Details
Join us for an insightful webinar exploring how intensifying regulatory scrutiny is accelerating the need for robust risk data aggregation and reporting.
More than a decade after its introduction, BCBS 239 remains a challenge for many institutions—but expectations are now clearer and enforcement is increasingly tangible. Supervisors, particularly in Europe, are moving beyond guidance toward active oversight and accountability.
Learn how data management best practices, anchored in DCAM, can help banks evidence compliance, address critical gaps, and align with evolving supervisory standards.
Through a combination of regulatory insights and real-world banking experience, you’ll gain a clearer roadmap to strengthen your data strategy and meet growing regulatory demands with confidence.
Post-event summary
The webinar “BCBS 239 In Focus: Increasing Regulatory Scrutiny and Tangible Steps to Comply,” hosted by the EDM Association and Element22, discussed the evolution of BCBS 239, ongoing regulatory expectations, and how firms are responding to increasing scrutiny around risk data aggregation and reporting. Speakers included:
- Co-Moderator: Jim Halcomb, Chief Research & Development Officer, EDM Association
- Co-Moderator: Chiara Brown, Regional Advocate UK & Europe, EDM Association
- Mark Davies, Partner, Element22
- Christophe Tummers, Group Chief Data Officer, Société Générale
The session emphasized that BCBS 239, originally published in January 2013, remains highly relevant today, with regulators continuing to assess progress and identify gaps in compliance. Across eight progress reports from 2014 to 2023, only a small number of firms were found to be fully compliant, indicating that “there’s more that the industry can do.”
Speakers highlighted that BCBS 239 originated from lessons learned after the 2008 financial crisis, where banks lacked the ability to aggregate risk data quickly and accurately. This inability had “severe consequences to the banks and the stability of the financial system as a whole.” The regulation focuses on improving risk data aggregation and reporting capabilities, with 11 core principles and dozens of supporting requirements. Over time, regulatory scrutiny has increased, particularly through the European Central Bank (ECB), which introduced additional guidance (RADAR) and conducted on-site inspections between 2022 and 2024. The ECB has made clear that supervisory efforts will continue to intensify through at least 2026–2028.
A key theme was that BCBS 239 should not be treated as a one-time program. Christophe emphasized that many banks initially approached it as a finite initiative, but “BCBS 239 is forever,” and compliance must be continuously maintained. Regulators have shifted expectations from simply establishing governance and capabilities to demonstrating measurable outcomes and impact. As noted, having governance structures and tools is no longer sufficient; firms must show that “the data has to be better than it is today.”
The discussion also covered the role of the Data Management Capability Assessment Model (DCAM), which helps translate regulatory expectations into actionable data management practices. While BCBS 239 defines “what” firms must achieve, DCAM helps answer “how” by outlining capabilities such as data quality, governance, architecture, and lineage. However, speakers stressed that DCAM alone cannot prove compliance—it serves as an input rather than a complete solution.
Responsibility for compliance extends across the organization. Data is owned by the business, and effective implementation requires coordination among risk, finance, technology, and data teams, with oversight at the senior management or board level. Additionally, firms must focus on tangible indicators of progress, such as data quality, reduction of manual adjustments, and the ability to produce accurate reports during stress scenarios.
Overall, the webinar reinforced that BCBS 239 is both a regulatory requirement and an operational necessity, requiring continuous investment in data management, governance, and measurable improvement in risk reporting capabilities.