The Basel Committee on Banking Supervision (BCBS) introduced BCBS 239, a regulatory response to the 2008 financial crisis. The interdependence between global systemically important banks (G-SIBs) highlights the need for improved risk data aggregation and reporting practices. Achieving compliance with BCBS 239 is about adhering to regulatory requirements and enhancing banks’ overall risk management framework and operational efficiency.

Understanding BCBS 239

BCBS 239, officially titled “Principles for Effective Risk Data Aggregation and Risk Reporting,” was issued in January 2013 in response to the “too big to fail” interdependencies that led to the global financial crisis of 2008. The BCBS 239 guidelines outline 14 principles divided into four main categories and aim to improve banks’ ability to aggregate and report on risk data effectively.

Overarching Data Governance and Infrastructure

Principle 1: Data Governance

Banks must have a robust governance framework to oversee the entire risk data aggregation and reporting process. This is an important step that requires establishing a data governance committee responsible for the integrity and accuracy of risk data.

Principle 2: Data Architecture and IT Infrastructure

The IT infrastructure should support the collection, aggregation, and reporting of risk data. Banks must invest in modern, scalable IT systems that can handle large volumes of data.

Risk Data Aggregation Capabilities

Principle 3: Data Accuracy and Integrity

Data accuracy and integrity ensure that data is trustworthy and reliable. Financial firms need to implement automated data validation tools to ensure data is accurate, consistent, and reliable throughout the data lifecycle.

Principle 4: Completeness

Financial institutions should capture data on all existing and potential material risk exposures, including critical risks that are off-balance sheet. This requires conducting regular data audits and risk assessments to ensure completeness.

Principle 5: Timeliness

The availability of risk-related data should be timely to facilitate prompt decision-making. Financial firms must develop real-time data processing capabilities to provide insights to quickly mitigate risk.

Principle 6: Adaptability

The risk data aggregation process should be flexible to adapt to new risks and regulatory changes. It is strongly recommended that banks use technologies that can be easily updated when sorting, merging, or breaking down data sets.

Risk Reporting Practices

Principle 7: Accuracy

Risk management reports should accurately reflect the risk in the data, without alteration. Banks should follow the reporting principles in the BCBS 239 document and standardize reporting formats to minimize errors and support critical decisions about risk.

Principle 8: Comprehensiveness

Risk management reports must be comprehensive, covering all material risks within the organization. These reports should be consistent with the bank’s operations and risk profile. They should include information on all significant risks and their components and cover risk-related measures. Additionally, banks should regularly review the contents of risk management reports to ensure they remain comprehensive.

Principle 9: Clarity and Usefulness

Banks must develop automated risk management reports that are clear, concise, and practical for decision-making. Banks can use visual aids like charts and graphs to enhance report clarity but must ensure that risk reporting policies align with the needs of the board, management, and other areas of the organization.

Principle 10: Frequency

Banks should produce risk reports that are readily available at the frequency required by senior management and regulators. Financial institutions must establish a reporting schedule that meets internal needs and aligns with regulatory requirements.

Principle 11: Distribution

Banks’ risk management reports should be distributed to the relevant parties while maintaining confidentiality. Banks must have policies and procedures in place to quickly collect and analyze risk data and distribute the risk report to all appropriate recipients.

Supervisory Review, Tools, and Cooperation

Principle 12: Review

Banks should conduct regular reviews of their compliance with BCBS 239 principles. Banks should implement a self-assessment framework to periodically review compliance, as supervisors may test a bank’s compliance with requests for information on specific risk issues within a short timeline. Supervisors are testing the capacity of a bank to aggregate risk data rapidly and produce risk reports.

Principle 13: Remedial Actions and Supervisory Measures

Banks must promptly address deficiencies in risk data aggregation capabilities, reporting, and internal controls. This requires banks to develop a remediation plan to take actions that address the identified gaps.

Principle 14: Cooperation with Supervisors

Banks should coordinate with domestic regulators, relevant supervisors, and authorities in other jurisdictions. Cooperation can consist of sharing information within the confines of applicable laws and regulations. Participation in industry forums and regulatory consultations is also highly recommended.

Ensure BCBS 239 Compliance with BigID

BCBS 239 compliance is a strategic imperative for banks aiming to strengthen their risk management frameworks and ensure regulatory adherence. Complying with BCBS 239 starts with knowing your data. BigID makes complying with BCBS 239 easy because it allows you to identify and remediate potential risks by providing comprehensive visibility into your organization’s sensitive data landscape. BigID enables organizations to automatically find, tag, label, and accurately classify and remediate the data they know about – and the data they don’t know about, wherever it lives.

With BigID, banks can:

  • Identify Critical Data: BigID helps banks discover and inventory all critical and high-risk data, ensuring that all necessary information is captured for comprehensive risk data reporting.
  • Discover Sensitive & Regulated Data: BigID can discover sensitive and regulated data wherever it is stored, ensuring comprehensive data coverage under BCBS 239.
  • Classify High-Risk Data: BigID automatically classifies and tags high-risk data using AI and machine learning, aiding in risk management reporting and compliance.
  • Establish a Single Source of Truth: By reducing data fragmentation, BigID strengthens a bank’s privacy, security, and governance programs.
  • Manage Data Retention: BigID’s data retention rules help manage high-risk data effectively, adhering to compliance and regulatory standards.
  • Streamline Data Remediation: BigID provides workflows and audit trails for remediating high-risk data, ensuring compliance with regulatory requirements.
  • Reconcile M&A Data: BigID supports regulatory compliance across all divisions of the enterprise, particularly during mergers and acquisitions, ensuring data consistency and completeness.
  • Cooperate with Supervisory Review: BigID facilitates periodic reviews and evaluations of compliance, allowing for timely remediation actions and cooperation with other jurisdictions.

Get a 1:1 demo with our data experts to see how BigID can help you achieve compliance with BCBS 239.