Living with BCBS 239

In 2016 McKinsey and the Institute of International Finance (IIF) conducted their fourth Global Risk Data and Technology Benchmarking Survey.1 The context for the 2016 survey is the regulatory environment for risk data aggregation and reporting defined by the Basel Committee on Banking Supervision regulation 239 (BCBS 239). The compliance deadline of January 2016 came and went, with most G-SIBs engaged in ongoing risk data transformations.

BCBS 239 has set a standard for regulators globally and thus D-SIBs and other non-G-SIBs have sought to conform as well. The survey revealed that in the past several years, banks have made significant investments in the data capabilities needed to meet rising regulatory demands—yet they are still struggling to keep pace. According to banks’ own quantified self-assessments, overall compliance levels have actually declined since 2015.

At the top of the list of regulatory-related challenges are the increasing scrutiny that banks expect in the near future and the rising levels of investment needed in data and technology capabilities. The dilemma can be resolved, however, if banks are able to create value from data as they tackle the regulatory agenda. This implies that the data vision and strategy banks deploy to meet regulatory needs and contribute to overall safety and soundness also support business goals. While banks remain primarily focused on risk data compliance, a few have begun to use data strategically to support business growth, through advanced analytics and digitization.

Despite investment, compliance levels are decreasing

In recent years, banks have invested significantly in their data and technology programs. These largely support remediation for regulatory initiatives such as BCBS 239. Survey respondents revealed that the programs are mostly led by the risk and finance functions and run centrally. Two-thirds said that they are aligning their programs with an overarching data vision and strategy. The immediate focus is on getting the basics right: improving operations and IT, enhancing risk management, and better supporting the business. Many banks are also deepening senior-management accountability to improve program governance and data-quality awareness, as these are key topics for regulators. In developing a culture of data-quality awareness in their business and support functions, banks have also begun to tackle the question of data ownership, seeking to harmonize overlapping functions and increase collaboration among risk, finance, and treasury.

Investments in fundamental data capabilities have varied. Value-added efforts such as automation are mostly in the beginning stages or are scheduled for a later date.

  • G-SIBs. Most G-SIBs have focused on documentation and selective remediation. About one-third are documenting data lineage up to the level of provisioning data elements and including data transformation—though several are questioning the value of data lineage in the context of broader data controls. Most banks are working on enabling specific IT systems rather than particular use cases or business capabilities. All US and most European and Asian G-SIBs have conducted an independent validation. To ensure an independent perspective on the state of remediation, the validation is usually conducted by an internal team reporting to the chief risk officer. Several banks are complementing their internal validation with external support to build capabilities in their second-line function.
  • D-SIBs. European and Asian D-SIBs are accelerating their remediation programs, as evidenced by rising investment levels. Three levels of maturity have been identified. At the highest level are D-SIBs adhering to the G-SIB timeline—such as Canadian banks, due to a stronger push by local regulators. A second group of D-SIBs began working on risk data and technology early on but have not yet finalized their programs. The last group are the late starters, which have only recently begun to work on risk data and technology.

Despite the data and technology investments, however, overall BCBS 239 compliance levels have declined since 2015 (Exhibit 1). Our respondents’ self-assessment is supported by the latest Basel Committee progress report on risk data aggregation and risk reporting, which finds that banks’ overall level of BCBS 239 compliance remains unsatisfactory. In fact, local supervisors have concluded that only one bank can be considered in alignment with the principles. Highlighted in the Basel Committee report is the regulators’ assessment that, based on the current state of BCBS 239 remediation, banks that began the process in 2013 will need an average of five to six years to complete it.2


A few factors have conspired to produce the more conservative compliance assessments. Through discussions with regulators and the sharing of industry best practices, banks now have a deeper understanding of the technical requirements for compliance. Through independent validation, many banks developed a better understanding of their own capabilities and discovered previously unknown gaps in coverage. A further contributing factor has been that banks have expanded the scope of their regulatory programs beyond risk and finance to include data for management and regulatory reporting, operational processes, and material business decisions.

