Why BCBS 239 Compliance is essential in 2025

Regulatory authorities’ patience is running out.

In brief

• BCBS 239 compliance is essential for banks to enhance operational efficiency and meet evolving regulatory expectations.
  
  
• The ECB's RDARR Guide outlines critical requirements for effective risk data aggregation and reporting frameworks.
  
  
• Banks must address key challenges, including data lineage, independent validation functions, and the integration of technological solutions.

Since its publication in 2013 with an initial expected implementation target of early 2016¹, significant developments have occurred regarding BCBS 239 for Banks. Thematic reviews and on-site inspections across Europe have revealed an “unsatisfactory” implementation status. Multiple interpretations exist across the sector, and many Banks have taken short cuts where possible. To both clarify and reinforce its supervisory expectations, the ECB issued the Risk Data Aggregation and Risk Reporting (RDARR) Guide in May 2024.

Why does BCBS 239 remain a top priority in 2025?

Most Large Banks have undergone on-site inspections and are aware of its importance; however, we have observed two key developments that underscore the top priority of BCBS 239 compliance.

Remediation of “deficiencies in risk data aggregation and reporting” has been defined as the ECB’s number two priority for 2025-2027

It is for a reason that the ECB included remediation of “deficiencies in risk data aggregation and reporting” among its top supervisory priorities for 2025-2027². The ECB urges Banks to address long-standing deficiencies and establish adequate and effective RDARR frameworks, to support efficient steering by management bodies and to address supervisory expectations, including in times of crisis.

ECB notes that Banks which unlock the full potential of BCBS 239 capabilities, can enhance their operational efficiency and increase resilience. Access to high-quality governed data is also essential for harnessing innovative technologies such as Artificial Intelligence and advanced analytics to develop innovative products and services.

As part of its supervisory priorities work program, the ECB has announced targeted reviews of RDARR practices, on-site inspections, and annual questionnaires as key activities. The ECB enjoins the Banks to “step up their efforts” under the penalty of “triggering escalation measures” if they fail to meet supervisory expectations.

ECB’s prescriptive RDARR Guide sharpens expectations

Following an initial draft in July 2023, the final RDARR Guide was published in May 2024. This Guide outlines requirements for effective Risk Data Aggregation and Risk Reporting, shares industry best practices, and reinforces supervisory expectations for BCBS 239. Recognizing the primary cause of insufficient RDARR progress, the Guide emphasizes the role of the management body and effective implementation programs.

Some key pointers³:

• The Guide holds the management body accountable for the implementation of effective and prudent governance arrangements. “Deficiencies in these areas may also lead to a reassessment of the suitability of the responsible members and, in severe cases, the removal of such members.”
  
  
• The Guide prescribes that the RDARR framework should be owned by at least one member of the management body. It mentions the appointment of the Chief Risk Officer (CRO), or the CRO together with the Chief Finance Officer (CFO), as a “pragmatic solution”.
  
  
• The Guide also provides guidance on the second and third lines of defense as independent validation functions that “should perform regular assessments of the institution’s RDARR capabilities for material entities and risk types”.
  
  
• The Guide is more precise on the (expanding) scope of the reporting to be included in BCBS 239 programs, clearly stating that supervisory reports, such as COREP, FINREP or model and ESG data should be included as well.
  
  
• The Guide requires complete and up-to-date data lineage at the data attribute level - starting from data capture to final reporting.
  
  
• The Guide defines four key dimensions of data quality controls in implementation programs: (1) Accuracy, (2) Integrity, (3) Completeness and (4) Timeliness, and requires the establishment of a concrete register for data quality issues and limitations.
   

So, how can you elevate your BCBS 239 Compliance efforts?

Let us tie that to some common themes we observe our clients struggling with:

Establish an effective implementation program: The program should help the Bank make a leap towards regulatory compliance, solve material deficiencies, and position the Bank for future success.

• Struggle: Management bodies struggle with the set-up of effective implementation programs, leading to unsatisfactory progress, unclear scope, and a lack of focus and prioritization. We observe CROs and CFOs being concerned about managing the full chain from data capture to (regulatory) report across domains. This results in outputs where value-add can seem questionable at times.
  
  
• Improvement: Design a BCBS 239 program with a clear and realistic ambition level in terms of scope and level of compliance. It is essential that the program, along with its transition to Business-as-Usual (BaU), is prioritized by the management body, with clearly defined responsibilities assigned. A strong mandate with solid program management at the core, and validated commitment from involved stakeholders to ensure effective multidisciplinary teams. Ensure that execution is clearly measurable by defining KPIs, allowing for progress reporting and effective program steering. Value-add should be prioritized at all times: The results of the program should add value to the Business, be maintainable, and technology-driven where possible. This ensures a smooth transition to BaU when the program ends.

