BCBS 239 2025: Principles for Effective Risk Data Management and Reporting

Updated November 6th, 2024

Share this article

BCBS 239, issued by the Basel Committee on Banking Supervision in 2013, establishes risk data aggregation and reporting principles for global banks. It aims to improve decision-making and risk management by ensuring accurate, comprehensive, and timely data. Banks must adhere to 14 principles across governance, risk data aggregation, and risk reporting to enhance stability, particularly during times of stress.
See How Atlan Simplifies Data Governance – Start Product Tour

BCBS 239 instructs financial institutions on improving financial stability by optimizing their risk management practices. This regulation from the Basel Committee on Banking Supervision demands a cultural shift towards data governance, data quality, and transparency, while recommending the use of technology to ensure regulatory compliance.

BCBS 239 consists of 14 principles divided into four main sections:

  1. Overarching Governance and Infrastructure: Ensuring a strong data governance framework.
  2. Risk Data Aggregation Capabilities: Enhancing data accuracy and completeness.
  3. Risk Reporting Practices: Requiring timely and comprehensive risk reporting.
  4. Supervisory Review, Tools, and Cooperation: Encouraging supervisors to monitor compliance and enhance banks’ infrastructure and practices.

These principles help banks strengthen their ability to respond to risks effectively by ensuring data consistency and quality.

This article explores the key principles and requirements of BCBS 239, challenges, and an implementation strategy to ensure compliance.

Table of contents #

  1. What is BCBS 239?
  2. What are the benefits of implementing BCBS 239?
  3. What penalties do banks face for BCBS 239 non-compliance?
  4. What are the 14 key principles of BCBS 239?
  5. Challenges in implementing BCBS 239
  6. Implementation strategy for BCBS 239 compliance
  7. Atlan for BCBS 239 compliance
  8. Bottom line
  9. FAQs about BCBS 239
  10. BCBS 239: Related reads

What is BCBS 239? #

BCBS 239 is a set of principles published by the Basel Committee on Banking Supervision (BCBS) – a global committee of representatives from central banks and supervisory authorities.

It was originally published in January 2013 and since then, the Committee has published eight reports on banks’ progress towards full implementation. BCBS 239 principles were expected to be implemented by the beginning of 2016.

Who do BCBS 239 principles apply to? #


BCBS 239 primarily applies to banks designated as Globally Systemically Important (G-SIBs). It can also be applied to Domestic Systemically Important Banks (D-SIBs).

What is the objective of BCBS 239? #


The main objective of BCBS 239 is to:

  • Strengthen the data governance frameworks across banks
  • Enhance risk data aggregation capabilities
  • Improve internal risk reporting practices of banks

BCBS 239 defines ‘risk data aggregation’ as follows:

Defining, gathering and processing risk data according to the bank’s risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite. This includes sorting, merging or breaking down sets of data.” - BCBS 239

What is the history of BCBS 239? Why was it introduced? #


BCBS 239 places a particular focus on transparency and accountability, addressing gaps identified during the 2007-2008 financial crisis.

One of the biggest lessons from the 2007-2008 global financial crisis was that “banks’ information technology (IT) and data architectures were inadequate to support the broad management of financial risks.”

Many banks had significant shortcomings in their risk data aggregation capabilities and risk reporting practices. This affected their ability to spot risk exposures quickly and accurately, adversely impacting the banks as well as the stability of the global financial system.

In 2013, BCBS 239 was introduced to address these shortcomings by promoting standardized risk data management practices and creating a foundation for more resilient, transparent, and accountable financial institutions.

What are the benefits of implementing BCBS 239? #

According to the BCBS committee, implementing BCBS 239 principles can:

  • Increase the business value generated by banks
  • Enhance banks’ infrastructure for reporting key information, particularly that used by the board and senior management to identify, monitor and manage risks
  • Improve the decision-making process across a banking enterprise
  • Enhance the management of information across legal entities, while facilitating a comprehensive assessment of risk exposures at the global consolidated level
  • Reduce the probability and severity of losses resulting from risk management weaknesses
  • Improve the speed at which information is available, thereby speeding up decision-making
  • Improve a bank’s quality of strategic planning and the ability to manage the risk of new products and services

What penalties do banks face for BCBS 239 non-compliance? #

Currently, non-compliant banks receive supervisory follow-up letters and are subject to independent reviews by external auditors. However, the BCBS Committee recommends stricter actions on a case-by-case basis.

