
Financial Crime MI Reporting Supported by BCBS 239 Principles - Actionable Guidance

Financial institutions face significant challenges in managing and analysing vast amounts of data to make informed risk management decisions. 

Structured reporting is required for insights and risk analysis. Data that underpin such reports should be carefully defined, sourced, and aggregated to provide the report audience with complete, accurate and timely insights into the firm’s inherent risk and control environment effectiveness. 

The Basel Committee on Banking Supervision (BCBS) introduced BCBS 239 ‘Principles for Effective Risk Data Aggregation & Risk Reporting’, which aim to strengthen risk data aggregation and risk reporting capabilities within financial institutions. 

In this article, Beyond MI apply their experience in this field to provide practical guidance on financial crime risk management data aggregation and reporting.

What is BCBS 239?

BCBS 239 is a set of principles introduced by the Basel Committee on Banking Supervision to address weaknesses in banks’ risk data aggregation and risk reporting practices. It emphasises the importance of timely and accurate data delivery, enabling banks to have both holistic and detailed views of their risk exposure for more effective decision making.

BCBS 239 highlights four key areas that firms should focus on in relation to risk data aggregation and risk reporting:

  1. overarching governance and infrastructure
  2. risk data aggregation capabilities
  3. risk reporting practices
  4. supervisory review, tools and cooperation

In this article we focus on three of the BCBS 239 principles (Accuracy & Integrity, Completeness, Timeliness) and give practical examples of how they can support financial institutions with their financial crime risk data aggregation and management information reporting.

Principle 3: Accuracy and Integrity:

The accuracy and integrity principle highlights the importance of ensuring the accuracy and reliability of data used for risk management reporting purposes. To adhere to this principle, financial institutions are advised to establish robust data validation and data quality control processes. The development of data lineage and ownership tracking helps maintain data integrity and should provide a clear record of material data transformations. Implementing a data quality framework that facilitates data reconciliation, error detection, and data cleansing should be high on every CRO and MLRO agenda.

Beyond MI Guidance / Considerations:

  • Data Dictionary - Metric Definition and Ownership: Clearly defined risk metric definitions, supported by detailed parameters, data lineage, and ownership information will assist with monitoring accuracy and reliability of MI reporting. An up-to-date data dictionary supports financial institutions in understanding risk metrics’ significance, calculation methodology and the designated individuals responsible for maintaining their accuracy.
  • Roles of Consumer Owner and Producer Owner: The roles of the consumer owner (who sets reporting requirements) and producer owner (who provides the data) must be clearly defined. Such roles are often restricted to senior members of staff so the handover / transition points between producer and consumer ownership should be determined, documented, and supported by robust data quality control checks. Evidencing ownership and associated data controls assists with providing assurances that the reported data aligns with the expectations of both parties and holds the correct party accountable for its accuracy.
  • Managing External User Developed Applications (EUDAs): Attention should be drawn to the integrity of data sourced from spreadsheets and other non-target architecture applications. Controlling how such data is input, managed, manipulated, and extracted is important, especially when integrating it with other information to generate metric and data visualisation content for MI reporting.
  • Accuracy and Integrity in a Multi-System Landscape: Financial crime risk management relies on multiple processing systems for data provision and reporting. The absence of a universal standardised system across the financial crime landscape means that defining, sourcing and aggregating the multiple data feeds should be performed using clearly defined methodologies of which the report owner should have oversight. Such aggregations are often manual and therefore consideration should be given to appropriately positioned data quality control points.
  • Transparency is Key: Supervisors expect banks to document and explain all risk data aggregation processes whether automated or manual (judgement based or otherwise). Documentation should include an explanation of the appropriateness of any manual workarounds, a description of their criticality to the accuracy of risk data aggregation and proposed actions to reduce the impact.

Principle 4: Completeness:

The completeness principle reaffirms the need to capture and aggregate all material risk data across the organisation to provide a comprehensive view of risk exposure. To satisfy this principle, financial institutions must implement data management practices that ensure data is collected from all relevant sources, including various business lines, departments, and offline systems and files where relevant. Implementing a data governance framework can help ensure comprehensive data capture and consistent data definitions across the organisation.

Beyond MI Guidance / Considerations:

The financial crime compliance industry is constantly embracing innovative technologies. This level of innovation and change within the industry presents additional considerations when defining, sourcing, aggregating, and reporting a complete view of risk exposures. BCBS 239 makes clear that firms should document the specific approach used to aggregate exposures for any given risk measure. This will support the board and senior management in their assessment of risk exposures.

