Emerging & Specific Regulation

BCBS 239 Extension

What is BCBS 239 Compliance, and What is the Latest BCBS 239 Extension?

BCBS 239 refers to the “Principles for Effective Risk Data Aggregation and Risk Reporting” issued by the BCBS in 2013. These principles provide guidance to banks on how to improve the way they collect, manage, and report risk data, with the goal of strengthening risk management practices. 

The extension of BCBS 239 principles by the European Central Bank (ECB) marks a significant step towards fortifying financial institutions’ risk data aggregation and reporting capabilities. This initiative addresses the deficiencies identified in earlier implementations of BCBS 239, aiming to bolster the financial industry’s resilience by enhancing data quality, governance, and infrastructure to support robust risk management practices.

BCBS 239 Compliance & Latest Revisions

The thematic review conducted by the European Central Bank (ECB) on effective risk data aggregation and risk reporting, guided by the Basel Committee on Banking Supervision’s (BCBS) 239 principles, presents a comprehensive evaluation of the current state of risk data management among significant financial institutions. The review, initiated as a supervisory priority in 2016, involved an in-depth assessment of 25 significant institutions to gauge their governance structures, data aggregation capabilities, and reporting practices in the realm of risk management.

The ECB’s findings from the review paint a concerning picture of the implementation status of the BCBS 239 principles among the examined institutions, including some classified as global systemically important banks. Notably, none of these institutions had fully realized the BCBS 239 principles by the review’s conclusion. The shortcomings primarily stem from ambiguous responsibilities and accountability for data quality, with a blurred understanding of the roles and responsibilities between business control functions and IT departments.

The review emphasizes the importance of sound risk data aggregation capabilities and effective risk reporting practices, especially in the wake of the global financial crisis, which underscored the critical impact of managing risk-related data on an institution’s risk profile and the sustainability of its business model. The ECB’s assessment underscores the necessity for further enhancements in governance frameworks, data management processes, and IT infrastructures to bolster risk data aggregation and reporting capabilities.

Key areas of concern highlighted by the review include: (i) inadequate clarity on roles and responsibilities for data quality, (ii) poor scoping of key reports, (iii) disconnect between Legal Entity and Global governance, (iv) incomplete implementation of the BCBS principles, and (v) a lack of oversight at executive levels. These deficiencies call for concerted efforts to rectify governance arrangements, IT strategies, and operational processes to meet supervisory standards and international best practices.

BCBS 239 Compliance: Pitfalls & Lessons Learned

The urgency for implementing the BCBS 239 extension is driven by the increasing complexity of the financial system and the lessons learned from past financial crises, including the 2007 crisis and the more recent challenges posed by the COVID-19 pandemic. These events have underscored the critical importance of having reliable risk data for decision-making and risk management, particularly in stress situations. The ECB’s consultation, which concluded on October 6, 2023, reflects a proactive approach to addressing these challenges and preventing future systemic risks. BCBS 239 Compliance is back in question!

Tackling the seven key areas of concern highlighted by the ECB as a matter of priority is key:

  1. Responsibilities of management bodies,
  2. Sufficient scope of application,
  3. Effective data governance framework,
  4. Integrated data architecture,
  5. Group-wide data quality management and standards,
  6. Timeliness of internal risk reporting,
  7. Effective implementation programmes.

Taking proactive steps to enhance Risk Data Aggregation and Risk Reporting (RDARR) capabilities is essential, especially with the expectation of heightened regulatory oversight. The ECB’s Banking Supervision division places a high emphasis on the improvement of governance structures and the integrity of risk data, indicating a supervisory focus. The division is poised to leverage its full range of supervisory instruments and authority to enforce stringent disciplinary measures against entities that disregard its directives, evidenced by the imposition of fines within this fiscal year. Moreover, RDARR is poised to assume an increasingly pivotal role within the Supervisory Review and Evaluation Process (SREP), wherein substandard data quality could precipitate stricter Pillar 2 Requirements (P2R).

 

Who is impacted by BCBS 239?

The BCBS 239 extension affects a wide array of financial institutions, especially those with significant international operations and those deemed systemically important.

Asset Managers
Banks
Fintechs

How Can We Help?

The ECB’s initiative underscores a broader regulatory push towards enhancing the financial industry’s risk management capabilities through better data practices. The ECB’s guide not only sets out to address current inadequacies but also aims to future-proof institutions against emerging risks. Implementing these guidelines can lead to significant operational and financial benefits, including improved risk management, strategic decision-making, and cost efficiencies through automation and streamlined processes.

1. Performing a preparedness evaluation

  • Expanded Gap Analysis: Deloitte can dive deeper into your existing systems, identifying not just gaps against the principles but also potential bottlenecks, hidden vulnerabilities within your data infrastructure, or legacy systems that might hinder compliance.
  • Benchmarking: Compare your existing risk data practices against industry best practices and anonymized peer data, providing a broader view of where you stand beyond just regulatory requirements.
  • Implementation Cost Projections: Integrate cost estimates for remediation actions into the roadmap, including technology upgrades, process changes, and potential staffing needs, aiding budgeting and resource allocation.

2. Data Architecture and Governance

  • Prioritizing Risk-Centric Data: T3 would strongly emphasize the “risk” aspect of risk data, ensuring governance focuses on what metrics and data types are most critical for risk management decision-making.
  • Data Ownership & Accountability: Clear focus on defining roles and responsibilities across business units and IT teams, suitable for organizations where data ownership can get blurred.
  • Integration with Existing Risk Frameworks: Design governance structures that tie into how your institution already assesses, measures, and mitigates risk, rather than creating a parallel structure just for BCBS 239.

3. Technology Implementation and Integration

  • “Right-Sized” Technology Solutions: Help you evaluate more targeted tools and best-of-breed solutions rather than large enterprise platforms, offering greater flexibility for smaller firms or those with niche technology needs.
  • Agile Implementation: Focus on iterative implementation models for system changes, minimizing disruption and allowing for course correction.
  • Data Validation as Priority: Prioritize robust reconciliation and data quality validation features within any recommended technology solutions.
