BCBS 239 Data Lineage: What Banks Need to Know in 2025

BCBS 239, established by the Basel Committee on Banking Supervision, sets the standards for effective risk data aggregation and reporting in banks.

A key component of BCBS 239 is maintaining data lineage—the ability to trace data’s journey from its origin through various stages of transformation and aggregation. Clear, accurate data lineage ensures data accuracy, completeness, and reliability, especially for risk data reporting.
Discover Atlan’s Data Lineage Capabilities – Start Tour

This article explores the requirements for BCBS 239 data lineage, challenges banks face in implementing it, and the essential capabilities needed to overcome these challenges.

---

Table of Contents #

1. BCBS 239 data lineage requirements: An overview
2. BCBS 239 data lineage: Why is it a challenge for banks?
3. Top barriers to achieving BCBS 239 data lineage
4. Essential capabilities for BCBS 239-compliant data lineage
5. Bottom line
6. BCBS 239 data lineage: Related reads

---

BCBS 239 data lineage requirements: An overview #

BCBS 239 requires banks to maintain clear and accurate data lineage to ensure data accuracy, completeness, and traceability, especially for risk data aggregation and reporting.

This requirement is central to risk data aggregation and reporting, supporting accountability and data governance. Here are the core requirements for BCBS 239 data lineage:

• Complete visibility into the flow of risk data across various systems, processes, and departments
• Ability to trace the origin of all risk data to ensure data quality, accuracy, and reliability
• Comprehensive documentation of data flows, transformations, and aggregations to ensure traceability
• Integration of data lineage into the bank’s broader data governance framework ensure consistency, accountability, and compliance throughout the data lifecycle

---

BCBS 239 data lineage: Why is it a challenge for banks? #

Despite its critical role in BCBS 239 compliance, maintaining comprehensive data lineage is challenging for banks, impacting their ability to ensure accuracy, traceability, and accountability across risk data.

Incomplete or fragmented data lineage complicates data aggregation and quality efforts, preventing banks from achieving a unified view of risk data. The Basel Committee’s 2023 progress report illustrates this gap:

“Of the 31 banks assessed, only two banks are fully compliant with all the Principles. Also, there is not a single principle that has been fully implemented across all banks.” - Progress in adopting BCBS 239, November 2023

The report attributes delayed compliance to an underestimation of the effort required to build thorough data lineage and governance frameworks. Many banks lack a standardized taxonomy and complete data lineage, which “complicates banks’ ability to harmonize systems and detect data defects.”

---

Top barriers to achieving BCBS 239 data lineage #

Establishing BCBS 239-compliant data lineage requires addressing multiple challenges related to legacy infrastructure, data silos, manual processes, and regulatory demands:

• Complexity of legacy systems: Legacy systems often operate in silos with limited interoperability, making it difficult to trace data consistently across the bank’s various platforms. Upgrading legacy infrastructure demands significant investment and time, making integration with modern data tools difficult.
• Data silos and fragmentation: Different departments often work with separate data systems, which restricts visibility into data movement and dependencies across the institution. For example, risk management, finance, and compliance departments may each use different definitions and structures for data, which limits the ability to achieve end-to-end data lineage.
• Manual processes: Without automation, documenting data lineage across complex, interconnected systems is labor-intensive and often results in incomplete or outdated records. Manual tracking limits responsiveness to audits and adaptation to data flow changes, risking non-compliance with BCBS 239 standards.
• Regulatory pressure: Regulatory bodies expect banks to maintain up-to-date data lineage, and these expectations continue to evolve. Regulators may request detailed lineage information for audit purposes, requiring banks to demonstrate clear accountability for each transformation in the data’s journey. This pressure for accuracy and agility with data lineage is difficult to achieve without comprehensive data governance and automation tooling.

Overcoming these challenges requires banks to invest in capabilities that support automation, real-time monitoring, and secure data management.

---

Essential capabilities for BCBS 239-compliant data lineage #

The following capabilities are recommended for establishing and maintaining BCBS 239-compliant data lineage:

• Automated, actionable, column-level data lineage with end-to-end visibility that maps data across all systems, processes, and data domains
• Auto-propagation of tags and metadata attributes (ownership, certification, risk profiles, privacy sensitivity) via lineage to ensure that data remains properly labeled and managed across various transformations, domains, projects, and teams
• Real-time monitoring to continuously track data flows and transformations, quickly identifying any discrepancies or anomalies
• Automated compliance reporting to simplify regulatory audits by providing a clear, traceable record of data handling practices
• Granular access controls and security measures (encryption, personalized data masking, anonymization) to protect sensitive data, and personalize access per user roles, projects, or domains
• Real-time incident alerts to notify banks of any significant changes to data lineage, such as schema alterations, data deletions, or asset additions

---

Bottom line #

BCBS 239 compliance requires banks to implement end-to-end data lineage for transparency, traceability, and accuracy across all risk data. While legacy systems, data silos, manual processes, and regulatory pressure present significant challenges, these obstacles can be addressed.

Capabilities like automated data lineage mapping, real-time incident alerts, granular access controls, and auto-propagation of tags and metadata attributes can tackle the above challenges and ensure compliance with BCBS 239 principles.

Investing in these capabilities not only supports BCBS 239 compliance but also strengthens data governance and risk management frameworks, contributing to a more resilient and transparent banking ecosystem.

---

BCBS 239 data lineage: Related reads #

• BCBS 239 2025: Principles for Effective Risk Data Management and Reporting
• Data Governance for Asset Management Firms in 2024
• Data Quality Explained: Causes, Detection, and Fixes
• What is Data Governance? Its Importance & Principles
• Data Governance and Compliance: Act of Checks & Balances
• Data Governance Framework — Guide, Examples, Template
• Data Compliance Management in 2024
• BCBS 239 Compliance: What Banks Need to Know in 2025
• BCBS 239 Data Governance: What Banks Need to Know in 2025
• BCBS 239 Data Lineage: What Banks Need to Know in 2025
• HIPAA Compliance: Key Components, Rules & Standards
• CCPA Compliance: 7 Requirements to Become CCPA Compliant
• CCPA Compliance Checklist: 9 Points to Be Considered
• How to Comply With GDPR? 7 Requirements to Know!
• Benefits of GDPR Compliance: Protect Your Data and Business in 2024
• IDMP Compliance: It’s Key Elements, Requirements & Benefits
• Data Governance for Banking: Core Challenges, Business Benefits, and Essential Capabilities in 2024
• Data Governance Maturity Model: A Roadmap to Optimizing Your Data Initiatives and Driving Business Value
• What Is Data Lineage & Why Is It Important?
• Data Lineage 101: Importance, Use Cases, and Their Role in Governance
• Automated Data Lineage: Making Lineage Work For Everyone
• What is Business Lineage: 10 Use Cases to Apply in 2024

---