  • Evolving System Configurations: As risk management systems are enhanced to deal with changes to regulations and the risks to which firms are exposed, organisations must diligently oversee changes in data provision to prevent any gaps in information. Such gaps can give rise to inaccuracies in risk reporting and therefore undermine the effectiveness of risk oversight practices. Maintaining a robust approach to data quality requires ongoing monitoring and regular reconciliations to ensure the completeness of reported data.
  • System Migrations: When decommissioning obsolete systems, any impact on data integrity (duplication or loss) will have a direct impact on the completeness and integrity of reported data which, in turn, has a direct impact on risk oversight and management capabilities. System migrations require careful planning and execution. MI reporting requirements should form part of the critical requirements from the outset rather than being an afterthought post-implementation.
  • Data Quality Attestation: Periodic attestations play a pivotal role in providing assurances on the accuracy and completeness of risk data within reports.
  • Data Dictionary: A comprehensive data dictionary will state the scope of the reported measure, including its authoritative source(s), parameters, and ownership. This information should be periodically reconciled with the scope of the risk reporting to ensure the completeness of reported information.

Principle 5: Timeliness:

The timeliness principle emphasises providing timely risk data to decision-makers and regulators. It is recommended that financial institutions establish efficient data aggregation and risk reporting processes that enable the timely collection, processing, and reporting of information. MI dashboards and reporting tools that provide real-time or near-real-time insights can aid decision-makers in responding promptly to emerging risks and market conditions.

Beyond MI Guidance / Considerations:

  • Understanding Data Availability and Reporting Timeframes: An essential consideration in achieving timely risk data reporting is understanding the availability of data and determining what can be reported within specific timeframes. For instance, in financial crime risk management, conducting quality assurance on client onboarding will lag behind the actual availability of client onboarding data. Thus, it may be reasonable to report such data with a one-month delay – signposted accordingly in the risk reports. This recognition of data timing enables the financial institution to maintain accurate and timely risk management reporting.
  • Ownership and Accountability: Establishing ownership and accountability for timely data reporting is crucial. Control owners must be aware of data submission deadlines and work diligently to meet them. Instances of late submissions by data providers of manually produced MI should be escalated as appropriate.
  • Automated Data Aggregation and Reporting Solutions: The adoption of automated data aggregation processes, particularly in connection with data feeds to centralised reporting solutions, should be on every risk manager’s strategic roadmap. Automated data aggregation and reporting will streamline the data collection and reporting processes, reducing the risk of errors associated with manual data entry and manipulation.
  • Real-Time MI Insights: Banks need to build their risk systems to be capable of producing aggregated risk data rapidly during times of stress/crisis for all critical risks. Most financial crime risk reporting is produced at the end of each reporting period (monthly / quarterly). Consideration should be given to real-time MI insights that allow risk managers to deep dive into inherent risk and control environment effectiveness for more targeted and timely risk management.

Implementing MI Guidance Effectively:

To successfully implement financial crime risk reporting in line with BCBS 239 principles, Beyond MI recommend that financial institutions also consider the following:

  • Engage Senior Management and Board: Ensure strong engagement and support from senior management and the board of directors. Their commitment is essential in embedding an effective risk data aggregation and risk reporting culture throughout the organisation.
  • Data Architecture and Integration: Create a comprehensive data architecture that supports data sourcing, aggregation, and reporting requirements. This includes data models, data dictionaries, and standardised data formats to enable seamless data exchange across systems and processes.
  • Establish a Data Governance Framework: Develop a robust data governance framework that outlines data ownership, accountability, and data quality management processes. Define clear data definitions, standards, and validation rules to ensure consistency and integrity across the organisation.
  • Data Lineage and Audit Trails: Establish data lineage and audit trail functionality to evidence data provenance (including any manipulations) from authoritative source through to risk reports.
  • Data Quality Framework: Implement a structured and systematic data quality framework to assess, measure, manage, and improve the quality of data.
  • Reported Data Quality Issues Identified: Identifying data quality deficiencies is, unfortunately, only the start. In addition to understanding the impact on your internal and external reporting commitments, it should be clear who to contact for resolution and when the issue is expected to be corrected. This often involves the producer owner adding additional data quality issues to their tech stack for triage, root cause analysis, resource allocation and remediation, and therefore may not be a quick win. Any consumers of the impacted data should be notified of the impact and expected remediation timelines – see below.
  • Escalation Channels for Inaccurate or Unreliable Data: Instances of misreporting should be escalated to the report owner as soon as possible. The report owner will then decide if previous reports should be restated or if a reconciliation of before and after MI is sufficient in future reporting commitments. A summary of the data quality issue impact should also be directed to the appropriate operations or technology teams.


Effective financial crime risk management is underpinned by robust MI reporting that provides a complete, accurate and timely insight into (i) the inherent risks to which the firm is exposed, and (ii) the scope and effectiveness of the control environment to manage those risks.

BCBS 239 provides good practice expectations on risk data aggregation and risk reporting. Published in 2013, it remains the industry standard and should be considered in full by all risk reporting managers.

In this article we focused on what are, in our view, the higher priority data quality principles of accuracy and integrity, completeness, and timeliness. Applying our actionable guidance to your risk data aggregation and risk reporting processes should strengthen the capability and usefulness of your firm’s risk reporting.

Beyond MI specialise in supporting clients with their financial crime data governance frameworks. This includes helping firms establish a data governance framework that provides insight into data provenance, ownership, data quality controls and reporting effectiveness.

Contact us today to find out more about how we can help you with your financial crime data governance framework.
