Navigating data risk: A look at the PRA’s latest Dear CEO Letter
07 February 2025
On 21 January, the Prudential Regulation Authority (PRA) issued a Dear CEO letter that highlighted its key objectives for 2025.
In the letter, addressed to Chief Executive Officers of PRA-regulated UK deposit takers (together ‘firms’) operating in the UK, the PRA emphasised, as it has done in previous years, the importance of firms maintaining robust governance, risk management and controls, supported by accurate information. This would enable firms to proactively identify, analyse, and mitigate risks within a dynamic, competitive, and challenging environment.
It also emphasised the critical importance of data quality, highlighting that accurate, complete, and timely data is essential for effective risk management and regulatory compliance.
This focus aligns with the principles of BCBS 239, which underscore the need for robust data aggregation and reporting capabilities to manage risks effectively. High-quality data is crucial for UK deposit takers to make informed decisions, maintain financial stability, and meet regulatory expectations, impacting stakeholders across the financial sector, including regulators, investors, and customers.
Leveraging BCBS 239 principles for data risk management
Focusing on the Data Risk section of the letter, poor data quality has been identified as a root cause of numerous risks requiring remediation within firms. To address this, firms must enhance their data aggregation capabilities to support holistic risk management, robust board decision-making, and accurate regulatory calculations.
While not all firms fall under the scope of the Basel Committee on Banking Supervision’s principles for effective risk data aggregation and reporting (BCBS 239), these principles provide a valuable framework for managing data risk. As part of the PRA’s commitment to efficient supervision, alongside reliance on data tools and analytics, firms must also ensure the submission of complete, timely, and accurate regulatory returns.
Having a poor understanding of BCBS 239 can be risky…
Smaller firms as well as D-SIBs/G-SIBs are expected to meet higher data quality standards as part of supervisory reviews.
Regulatory bodies are now likely to view every interaction through a BCBS 239 lens, which means there could be implications for your reputation, potential fines, or operational adjustments if expectations aren’t met.
Why should non-BCBS 239 compliant banks care about data risk?
Regulatory scrutiny is rising for ALL deposit takers. The PRA’s Dear CEO letter highlights data accuracy, timeliness, and completeness as critical for regulatory submissions.
The guidelines on effective risk data aggregation and reporting (RDARR), issued by the Basel Committee on Banking Supervision in January 2013 and enforced by the ECB and local regulators like the PRA, are mandatory for G-SIB and D-SIB banks and are recommended for others.
These guidelines aim to enhance risk management and decision making by improving risk data aggregation and reporting. Based on 14 pillars, they can be divided into 4 broad categories:
- Overarching governance and infrastructure
- Risk data aggregation capabilities
- Risk reporting practices
- Supervisory tools and cooperation
What you should be focusing on…
- Establishing a strong data governance framework.
- Enhancing the data quality of your risk data.
- Implementing data lineage to ensure transparency.
- Conducting regular reviews and updates of your risk data and reporting practices.
- Leveraging technology to streamline compliance efforts.
How to kick-off a successful BCBS 239 programme
Spending sufficient time planning and defining the scope and approach to BCBS 239 is fundamental to success and managing delivery risk and costs.
These are the steps you should be taking:
- Define the scope and plan
- Establish the governance structure
- Understand the shared responsibility
- Interlock with the wider change agenda
- Identify the skills you need
- Effectively communicate the change
- Oversight (audit)
How can 4most support firms with data risk?
We can help financial institutions in the UK and Europe manage their needs across the data lifecycle. Our experienced data team is made up of banking and insurance specialists that have led data management functions and worked with a variety of clients.
Get in touch if you are interested in learning more about how we can support your organisation – info@4-most.co.uk.
You can read the full Dear CEO letter here.