Banks have spent millions on BCBS239* compliance, but they aren’t yet in the clear. In case you missed it, the European Central Bank (ECB) recently published new guidance that updates the decade-old regulation to be more prescriptive and more expansive, and to include non-financial risk.

While the change to BCBS239 primarily impacts ECB-regulated banks right now, financial institutions in other countries should pay attention, because regulators around the world are developing similar approaches.

So, what’s changed? The ECB is concerned that some banks are treating BCBS239 as a regulatory checkbox, rather than implementing real, lasting improvements to risk data aggregation and reporting. So, it’s demanding urgent action to address several areas of weakness:

| The ECB feels that some banks’… | … So it’s demanding |
| --- | --- |
| Boards and senior executives haven’t given enough investment and focus to risk data aggregation and reporting | Top-down engagement |
| Implementations of BCBS239 are too narrow in scope | Inclusion across internal risk reports, financial reports, supervisory reports, specific models and risk indicators |
| Data governance frameworks are inadequate | That people in certain roles adopt specific responsibilities |
| Data architectures aren’t integrated and consistent across all parts of the organisation | Complete and up-to-date data lineages on the data-attribute level |
| Data quality management is poor | Controls for front-end systems; data quality management for employees’ devices and applications, including spreadsheets |
| Internal risk reporting isn’t sufficiently timely | That the timeliness corresponds to the frequency at which each report is generated; that the bank can quickly gather data of sufficient quality to respond well to stress scenarios |
| Implementations of BCBS239 have been poorly managed | Proper adherence to project management principles |

Many of these new requirements could be difficult and expensive to meet.

As a leader in finance, risk, or data, you need to be aware of the updated guidance and steer your firm to compliance to avoid additional regulatory scrutiny, and even expensive additional Pillar 2 capital requirements. 

Here are the four actions that we recommend organisations take to meet the latest BCBS239 rules:

1. Re-assess your progress and prioritise 

Your first action should be to assess your organisation’s compliance against the new guidance. You’ll need to be ready to explain to the regulator how you’re responding to the latest requirements.

The new expectations are much broader, as your data aggregation and reporting framework now needs to cover internal risk reports, financial reports, supervisory reports, models and key risk indicators. This broader remit may require adjustments to your scoping methodology. You’ll also have to demonstrate how your organisation will conduct regular scope reviews to manage the relevance of your controls as your business and market evolve.

In addition, the latest guidance demands that banks take data quality more seriously by applying industry-leading approaches to data quality management right across the enterprise. Of course, this delivers value beyond compliance, as more reliable data leads to better risk-based decisions across the business.

As you proceed, you need to show you’re taking the new guidance seriously and responding with urgency. It’s important to decide which activities to prioritise to achieve compliance without creating a large administrative burden. We recommend ensuring that compliance efforts are aligned with your business goals and drive business value. The best approach will be one that builds on your prior investment in BCBS239 compliance and enhances your existing processes and systems to meet the new demands.

2. Embrace quick wins

The most effective responses to BCBS239 integrate the requirements into existing strategic initiatives and use compliance as a driver for innovation and efficiency. This approach presents some quick wins.

For example, your organisation is no doubt already investing in improvements to risk management technologies and practices. Finding ways to use these investments to enhance your BCBS239 compliance at the same time is a practical and cost-effective way to show you’re responding to the latest guidance.

Another quick win is ensuring that your investments in data lineage and provenance will support both AI use cases and BCBS239 compliance. Many banks have already spent millions on data lineage solutions that deliver little value beyond ticking the regulatory box, so they’ll need to approach this next investment carefully.

A third quick win is delivering robust training programmes for boards and senior management, who are ultimately responsible for risk and financial reporting. The right training encourages executive leadership to champion BCBS239 because they see the value and need for it, not just because it’s another regulation to comply with. It also helps to meet the ECB’s requirements around accountability and foster a culture of proactive risk management.

3. Embed compliance into your business-as-usual operations

We recommend reviewing your existing board- and executive-level reports to determine the best way to embed BCBS239-related risk data aggregation and reporting metrics within them. This helps make BCBS239 part of how you run your business rather than a separate requirement. On top of this, it ensures that your reporting isn’t just a compliance exercise, but also provides strategic value and actionable insights for decision-makers.

In parallel, it's worth adapting critical decision-making processes – such as allocation of capital – to ensure good data quality. We recommend building a risk management toolkit – including backtesting methods such as profit and loss attribution, actual vs expected, and root-cause analysis – to identify data issues and strengthen compliance.  

Ultimately, you want to be able to easily explain how BCBS239 informs your risk management processes, with reference to specific documents and reports. This is the kind of best practice that regulators will have seen in firms where BCBS239 has been implemented effectively.

4. Drive efficiency and cost savings

A widely held misconception – and something we hear often – is that implementing BCBS239 drives increased costs. But this needn’t be the case. Properly implemented, BCBS239 compliance should lead to cost reductions over time, particularly as it can help you avoid costly mistakes such as poor credit decisions, misallocation of capital, or delays in understanding risk exposure to a particular industry or country.

Using automation to streamline processes, reduce manual effort, and enhance data quality will help you avoid duplication and save time, while also improving accuracy and driving greater consistency in ways of working. All of this leads to operational efficiencies and competitive advantage. 

In addition, a compliance-by-design approach can make compliance an effortless part of your business processes. This enables you to shift from point-in-time compliance and annual attestation to ongoing and continuous monitoring. With the right upfront design and the appropriate level of discipline, an automated, compliance-by-design approach is surprisingly simple to achieve.

Of course, when you bring additional risk reports, metrics or data elements into scope, there will be some initial work to incorporate them into the control framework that you have set up to maintain BCBS239 compliance. However, if your BCBS239 framework is well-designed, you’ll naturally bring more things into scope over time to benefit from its advantages. 

Compliance starts now

Responding proactively to the ECB’s latest guidance can help you identify and implement quick wins to generate business value beyond BCBS239 compliance. Our Baringa experts can help you define the ideal scope and priorities to meet the regulator’s expectations while driving further business benefits.

We don’t believe in one-size-fits-all solutions. We help you focus on the right details for your organisation’s specific needs – whether that’s adapting your credit risk reports to incorporate BCBS239 requirements, providing targeted training that drives genuine cultural change, implementing pragmatic and cost-effective integrated data taxonomies, or developing a risk data aggregation and reporting framework that demonstrates compliance with low effort and high impact.

We work as an integrated extension to your team, helping you embed resilience at the core of your organisation to protect your most valuable assets. And when we leave, our capabilities stay with you – because we upskill your people to build sustainable solutions faster, keeping you ready for the next wave of risk and regulation.   

Contact Dan Golding, Priya Sreedher or Paul Jones to discuss your firm’s compliance.


*Basel Committee on Banking Supervision standard number 239: "Principles for effective risk data aggregation and risk reporting"
