Why banks can’t meet modern regulations without data lineage

What BCBS 239 and SR 26-2 now demand at the column level

A team of two at HSBC set out to map the bank’s entire wholesale credit and lending book. Within six months, they had documented it from end to end, tracing every figure from the system that first captured it to the report that finally used it. The work covered 2,000 source tables, more than 80,000 fields, and 20,000 data linkages across 45 systems worldwide. A competing approach would have taken twenty-five staff, eighteen months, and more than $5 million, yet HSBC reached the same result with two people in six months for under $500,000.1

Modern bank regulation now depends on exactly this kind of detailed evidence, and two pressures are bearing down on every regulated bank at once. These are:

  1. Supervisors have pushed the standard for regulatory proof down to the level of the individual data column.
  2. Bank data estates have swelled past a billion fields across Solidatus customers alone.

Proving where a single reported number came from, across a data ecosystem that large, is no longer something a team can document by hand or pull from a catalog. The banks that meet modern regulatory requirements at scale now do so through data lineage, and for institutions still relying on spreadsheets and dataset-level catalogs, the arithmetic has turned against them.

The standard moved to the column level

Over the past decade and a half, the evidence regulators expect from banks has moved steadily toward finer detail. In 2013, the Basel Committee on Banking Supervision published its principles for effective risk data aggregation and risk reporting, known as BCBS 239, and for years, many banks treated them as a reporting obligation they could satisfy with summaries and attestations. The European Central Bank then ran a thematic review and found that none of the significant institutions in its sample, including global systemically important banks, had fully implemented the principles.2

In May 2024, the ECB answered with a guide that left far less room for interpretation, requiring “complete and up-to-date data lineages on data attribute level.”3 Attribute level means column level, traced from the point of capture through every extraction, transformation, and load.

The Digital Operational Resilience Act, in force across the European Union since January 2025, widened the same expectation to the data moving through third-party and information and communication technology (ICT) systems, not only the bank’s own. In the United States, regulators arrived at the same place by a different route. The Federal Reserve, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation jointly issued SR 26-2 in 2026, the first overhaul of model risk management guidance in fifteen years.4 It never uses the phrase “data lineage,” yet it requires banks to document where model data came from, how it was selected, and whether its quality has held over time, which is lineage by another name.

Different supervisors, writing in different styles, have converged on the same minimum standard, and a summary at the dataset level no longer meets it. Meeting it takes the ability to show the column-level path that data traveled, as that path stood on the date the report was filed.

Industry analysts agree. Gartner defines data lineage as something that “must be deep to allow for drilling down or analyzing to the finest level of detail, such as column-level or transformation logic.”5 Gartner’s banking guidance notes that supervisors are not creating special rules for new technology but “applying foundational data-risk frameworks,” singling out BCBS 239, “which mandates robust data lineage,” with the ability to trace data “from its source to consumption.”6 Regulator and analyst now describe the same standard in the same words.

The regulations that set the standard

  • BCBS 239 (2013): The Basel Committee’s risk data aggregation and reporting principles for global systemically important banks.
  • ECB Guide on RDARR (May 2024): Requires “complete and up-to-date data lineages on data attribute level,” from data capture through extraction, transformation, and loading.
  • DORA (January 2025): Extends traceability and operational-resilience expectations to third-party and ICT data flows across EU financial services.
  • SR 26-2 (United States, 2026): Updated model risk management guidance from the Federal Reserve, OCC, and FDIC, requiring evidence of data selection, quality, and relevance for models at banks with more than $30 billion in assets.
  • EU AI Act, Article 10 (phasing in): Requires high-risk AI systems to be trained on traceable, well-governed datasets.

Now multiply that by the size of the ecosystem

Column-level traceability sounds reasonable until you apply it to a working bank. HSBC’s wholesale lending estate, the one behind the figures above, holds tens of thousands of fields and hundreds of thousands of governed transitions, and it is not the largest example here. Royal London Asset Management, a fund manager overseeing £162.3 billion in assets, modeled 175,000 fields and 99,000 attribute flows across 41 systems while migrating its investment platform and moving to the cloud.7 These are single institutions. If you look across Solidatus clients, the total number of modeled fields exceeds a billion.

Proving column-level provenance for a single report is manageable. Doing it across a data estate this size turns into an engineering problem. Gartner reaches the same conclusion, noting that modern architectures spanning cloud, hybrid, and on-premises systems make “manual data tracking impossible to sustain,”8 while the “explosion of alternative data is overwhelming traditional, centralized data architectures.”9 A bank cannot map that provenance by hand across hundreds of thousands of fields and keep it up to date as systems change from week to week. Having that evidence ready the moment an examiner asks is more than any team can staff. The work has outgrown the methods most banks still use.

