Ten years after the publication of the BCBS 239 principles (the Principles), banks are still at different stages of alignment with the principles for effective risk data aggregation and risk reporting. Only two out of 31 assessed global systemically important banks (G-SIBs) fully comply with all principles, and no single principle has been fully implemented by all banks.
Many banks have made positive efforts to establish implementation programs and roadmaps, but these programs often lack sufficient funding and attention from boards and other levels of management. Banks must take full responsibility for overseeing the development and implementation of robust data management procedures.
Delays in implementing the principles are further exacerbated by the diversity of banks' global operations, evolving business models and the need for more detailed and high-frequency data. The global pandemic and recent stress events have highlighted weaknesses in banks' IT landscapes and in the aggregation and reporting of data.
Supervisors continue to implement a range of supervisory measures to work towards addressing these deficiencies. Banks should prioritise implementation of the Principles, improve data management and address data architecture and IT infrastructure challenges. Implementation of the Principles is an ongoing process that requires continuous assessment and improvement.
The 7th progress report on the implementation of BCBS 239 makes it clear that in the last three years - between 2019 and 2022 - hardly any progress has been made in the degree of compliance of the 31 G-SIBs examined. Overall, the compliance level across all principles improved from an average of 3.14 in 2019 to 3.17 in 2022 on a scale of 1 ("non-compliant") to 4 ("fully compliant"). By comparison, the level of compliance has steadily improved across all principles in the previous years from 2017 to 2019. According to the supervisory authorities, this positive development has stalled in recent years.
If we look at the developments in more detail based on the individual Principles, we see that the aggregated assessment of Principles 1, 5, 7 and 9 in particular actually deteriorated between 2019 and 2022. This can be attributed to an ever better understanding of what "fully compliant" means, as well as increased supervisory expectations.
Figure 1: Compliance grades in 2017, 2019 and 2022
Significant improvements were achieved in the implementation of principles 2 (Data Architecture & IT Infrastructure), 3 (Accuracy & Integrity), 8 (Comprehensiveness), 10 (Frequency) and 11 (Distribution).
In this context, fragmented IT landscapes, outdated system landscapes and manual processes continue to pose obstacles that have a negative impact on the implementation of all Principles. In addition, the Covid-19 pandemic demonstrated the need for standardised and automated data governance processes in stressful situations.
The practice of supervisory authorities is also addressed, and they are encouraged to make greater use of targeted audit activities (e.g., on-site audits or fire drills) in order to accelerate the processing of long-standing deficiencies in aggregation and reporting. In this context, "tougher" measures can also be taken (e.g., capital surcharges, restrictions on capital distribution and other penalties/fines). In addition, application of the Principles should be promoted across a broader scope.
With the publication of the progress report, the Basel Committee on Banking Supervision makes it clear that banks' progress towards BCBS 239 compliance in recent years has not been satisfactory and that increased measures on the part of the supervisory authorities are to be expected to accelerate implementation.
The report's assessment also corresponds to the view of the European Central Bank (ECB), which in turn substantiates the expectations of the European supervisory authorities with the consultation draft of the Guide on effective risk data aggregation and risk reporting (RDARR) published in the summer of 2023 [1]. The deficiencies at the global systemically important banks described in the progress report also largely apply 1:1 to the banks directly supervised by the ECB.
Just like the banks supervised by the ECB, global systemically important banks should review their implementation status in the form of gap analyses and consider the ECB guide, which specifies some requirements. Ongoing implementation projects should be adjusted accordingly, and banks that have not yet been audited in the form of an on-site inspection (OSI) for BCBS 239 should be well prepared for this.
It is expected that clear responsibility for the topic will be assigned at management/board level and that all necessary measures will be taken to "finally" become compliant.
1 European Central Bank, “Guide on effective risk data aggregation and risk reporting”, 24 July 2023.