BCBS 239: The Foundation of Strong Risk Management

Introduced after the 2007–2009 financial crisis, BCBS 239 ensures that financial institutions can aggregate and report risk data reliably. By emphasizing robust data governance—focusing on data ownership, quality, and accountability—it promotes transparency and supports timely and accurate risk reporting. These principles are the foundation for regulatory compliance and are increasingly critical as financial institutions face mounting pressure to modernize and digitalize.

‍

‍

A Snapshot of Challenges and Opportunities in 2025

The ECB's Guide on Effective Risk Data Aggregation and Risk Reporting highlights that many banks remain far from fully adopting BCBS 239, despite the demonstrated risks of non-compliance. Institutions face persistent challenges with fragmented IT systems, complex organizational structures, and inconsistent data governance frameworks. These issues often result in suboptimal data quality—marked by inaccuracies, delays, and incomplete information—that hampers decision-making and regulatory compliance.

‍

The report underscores that poor data quality is often underestimated, as its operational and financial losses remain largely unquantified. For example, fragmented systems and inadequate aggregation capabilities lead to missed opportunities for automation and hinder banks’ ability to meet the increasing demand for detailed, high-frequency data.

‍

Moreover, many banks have struggled to maintain the momentum of their BCBS 239 programs, often due to insufficient funding and a lack of strategic prioritization by boards and senior management. This has left critical areas, such as risk data governance and IT infrastructure modernization, underdeveloped. Banks that delay action risk falling behind in their ability to adapt to evolving risks, such as climate-related exposures, and to leverage new technologies effectively.

‍

Lessons Learned from Stress Events

The ECB Guide identifies stress events, such as the global pandemic, as clear indicators of the consequences of inadequate risk data management. During these crises, banks with fragmented data governance and IT architectures struggled to respond effectively, highlighting the importance of redesigning and simplifying internal processes.

‍

The Guide also points to the benefits of automation and standardization as key enablers of resilience. By streamlining data aggregation and reporting, banks can reduce operational and IT costs, enhance decision-making, and improve their ability to manage risks in real-time. These improvements, while requiring significant upfront investment, deliver long-term benefits through modernization and greater operational efficiency.  

Recommendations for Moving Forward

Banks are at varying stages of aligning with the Principles. While some have achieved full or near-full compliance, others continue to face considerable challenges and have significant progress to make. Insights from the 2022 assessment highlight key areas for improvement, leading to the identification of the following additional recommendations for banks.

‍

Key recommendations from Basel Committee on Banking Supervision:

„Bank boards should prioritise and intensify their oversight of data governance, including the development, implementation, and maintenance of robust data governance frameworks, risk data aggregation and reporting.“

„Banks should foster a culture of ownership and accountability for data quality across the organisation.“

„Banks should ensure sound data quality as the foundation for digitalisation projects.“

‍

A strong governance structure is vital for effective risk data aggregation and reporting capabilities. While banks may have different governance setups tailored to their specific activities and organizational structures, key attributes include a strong commitment from the board and senior management. However, robust governance alone cannot overcome challenges like legacy IT systems and fragmented data.  

‍

For successful implementation of BCBS 239, a comprehensive data governance framework with defined roles and responsibilities is essential. One bank has established such a framework, ensuring board and senior management oversight for resource allocation. A dedicated group data office manages data governance and standards, reporting to a board member responsible for data quality. This office regularly updates the board on progress and issues, while business areas report on their specific data framework status.

‍

Are banks fully capitalizing on their opportunity regarding BCBS239? Why is it more relevant than ever

While BCBS 239 was not initially designed with AI in mind, its principles provide a valuable framework for data governance that supports the integration of AI in finance. By ensuring data accuracy, quality, and traceability, financial institutions can leverage AI technologies more effectively, enhancing both innovation and compliance.

‍

AI models in finance rely heavily on high-quality, accurate, and well-governed data. BCBS 239 emphasizes robust data governance frameworks, including clear data ownership, lineage, and quality controls. Implementing these principles ensures that the data feeding AI models is reliable, thereby enhancing the models' effectiveness and trustworthiness. While its primary focus is on enhancing risk management and regulatory compliance, the principles of BCBS 239 are increasingly relevant in the context of artificial intelligence (AI) in finance.

‍

Just remember. AI models are only as good as the data they are built on.

‍

How do banks utilize AI systems?  

In risk management, AI analyzes vast transactional data in real-time to detect fraudulent activities and assess credit risk by evaluating both traditional and alternative data sources. AI also facilitates stress testing and scenario analysis, enabling banks to simulate financial crises and evaluate portfolio resilience (source).

‍

Customer service has been transformed through AI-powered chatbots and virtual assistants that handle inquiries and provide financial advice, offering seamless support (source).

‍

The successful use of AI in banking depends on strong data governance to ensure accuracy and consistency, making governance a cornerstone of the financial sector's digital transformation. AI offers immense opportunities in areas like fraud detection, credit risk assessment, and market forecasting but also increases the need to manage high-risk data carefully.  

‍

With regulations like the EU’s AI Act categorizing many financial AI applications as high-risk (AI systems used to evaluate the creditworthiness of a person, and for risk assessments and pricing for life and health insurances of a person, banks must embed AI in a transparent and well-governed data environment. This approach enables innovation while mitigating systemic risks, regulatory breaches, and ethical concerns, ensuring trust and operational success.

‍

‍

Under current regulations regarding AI reliability, many models that have been commonly used in the banking and financial sectors over the past 20 years now fall under scrutiny. These include complex predictive models used to evaluate candidates for loans or mortgages. Such models analyze various criteria, such as the applicant's financial history, age, hometown, and job position, to estimate the likelihood of loan repayment. Essentially, these models use machine learning to assess risk.

‍

With the introduction of the AI Act, many of these models will now be classified as high-risk AI systems. The assessment of their riskiness takes into account the level of human involvement. For AI systems entirely driven by automated decision-making, the risk is considered very high.  

‍

One of the main challenges with these models is their potential for bias, often influenced by factors unrelated to the applicant's actual creditworthiness. For example, lending decisions can sometimes be affected by gender bias or other discriminatory factors. Under the new regulations, banks will be required to formally document the extent of bias in each model and outline steps to mitigate these risks. This includes performing regular assessments, maintaining written explanations of model biases, and implementing strategies to reduce discriminatory outcomes. These measures are essential to ensure AI systems remain fair, transparent, and compliant with evolving regulatory standards.

‍

At Dawiso, we enable organizations to meet these standards by providing a robust data governance platform that bridges the gap between compliance and innovation. With tools like data lineage, metadata management, and automated documentation, we help financial leaders manage their data confidently, ensuring compliance with BCBS 239 while embracing AI-driven transformation.

‍