Why catalogs and manual methods cannot clear it at this scale

Most banks already own a data catalog, and for good reason. A catalog discovers what data exists across the environment, classifies it, and assigns owners and stewards, making the data easier to find and govern at the dataset level. Those are real capabilities, and they are not the ones a supervisor’s question depends on.

A regulatory examiner wants the column-level path that data traveled, through every join, filter, and calculation, and the state of that path on the date the report was filed. Knowing which system the data lives in does not answer that. A catalog records that a dataset exists; reconstructing the route a single field took through dozens of systems, and showing that route as it stood last quarter, was not what it was built to do. Spreadsheets and periodic manual reviews capture a moment, then fall behind the next schema change.

Gartner’s own evaluations bear this out. In its assessment of metadata management tools, only half of the vendors scored highly on data lineage and impact analysis, the capabilities that separate a suitable solution from the rest.10 The firm is more critical of manual methods, calling legacy frameworks that lean on human-led sampling “operationally useless” against data that moves and changes faster than people can review it.11 The catalog was built to inventory the estate. Proving regulatory lineage across it is a different job.

What the banks that cleared it did, and where to start

The institutions furthest along have built lineage into how the bank runs day-to-day, and HSBC is a great example. The team produced a living model of the wholesale credit and lending book. It traces every figure from source to consumption and reconciles the physical implementation against the logical design, confirming that the two agree. That model now reaches well beyond compliance, feeding environmental, social, and governance (ESG) reporting, risk-weighted asset calculations, and liquidity analysis from one trusted source.12 The regulatory work paid for an asset the bank uses every day.

Royal London Asset Management took the same foundation and transformed it. With version history and branching, the team modeled migration scenarios and identified downstream dependencies, then connected its risk and control frameworks directly to the lineage so a control could be traced to the exact data it governs.13

The true brilliance of Solidatus lies in its capability to capture the physical aspects of data and seamlessly link them back to your catalogs and critical business information.

— Lynn Watts, Head of Data Management and Governance, Royal London Asset Management

At Bank of New York, the governance question is organizational as much as technical. Former Chief Data Officer Eric Hirschhorn describes a “data risk usage board” that reviews data and AI use before work begins, on the principle that “the security and the privacy and the ethics follow the information regardless of the transformation.”14 Lineage makes that principle enforceable, because it shows where data goes in practice rather than where policy says it should. M&T Bank followed a similar arc, turning a governance program built for compliance into a foundation it now uses to deploy AI with confidence.15

A bank starting with a catalog and a stack of spreadsheets should pick one critical data domain, such as wholesale credit or regulatory risk reporting, and prove column-level lineage from source to report for that domain before scaling the pattern. Gartner describes the destination in plain terms, calling lineage “a continuous, adaptive control layer,” not a periodic exercise.16 None of these banks tried to map everything at once. Each proved the operating model starting where regulatory pressure was highest, then extended it.

The AI turn raises the stakes

Everything that makes column-level lineage hard for regulatory reporting becomes harder once a bank deploys generative and agentic AI. The same evidence standard now applies to the data feeding the models.
Article 10 of the EU AI Act requires high-risk AI systems to be trained on traceable, well-governed datasets.17 US supervisors went the other way and left the rules open. SR 26-2 excludes generative and agentic AI from its scope and leaves banks to govern those systems by the same data-evidence principles it already applies to traditional models. A bank that cannot trace a reported number to its source will not be able to trace what a model learned from either.

AI adds speed to the scale problem. Gartner observes that agents “both consume and generate data at machine speed,” and projects that 40% of agentic AI projects will be canceled by 2028, in part for inadequate risk controls.18 Manual lineage cannot keep pace with systems that rewrite data faster than a person can review it. The Solidatus AI Lineage Assistant runs BCBS 239 analysis across hundreds of thousands of entities in minutes rather than months, with every AI-proposed change staged for human review before it is accepted.

The math no longer favors the manual path

Regulators have spelled out what they expect, and it points one way. Proof now has to reach the level of the individual data column, across estates that run to hundreds of thousands of fields and beyond. Spreadsheets and dataset-level catalogs were not built to produce that, and no amount of staffing closes the difference. The banks meeting the standard at scale, from HSBC to Royal London to Bank of New York, reached it by building column-level lineage into how they operate, with fewer people and less time than the manual alternative would have demanded. As AI moves more data faster, the room for doing this by hand keeps narrowing.

Solidatus is a data lineage platform built for regulated enterprises, used by banks including HSBC, Royal London Asset Management, and Bank of New York to map data lineage at the column level. To see how other regulated banks approached this, request the banking use case overview or ask to speak with a Solidatus reference customer. Either one shows what column-level lineage looks like in a live banking estate.

