A Review of BCBS 239: Helping banks stay compliant

Overview of FATCA
A summary of Solvency II Directives

The Basel Committee of Banking Supervision’s (BCBS) guiding principles, titled BCBS 239: Principles for Effective Risk Data Aggregation and Risk Reporting came into being in the aftermath of the 2008 Financial Crisis. The global financial crisis brought to the fore how banks’ information technology (IT) and data architectures were inadequate to deal with the management of financial risks.

money-1090816_640In April 2009, the Financial Stability Board (FSB) was established as an international body to govern and recommend changes to ensure financial stability of global financial system[1]. Additionally, the Basel Committee issued the Basel II framework to enhance banks’ ability to identify and manage risks[2]. The committee also included references to data aggregation as part of its guidelines. Stress testing exercises like Comprehensive Capital Analysis and Review (CCAR) in the US, the Firm Data Submission Framework (FDFS) in the UK, and the European Banking Authority (EBA) across Europe reiterate the need for banks to fill in these gaps.

In 2013, The BCBS 239 guiding principles for banks and financial institutions were established. The purpose of the principles is to strengthen the risk data aggregation capabilities and internal risk reporting practices of banks, thereby enhancing their risk management and decision making processes. Approximately 30 global systematically important banks (G-SIBs) identified in 2013 were given the January 2016 deadline to get things in order to comply with the 14 guiding principles of BCBS 239.[3]

What are the 14 principles of BCBS 239?

Cognizant BCBS 239 Deadline

Image Credits: Cognizant Solutions

Principles for Governance, Data Architecture and IT Infrastructure

Principle 1- Governance: A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.

Principle 2 – Data Architecture and IT Infrastructure: A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis while still meeting the other Principles.

Principles for Accuracy and Integrity, Completeness, Timelines and Adaptability

Principle 3 – Accuracy and Integrity: A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimize the probability of errors.

Principle 4 – Completeness: A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.

Principle 5 – Timeliness: A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.

Principle 6 – Adaptability: A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.

Principles for Accuracy, Comprehensiveness, Clarity and Usefulness, Frequent and Distribution

Principle 7 – Accuracy: Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.

Principle 8 – Comprehensiveness: Risk management reports should cover all material risk areas within the organization. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.

Principle 9 – Clarity and usefulness: Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients.

Principle 10 – Frequency: The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported and the speed, at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision‑making across the bank. The frequency of reports should be increased during times of stress/crisis.

Principle 11 – Distribution: Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.

Principles for Review, Remedial actions & supervisory measures and Home/host cooperation

Principle 12 – Review: Supervisors should periodically review and evaluate a bank’s compliance with the eleven Principles above.

Principle 13 – Remedial actions and supervisory measures: Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting Principles for effective risk data aggregation and risk reporting 15 practices. Supervisors should have the ability to use a range of tools, including Pillar 2.

Principle 14 – Home/host cooperation: Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the Principles and the implementation of any remedial action if necessary.[4]

Read more about the report at: The Basel Committee on Banking Supervision’s “Principles for effective risk data aggregation and risk reporting”: BCBS 239 published in Jan 2013


BCBS 239: Challenges and Scope

The principles of BCBS 239 underline that there is no quick short-cut to compliance. Banks have to invest in upgrading existent systems and implement technological and reporting solutions that will prepare them for meeting their strategic goals and make them ready to address future regulatory compliance changes.

Why is it so challenging?

Short Timelines

It was only in January 2013 that G-SIBs and later D-SIBs were identified to comply with the new guidelines. As the compliance requirements for BCBS 239 are substantial, most banks found task of incorporating the changes challenging.

No Easy Solution

BCBS 239 focusses on a bank’s ability to aggregate risk data and to report it in a flexible manner to improve insights on their risks. As such, there is no shortcut or easy solution to comply, as streamlining the processes of data aggregation and having IT systems capable of storing, processing and analyzing risk data is essential.

Varying compliance issues as per size

Small banks may struggle to cope with the principles due to their tight budgets. Given the situation, the technology upgrades and compliance and reporting processes that BCBS239 hope to streamline is hard to implement.

