BCBS 239 Data Governance: What Banks Need to Know in 2025

Updated October 30th, 2024

Share this article

The Basel Committee on Banking Supervision established BCBS 239 to set standards for risk data aggregation and reporting in banks.

Central to BCBS 239 is a data governance framework for managing data ownership, accountability, and quality, all of which support accurate and timely risk reporting. Effective data governance enables banks to meet BCBS 239 requirements and build a foundation for transparency and regulatory compliance.
See How Atlan Simplifies Data Governance – Start Product Tour

This article covers BCBS 239 data governance requirements, challenges, elements of a good governance framework, and key capabilities needed for compliance.

Table of Contents #

  1. BCBS 239 data governance requirements: An overview
  2. BCBS 239 data governance: Top challenges
  3. Overcoming challenges with a comprehensive BCBS 239 data governance framework
  4. Implementing BCBS 239 data governance
  5. BCBS 239 data governance: Essential capabilities
  6. Summing up
  7. BCBS 239 data governance: Related reads

BCBS 239 data governance requirements: An overview #

Bank boards should prioritise and intensify their oversight of data governance, including the development, implementation, and maintenance of robust data governance frameworks, risk data aggregation and reporting.” - BCBS 239 Progress Report, November 2023

To comply with BCBS 239, banks must establish a strong governance framework that integrates data management with overall risk management strategies.

BCBS 239 particularly emphasizes outlining a clear separation of senior management’s roles and responsibilities for risk data aggregation and reporting within the framework. The framework should also include stipulations of roles and responsibilities for the board of directors and its subcommittees.

Moreover, the scope of data governance should be well-documented – specifying the reports, models and indicators needed. It should be comprehensive to include all main risk reports and business processes, reflecting the entire data lifecycle (from data origination, capture, and aggregation to reporting).

Other key requirements are:

  • Clear ownership and accountability for risk data management
  • Strong governance frameworks involving board and senior management oversight
  • Integration of data governance with the overall risk management strategy
  • Compliance with the 14 principles of BCBS 239, with particular focus on data architecture, accuracy, completeness, and timeliness of risk data

BCBS 239 data governance: Top challenges #

Despite its importance, implementing BCBS 239-compliant data governance poses significant challenges for banks:

  • Legacy IT systems and fragmented infrastructure: Outdated, fragmented IT systems hinder the efficient aggregation and management of risk data. Legacy systems often lack integration capabilities, making it difficult to build a unified view of data, ensure data quality, and meet timeliness requirements.
  • Data quality and integrity issues: Banks often struggle with varying data definitions and inconsistent data quality across domains and geographies. These inconsistencies reduce the reliability of risk data and make it challenging to meet regulatory standards.
  • Siloed structures: Siloed organizational structures prevent efficient data sharing across departments, limiting visibility and accountability in data governance. These silos make it difficult to establish a unified governance framework that ensures compliance and consistency in risk data.
  • Evolving regulatory expectations: Regulatory standards and expectations are continuously evolving, requiring banks to adapt their data governance strategies to maintain compliance. Meeting these dynamic requirements adds another layer of complexity to data governance and risk management.

Overcoming challenges with a comprehensive BCBS 239 data governance framework #

To address these challenges, banks should establish a data governance framework that emphasizes clear ownership, collaboration, and technology integration. Key elements of an effective BCBS 239 data governance framework include:

  • Clear data ownership to ensure accountability for data quality and compliance with BCBS 239
  • Stakeholder involvement (the board, senior management, and department heads) to align data governance with the broader organizational goals
  • Effective, scalable policies and procedures that define standards for data quality, access, and reporting
  • Leveraging technology (especially automation and AI) to improve data governance efficiency and reduce manual errors
  • Enable collaboration and data sharing to create a unified data governance structure, improve risk visibility, and foster a data culture across your enterprise

Implementing BCBS 239 data governance #

Effective implementation of BCBS 239 data governance involves embedding governance practices into daily operations. Embedded governance shifts data governance from static documentation into dynamic, integrated processes across data teams. Instead of policies stored in PDFs or spreadsheets, governance is coded directly into workflows.

This approach ensures that governance isn’t overlooked but actively applied, evolving with data practices to maintain relevance and trust.

Also, read → The active data governance manifesto

Key steps for implementing embedded governance include:

  1. Standardize data governance practices
  2. Embed governance into your daily workflows with automated tagging, data lineage tracking, and real-time monitoring
  3. Implement systems for continuous monitoring of data governance performance, including real-time alerts and periodic audits

BCBS 239 data governance: Essential capabilities #

Maintaining compliance with BCBS 239 data governance requirements demands specific capabilities that enhance data management, security, and traceability. Here are the essential capabilities banks should consider:

  • Automated compliance management – audit trails, versioning, risk assessments, regulatory reporting
  • Data contracts that establish clear agreements between data producers and consumers, outlining the expectations, responsibilities, and quality standards for data usage
  • Effective metadata management that captures, describes, and manages all types of metadata, and automates metadata ingestion, classification, and sync for data tracking at scale
  • End-to-end data lineage from source to destination (across systems, column, tables, transformations), helping banks understand where data originates and how it flows through their systems
  • Granular access controls and security measures (encryption, personalized data masking, anonymization) to protect sensitive data, and personalize access per user roles, projects, or domains
  • AI-assisted policy creation to analyze data and automate policy updates
  • Automated data asset documentation, tagging, and classification to drive data governance at scale
  • Real-time incident alerts notify relevant stakeholders about policy incidents and breaches as they happen (and not years later)
  • Easy integration with your data stack through out-of-the-box connectors for various data tools (data sources, data movement tools, BI tools, etc.)
  • Collaboration capabilities (threads, comments, alerts, tagging) to streamline communication
  • Flexible deployment options across on-premises, cloud, and multi-cloud environments

Summing up #

Achieving BCBS 239 compliance requires banks to establish a comprehensive data governance framework that supports transparency, traceability, and data quality across all risk data.

Clear ownership, strong governance frameworks, and technology-enabled capabilities are essential for overcoming common challenges like legacy infrastructure, data silos, and evolving regulations.

By investing in essential data governance capabilities—such as automated data lineage, real-time monitoring, granular access controls, and centralized dashboards—banks can meet BCBS 239 standards and build resilience in a dynamic financial landscape.

Share this article

[Website env: production]