The Basel Committee on Banking Supervision (BCBS) issued its standard number 239 nearly a dozen years ago in 2013. Its aim was to enhance banks' risk management through better risk data aggregation and internal risk reporting. The binding compliance deadline for global systemically important banks (G-SIBs) was in January 2016, and for domestic systemically important banks (D-SIBs), it was within three years of their designation.

Challenges and Progress in Compliance

Despite the passage of time, full compliance remains a challenge for many institutions. Regulators are now focusing more attention and taking a more forceful approach. The scope of regulatory attention has widened to include Tier 2 and Tier 3 institutions. Assessments are becoming more in-depth across various areas such as policy, capability, and reporting.In Europe, on-site inspections, targeted reviews, and data quality assessments lead to significant penalties. In the US, examinations of data management practices, along with evaluations in other areas, can result in various actions. Beyond direct penalties, there are indirect financial consequences as well.According to the Bank for International Settlements, only two out of 31 G-SIBs have fully complied, and some formerly compliant banks have been downgraded. A series of progress reports have provided additional guidance, but there is still a long way to go.

Renewed Call to Action

The latest report in November 2023 highlighted the lack of meaningful progress and set significant expectations for banks and their supervisors. The report pointed out issues such as underfunding and lack of senior leadership attention to the standard. It also suggested that some banks have a "boil the ocean" approach and fail to prioritize requirements. Technical factors also pose a challenge.Regulatory bodies have also called attention to related problems. The ECB's banking supervision identified RDARR deficiencies, and its guide provided guidance on various aspects.

Guiding Principles for Success

When it comes to managing risk-related data effectively, several key challenges need to be addressed. These include getting different organizations to work together, conducting root-cause analysis, and aligning incentive structures.1. Make it a business impact story from the start: The CFO, CIO, and CRO should bring business leaders on board and link the effort to business objectives. They should highlight opportunities and develop a perspective on integrating initiatives. Practical implementation involves identifying data pain points and prioritizing remediation.2. Take a risk reduction approach from the outset: Identify and prioritize critical information and address it first to mitigate risks. Start with a prioritized scope and expand it over time. Ensure risk and finance collaboration and share critical data elements.3. Look for opportunities to accelerate execution: Use generative AI tools to accelerate data compliance and development. Start with tools to automate data lineage and transparency, and then think through the entire data life cycle. Consider a suite of tools to build deployable data quality workflows.4. Remediate at the source with a target architecture and operating model: Aim to remediate data upstream in the data life cycle. Move towards a target data architecture with limited authorized provisioning points. Implement data controls early to ensure quality. Map data lineage to identify areas for improvement.5. Be transparent and comprehensive in regulatory dialogue: Be proactive and transparent with regulators. Communicate in a structured manner and provide regular progress reports. Implement initiatives on their own and integrate BCBS 239-related initiatives with other programs.

Banks' Maturity Levels

European and US banks are at different stages of their BCBS 239 journeys. Some are just starting, while others are refreshing their efforts or accelerating progress. Those further along have been dedicated to compliance for several years but still face regulatory scrutiny. Banks in the middle have documented frameworks but struggle with making progress and engaging the business. Those just starting often face execution problems.However, the rewards are worth the effort. With renewed attention and rising expectations, banks have the opportunity to gain a competitive advantage through enhanced digitization, improved risk management, and better relationships with regulators.