BCBS 239, what is it? What does it require? How to be compliant?

BCBS 239 is a set of Principles to strengthen the risk data aggregation and facilitate the resolution of banking crises.

The 2007 global financial crisis exposed the fragility and inadequacy of corporate data management models, highlighting severe shortcomings in banks’ ability to identify and mitigate risks effectively. The proper aggregation of risk exposures and the ability to detect risk concentrations at various levels—group, legal entity, and operational unit—were essential requirements that many financial institutions failed to meet.

To address these gaps, in January 2013, the Basel Committee on Banking Supervision (BCBS) issued BCBS 239, a regulatory framework targeting global systemically important banks (G-SIBs). Developed by an international task force, this framework outlines key principles to strengthen risk data aggregation capabilities and improve internal and external risk reporting processes. Banks identified as G-SIBs were required to comply with these principles by January 2016.

In April 2020, the Basel Committee published an update titled Progress in Adopting the Principles for Effective Risk Data Aggregation and Risk Reporting. This document provides further guidance and an assessment of the implementation status of the regulation at that time.

However, BCBS 239 is not limited to G-SIBs. The Basel Committee has strongly recommended that national supervisory authorities apply the same principles to domestic systemically important banks (D-SIBs), granting them a three-year compliance window following their designation.

Regulation objectives: strengthening risk Data Management in banking

The primary goal of BCBS 239 is to enhance banks’ ability to aggregate risk data effectively, ultimately strengthening their crisis management capabilities and minimizing the impact of financial disruptions.

As outlined in the regulation, a robust risk data management system plays a crucial role in the recovery framework. It empowers both banks and regulatory bodies to anticipate potential issues, proactively mitigate risks, and explore viable solutions to restore financial stability. For instance, better risk data management can increase the likelihood of identifying a strategic merger partner, ensuring a smoother resolution for banks in distress.

Beyond compliance, aligning with BCBS 239 offers significant benefits, including improved operational efficiency, a reduced likelihood of financial losses, enhanced strategic decision-making, and, ultimately, greater profitability. By investing in strong risk data aggregation and governance, banks can not only meet regulatory requirements but also drive long-term business resilience and competitive advantage.

Key principles for effective risk Data Aggregation and Reporting

BCBS 239 establishes essential principles to enhance financial risk management and improve data-driven decision-making in the banking sector. These principles ensure that risk data is accurate, timely, and actionable, enabling financial institutions to maintain stability and regulatory compliance.

The fundamental principles include:

• Completeness, Integrity, and Granularity – Risk reporting systems, both internal and external, must comprehensively cover all major risks a bank is exposed to. They must operate efficiently, maintain high Data Quality standards, and incorporate robust control mechanisms to ensure accuracy.
• Governance and Oversight – Top management and risk committees should receive an annual assessment on the bank’s alignment with BCBS 239 principles, including data completeness, quality, and reporting timeliness. Any significant compliance gaps must be addressed through a structured remediation plan.
• Adaptability and Crisis Response – A bank’s risk reporting system must be flexible and responsive, capable of adapting to financial crises or addressing urgent regulatory requests. Whether triggered by market volatility, internal developments, or supervisory mandates, the system must ensure real-time, accurate reporting to support rapid decision-making.

By adhering to these principles, banks can not only meet regulatory expectations but also strengthen resilience, improve operational efficiency, and mitigate financial risks effectively.

On what focus points should we base a methodology to achieve regulatory compliance?

We identify three key points:

GOVERNANCE AND IT INFRASTRUCTURE

Strengthening the current Data Quality Framework and its system of controls by:

• extending Data Governance to the activity of risk data processing and the preparation of the related reporting
• developing the IT architecture towards supply chain integration and efficiency in preparing the reporting

RISK DATA AGGREGATION CAPABILITIES

Banks should be able to monitor financial risks in a reliable way via:

• overseeing data accuracy and integrity while minimizing manual intervention
• constant and complete updating of the data
• adaptable and flexible data to meet the specific requirements

RISK REPORTING PRACTICES ENHANCEMENT

Ensure the data is available for the right people at the right time via:

• data accountability, guaranteed by Data Governance
• reporting accuracy
• completeness, clarity, and timeliness of the reports
• creating cooperation tools for the various automated business actors

But what to do in practice?

