Originally introduced by the Basel Committee on Banking Supervision in 2013, BCBS 239 set out 14 principles to strengthen banks’ risk data aggregation and reporting capabilities in response to weaknesses exposed during the global financial crisis of 2008.
Its core focus areas of governance, integrated data architecture, data accuracy and completeness, timeliness, adaptability, and effective reporting were designed to support improvements in decision-making and resilience, particularly under stress conditions.
While often viewed as a regulatory framework, these disciplines are increasingly relevant beyond compliance. In forward-looking operating environments, shaped by the rise of agentic AI, these foundational capabilities may become increasingly important.
Agentic AI relies on consistent access to high-quality, well-governed, and well-integrated data, with poor data quality and fragmented architectures cited as key barriers to adoption.
Against this backdrop, BCBS 239 might be framed as both a post-crisis regulatory response and an early articulation of the data foundations often associated with autonomous, data-driven operating models. Its emphasis on governance, data lineage, and timely, comprehensive aggregation aligns with capabilities often associated with how modern AI systems are deployed to support more transparent and effective operations across complex enterprise environments.
“We spent years building BCBS 239 programs in Tier 1 banks, and the hardest lesson was always the same: the technology is never the bottleneck. Data ownership, lineage gaps, and fragmented governance are. Similar themes are increasingly considered to be a threat in the context of agentic AI adoption.”
— Hemal Shah, Moody’s Global Data Strategist, Former Head of Data, Banking | BCBS 239 Program Delivery Lead
The BCBS 239 principles aim to strengthen banks’ risk data aggregation and reporting capabilities to enhance risk management and decision-making, supported by what BCBS describes as “more accurate, complete, and timely data across the organization”. A decade on, these same data capabilities increasingly underpin what organizations expect from agentic AI—namely rapid data retrieval, on-demand synthesis, workflow execution, and continuous exception management.
The cost of weak BCBS 239 implementation is increasingly seen as extending beyond a compliance penalty. In an agentic AI operating model, poor lineage, fragmented identifiers, manual workarounds, and inconsistent taxonomies have the potential to propagate at high speed. A flaw that once affected a single report could potentially contaminate the broader decisioning process.
“Many of us have sat in front of regulators to explain a data quality issue that affected several months of risk reports. That conversation is difficult when a human analyst makes an error. Imagine trying to explain it when an AI agent is involved, and you cannot reconstruct the decision trail. That is not a purely hypothetical risk. This is a possibility without the appropriate data foundations in place.”
— Francis Marinier, Moody’s industry practice lead and former head of compliance, banking
Traditionally, risk reporting has focused on producing timely and decision-useful outputs for internal stakeholders and regulators. BCBS 239 reinforces this by emphasizing greater completeness, clarity, and consistency in how risk information is delivered.
As operating models evolve, however, reporting is becoming less about static outputs and more about how information is accessed and used dynamically. In an agentic context, reporting capabilities extend beyond production to support coordinated workflows, i.e., where data is retrieved, interpreted, and acted upon across systems.
This shift places emphasis on governed data flows, clear lineage, and consistent definitions, so information can be more readily used to support reporting and serve as an input into ongoing decision-making and execution.
BCBS 239 sets out guidance on how banks measure and monitor data quality, including how to track quality metrics such as accuracy and completeness, escalate issues, and fix problems when they arise.
This structure can also support AI-assisted remediation. For example, AI systems can help identify potential data issues, suggest possible root causes, route fixes to the appropriate owners, track progress, and document what has been resolved.
This represents a shift from traditional remediation approaches. Rather than being manual and one-off, remediation can become a more repeatable and measurable process. However, this would largely depend on the extent to which data ownership, rules, and exception handling are clearly defined. Without that clarity, an AI system may reinforce existing data issues rather than resolve them.
“In many BCBS 239 programs, remediation processes are often among the most challenging pieces to operationalize. Not necessarily because the bank lacked tools, but because ownership was unclear, policies were implicit, and exceptions were treated as one-offs. If you automate a broken remediation process, you just get a faster broken process.”
