BCBS 239 was a post-financial crisis landmark for bank risk management and its oversight. The Basel Committee on Banking Supervision’s January 2013 document contained 14 principles for effective risk data aggregation and risk reporting (RDARR) – 11 for systemically important banks and three for supervisors – and gave the institutions three years to comply.
Ten years past that deadline, the job is still not done. The Basel Committee, which through 2023 issued seven detailed reports on how far and on which principles the banks had progressed (or fell short), in January this year acknowledged ongoing complications while offering what amounted to a friendly reminder..
“The BCBS 239 principles,” said this latest newsletter, “provide a strong framework for bank data and risk management practices, initially targeting systemically important banks and applicable both at the banking group level and on a subsidiary level . . . The Basel Committee remains committed to fostering dialogue between supervisors and the industry to address ongoing challenges and advance the effective implementation of BCBS 239.”
Meanwhile, the European Central Bank’s 2025-2027 Supervisory Priorities has a sharper edge on RDARR, “where, despite long-standing engagement with supervisors and acknowledged improvements, some banks have still not addressed major shortcomings.” It places the need for scrutiny and remediation alongside “supervisory expectations as regards banks’ management of climate-related and environmental risks.”
The ECB has lately raised private credit as a supervisory concern.
The Group of Central Bank Governors and Heads of Supervision (GHOS), BCBS’s oversight body, cited “good progress” toward outstanding Basel III reforms: “About 75% of member jurisdictions have now implemented, or will shortly implement, the standards, and the remaining jurisdictions have communicated their plans to do so.” A BCBS report in March found “Basel III Liquidity Coverage Ratios (LCRs) and Net Stable Funding Ratios (NSFRs) increased while capital and leverage ratios remained stable for large internationally active banks in the first half of 2025.”
“The ECB has made BCBS 239 remediation a top supervisory priority through 2027, with escalation measures for institutions that fail to move,” says a LinkedIn post by Assad Mumtaz, founder and principal consultant, Finlytics Hub. “The banks that treated this as a compliance checkbox are about to find out what enforcement actually looks like.”
The original 2013 document.
The European Central Bank stated that effective RDARR frameworks are important for “timely decision-making and effective strategic steering. While ECB Banking Supervision acknowledges that major progress has already been made in this regard, the remediation process is not yet complete and will require follow-up work in forthcoming supervisory cycles.”
“Thematic reviews and on-site inspections across Europe have revealed an ‘unsatisfactory’ implementation status,” EY consultants wrote last year. “Multiple interpretations exist across the sector, and many banks have taken shortcuts where possible. To both clarify and reinforce its supervisory expectations, the ECB issued” an RDARR guide in May 2024.
“ECB has announced targeted reviews of RDARR practices, on-site inspections, and annual questionnaires as key activities,” the EY piece noted. The central bank “enjoins the banks to ‘step up their efforts’ under the penalty of ‘triggering escalation measures’ if they fail to meet supervisory expectations.”
According to a December 2024 McKinsey & Co. article, “There’s a broadening of scope in terms of which institutions are receiving regulatory attention – including Tier 2 and Tier 3 institutions. The assessments are also deepening in their application and level of detail across areas of policy, capability, and reporting.
“In Europe, they take the form of on-site inspections, targeted reviews of priority areas, and assessments of data quality related to supervisory reporting . . . In the United States, assessments involve examinations of the data management practices of banks, along with evaluations of related areas such as regulatory reporting, resolution and recovery planning, and specific report examinations (for example, the Complex Institution Liquidity Monitoring Report, or FR 2052a). These assessments can result in matters requiring immediate attention (MRIAs) and matters requiring attention (MRAs); in the most severe situations, they may lead to consent orders.”
As of the BCBS’s 2023 update, in the wake of setbacks and disruptions attributed to the COVID pandemic, only two of the 31 assessed G-SIBs (global systemically important banks) were fully compliant with the risk data principles. Those are numbered 1 through 11 and have shorthand titles such as governance, completeness, timeliness and accuracy.
In 2024, PwC illustrated compliance levels for 11 BCBS 239 principles (listed at left) at three intervals. Green arrows indicate positive, amber little, and red negative change. On a scale of 1 (non-compliant) to 4 (fully compliant), the overall average for 31 G-SIBs improved only 0.03 between 2019 and 2022.
At the same time, not one of the principles had been “fully implemented across all banks.”
The Basel Committee’s 2026 note was more qualitative than granular.
While the principles still apply, “implementation has evolved over the years, reflecting changes in the business, technology and risk landscape,” said the global supervisory committee. “For instance, changes in the business environment, such as mergers and acquisitions or the introduction of new products, often involve adjustments to risk data aggregation and reporting practices. At the same time, technological advancements offer new opportunities but also introduce additional complexity and dimensions of risk.
“Despite progress, meeting the intended outcomes of the principles remains a continuous effort due to the complexity of implementation and advancements in broader operational and business transformations.”
Among other BCBS observations: Some banks have applied the principles more broadly in enterprise-wide data governance. “This evolution reflects the growing recognition of data as a strategic asset that supports regulatory reporting, finance, analytics as well as business activities, and can differ depending on a financial institution's size, complexity and risk profile.
“While this broader application can increase complexity and may involve additional investments in governance, technology and personnel, it may offer opportunities to rationalize systems, remove silos, reduce costs and improve data quality across domains.”
The BCBS also pointed to data lineage, or the traceability of data from its origin to final use:
“Legacy systems, distributed data estates and the dynamic nature of data lineage complicate banks’ efforts to confirm end-to-end data traceability. Finding appropriate vendor solutions and the resource-intensive nature of identifying and maintaining data lineage can further hinder progress. However, demonstrating the business benefits of data lineage, such as cost reduction and improved efficiency, can help secure investment in automated tools.”
Production of ad hoc reports “remains a significant hurdle for some banks, particularly during crises or in response to regulatory requests in light of an emerging risk. Balancing manual and automated processes across fragmented data estates is resource-intensive but contributes to effective risk data aggregation.”
Complex, cross-border organizational structures and decentralized IT can further complicate data management and compliance.
“Industry participants have highlighted the complexity of aligning with principles, expectations and in some cases requirements in different jurisdictions,” said the January report. “In response, banks may choose to establish standardized group-level practices that address circumstances in various jurisdictions, applying them consistently across affiliates.
“Emerging technologies, such as artificial intelligence and advanced automation, hold promise for improving risk data aggregation capabilities. However, their adoption is still in the early stages. As the quality of AI-driven outputs depends on high-quality data, robust data management becomes more important for effective implementation.”