When BCBS 239 was first introduced (2013) to improve the reliability and effectiveness of risk data, banks were optimistic about compliance. The vast majority (90%) of major global banks expected to be ready by the 2016 deadline. By 2023, only a couple (6%) were.
Why? The principles-based nature of BCBS 239, the complexity of the task and a perceived lack of enforcement contributed to a low sense of urgency. Fast forward to today, and the picture is changing.
What now? In its January 2025 Dear CEO letter to UK banks, the PRA identified data risk as a key supervisory priority for this year noting that “increased use of artificial intelligence places heightened importance on the quality and accuracy of the data underpinning these tools” and “We expect to place increasing reliance on data tools and analytics as part of our drive for efficient supervision”.
Last year, the ECB was unequivocal. In its Risk Data and Risk Reporting (RDARR) guide, it highlighted, “If material shortcomings are evidenced (such as inaccurate information reported on key risk indicators), the matter can potentially result in the imposition of enforcement measures, sanctions and capital add-ons...the management body is accountable”.
What’s next? As regulators signal greater urgency and a shift towards a more prescriptive and intrusive oversight, some of the fundamental issues in their line of sight have not changed over the last decade, while others have evolved as the industry continues to learn. We’ll cover these core challenges and new perspectives in upcoming posts.
If this article resonates with you, connect with us on LinkedIn to stay updated with our latest industry insights and expert perspectives.