Detailed Expectations Around Data Lineage and BCBS 239 From the European Central Bank (ECB)

In May 2024, the ECB released its ‘Guide on effective risk data aggregation and risk reporting’. This sought to clarify requirements for banks relating to the principles of BCBS 239, after not enough progress was seen relating to BCBS 239 compliance. In this Guide, there was far more specific reference than previously, to the need for data lineage as part of BCBS 239 compliance.
Prior to the release of the final May 2024 guide, the ECB conducted a public consultation and stakeholder meeting, in order to understand questions and clarifications following the release of the first draft of the Guide. As such, two documents were published in 2024. The Guide itself, plus the Feedback Statement which summarised questions raised and answers given by the ECB.
We’ve written a blog about the May 2024 Guide itself, specifically regarding BCBS 239 requirements and the role and importance of data lineage for regulatory compliance. But the answers to questions raised in its, ‘Feedback statement on responses to the public consultation on the ECB draft Guide on effective risk data aggregation and risk reporting’ are also helpful in providing even more clarity around what the regulators are seeking and expecting from businesses for BCBS 239. As the ECB puts it, “This feedback statement presents the ECB’s assessment of the comments received during the public consultation and aims to provide answers to all matters raised by the industry.”
We thought to delve a little deeper into what the ECB says about data lineage and BCBS 239. What is clear from the feedback statement is that there were a lot of requests for clarification around detailed expectations of data lineage. Around the types of data that require lineage, whether an end-to-end or complete lineage is too high an expectation, why granularity is important and could it not be avoided.
According to table 3, section 21referring to ‘External data’, the ECB states:
“Data capture … should be the starting point for the data lineage.”
It defines the difference between data capture and data origination as:
“Data capture is the point at which the data are entered into the bank’s system on the business side. Origination is a wider concept and includes, for example, market data, external data or even derived data which are combined and recalculated in the risk process and stored as a new result (e.g. information which is automatically calculated and stored during the risk calculation and aggregation process).”
In summary, the data lineage needs to be complete and end-to-end, from source to use.
In table 3 section 22, referring to ‘Reports’ the ECB states:
“Key risk indicators included within the scope of application should have a complete and end-to-end data lineage, as explained in Section 3.4.”
A later section ‘Models’ again stipulates this:
“The Guide states in Section 3.4 that complete end-to-end data lineage is expected for the risk indicators and their critical data elements identified as being within the scope of application.”
And again this question is raised by participants:
“Respondent(s) suggested removing from the text the phrase in paragraph 3.4.3 which reads: “complete and up-to-date data lineages (including data capture) for all risk indicators and metrics within the scope of application”.
The response from the ECB stipulates that:
“We deem this necessary as it stresses that the complete data lineage will be available. For that reason we will keep the phrase.”
Table 5, section 13, ‘Complete and up to date lineages’ was questioned by respondents as being too ambitious at this point in time. The ECB responded clearly the important impact this has on the ability to produce metrics in times of crisis:
“Just creating data lineage on an ad hoc basis for critical data elements makes it more difficult to produce risk metrics quickly in times of stress and crisis. Furthermore, data corrections at the source level can be performed more easily and faster if the concrete data elements can be identified via the data lineage. Without a data lineage it is impossible to assess data quality effectively in the complex operational landscapes of large banks.”
This topic of being able to produce risk metrics quickly in times of stress and crisis is a fundamental reason for why BCBS 239 is so important. Companies must have a good grasp of their risk and be able to react quickly when the situation requires it.
Details as regards the granularity of data are explained in table 4, section 18, ‘Responsibility of data owners’:
“There are several questions included in one remark.
Table 5, section 10 on ‘Complete and up-to-date data lineages’ explains that system level is not sufficient:
“Not only does a data lineage at the system level not fulfil the expectations set by the Guide, it does not fulfil the purposes described in the response to question 13 below. Data lineage should be defined at the data attribute level.”
Table 5, section 5 on ‘Terminology’ explains in some detail the expectations from the ECB as regards data lineage:
“The data lineage is key to identifying the (critical) data elements needed to aggregate the information and create reports.
This data lineage documentation should entail:
-the steps in the movement and/or transformation of data end to end, from data capture to reporting, including the presentation of the functional and technical data lineage with a granularity on the level of the data attribute used;
-systems that deliver, store, aggregate and transform the data, including the end-user applications used;
-any manual steps;
-the data quality controls and data quality requirements at each step of the creation, acquisition, movement or transformation of the data.”
-business roles, responsibilities and ownership data at each step of the acquisition, movement or transformation of data, and technical ownership of the systems that store, move, aggregate and transform the data.”
The requirements from the ECB are clear. Solidatus advanced data lineage was built specifically for data lineage and can do everything above and below. In order to not risk fines in the millions, you need:
Advanced data lineage from Solidatus differs from basic forms included in other systems in that it is end-to-end and granular, but also you can apply a rich amount of business context information, so that you can quickly see the impact on the business. This not only helps your compliance with BCBS 239, but other regulations such as GDPR, DORA, the EU AI Act – and many other use cases. These include decisions and reporting, trust in AI data, change management, operational resilience and more.
Please do contact us to find out more about how we’ve helped many companies ensure BCBS 239 – and other regulatory compliance and use cases. We’d love to hear from you.
Published on: August 22, 2025