1Solidatus. “Solidatus Models HSBC’s Global Lending Book.” Case study, 2024.
https://www.solidatus.com/resource/case-studies/solidatus-models-hsbcs-global-lending-book/.

2European Central Bank, Banking Supervision. “Report on the Thematic Review on Effective Risk Data Aggregation and Risk Reporting.” May 2018.https://www.bankingsupervision.europa.eu/ecb/pub/pdf/ssm.BCBS_239_report_201805.pdf. The review covered 25 significant institutions, none of which had fully implemented the BCBS 239 principles.

3European Central Bank, Banking Supervision. “Guide on Effective Risk Data Aggregation and Risk Reporting.” May 3, 2024.
https://www.bankingsupervision.europa.eu/ecb/pub/pdf/ssm.supervisory_guides240503_riskreporting.en.pdf.

4Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency. “Supervisory Guidance on Model Risk Management.” SR Letter 26-2, April 17, 2026.
https://www.federalreserve.gov/supervisionreg/srletters/SR2602.htm.

5Gartner. “Magic Quadrant for Data and Analytics Governance Platforms.” 2026.

6Bhattacharya, Sudarshana, and Jonathan Jackson. “Modernize Data Governance for Agentic AI Adoption in Banking.” Gartner, December 2, 2025. ID G00842144.

7Solidatus. “Royal London Asset Management Builds Operational Data Blueprint With Solidatus Data Lineage.” Case study, 2024.
hlarge becomesttps://www.solidatus.com/wp-content/uploads/2024/06/RLAM-Case-study.pdf.

8De Simoni, Guido. “Data Lineage Is Essential to Manage the Risks of Agentic AI.” Gartner, March 24, 2026. ID G00847339.

9Bhattacharya, Sudarshana, Kimberly Harris-Ferrante, and Jasleen Kaur Sindhu. “Top Data & Analytics Trends in Banking and Insurance for 2026.” Gartner, February 3, 2026. ID G00843275.

10Gartner. “Critical Capabilities for Metadata Management Solutions.” 2025.

11Bhattacharya, Sudarshana, and Jonathan Jackson. “Modernize Data Governance for Agentic AI Adoption in Banking.” Gartner, December 2, 2025. ID G00842144.

12Solidatus. “Solidatus Models HSBC’s Global Lending Book.” Case study, 2024. https://www.solidatus.com/resource/case-studies/solidatus-models-hsbcs-global-lending-book/. Banking Tech Awards 2023 recognition: Solidatus, “HSBC & Solidatus Win at Banking Tech Awards 2023 from FinTech Futures.” https://www.solidatus.com/news/hsbc-solidatus-win-at-banking-tech-awards-2023-from-fintech-futures/.

13Solidatus. “Royal London Asset Management Builds Operational Data Blueprint With Solidatus Data Lineage.” Case study, 2024.
https://www.solidatus.com/wp-content/uploads/2024/06/RLAM-Case-study.pdf.

14Hirschhorn, Eric. “Pioneering Data Strategies: How Bank of New York Is Shaping Business Success in the Age of AI.” Solidatus webinar, 2025.
https://www.solidatus.com/resource/pioneering-data-strategies-how-bank-of-new-york-is-shaping-business-success-in-the-age-of-ai-webinar-recording/.

15Solidatus. “Unifying the Enterprise: How M&T Bank Is Rewriting the Rules of Data Governance With Solidatus.” Resource, 2025.
https://www.solidatus.com/resource/unifying-the-enterprise-how-mt-bank-is-rewriting-the-rules-of-data-governance-with-solidatus/.

Frequently asked questions

01.

What is data lineage in banking?

Data lineage is the record of how data moves through a bank, from the system that first captured it through every transformation to the report or model that uses it. For regulatory purposes, banks need that record at the column, or data attribute, level rather than the dataset level. Column-level lineage lets a bank show the exact path any single reported number traveled and the state of that path on a given reporting date, which is what supervisors now ask for.

02.

Why is a data catalog not enough to prove BCBS 239 compliance?

A data catalog discovers what data exists, classifies it, and assigns owners at the dataset level, which makes data easier to find and govern. It records that a dataset exists, but it was not built to reconstruct the column-level route a single field took through dozens of systems, or to show that route as it stood last quarter. BCBS 239 and the European Central Bank’s 2024 guidance ask for exactly that depth, which catalogs were not designed to produce.

03.

Which regulations require banks to have data lineage?

Several converge on the same expectation. BCBS 239 set the principles for risk data aggregation and reporting in 2013. The European Central Bank’s May 2024 guide requires “complete and up-to-date data lineages on data attribute level.” DORA extends traceability to third-party and ICT systems, and the US SR 26-2 guidance requires evidence of data selection and quality for models at banks above $30 billion in assets. Article 10 of the EU AI Act adds traceability for high-risk AI training data.