Such ‘forceful supervisory measures’ can include:

  • Capital add-ons
  • Restrictions on capital distributions or business activities
  • Other penalties/fines

What are the 14 key principles of BCBS 239? #

BCBS 239 is structured around 14 principles that focus on improving governance, risk data aggregation capabilities, and risk reporting practices within financial institutions. These principles are divided into four core categories:

Overarching governance and infrastructure

  1. Governance
  2. Data architecture and IT infrastructure

Risk data aggregation capabilities

  1. Accuracy and integrity
  2. Completeness
  3. Timeliness
  4. Adaptability

Risk reporting practices

  1. Accuracy
  2. Comprehensiveness
  3. Clarity and usefulness
  4. Frequency
  5. Distribution

Supervisory review, tools, and comparison

  1. Review
  2. Remedial actions
  3. Cooperation

Let’s explore each principle further.

Overarching governance and infrastructure #


Principle 1: Governance

This principle emphasizes the necessity for a strong governance framework to oversee risk data aggregation and reporting. It mandates that a bank’s board and senior management should actively oversee and support these processes, establishing clear lines of responsibility for risk management.

Principle 2: Data architecture and IT infrastructure

Banks need a well-designed, scalable data architecture and IT infrastructure that support consistent and accurate risk data aggregation.

This involves ensuring databases communicate effectively and systems are designed to capture, aggregate, and report risk data properly. It also includes setting up “integrated data taxonomies across the banking group.” This contains information on the characteristics of the data (metadata), use of single identifiers and naming conventions (for legal entities, customers, accounts, etc.).

Risk data aggregation capabilities #


Principle 3: Accuracy and integrity

Risk data must be accurate, reliable, and of high quality. This involves ensuring that there are no errors during the data collection, storage, and processing stages, and any discrepancies should be identified and addressed promptly.

As a pre-condition, BCBS 239 recommends:

  • Setting up a dictionary of the concepts used, such that data is defined consistently across an organization
  • Documenting and explaining all risk data aggregation processes
  • Measuring and monitoring the accuracy of data
  • Developing appropriate escalation channels and action plans to deal with poor data quality

Principle 4: Completeness

All relevant risk data must be captured and aggregated across the banking group to give a holistic view of its risk exposure.

Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.” - BCBS 239

This comprehensive approach enables banks to spot potential risk concentrations and emerging threats.

Principle 5: Timeliness

Risk data should be aggregated and reported promptly, ensuring that decision-makers have access to up-to-date information, especially during times of stress or crises.

The precise timing will depend upon:

  • The nature and potential volatility of the risk being measured
  • The criticality to a bank’s overall risk profile
  • The bank-specific frequency requirements for risk management reporting (under normal and stress/crisis situations)

Principle 6: Adaptability

The risk landscape is ever-evolving. So, banks must be flexible and able to meet diverse reporting requirements, including those that arise during crises or changes in regulatory expectations.

Adaptability should account for:

  • Data aggregation processes
  • Data customization catering to the end-user’s needs
  • New developments (internal and external) affecting a bank’s risk profile
  • Regulatory framework changes

Risk reporting practices #


Principle 7: Accuracy (in reporting)

Risk reports must accurately reflect the underlying data, offering a clear and truthful picture of the bank’s risk profile. A key BCBS 239 requirement to ensure accuracy is “maintaining an inventory of the validation rules that are applied to quantitative information.”

This inventory should explain and validate the conventions used to describe any mathematical or logical relationships.

Principle 8: Comprehensiveness

Reports should be comprehensive, covering all significant risks, which helps decision-makers understand the full scope of the bank’s risk exposure. Risk management reports should include:

  • Exposure and position information for all significant risk areas (credit risk, market risk, liquidity risk, operational risk)
  • All significant components of those risk areas (single name, country and industry sector for credit risk)
  • Risk-related measures (regulatory and economic capital)
  • Emerging risks (with adequate context on risk appetite/tolerance)
  • Recommendations for action, wherever necessary

Principle 9: Clarity and usefulness

Reports should be clear, concise, and tailored to the needs of the audience, especially senior management and the board, allowing for well-informed decision-making.

Reports should reflect an appropriate balance between detailed data, qualitative discussion, explanation and recommended conclusions. Interpretation and explanations of the data, including observed trends, should be clear.” - BCBS 239

Principle 10: Frequency

Reports must be generated regularly, with frequency adjusted according to the bank’s risk profile and external conditions. During periods of increased risk, more frequent reporting may be necessary.

Supervisors expect that in times of stress/crisis all relevant and critical credit, market and liquidity position/exposure reports are available within a very short period of time to react effectively to evolving risks.” - BCBS 239

Principle 11: Distribution

Risk reports should be shared with all relevant stakeholders, ensuring that the right people get the required information when they need it.

