The ECB is “intensifying its supervisory approach” on BCBS239 compliance – and basic lineage is not sufficient

Navigate BCBS239’s rigorous standards with robust data lineage solutions that keep your organization ahead in compliance.

Are you aware that BCBS 239, a key regulation for financial institutions, requires you to ensure the accuracy of the data that underpins your business? And to demonstrate intent to control exactly where your data comes from and precisely how it changes before it is used in key business activity, such as board-level decision making, AI recommendations and more? If you don’t know, you need to – as your CEO won’t want the company facing fines in the millions as a result. You don’t want to be the person who wasn’t proactive and waited until the regulators issued a fine. We can help you understand what you should know about the data lineage requirements for compliance – now specified as a minimum data governance requirement – and in an advanced, not basic, form, which we’ll explain.

If you’re new to this topic, what’s it all about? Well, data is the foundation of any modern business, but an important question is: how can you confidently make key decisions and ensure regulatory compliance if you can’t be sure where your data comes from, where it is used, how it’s transformed and whether it’s fit for purpose? Its source and granular accuracy are critical for regulatory compliance, key business decisions, mergers and acquisitions, software migrations and transformation, and as the foundation for AI.
The regulators understand this and know the importance of the integrity of data. And demonstrating its journey – or data lineage – is referred to as a minimum requirement of data governance, in the latest recommendations from the European Central Bank regarding BCBS 239.

What’s BCBS239 all about?

In summary, BCBS 239 is a set of principles developed by the Basel Committee on Banking Supervision (BCBS) following the 2008 financial crisis. It’s aimed at strengthening banks’ risk data aggregation capabilities and internal risk reporting practices. It’s a set of guidelines that banks, particularly globally systemically important banks (G-SIBs), are expected to implement. However, national regulators do incorporate BCBS 239 principles into their regulatory frameworks, making compliance mandatory within their jurisdictions. Beyond Europe, the Federal Reserve in the U.S. has incorporated elements of BCBS 239 requirements into its regulatory expectations for banks, particularly those designated as systemically important.

In its introduction, the European Central Bank states in its May 2024 ‘Guide on effective risk data aggregation and risk reporting’, “The ability of institutions to effectively manage and aggregate risk-related data is an essential precondition for sound decision-making and strong risk governance.”

They state that “ECB Banking Supervision is intensifying its supervisory approach.” This statement comes after they’ve explained that there has been a lack of full compliance – and it is likely they are going to start coming down harder in their approach – ‘intensifying’ it. So, if you’ve managed to be OK so far and not been fined, be warned that you need to look at this, or risk facing a hefty fine into the millions for non-compliance. And if you have ‘data lineage’ in an existing data catalog, it doesn’t mean that you can tick the box of ‘data lineage – sorted’. You are highly unlikely to be compliant to the level required by regulators.

What do the BCBS 239 regulations say about data lineage – and what is it anyway?

Let’s start with an understanding of lineage, for those new to it. The data at the foundation of many business use cases, such as financial reports for shareholders, board-level decisions and much more, must be accurate in order to be of any use. But the source of data, and its journey before being used in these key business areas, is complex. It’s used in many systems, by different departments and countries, and may have calculations, formulas and transformations applied. To be able to truly trust that data, organizations need to understand where it comes from and where it is used, and to correct and prevent any issues in order to prove its trustworthiness.

Data lineage helps by creating a map view of all systems and data flows – so you can see where the data comes into the business, where it has been used, how it travels through different systems – and is changed – and to see any data quality issues, before it is used in its often critical, strategic and regulatory uses.

Why basic data lineage isn’t enough

We’ve seen it many times. Companies come to Solidatus after being told by regulators that their data lineage is not good enough. What typically happens is that companies use the data lineage that is included in other software they have, such as a data catalog. They assume that this means they have done what is required by regulators, but they discover that the basic form of lineage included in this software is neither broad nor detailed enough for the regulators.

In its recent May 2024 guide, the European Central Bank now makes very clear that:

  1. You need to have a data lineage solution as a minimum element of your data governance.
  2. That data lineage needs to be both ‘complete’ and granular. ‘Complete’ means encompassing a view of all the data flows across all systems, from end to end of your business, not just a subset. Granular means detailed, or to the ‘attribute’ level in their terms: you must be able to drill from that broad map view right down to the level of a column in a table – not just to the table level.

“Regulators seek frequent, granular, and comprehensive data from financial institutions”

Deloitte Center for regulatory strategy, US, BCBS 239 Progress Report February 2024

They specify this because otherwise you don’t have a full picture and understanding of your entire data risk, and you can’t act quickly to identify and correct specific issues. You won’t be able to find the exact root cause if you can’t drill down far enough – to see, for example, the problematic calculation that was used in a particular column.

What do we have to do with this at Solidatus? We help you discover, assess and prove the complete journey of your data from its source, through multiple systems, to finish – so you can understand and truly trust the data at the foundation of your business decisions, governance, transformation projects, AI and more. We do this through a visual map of your data’s journey and transformations through all systems in your organization.

We hope that helps provide background to the need for advanced data lineage. We are the experts at data lineage. And we understand BCBS 239 – and other regulations. We can ensure your data lineage is to the level required by regulators, so you don’t get fined for poor lineage and can truly trust the data at the basis of your business.

Summary

The European Central Bank (ECB) is ramping up enforcement on BCBS 239 compliance, emphasizing the need for comprehensive data lineage – not just basic coverage. This article covers why financial institutions must ensure data accuracy, traceability, and governance to avoid significant fines. Simple data lineage found in typical data catalogs often falls short of regulatory requirements, which now demand a complete, detailed view of data flows across systems. Solidatus provides advanced data lineage solutions that help institutions meet these stringent standards and avoid compliance risks.

Written by: Philip Dutton

Co-Founder & CEO at Solidatus
Philip is a Senior System Architect and Project Manager with over 20 years’ experience within Financial Services.