The first recommended activity is to identify the scope of analysts of the data related to the greatest banking risks. For the above mentioned principles to take root, it is essential to define and apply the criteria that determine the data application perimeter of the regulation. The aim is to prioritize the most relevant actions for different types of risk:

• credit risks
• financial risks (liquidity and rate) and operational risks

Another useful criterion in the intervention perimeter is the reporting present within the Bank:

• Management reporting
• Regulatory reporting (e.g., FINREP, COREP, etc.)

The second recommended activity concerns risk architecture recognition, or mapping the main application systems relevant in the data life cycle (e.g., Datamart ALM or General Ledger, DWH, Loans, etc.). This step is fundamental as it prepares the activities of critical data analysis, in particular, for the data mapping and in the data life cycle. Involving the Risk Management would allow to identify the various local systems, intermediate preparation and data consolidation systems and point out the interchanges of data streams.

Once all the data in the analysis perimeter is identified, we can proceed to establish the list of the most critical data and the detailed logic of identifying and prioritizing the data. This skimming of critical data happens by analyzing of data relevance. It is usually conducted according to criteria of significance as well as the findings of the Business and IT teams involved in the analysis.

Significant data of highest priority could be, for example, “the economic activity code, Tax ID, Client ID, the probability of default, the approved granted amount, etc.”

Finally, with this data one can proceed to:

• define common nomenclature and semantics, transversal to the bank structures by a single data item
• collect all the data necessary to define the data lineage for critical data (applications, controls, streams, etc.)
• sum up the collected information from the analysis of data lineage and make it graphically available to allow a more accurate and useful knowledge of the data life cycle
• summarize all the quality controls traced by an individual data item from different structures. It is useful for creating a unified control dictionary
• verify the consistency of the data with the BCBS 239 principles. It would allow to prioritize areas for improvement and identify the most critical data
• identify the corrective actions for filling the functional gaps identified during the analysis and make the data conform to BCBS 239.

Why choose Irion?

For years, Irion has been supporting banking clients in achieving regulatory compliance. We do so by speeding up the activities that the data management process requires and supporting effective collaboration between the worlds of IT and of business. Irion EDM facilitates the sharing, collaboration, and optimal data management as well as the automation of operational processes through the clear traceability of the entire data lifecycle and the production of BCBS239 reporting for audit purposes. If your needs relate to regulatory reporting, and not just risk data, then Irion is for you! Our experience is at your disposal. Request a demo.

We can help you with:

• powerful control engines that perform 2.5 million controls per minute, verifying over 60 million records;
• a flexible and collaborative Data Quality Governance system so that different data specialists can interact;
• an effective system to manage poor data quality issues and remediation;
• a module that allows to adopt the already tested metrics or to define, calculate and analyze any type of indicator on any type of business process;
• automations that generate technical rules based on metadata in a smart way and in a few seconds;
• the cutting-edge technologies, such as artificial intelligence and machine learning, included into the platform. For example, they can suggest the most fitting Business controls
• the automatic verbalization of technical rules to facilitate interaction between business and IT users; constantly updated documentation;
• dashboards for continuous monitoring;
• an ideal Data Lineage and impact analysis tool. It provides a graphical interactive representation of the relationships between data;
• it can quickly manage millions of data
• and much more…

Learn how other successful organizations have already started their transformation through practical examples.

Would you like to delve into the key updates from the July 2023 consultation, learn how to ensure BCBS 239 compliance, and explore measures to improve risk data aggregation and risk reporting? Download the free whitepaper available on your right!