04.

What does "data attribute level" mean in the ECB guidance?

Data attribute level means column level. The European Central Bank’s 2024 guidance requires lineage that traces data from the point of capture through every extraction, transformation, and load, down to individual columns rather than whole datasets or tables. Gartner describes the same standard, defining lineage that drills down “to the finest level of detail, such as column-level or transformation logic.” A dataset-level summary does not meet that requirement.

05.

Where should a bank start with data lineage?

Start with one critical-data domain under heavy regulatory pressure, such as wholesale credit or regulatory risk reporting, and prove column-level lineage from source to report there before scaling the pattern across the estate. The banks furthest along, including HSBC and Royal London Asset Management, did not map everything at once. Each proved the model where the regulatory stakes were highest, then extended it to the next domain.

06.

How does data lineage support AI governance in banks?

As banks deploy generative and agentic AI, the same column-level evidence applies to the data feeding the models. Article 10 of the EU AI Act requires high-risk systems to be trained on traceable, well-governed data, and SR 26-2 leaves banks to govern AI on the same data-evidence principles set for traditional models. Lineage lets a bank trace what a model learned from, and which upstream changes could affect it, faster than manual review can manage.

Published on: July 13, 2026

Contents

Related articles

Ai lineage company
Blog

Your Data Governance Team Already Built Your AI Governance Foundation

How LSEG turned data lineage into a strategic asset for AI trust

Blog

Proving data lineage to regulators

What regulators expect when they ask you to prove data lineage

Blog

The Data Fairy is Dead

Five data lineage myths that the masterclass got right

ai data lineage
Blog

Detailed Expectations Around End-to-End Data Lineage and BCBS 239 From the European Central Bank RDARR Guide

In May 2024, the ECB released its ‘Guide on effective risk data aggregation and risk reporting (RDARR)’...

Blog

How Data Lineage Supports Regulations Such as BCBS 239, DORA, GDPR and the EU AI Act

How data lineage supports compliance with key data-related regulations

Blog

Why is Advanced Data Lineage Fundamental for Financial Services Organizations?

Read why advanced data lineage is crucial for business success

Blog

Continuing Innovation in Advanced Data Lineage to Help Answer Business Questions

An update on some recent developments in our latest product releases

Blog

Unveiling the Path: Why Data Lineage is Crucial for Building Effective AI Products

Read more about data lineage and its business impact, including on AI, BCBS 239 and more

Blog

Solidatus & Microsoft Purview: Elevating Data Governance in the AI Era

Solidatus data lineage partners with Microsoft Purview to help enterprises trust their data

Blog

Blasting Off: Why Proactive Data Governance is Propelling Innovation

Read our key takeaways from Gartner D&A Summit 2024

Blog

Live Demo: Explore our All-new Interface

Video introducing our new interface and core features like Connected Catalog and Data Map

Blog

Visualize Snowflake Horizon and Enhance its Impact

Read about Solidatus and Snowflake Horizon's governance solution

Blog

Advanced Data Lineage: The Cornerstone of Modern Data Governance

Explore the various aspects of data lineage and its crucial role in your organization.

Blog

Achieving Basel III Compliance: A 3-Step Action Plan

Basel III is changing – are you prepared? Read 3 easy steps with Solidatus

Blog

Building a Data Community

Read how we helped successfully launched the Houston Women in Data Chapter

Blog

Data Lineage for Better Planning

Exploring the parallels between urban planning and data planning projects

Blog

Data Distress: Data Leaders on Brink of Quitting Jobs

71% of senior data leaders in financial services polled are close to quitting their jobs

Blog

Supercharging your Snowflake Governance with Solidatus

Take a look at what's new in our partnership with Snowflake

Blog

The Value of Data: Reflections from Attending Gartner

VP Product, Tina Chace, reflects on the Gartner conference, covering data governance and AI

Blog

Douze Points for New Way to Visualize Eurovision Data

We’ve linked the Eurovision Song Contest to the realm of data governance and data lineage

Blog

Quick Answer: What is Active Metadata?

In the latest Gartner® research note, find out what active metadata is

Blog

The Amazing World of Active Metadata

The role of metadata, dynamic visualization and inference across metadata

Blog

5 Ways Great Metadata Connectors are Game-Changers

Automatic connectors are essential for efficiently mapping metadata but not all are created equal. We look at the most important...

Blog

Combining Software to Ensure your Regulatory Compliance

With news that Solidatus and Corlytics are joining forces to ease the burden of tracking data regulations, we look at...

Blog

5 Things we Can’t Wait to Do at the Gartner Summit, Orlando

We discuss injecting active metadata into your governance and 4 other things we’re looking forward to at the Gartner® Data...