28 May 2025 | Published by: Alexander Croonen, Dr. Mahir Alman, Christian Bergner
Introduction
In 2013, the Basel Committee on Banking Supervision (BCBS) introduced the BCBS 239 Standards for risk reporting, which were implemented in 2016. These 14 principles aim to enhance risk management quality and facilitate informed decision making by banks that are considered systematically important both globally (G-SIBs) and domestically (D-SIBs), particularly during times of crisis.
In the 2023 Supervisory Review and Evaluation Process (SREP), supervisory authorities have observed that risk data aggregation and risk reporting (RDARR) – the ability of banks to efficiently collect, aggregate, and report their risk data quickly and accurately – emerged as a key area for improvement. Banks continue to face challenges in fully complying with the implementation of BCBS 239.1
To address the significant work still required, the European Central Bank (ECB) published a Guide on Effective Risk Data Aggregation and Risk Reporting in May 2024 and prioritized RDARR in line with the Single Supervisory Mechanism (SSM) supervisory priorities for 2025-2027. The guide aims to promote robust governance and effective processes for identifying, monitoring, and reporting risks based on BCBS 239.2 This includes all data utilized for both strategic and operational management to leverage its economic benefits.3
The publication of the ECB guide makes it clear that banks are expected to accelerate the mitigation of deficiencies in aggregation and reporting.4 This means that a coordinated approach along the fields of action is essential and will require enhancements in financial institutions’ IT architecture, data quality frameworks, risk reporting and IT governance. Going forward, action is needed to integrate these regulatory requirements and best practices into the current banking infrastructure, to ensure compliance while strengthening the overall risk management and data governance framework as well as minimizing data risks by setting up proper data controls.
Implications of the ECB Final Guidelines on the Implementation of BCBS 239
With the 2024 Final Guide on Effective Risk Data Aggregation and Risk Reporting, the ECB tightens the requirements on governance, risk data aggregation and risk reporting and defines minimum standards on best practice approaches, which can be summarized as in the following:
- It is necessary that the steering body takes responsibility and is involved in the management. Specific members of the steering body must oversee and implement the data management framework, ensure that RDARR tasks are prioritized and take responsibility for data quality (DQ).
- The framework needs to be fully integrated into all legal entities, risk categories and models, as well as business areas and needs to contain the entire lifecycle of the data, to ensure comprehensive coverage. The framework should be centrally planned and have key responsibility owners.
- It is important to provide detailed documentation of sources, lineage, and taxonomies to consistently ensure data quality.
- Best practices suggest enacting stricter guidelines for data quality checks, with systematic and continuous monitoring, including indicators with tolerance thresholds, validations along delivery paths, impact analyses of quality issues, and procedures for addressing violations of such quality guidelines.
- Having faster and more flexible reporting capabilities is key to creating timely and accurate risk reports, even in stress and crisis situations, with expertise always available on call.
The final guidelines introduce three key changes to the existing BCBS 239 standard. First, they emphasize the importance of establishing clear responsibility hierarchies by anchoring accountability in the steering body, signaling the ECB’s expectation for banks to clarify their governance structures.
Second, the guidelines explicitly incorporate environmental, social and governance (ESG) topics, specifically addressing climate and environmental risks. The additional data that banks need to collect under stress conditions, along with the associated challenges of data lineage and collection along the value chain, have already been highlighted by the Corporate Sustainability Reporting Directive (CSRD).
Finally, beginning in 2025, banks will be assessed for compliance with the final guidelines during SREP and other regulatory examinations. The significance of complying with the enhanced BCBS 239 has grown, and the ECB is closely monitoring and following up on related findings and measures.
Key Challenges of the Final Guidelines on RDARR for Banking
The following tables represent the key focus areas of the final guidelines on RDARR for banks and provide feasible solutions:
Outlook on Supervisory Priorities
Dedicated OSIs on BCBS 239 have already started for some banks and will be conducted for others, as a more detailed examination of supervisory expectations on RDARR, not only within the framework of SREP, but also OSIs or internal model validations (IMIs), which could result in additional capital requirements.5
Existing RDARR-related projects, including past benchmarks like data lineage assessments and fire drills, will undergo a comprehensive review. This may lead to additional project initiatives and stricter supervisory actions to ensure compliance with regulatory expectations and improve risk data management and reporting processes. Non-compliance with RDARR requirements will be more closely examined, especially in relation to risk management frameworks like Internal Capital Adequacy Assessment Process (ICAAP) and Internal Liquidity Adequacy Assessment Process (ILAAP), as well as governance requirements, Capital Requirements Regulation (CRR), Digital Operational Resilience Act (DORA), digitalization efforts, and the potential use of AI solutions.6
The ECB’s initiative highlights that, beyond previous projects, there remains significant action required at many institutions. It emphasizes the need not only to integrate BCBS 239 principles and related regulations into foundational data but also to align these standards with existing structures, processes, and workflows. This comprehensive approach ensures that regulatory requirements are effectively incorporated at all levels of the organization, enhancing overall risk management and governance.
Capco’s Contribution
Capco provides essential support to financial institutions in aligning with the ECB’s RDARR requirements under BCBS 239. Our approach involves a thorough evaluation of current data governance frameworks, identifying compliance gaps and enhancing data quality and reporting mechanisms. We implement robust data lineage and governance practices to ensure risk data accuracy, timeliness, and effectiveness. Beyond initial assessments, Capco offers a strategic roadmap for building strong governance frameworks and selecting appropriate data management tools, helping clients reduce regulatory pressure and optimize compliance reporting.
In an increasingly complex regulatory environment, Capco is the trusted partner to help clients navigate challenges and ensure long-term success in managing risk data.
1 See: Guide on effective risk data aggregation and risk reporting (europa.eu)
2 See: Wesentliche Entwicklungen in der EU-Bankenregulatorik (der-bank-blog.de)
3 See: Guide on effective risk data aggregation and risk reporting (europa.eu)
4 See: Progress in adopting the Principles for effective risk data aggregation and risk reporting (bis.org)
5 See: Guide on effective risk data aggregation and risk reporting (europa.eu)
6 See: Guide on effective risk data aggregation and risk reporting (europa.eu)