BCBS 239: Latest outlook from the Basel Committee

On 6 January 2026, the Basel Committee issued Newsletter No. 36 summarising key themes and challenges related to banks risk data aggregation and risk reporting practices (RDA) based on recent supervisory and industry outreach sessions on BCBS 239 principles implementation. It offers a timely reflection on how banks are progressing with BCBS 239 and, more importantly, where supervisors continue to see gaps.

While many banks have improved since the BCBS  239 guidance were first being published in 2013, supervisors still observe governance gaps, fragile lineage across complex estates, and inconsistent execution across borders.

Key takeaways on current issues and challenges

1 – Adapting to a changing operating environment

BCBS 239 implementation cannot be static and must evolve with M&A activity, new products, platform change and shifting risk profiles. Periodic reassessment of scope and capabilities is expected.

What action is required from financial organisations?

• Conduct annual BCBS 239 scope reviews aligned to strategic change and transformation roadmaps.
• Refresh critical data elements (CDEs), lineage scope, and reporting SLAs regularly.

2 – Governance and data

Boards are responsible for oversight of risk data aggregation and risk reporting practices activities and for obtaining assurance that processes align with organisational objectives, whereby management must provide evidence-based updates. There is also indication that a data driven culture remains uneven across firms, whereby an active involvement of senior management has shown to be beneficial for overcoming implementation barriers and preserving bank capabilities.

What action is required from financial organisations?

• Embed board-level accountability for data risk within operational risk governance.
• Define roles, KPIs and attestations across all three lines of defence, ensuring data controls are monitored and tested as part of risk-control frameworks.

3 – Addressing data challenges

End‑to‑end lineage and the ability to deliver accurate, timely ad‑hoc reports remain difficult across legacy, distributed estates. Demonstrating business value helps secure investment in automation.

What action is required from financial organisations?

• Implement risk-based data lineage for metrics feeding critical data risk and regulatory reports.
• Combine data lineage with robust data-quality checks and regularly test ad-hoc reporting within strict time limits to ensure accuracy and speed under stress.

4 – Cross‑border implementation

International groups face complexity aligning practices across subsidiaries. Standardised group‑level frameworks, consistently applied, reduce variability and supervisory risk.

What action is required from financial organisations?

• Embed a single group standard for controls, metadata, lineage, and reconciliations.
• Apply consistent frameworks across all jurisdictions with documented exceptions only.

5 – Leveraging emerging technologies and compensating controls

AI and automation can improve aggregation and reporting, but effectiveness depends on data quality and robust guardrails. Compensating controls should be risk‑based and documented.

What action is required from financial organisations?

• Pilot automation and AI for lineage capture, reconciliations, and report generation.
• Embed audit trails, data-quality rules, and model governance in all technology solutions.
• Document compensating controls and time-box remediation for gaps.

How 4most can help?

At 4most, our delivery approach starts with understanding data risk first, using a risk-based assessment to identify material data risks across:

• Governance and data ownership architecture.
• End-to-end data lineage, expressed through a risk and impact lens.
• Control design and effectiveness, including data quality, reconciliation and change controls.
• Reporting and management decision-making, with a focus on confidence, escalation, and accountability.

Conclusion

Applying BCBS 239 principles is an ongoing discipline, not a one-off exercise. The starting point is a clear view of your current maturity, which will enable your organisation to prioritise the most critical gaps and build a roadmap that delivers sustainable compliance and long-term value.

Get in touch

Send us an email if you are interested in learning more about how 4most can support your organisation’s BCBS 239 strategy – info@4-most.co.uk.