The rising regulatory bar

Around the globe, most bank executives believe regulators will continue to increase requirements for data capabilities. The present regulatory environment is thus viewed as only the starting point (Exhibit 2). The scope of regulation is expected to widen, with thickening coverage for risk metrics, reports, data, and legal entities. One result is that some banks, especially in Europe, have chosen to be “constantly materially compliant,” a status just shy of full compliance, because of ongoing long-term remediation programs.


More frequent regulatory exams also are expected. Many regulators have already begun targeted reviews, such as the European Central Bank’s thematic review of BCBS 239 compliance for G-SIBs. They are also doing more live testing, through CCAR (in the United States) and other regulatory stress tests. Almost all G-SIBs and about 40 percent of D-SIBs across geographies have conducted an independent validation of their BCBS 239 capabilities, to meet a regulatory requirement and prepare for further discussions with regulators. Respondents indicate that US regulators have been the most assertive; in Europe regulators are issuing further standards to improve consistency, while in Asia the regulatory climate is less intense. The regulatory environment will thus continue to tighten, with a cluster of regulations relating to risk data and technology, including BCBS 239, CCAR, FRTB, GDPR, and RRP, posing capability challenges for the largest banks.3

While no one expects to see global standards for risk data and technology, general approaches are emerging within regions and have been codified in some countries (such as Germany’s “MaRisk,” or minimum requirements for risk management). Regulators have helped recently with more transparent definitions of data quality. The European Central Bank, for example, has developed BIRD (Banks’ Integrated Reporting Dictionary), a database with technical guidelines for reporting data, and has issued reviews of the quality of submitted reports, findings, and resolutions covering common reporting, financial reporting, the liquidity coverage ratio, the net stable funding ratio, and others.

Challenges to compliance

While self-assessed compliance levels have dipped and greater regulatory pressure is expected, banks’ spending on risk data and technology will likely vary by region (Exhibit 3). On the one hand, American G-SIBs are expected to maintain current budgets, because of either regulatory scrutiny or an appreciation of the competitive advantage these capabilities afford. European and Asian G-SIBs and American D-SIBs, however, are expected to reduce their level of investments by around 25 percent. Declining budgets pose significant challenges for many banks and may become a factor affecting compliance levels well into the future, as the impact of changes in investments may take several years to materialize.


Most surveyed banks are already facing challenges in improving their overall data quality. Most commonly, a lack of front-office controls is leading to poor data quality at the systems of origin (Exhibit 4). Many banks also struggle with inefficient data architecture, often in legacy systems, which create operational inefficiencies and make it harder to improve data quality. Addressing these twin challenges usually requires more, not less, spending.


At banks where budgets are shrinking, however, two factors may be at work. The value of the data transformation may be inadequately appreciated by the business, while board and senior-management support, which has been generally growing, is still relatively modest. With the regulatory bar still rising, many banks find themselves running in place, still fixing the basics after having made significant investments over the past several years. They may be losing the focus needed to get to the finish line.

Making data value a reality

To address regulatory requirements and achieve business value, banks will have to reverse the backsliding and redouble their efforts on data. A renewed value-based effort could take shape around three principles.

First, with full support from the business, banks should develop a business case that clearly defines and quantifies the value of the data program. Less than 40 percent of surveyed banks have done this, and many that have are not yet realizing value. One reason is that most (64 percent) of the value so far identified was set top-down, rather than through bottom-up commitments from the business. The benefits, furthermore, are mostly connected to cost reduction and improved capital efficiency, rather than revenue uplift.

Second, banks should continue to make progress on their remediation programs and regulatory agenda. The orientation of these efforts should, however, begin to shift away from “change the bank” to “run the bank.” That is, banks should begin to move beyond reacting to regulatory requirements to a point where the capabilities they develop in response are embedded into the functioning of the bank. These capabilities should also be applied beyond risk and finance to include and address data used for operational processes and material business decisions.

Finally, from this foundation, banks should define a holistic data vision and strategy that creates business value. The approach is best derived from the bank’s business strategy. The end state is one in which all divisions are aligned and data requirements from all areas and for all uses are harmonized. The data environment, quality controls, and governance mechanisms established for compliance should also support business goals and create business value. As the bank meets standards for high-quality data for risk management and regulatory compliance, a coordinated effort can also be advanced to automate and digitize processes and develop advanced analytics capabilities to enable the business.