On the other hand, large banks face excessive level of complexities, given their size and geographical reach. Streamlining and effectively implementing the new practices across all departments’ presents a big challenge. Simply put, size is a paradoxical factor. Although large banks have better resources and capacity to implement changes, modifying or instituting new regulations presents its own difficulties.[5]

Banks’ outlook towards BCBS 239

Key Findings of EY’s BCBS 239 Autumn 2014 Industry survey of 30 G-SIBs and D-SIBs on prioritizing and mobilizing projects for 2015:

  • Most respondents said a significant part of their BCBS 239 change delivery will not be complete by January 2016
  • 89% of respondents viewed BCBS 239 as an enabler to shape their IT strategy and develop their IT infrastructure.
  • 78% of respondents viewed BCBS 239 as an enabler for their enterprise-wide data management capabilities.
  • 67% of respondents viewed BCBS 239 as an initiative to help drive operational efficiency and other cost reduction initiatives.
EY Figure 1

Credits: EY


G-SIBs have been mobilized and Domestic Systemically Important Banks (D-SIBs) are now mobilizing their approach to achieve regulatory compliance. A recent EY survey on BCBS 239 readiness shows that banks are viewing the principles as an enabler for other strategic objectives aimed at transforming the business to survive in the new marketplace.[6]

Although the challenge to comply with BCBS 239 is vital, the scope is immense. Now that the Jan 2016 deadline for the G-SIBs is up, the rule is expected to extend to other financial institutions and banks. The principles will also apply to all key internal risk management models including market, credit, and counterparty risk. Establishing the principle guidelines and putting core capabilities in place has its merits.[7]

The clarity that effective risk data aggregation provides will help banks streamline their businesses, and can allow banks to make better judgments through more accurate risk analysis. Aggregated information across all channels will enable to provide comprehensive support and services to existing customers. The robust data framework also helps banks supervise and anticipate future problems, giving them a clear view for data analysis.

It can lead to gains in efficiency, reduce probability of losses and enhance strategic decision making, ultimate benefiting a bank’s profitability.[8]

Marion Leslie, Managing Director of Pricing and Reference Services at Thomson Reuters outlines BCBS 239 requirements, challenges and discusses how banks can benefit from the compliance.


How can banks stay compliant using Hexanika Solutions

Hexanika is a RegTech Big Data software company that has developed a revolutionary software platform SmartJoin™ and a software product called SmartReg™ for financial institutions to address data sourcing and reporting challenges for regulatory compliance.

Hexanika helps banks meet the 14 principles of BCBS 239 using its strategic enablers and advanced regulatory and technology solutions. Our software platform SmartJoin™ uses heuristics and semantics to address core issues related to data governance, aggregation and consolidation. It improves data accuracy and integrity, also allowing traceability of data to its raw form. Using SmartReg™, banks can institutionalize and streamline the reporting process, giving them additional options of reviewing, supervising and/or analyzing data using a preferred BI Tool. It reduces the complexity, costs and time required to generate reports, helping banks meet BCBS 239 compliance.

Read more about our solutions and technology at: https://hexanika.com/company-profile/


Contributor: Vedvrat Shikarpur

Image Credits:  bykst


Also read our other articles on similar topics:

Overview of FATCAhttps://hexanika.com/overview-of-fatca/

Regtech is the new Fintechhttps://hexanika.com/regtech-is-the-new-fintech/

Evolution of Data Integration post the implementation of Dodd-Frankhttps://hexanika.com/evolution-of-data-integration-post-the-implementation-of-dodd-frank-act/

Dodd-Frank’s Impact on Regulatory Reportinghttps://hexanika.com/dodd-franks-impact-on-regulatory-reporting/

An overview of MiFID IIhttps://hexanika.com/an-overview-of-mifid-ii/

An overivew of CCARhttps://hexanika.com/an-overview-of-the-ccar/



[1] Knowledge Blogs: The 14 principles of BCBS 239

[2] Basel Committee: Enhancements to Basel II Framework

[3] Oracle: BCBS 239- Take Action to Ensure Compliance and Deliver a Competitive Advantage

[4] Basel Committee on Banking Supervision: BCBS 239: Principles for effective risk data aggregation and risk reporting

[5] Zanders: Why is implementing BCBS 239 so challenging?

[6] EY: BCBS 239: A practical path to compliance and delivering business value

[7] Information Week: 8 things you probably did not know about BCBS 239

[8] Banking Technology: Breaking down BCBS 239

1 Comment. Leave new

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

− 4 = 3