BCBS 239 Compliance: What Banks Need to Know in 2025

Updated October 30th, 2024

Launched by the Basel Committee on Banking Supervision, BCBS 239 establishes a framework of principles to improve banks’ risk data aggregation and reporting practices.

While full compliance was initially expected by 2016, only two banks have achieved it as of 2023, underscoring the operational challenges in transforming data infrastructure and governance practices.

This article explores BCBS 239 compliance requirements, the penalties for non-compliance, common challenges faced by banks, and strategies to ensure compliance.


Table of Contents

  1. BCBS 239 compliance: An overview
  2. BCBS 239 compliance challenges
  3. Penalties for non-compliance
  4. BCBS 239 compliance management strategy to overcome those challenges
  5. BCBS 239 compliance management: Essential capabilities
  6. Bottom line

BCBS 239 compliance: An overview

BCBS 239 compliance involves implementing fourteen principles (11 for banks, and the remaining three for regulatory supervisors) across four categories:

  • Overarching governance and infrastructure: Banks need a strong governance framework, risk data architecture, and IT infrastructure in place.
  • Risk data aggregation capabilities: Banks must ensure data aggregation is accurate, complete, timely, and adaptable.
  • Risk reporting practices: Risk reports based on complete, accurate, and clear risk data should be presented to the right decision-makers promptly.
  • Supervisory review, tools, and cooperation: Supervisors should continuously monitor and provide incentives to banks for complying with BCBS 239. This includes compliance review, remedial actions, and cross-border cooperation.

BCBS 239 compliance management therefore oversees the implementation of the 14 principles to ensure effective data governance and risk management for banks.

As mentioned earlier, the original BCBS 239 report expected banks to be fully compliant by 2016. Yet, “only two banks are fully compliant as of November 2023. Also, there is not a single principle that has been fully implemented across all banks.”

BCBS 239 compliance ratings for banks over the years - Source: BCBS Progress Report, November 2023

The delayed compliance is largely attributed to:

  • Lack of prioritization of data governance and risk management
  • Insufficient ownership by the board and senior management
  • Challenges with implementing data architecture and IT infrastructure improvements

Let’s explore these and other challenges that banks are facing with BCBS 239 compliance in the next section.


BCBS 239 compliance challenges

Banks face several challenges in meeting BCBS 239 requirements. Common hurdles include:

  • Lack of prioritization of data governance and risk management: Data governance initiatives are often underfunded and poorly integrated into the bank’s overall strategy.
  • Insufficient ownership by the board and senior management: In many banks, the board and senior management do not fully participate in data governance initiatives, leading to fragmented accountability and ineffective oversight.
  • Challenges with implementing data architecture and IT infrastructure improvements: Legacy IT systems and fragmented data architecture complicate the data aggregation process. Modernizing these systems to meet BCBS 239 requirements is costly and time-consuming, as it often requires integration across different departments and systems.
  • Data quality and integrity issues: Variations in data definitions, collection methods, and validation processes result in data discrepancies, which can compromise the integrity of risk data reporting.
  • Data silos: Organizational silos prevent data from being shared effectively, creating inconsistencies and limiting the ability to generate an end-to-end view of risk exposure.
  • Evolving regulatory expectations: Regulatory bodies continue to refine their expectations, creating additional compliance requirements. Banks must adapt to these changing standards, which increases the complexity of maintaining BCBS 239 compliance and requires constant updates to risk data processes.

Penalties for non-compliance

Failure to comply with BCBS 239 can lead to significant penalties, affecting a bank’s financial standing, reputation, and operational flexibility.

Supervisory measures for BCBS 239 non-compliance - Source: BCBS Progress Report, November 2023

Supervisors may conduct inspections, issue follow-up letters, or mandate independent reviews. The latest BCBS progress report suggests “more forceful supervisory measures”, such as:

  • Imposing monetary fines on banks for delays or lapses in BCBS 239 compliance
  • Restricting capital distributions, preventing non-compliant banks from paying dividends or executing stock buybacks
  • Setting capital add-ons, requiring banks to hold additional capital as a buffer for poor risk management

BCBS 239 compliance management strategy to overcome those challenges

Overcoming BCBS 239 compliance challenges and avoiding penalties requires a proactive, strategic approach focused on data governance, technology modernization, and data-driven culture. Some of the key aspects to focus on include:

  • Strengthening governance: The first step is to build a strong governance framework with clear roles, responsibilities, and accountability. Involving senior management and the board is crucial to integrate BCBS 239 into business operations.
  • Modernizing IT infrastructure: Banks should invest in scalable, cloud-based platforms that automate several aspects of data collection, aggregation, management, and reporting. This reduces the risk of errors, enhances data quality, and ensures that the infrastructure is flexible, extendable, and ready for innovation.
  • Data quality management: Banks should establish standardized data definitions, regular data validation, end-to-end lineage mapping (cross-system, column-level), and consistent monitoring of data quality across all teams and geographies.
  • Building a culture of data: Regular training programs can educate employees on the importance of data governance and BCBS 239 requirements, fostering a culture where data quality is prioritized at all levels. Promoting data stewardship within teams can further enhance compliance and data accountability.
  • Engage with regulators: Open and proactive communication with regulatory authorities can support banks in staying aligned with compliance expectations. Regular interactions with regulators can clarify regulatory requirements, address compliance challenges, and provide early insights into evolving standards.

BCBS 239 compliance management: Essential capabilities

Ensuring BCBS 239 compliance requires overseeing the practices, processes, and policies outlined by the Basel Committee: protecting sensitive data assets, maintaining data integrity and security, and achieving full compliance with all 14 principles.

To that end, here are some essential capabilities that you should look for in the tools you’re using for data governance, compliance, and risk management:

  • Automated risk data aggregation across different business units and geographies to improve data quality and speed up the reporting process
  • Automated security and compliance reporting for BCBS 239, GDPR, CCPA, PCI DSS, and other regulations to simplify compliance and adhere to multiple standards efficiently
  • Granular access controls and security measures to protect sensitive data, and personalize access per user roles, projects, or domains
  • Enhanced, automated data lineage and audit trails to document end-to-end data flows down to column level, ensuring transparency and accountability in risk data management
  • Automated tagging and classification (by risk profiles, ownership, and privacy sensitivity) for accurate and consistent data handling, aggregation, and reporting
  • Automated data profiling with ownership, certification and other metadata elements to maintain accountability for data quality and compliance
  • A transparency center with a top-down view of policy coverage across the data ecosystem to identify policy gaps, monitor compliance coverage, and make data governance adjustments as needed
  • AI-assisted policy creation to analyze existing data, suggest appropriate policies, and automate policy updates
  • Data contracts to establish clear agreements between data producers and consumers, outlining the expectations, responsibilities, and quality standards for data usage
  • Real-time alerts for metadata changes, asset creation, and deletion to maintain accurate data lineage, monitor compliance, and promptly address any discrepancies in risk data reporting

Bottom line

Achieving BCBS 239 compliance is essential for banks to strengthen risk management and data governance. A strategic approach focusing on governance, IT modernization, and data quality helps overcome challenges related to legacy systems, data silos, and evolving standards.

Equipping banks with essential capabilities, such as automated aggregation, real-time reporting, detailed audit trails, and comprehensive compliance reporting, supports them in achieving BCBS 239 compliance.