— Hemal Shah
In 2013, the Basel Committee positioned improved risk data aggregation and reporting as a way to strengthen risk management and decision-making, supported by what the Basel Committee describes as more accurate, complete, and timely data. Over time, improvements in these areas have been associated with better risk visibility and more effective management of potential losses.
That argument remains relevant today, as the same foundational data controls can be applied across multiple domains, such as audit, regulatory reporting, model governance, stress testing, recovery and resolution, and AI oversight. In practice, applying these controls consistently across domains may lead to more standardized processes and reduce duplicated effort across functions, for example:
BCBS 239 sets out principles for data architecture and governance that are intended to support more consistent aggregation of risk data across legal entities, business lines, and risk types. In practice, this typically involves firms establishing common data definitions, clear lineage, and greater consistency in how entities such as customers, counterparties, and accounts are identified and represented across systems.
For large data providers, these capabilities can create a bridge between compliance and broader data strategy, which can support greater interoperability across risk domains, rather than maintaining separate data structures and controls for each.
These examples illustrate how BCBS 239-style data disciplines might be applied across different risk domains:
BCBS 239 is often seen as a compliance requirement. But it also links better data capabilities to broader outcomes such as supporting decision-making and more effective management of change, including new products and services. In practical terms today, this means that the same data foundations used for compliance might also support growth. They might help organizations onboard products more quickly, integrate acquisitions more smoothly, respond to client and regulator queries more efficiently, and extend decision-making into new areas of the business.
For data providers working with financial institutions (FIs) or non-banking financial institutions (NBFIs), a focus on interoperability could support this in three ways:
The risk is not necessarily the use of AI itself, but how well the underlying data that supports the model is governed. Basel Committee implementation updates* continue to highlight challenges such as weaknesses in governance, gaps in data lineage, cross-border constraints, and the use of new technology alongside compensating controls. In an environment where AI systems are more widely used to support decision-making, these challenges could become more pronounced.
Common areas of risk include:
Taken together, these factors might weaken overall consistency in risk management, as issues could scale across systems, even where individual outputs appear reliable.
BCBS 239 highlights the importance of strong risk data aggregation and reporting capabilities to support forward-looking analysis and monitoring, including capabilities intended to help identify emerging risks, monitor proximity to risk limits, and support stress testing activities.
While the standard does not prescribe specific indicators, organizations often monitor a range of operational and data-related signals that may indicate a deterioration in these capabilities over time.
Examples of such signals might include:
These types of indicators are often tracked as enterprise-level control metrics, as weaknesses in any area may affect auditability, reporting consistency, and the outcomes of remediation efforts across multiple types of risk.
“The warning signs may have always been there before challenges became more visible at the program level. They may have just been treated as project metrics rather than enterprise risk indicators. A rising exception backlog is not a project management problem; it may act as a signal that your data control environment is losing coherence.”
— Francis Marinier
A technology-agnostic data provider, working alongside a client’s data function, can help position BCBS 239 as both a set of regulatory expectations and part of a broader operating model for managing data in a more consistent and controlled way.
In this context, the role of the provider is often to support the development of a governed interoperability layer across domains, systems, and jurisdictions, while supporting flexibility in tooling, architecture choices, and wider execution models.
Within this approach, organizations often seek greater alignment in how data, controls, and processes are defined and applied across the operating model, for example:
Today, BCBS 239 may be seen as both a post-financial crisis regulation and a way to assess whether advanced technologies, including agentic AI, can operate safely within core risk, audit, and reporting processes.
Institutions that approach the principles as part of a reusable enterprise data architecture may be better positioned to manage costs, support control environments, and facilitate growth while maintaining oversight.
For data providers working with FIs and NBFIs managing large and complex data estates, the message to customers may be a practical one: Unified risk management may be impacted where interoperability is limited, data lineage is incomplete, or remediation processes are slow.
In contrast, organizations that are more advanced in this area may be able to combine flexible technology choices with consistent control disciplines for data quality, traceability, and forward-looking risk insight.
“BCBS 239 was introduced after the financial crisis to stop banks flying blind. In the age of agentic AI, we face a different version of the same risk: systems that may appear to see everything, but have limitations in traceability, validation, or other challenges remain. While the principles remain relevant, organizations should consider how their implementation evolves alongside new technologies.”
— Hemal Shah