Highest demands for data quality in banks (BCBS 239)


We are coming to the end of an era in which IT solutions and manually maintained Excel spreadsheets are used to manage the data of financial institutions.

When analysing the financial crisis 2007–10, many institutions and banking supervisors saw that a large proportion of the IT and data architectures of banks were inadequate for managing financial risks. For example, after the collapse of Lehman Brothers, major international banks needed approximately two weeks to assess their own Lehman commitment. The data were not automatically available, and many employees had to manually gather and consolidate the data, which required a great deal of effort. As a result, the Basel Committee on Banking Supervision (BCBS) and the Financial Stability Board (FSB) of the Bank for International Settlements (BIS) agreed to develop international standards for data management. In January 2013, in BCBS 238, Basel regulators published their international requirements as “principles for the effective aggregation of risk data and risk reporting”.

The BCBS (Basel Committee on Banking Supervision) consists of representatives of central banks and national supervisory authorities from all over the world, and its headquarters are at the Bank for International Settlements in Basel. It meets on a quarterly basis to develop guidelines and recommendations for creating uniform international standards in banking supervision.

BCBS 239 forces financial institutions to establish appropriate and effective risk reporting, which ensures clear statements about the risk-bearing capacity of individual subsidiaries and customers. For this purpose, heterogeneous system landscapes need to be cleaned up.  In addition, long overdue measures for modernisation need to be implemented in data management and internal control procedures. The control mechanisms requiring expansion include

  • Regulations on structural and operational organisation
  • Processes for identifying, assessing, controlling, monitoring, and communicating risks
  • A function for risk control and compliance

The requirements for risk data aggregation and risk reporting are described in 14 principles. Each principle is assigned to one of the four superordinate topics: (I) overall bank management and infrastructure, (ii) risk data aggregation, (III) risk reporting, and (IV) regulatory inspections and cooperation.

  • I. Overall bank management and infrastructure
    • (1) Governance: The quality and interpretation of the risk data is the responsibility of the executive board
    • (2) Data architecture and IT infrastructure: The provision of effective IT support in times of crisis
  • II. Risk data aggregation
    • (3) Accuracy and Integrity: If possible, automated data aggregation for preventing errors as well as uniform and tuneable data sources
    • (4) Completeness: Delivery of complete risk information, measurements, and verification of completeness
    • (5) Relevance: In each institute area, risk data should be available on short notice and consolidated if necessary
    • (6) Adaptability: Flexible and scalable risk data aggregation for ad hoc reports to satisfy regulatory requirements
  • III. Risk reporting
    • (7) Accuracy: Timely generation of correct reports
    • (8) Comprehensive character: Involvement of all relevant risks
    • (9) Clarity and benefits: Clear presentation and consideration of the limits of risk reporting
    • (10) Frequency: Guarantee of regular, risk-adequate reporting, even under stress and crisis conditions
    • (11) Distribution: Sending of reports that are fair to the addresses
  • IV. Regulatory inspections and cooperation
    • (12) Verification: Compliance with the principles should be reviewed and monitored
    • (13) Corrective and supervisory measures: Recommendations on review tools and sanctions
    • (14) Cross-border cooperation: Cooperation among national supervisors at the international level

Timeline for the reactions to BCBS 239

Global systemically-relevant banks (G-SIBs)

  • Implementation by 1 January 2016 mandatory

National systemically-relevant banks (D-SIBs)

  • Implementation is mandatory three years after the national classification of a bank as a D-SIB (for Germany, expected in the 2015 MaRisk amendment)

Other institutions

  • At the discretion of the national supervisors, sensible principles will be selectively and proportionally assigned to medium and small financial institutions (in Germany, through the MaRisk amendment in 2015)


Implementing the requirements in accordance with BCBS 239 is expensive. This has been confirmed by the regulatory authorities. Depending on the bank, this can involve hundreds of millions. The institutes still have a lot of work to do. The last progress review of BCBS 239 conversion at the G-SIBs in 2014 has unfortunately encouraged sobering results for days. Despite numerous improvements since 2013, some areas have become worse. In the average of all G-SIBs and across all subject areas, there was almost no visible progress between 2013 and 2014. In addition, about half of the institutes have indicated that they will not be able to meet the 1 January 2016 deadline. The supervisors assume that this will also be the case for many more.

An overarching problem is the automation of the existing manual processes in risk reporting. Organisational bottlenecks such as underestimated staffing needs in the IT departments or in the cooperation with the banking supervision can lead to delays in the restructuring projects.

In addition, some institutes only realised the scope of this request in 2014. In particular, implementing and establishing a common IT platform and adequate interfaces for integrating all relevant risk data (also from subsidiaries) is a major expense for all credit institutes that have not already begun to make improvements in internal auditing and risk and data management in the wake of the financial crisis.

Experts estimate that with the help of such restructuring measures, in four or five years, the risk management of the European banks should be strengthened in such a way as to provide valid support in the event of a new financial crisis.

S&N References / Offer

S&N has many years of experience in Business Intelligence for financial service providers. Here, the focus was on the implementation of new reporting requirements from Basel III as well as the consolidation and automation of reporting in risk control.

Our consultants are responsible for the analysis and conception of requirements, project management, implementation, and operational support.

In parallel to the regulatory BCBS 239, S&N offers comprehensive support in implementing the new requirements.

What we offer

  • Inventory and documentation of existing processes and reports on risk reporting
  • Assistance in identifying areas of activity
  • Support in the automation, consolidation and optimisation of reporting systems and processes

Contact: Franziska Mühlenkord; Turn on Javascript! und Matthias Koch; Turn on Javascript!