The road ahead: Regulatory alignment and business value

Value creation through data therefore requires simultaneous progress in two dimensions of banks’ data agenda. Banks must continue the work of alignment with regulatory requirements such as BCBS 239. At the same time, they must derive business value from data with their new digital and advanced analytics capabilities.

Regulatory alignment

In the regulatory dimension, most banks are already focusing on data governance and data quality. Regulators are now turning their attention to some of the thornier requirements for BCBS 239 compliance. A few points deserve priority attention.

  • Developing capabilities for times of stress. Though many banks have adequate data-aggregation and reporting capabilities for normal times, these capabilities must also be strong enough for times of stress. To enhance data capabilities as needed, banks should develop scenarios covering all material risk areas and define scenario-specific data-aggregation and reporting requirements. The scenarios can then be used to test the bank’s capabilities during times of stress and identify potential gaps.
  • Limiting end-user computing tools (EUCs). Banks should reduce their reliance on these tools, which are often used during data-aggregation and reporting processes. EUCs are typically developed and managed by end users outside a controlled environment and are not subject to general IT controls. They can introduce various types of risk into the system, relating to data quality and integrity, access and security, and versioning. Banks must therefore seek to significantly reduce the number of EUCs through the automation of key processes. Banks should furthermore establish strict governance and controls over any remaining EUCs, often leveraging advanced tools for EUC identification, documentation, and management.
  • Addressing data risk. Finally, poor data quality can lead to losses and ineffective management decisions. A data-risk discipline should therefore be established within the overall risk management framework. Its purpose is to identify, assess, and manage data risk. This will require that banks incorporate data risk as part of their risk appetite statement and develop a set of metrics to measure data risk across the organization, setting thresholds commensurate with the risk tolerance of the bank.

Business value

Many banks have begun to focus on the next data horizon by developing business-enabling digital and analytics capabilities. These can be applied to revenue-generating opportunities, such as targeted acquisition of customer segments or personalized banking at scale. They can also be used to streamline branch and back-office processes and to enhance risk management, such as for advanced fraud detection. Nearly 80 percent of respondents are piloting or have deployed business-enhancing analytics capabilities (Exhibit 5).


Most of the activity is in the areas of operational risk and compliance (such as anti-money laundering), credit risk (including early warning systems and self-learning models), and automated reporting (such as data quality gap identification). A large majority of respondents have focused on building forward-looking capabilities, including machine learning, predictive analytics, autodiscovery, and prescriptive analytics tools.

To support business growth with advanced analytics and digitization, however, banks must also enhance their data architecture and invest in next-generation technologies. The trend among leading banks is to adopt modern technologies for their versatility and their potential to lower costs. These technologies are being applied to meet regulatory requirements for data granularity, quality, timeliness, auditability, and comprehensiveness—while also supporting advanced analytics and digital enablement to drive business growth. Implementation of such technology should be modular and agile. In this way, the long-term projects can advance toward their strategic target state while existing legacy infrastructure can be managed in a manner that generates value rapidly, according to more immediate business goals.

McKinsey on Risk Number 2 - January 2017

Data-driven synergy

The goals of regulatory alignment and business value can be pursued simultaneously. Compliance efforts are leading to enterprise-wide data-quality controls and governance established on the same data that can also be used to yield business value. Through machine learning and other advanced analytics methods, high-quality, well-governed data will provide the basis for the insights needed to realize business value in a range of situations.

Leading banks have gone further, using BCBS 239, FRTB, and other data-related regulations as catalysts for value-based data management. These banks are seeking to streamline their responses to existing and new regulatory demands, including the digitization and automation of regulatory processes. As capability levels rise, data and technology resources can be increasingly managed with the aid of advanced data forensics and data-management tools. These resources will also be integrated across the enterprise with other related disciplines, such as cybersecurity and operational risk.

Leaders are demonstrating that regulatory demands themselves can spur value creation. The greater transparency obtained through stress-testing and CCAR programs can support business planning and investment goals, while advanced analytics and digital capabilities are increasingly used to serve the business and drive growth. The new approaches turn living with BCBS 239 today (and new rules tomorrow) into sources of value.