Supervisory review, tools, and cooperation #


Principle 12: Review

Supervisors should regularly assess banks’ compliance with BCBS 239.

Supervisors are allowed to test a bank’s compliance with BCBS 239 with occasional requests on selected risk issues with short deadlines. This helps them gauge a bank’s capacity to aggregate risk data rapidly and produce risk reports.

Principle 13: Remedial actions

If banks are found to have inadequate risk data practices, supervisory bodies should enforce corrective measures. This could range from asking for improvements to imposing sanctions.

BCBS 239 recommends that supervisors should have a range of tools at their disposal to address material deficiencies in a bank’s risk data aggregation and reporting capabilities, such as:

  • Requiring a bank to take remedial action
  • Increasing the intensity of supervision
  • Requiring an independent review by a third party (external auditors)
  • Using capital add-ons as both a risk mitigant and incentive

Principle 14: Cooperation

For banks operating in multiple jurisdictions, there should be cooperation between home (where the bank is headquartered) and host (where the bank operates) supervisory authorities.

This sort of cross-border supervisory cooperation ensures global oversight. It also encourages information sharing among regulatory bodies to promote consistent enforcement.

Bottom line: The fourteen principles of BCBS 239 underscore the critical nature of risk data aggregation and reporting in banking. Effective implementation of these principles ensures a resilient banking sector capable of weathering financial stressors and promoting global financial stability.

Challenges in implementing BCBS 239 #

While BCBS 239 provides a comprehensive framework, banks encounter several challenges when trying to implement its principles. Nearly ten years after the initial publication of the BCBS 239 principles and seven years after the expected date of compliance, the BCBS committee found that only two banks were fully compliant (as of November 2023).

These challenges often stem from existing infrastructure limitations, organizational culture, ambitious timelines, and the sheer scale of data governance required:

  • Legacy IT infrastructure and data architecture: Many banks struggle to adapt legacy systems to support real-time data aggregation and reporting. Diverse, fragmented IT infrastructure can create obstacles to integrating data across the bank, affecting the accuracy and completeness required under BCBS 239.

Several banks still lack a common taxonomy and complete data lineage, which further complicates banks’ ability to harmonize systems and detect data defects.” - Progress in adopting BCBS 239, November 2023

  • Insufficient organizational buy-in: Several banks established BCBS 239 adoption programs. However, such programs were often underfunded, limited in scope and lacking sufficient attention from boards of directors (boards) and senior management.

At certain banks, board and senior management lack awareness/attention to data issues, and therefore do not ensure appropriate budget, resources and accountability for risk data aggregation and reporting initiatives.” - Progress in adopting BCBS 239, November 2023

  • Lack of proper governance and clear accountability: Establishing clear governance frameworks is essential, yet many institutions lack defined roles and responsibilities for data management. This ambiguity can lead to inconsistent practices across the organization and hinder compliance efforts.
  • Inconsistent data quality: Ensuring high-quality, consistent data is a major hurdle for many banks. Discrepancies in data definitions, incomplete data sources, and varied standards across departments make it difficult to achieve the accuracy and completeness required for risk aggregation.
  • Adapting to new and emerging risks: The financial landscape is constantly evolving, introducing new risks that banks must consider. Keeping data frameworks current to accommodate these risks can be challenging.
  • Increased regulatory pressure and scrutiny: Increased regulatory oversight has placed additional pressure on banks to meet BCBS 239 standards promptly. Supervisory bodies may require banks to report rapidly during stress events, adding urgency to already complex compliance requirements.

Implementation strategy for BCBS 239 compliance #

Achieving BCBS 239 compliance begins with evaluating your data management maturity and enhancing it through a structured plan that delivers measurable ROI. Let’s look at some of the recommendations from the BCBS committee to elevate your data management efforts:

  • Ensure data transparency: Data transparency is critical to data management maturity. Build a transparent data estate to trace asset flows, identify and resolve quality issues, and maintain consistent reporting.
  • Strengthen governance frameworks: Bank boards should prioritize developing, implementing, and maintaining robust data governance frameworks.
  • Define data governance roles (end-to-end): Banks should ensure strong board and senior management ownership, establish clear lines of accountability. They should also support the setting up of dedicated governance committees and roles (data governance managers, stewards, etc.).
  • Establish clear data ownership: Banks should establish distinct ownership and accountability for data quality by designating data owners and fostering an enterprise-wide data culture. The BCBS Committee recommends presenting a standard set of key performance indicators (KPIs) to the board of directors to assess data quality for all material group-level risks.
  • Establish a compliance strategy: Regular compliance audits, internal reviews, and stress tests should be conducted to gauge adherence to BCBS 239 principles. Engaging with regulators proactively and addressing their feedback can also support ongoing compliance.
  • Define and maintain clear data taxonomies: A clear taxonomy helps in organizing data consistently. This involves defining data elements, their relationships, and hierarchies, ensuring that data from different sources can be integrated seamlessly.
  • Ensure end-to-end data lineage: A key component of BCBS 239 is maintaining data lineage—tracing data’s journey to understand the origins of the data used in regulated reports.
  • Prioritize data quality: Data quality should be at the forefront. This involves processes to detect and rectify errors, inconsistencies, or gaps in the data. Continuous monitoring can help ensure that data remains accurate, complete, and timely.
  • Upgrade technology and leverage automation: Modernizing IT infrastructure is essential for data aggregation and risk reporting. Leveraging modern technology solutions that automate several aspects of risk data aggregation and reporting (metadata ingestion, asset documentation, profiling, lineage, policy setting, tagging, etc.) can scale your compliance efforts.
  • Engage in regular training and awareness programs: Training programs can educate staff on the importance of data governance and the role it plays in risk management. As the regulatory landscape and technology evolve, banks should invest in continuous training.
  • Continuous monitoring and improvement: Implementing BCBS 239 is not a one-time project but an ongoing process. Cultivating a mindset that welcomes feedback, learns from challenges, and continuously seeks to enhance risk data practices is essential for long-term success.

Also, read → Data steward vs. data owner | What banks need to know about BCBS 239 data lineage | Everything you need to know about BCBS 239 compliance

Atlan for BCBS 239 compliance: How banks can improve their data management efforts #

Atlan offers a unified control plane to search, discover, access, and govern data assets for BCBS 239 compliance. Some of the core capabilities include (but aren’t limited to):

  • Governance workflows: Streamline compliance with approval workflows that enhance governance maturity.
  • Data ownership: Designate and oversee responsibilities for various stakeholders within teams.
  • Business glossary: Define and contextualize data asset definitions to ensure consistent understanding of BCBS concepts.
  • Data lineage: Visualize data flows and build end-to-end visibility of your data estate.
  • Data classification: Use tags and custom metadata to organize data, with auto-propagation via lineage mapping.
  • Data contracts: Establish data contracts for a closer understanding, surfacing and remediation of data quality issues.
  • Policy manager: Document BCBS principles, monitor compliance, and manage alerts (on deviations) and remediation actions.

Also, read The unified control plane in action

Bottom line #

BCBS 239 is a crucial framework that enhances financial stability by setting robust standards for risk data aggregation and reporting. Its principles encourage institutions to embrace data-driven practices, ensuring resilience, transparency, and efficiency.

While challenges such as legacy infrastructure, data quality, and evolving risks persist, banks can overcome these hurdles through strategic investment in governance, technology, and data-driven culture to build end-to-end data transparency.

By following the 14 principles of BCBS 239, banks can forge a future defined by stability, trust, and sustainable growth.

Want to understand how Atlan fits into your BCBS 239 compliance plan? Speak to our experts.

FAQs about BCBS 239 #

What is BCBS 239 and what is its objective? #


BCBS 239 is a regulation by the Basel Committee on Banking Supervision designed to strengthen banks’ risk data management and reporting. Introduced after the 2007-2008 financial crisis, its goal is to enhance global financial stability through improved data aggregation and risk reporting practices.

Why is BCBS 239 compliance critical? #


BCBS 239 compliance ensures banks can aggregate and report risks accurately and quickly, crucial for financial system stability. It mandates improvements in data governance, data quality, and transparency, leading to better decision-making and risk management.

What are the penalties for non-compliance with BCBS 239? #


Non-compliance with BCBS 239 can result in fines, operational restrictions, and damage to the institution’s reputation. Penalties vary by jurisdiction but may erode trust between the institution and regulators.

What are the 14 key principles of BCBS 239? #


BCBS 239 outlines 14 key principles covering governance, data architecture, risk data aggregation, accuracy, integrity, completeness, adaptability, timeliness, and frequency of risk reporting. These principles ensure that financial institutions have robust frameworks to manage data and report risks effectively.

How can data lineage help banks achieve BCBS 239 compliance? #


Data lineage tracks data flow and transformations from source to destination, ensuring BCBS 239 compliance. It enhances transparency in data handling, supports accurate reporting, and facilitates auditing, helping banks adhere to risk data aggregation and reporting principles.

Share this article

[Website env: production]