Establish an Independent Validation Function (IVF): A critical aspect of BCBS 239 is the establishment of an IVF within the second line of defense, which plays a pivotal role in managing risks effectively and independently.

• Struggle: Management bodies struggle with establishing an IVF as an independent second Line function that challenges the compliance status. IVFs find themselves not adding value to the BCBS 239 program and standing organization, missing clarity in responsibilities and frameworks, and lacking mandate to operate.
  
  
• Improvement: Develop an assessment framework to evaluate the maturity of your IVF. Ensure that your framework includes dimensions such as Organizational Design, Tools and Technology, and Processes and Controls, apply it regularly and implement improvements.

Implement Effective Data Lineage: Robust data lineage is another critical aspect of BCBS 239 Compliance, requiring both horizontal and vertical visibility across a Bank's data flows.

• Struggle: Many Banks struggle with the complexities of establishing effective data lineage. Without a well-defined framework, organizations often face confusion regarding lineage expectations. The coexistence of legacy and target state systems further complicates matters, as Banks must navigate the transitional period in the context of supervisory pressures. The variety of technologies used within Banks also makes implementing end-to-end lineage challenging, as the choice of technology can significantly impact success. Some Banks resort to manual documentation to meet deadlines, which raises maintainability concerns and creates a need to balance immediate remediation efforts with sustainable, future-proof activities.
  
  
• Improvement: To enhance value-adding data lineage efforts, Banks should develop a comprehensive framework with clear expectations and responsibilities. Thoroughly analyzing and investing in technology can streamline the documentation process and improve maintainability. Investigating ongoing efforts, such as existing control frameworks in the business, can help identify areas where the need for extensive end-to-end lineage documentation could be minimized. Engaging with regulators is crucial when identifying these potential efficiencies. Finally, regular assessments of data lineage maturity (e.g., by the IVF) will help identify gaps and areas for improvement.

Manage and sustainably govern Key Risk Indicators (KRIs) and Critical Data Elements (CDEs): KRIs provide essential metrics for monitoring and managing risks, while CDEs ensure the accuracy, consistency, and reliability of data necessary for effective risk data aggregation and reporting.

• Struggle: The recent RDARR guidance demands that KRIs should cover at least the Bank’s risk appetite indicators, as well as material risk types such as capital risk, solvency risk, and liquidity risk. The set of KRIs depends on the risk profile of the Bank and should be defined autonomously. Beyond this challenge of identifying the appropriate KRIs, Banks face considerable difficulties in linking each KRI to its corresponding CDE(s) and managing them consistently throughout the business processes.
  
  
• Improvement: Start with assessing the current governance mechanisms and your KRIs, and subsequently categorize the KRIs into three levels: Strategic (e.g., for an Executive Committee audience), tactical (e.g., for a Group Risk Committee audience), and operational (e.g., for a day-to-day manager audience). Document the grouped KRIs and relate the respective CDEs to them in a centralized library. This process necessitates collaboration between KRI and CDE owners, along with the implementation of solid governance measures such as automated data validation and traceability mechanisms. Guidance on the collaborative efforts of KRI and CDE owners should be articulated in a formal policy, with oversight provided by a BCBS 239 (Implementation Program) Manager. Many Banks also adopt the concept of ‘data products,’ which groups CDEs into a meaningful dataset.

Embrace technological solutions: Leveraging technological advances is crucial for data management, aggregation, analytics, and reporting capabilities, thereby supporting BCBS 239 Compliance.

• Struggle: Many Banks face the complexity and cost of integrating (legacy) technology, data management and reporting systems, while ensuring data accuracy, consistency, and governance across these diverse systems. Next to integration struggles, as mentioned before, some Banks are currently conducting parts of BCBS 239 in a manual fashion (e.g., data lineage exercises). This paves the way for rigid data pipelines, complicating BCBS 239 compliance and resulting in low maintainability in general.
  
  
• Improvement: Invest in scalable and flexible metadata management tooling and adopt an integrated implementation approach in alignment with your Enterprise Architect, such that it fits your current data landscape. If your landscape is mainly based on one of the major public cloud vendors (e.g., Azure, GCP, or AWS), their respective metadata management tooling (e.g., Microsoft Purview, Google Cloud Data Catalog, or AWS Glue Data Catalog) may be a suitable choice. If the landscape is more scattered, dedicated metadata management vendors (e.g., Alation, EDC, or Collibra) are well-integrated across systems and provide a wide spread of features. When choosing a metadata management tool, investigate its capabilities in business vs. technical metadata, data lineage, workflow management, data governance and integrations with data quality tooling. This will facilitate the realization of key improvements through technology, including enhanced implementation speed, increased efficiency, greater flexibility, and improved maintainability.