the G-10 countries. In brief, Basel II provides for a differentiation of capital requirements for banks and other financial institutions to account for the differences in size of these institutions. Basel II provides an advanced and sophisticated system leading to better understanding of the relationship between risk and investment. Particularly important for the IT sector is the fact that Basel II also sets requirements for the control of risks from people and systems, inadequate or defective internal processes, or from external circumstances (such as human errors, system errors or fraud). It should be noted that Basel II is not particularly disadvantageous for the financial sector; proper compliance with Basel II may in fact be beneficial, since a bank may be subject to a lower capital requirement if it can demonstrate its risk investment is adequate.

Basel II is not legislation itself but will be implemented in the EU by Directives.[1] The EU has announced that these Directives will come into force by the end of 2006. In The Netherlands, DNB is preparing to implement new standards. DNB is organising consultations with market parties in order to obtain their input.[2]

It is important that banks start to prepare for the implementation of Basel II as soon as possible. Basel II will take effect from the beginning of 2007, and banks and financial institutions will be required to use their data from the previous two years. Therefore the systems for recording this data are required to function as soon as possible. However, a study by KPMG covering 294 banks in 38 countries at the start of 2004 revealed that many banks were behind schedule in respect of their preparation projects. At the time of the study, half of the banks were still making an initial assessment of what should be done.

Basel II: the legal implications for the IT sector

For most banks and financial institutions, the implementation of Basel II involves a considerable adjustment to IT systems. Automated systems are the most appropriate way of implementing the new rules of risk assessment, data management and reporting. Data management in particular is regarded as one of the most important challenges in implementing Basel II. The development of internal rating systems connected to external databases with information about countries, banks and companies will play an important role. To allow the assessment of the risk of loss or failure in real-time, the current systems for risk management must be reviewed, redeveloped and made compatible with external systems. Furthermore, Basel II will lead to a centralisation of data. Attention will have to be paid to the filing of this data and the computerisation and flexibility of the reporting systems.

The implementation of Basel II should be regarded in combination with a range of different laws and regulations, ranging from company law (e.g. Sarbanes-Oxley) to privacy and data protection, anti-discrimination rules, competition law, accountancy standards, and health and safety rules.

The IT market must, therefore, be prepared for not only the technical but also the financial implications of Basel II: it has been forecast that a total of at least $4 billion will be spent on software and services in the run up to the implementation of Basel II. There is also a lot of legal work to be done.

The most important legal question will be who is to be responsible for the costs of making the IT systems of a financial institution compliant with Basel II. If a financial institution has outsourced its systems, it may expect the service provider to be responsible. It is, therefore, advisable for both financial institutions and IT companies to review their contracts in this respect.

In addition, new and existing contracts should also be reviewed from the perspective of system procurement, integration projects, maintenance and disaster recovery. IT suppliers should check whether systems they have supplied are Basel II compliant. This is particularly important when an IT contract stipulates which party is responsible for systems complying “with applicable laws and regulations”. If the responsibility is with the IT supplier, then the supplier must ensure that the system will comply with Basel II.

Furthermore, banks and financial institutions will have to check how liability is apportioned in their IT contracts: apportionment of liability forms part of the operational risk analysis of a bank or financial institution. If liability for damages caused by computer systems rests with the bank, that bank will have to maintain additional capital to cover the risk. If the risk is on the supplier’s side, the bank will be subject to a smaller capital requirement. If the risk falls on the bank but adequate disaster recovery is in place, lower capital requirements might apply.

Clauses regarding warranties, termination and intellectual property rights are also important. If an IT contract can be terminated by the supplier at short notice or if intellectual property rights do not vest in the bank, this may have implications for the applicable capital requirement.

Reporting and data storage are also important: organisations must assess which reporting obligations and data storage obligations for risk management apply, and whether the current systems meet requirements. Supervisory authorities may exercise control; systems must therefore enable audits, even if they have been wholly or partially outsourced. At the time of writing it remains unclear how supervisory authorities will organise control, and this is therefore hard to anticipate.


To conclude, much work must be done in both the legal and the IT fields before Basel II is implemented. Implementation of Basel II is considered to be the biggest IT challenge since Y2K. However, unlike Y2K, it is clear that there will be significant implications for daily business operations. Financial institutions that are obliged to comply with Basel II or that will comply on a voluntary basis will in the long run certainly obtain benefits in terms of money, time and people. These benefits will go beyond compliance with the capital accord itself.

Banks and financial institutions have not yet received guidelines on the way in which they will be required to report to their supervisory authorities. DNB’s consultation is still in progress. The trial run for Basel II will take place next year. Only when banks and financial institutions know in which way reporting is to take place, will it be possible to closely examine the IT side. For IT service providers, the challenge is that they have the opportunity to approach new markets and customers by developing specific products. Even before its implementation, Basel II will lead to much work and investment. The financial markets are dynamic, and constant new trends place burdens not only on the institutions involved but also on those enabling the work, such as IT developers and suppliers. The goal to be pursued is in everyone’s interest: trust in the financial system. As DNB states: “trust comes gradually but runs fast!”[3]

The author can be contacted by email: Jeroen van der Lee.


[1] Directive 2000/12/EC, and Directive 93/6/EEC, the CAD III-Directive (Capital Adequacy Directive).

[2] See, where the consultation documents can be found.

[3] Prof.dr. A. Schilder R.A., DNB’s manager, in a speech to the Ondernemingskring Zaanstreek in Zaandam on 21 October 1999.