From BCBS 239 to RDARR Guidelines: five steps to address the new banking risk reporting requirements

In recent years, banks have benefited from a certain “tolerance” by regulators regarding the quality of risk data and risk reporting. But that period is over. The ECB is clear: regulations on this matter have existed for some time; now is the moment to truly apply them. Imagine a financial institution under stress: markets are fluctuating, risk exposure is increasing, and it becomes necessary to quickly provide precise data to management and potentially to supervisory bodies. But if internal information is incomplete or unreliable, the danger becomes real: authorities could demand additional capital or even impose operational restrictions.

RDARR Guidelines: Irion at the ABI Lab Forum 2025

The recent ECB Guidelines on RDARR (Risk Data Aggregation and Risk Reporting)—which our Principal Business Consultant Roberto Fasano will discuss on Tuesday, March 25, at the ABI Lab Forum 2025 in Milan—have set precise expectations for European banks. Institutions that fail to comply risk facing stricter inspections, more severe capital requirements, and increased pressure from regulators. It’s not just a matter of compliance: better data governance means having real control over risks and enhancing the stability of financial institutions.

Already two years ago, the ECB report on supervisory priorities emphasized the need to “strengthen resilience against immediate macro-financial and geopolitical shocks,” to “accelerate interventions” addressing “deficiencies in governance and management of climate and environmental risks,” and to “make further progress” in digital transformation and operational resilience frameworks.

From inspections to the need for action

The origin of the RDARR Guidelines dates back to findings from the Supervisory Review and Evaluation Process (SREP) and the disappointing outcomes of a specific thematic review conducted on 25 Significant Institutions in Europe. In Italy, according to the latest Bank of Italy report (end of 2024), the three areas least compliant with BCBS 239 principles are governance, data architecture, and IT infrastructure.

The reference principles (including the cornerstone BCBS 239), as well as sector-specific regulations (the CRD directive on capital requirements, Bank of Italy Circular 285, and certain EBA guidelines), have long been known. However, inspections have revealed that several institutions have yet to implement adequate processes to ensure effective risk data management. Similar shortcomings are also found in the production of supervisory reports, financial statements, and reporting intended for the bank’s decision-making bodies, supervisors, and the market.

In past years, authorities have tolerated delays due to implementation difficulties, exacerbated by contingent situations such as the pandemic. During COVID-19, for example, banks often struggled with rapidly managing data. The result? A lack of control that translated into slower decision-making and increased exposure to risk factors. The ECB acknowledged this weakness and defined strengthening data governance and data quality as one of the priorities for the next three years.

What changes with the RDARR Guidelines?

The Guidelines do not introduce new regulations but clarify what is expected from banks and highlight the areas on which future ECB inspections will focus. In stressful situations (financial crises, geopolitical instability), accuracy and timeliness in risk reporting are essential to avoid delayed or incorrect decisions.

Here are the regulators’ new expectations, outlined in four key points:

• The Role of C-level Management. Banks must demonstrate that top management is actively involved in data and risk governance through:
  • the definition of clear objectives
  • the allocation of adequate resources
  • the continuous monitoring of Data Quality

• An effective Data Governance framework. The financial Data Management system must include:
  • Data Owners responsible for KRI (Key Risk Indicators) and CDE (Critical Data Elements)
  • A central function for data governance
  • An independent team for validation
  • Internal audit with periodic reviews

• An integrated data architecture. To ensure informational consistency, the ECB requires:
  • detailed documentation of the data architecture adopted by the bank
  • shared glossaries for a uniform definition of data
  • validation rules for each information domain
  • updated data lineage for each attribute

• Quality and timeliness of reporting. A quality control system must cover the entire data lifecycle, from front office to the reporting layer, including:
  • Quality controls on data throughout the entire chain
  • Data reconciliations within the defined perimeter, ensuring consistency with source systems as well as financial and accounting reporting, maintaining comparability characteristics
  • Quality indicators for monitoring
  • Documented procedures for error management

The potential risks for non-compliance

For example, risk management monitors, among other things, the concentration of exposures at the group level within the context of credit risk. If a subsidiary’s data is incorrect or delayed, there is a real risk of losing control over the overall exposure to a specific client. In the event of a large company’s failure, the impact at the group level could be critical if the institution has been excessively exposed

This is why the ECB insists on a structural strengthening of data quality: without a solid system, banks risk finding themselves without the necessary tools to assess and mitigate unforeseen risks. And for those who do not comply with the Guidelines? The main risks fall into four areas:

• Higher capital requirements. If the ECB identifies insufficient reliability in the processes for producing data relevant to bank management and the oversight of key operational risks, it may require additional capital requirements to create a buffer in response to increased result volatility caused by poor data quality

• Sanctions proportional to the severity of the identified violations

• Personal consequences for management, particularly for members designated as responsible for compliance. Any deficiencies may lead to a reassessment of their suitability and, in very serious cases, even their removal
  

• Reputational implications. Banks that fail to meet regulatory expectations risk losing credibility in the eyes of the market and investors.

Five steps to manage compliance

To align with the ECB’s new expectations, banks must adopt a structured approach to compliance. The key steps include:

1. Self-assessment on the seven key areas of the guidelines
2. Definition of a sustainable set of KRI and CDE
3. Creation of a Data Quality Framework with robust and comprehensive validation rules covering the identified KRIs and CDEs
4. Identification of key indicators for internal and external stakeholders
5. Implementation of a compliance program with dedicated resources

An opportunity to build stronger banks

The RDARR Guidelines thus represent an opportunity to improve the governance and quality of risk data: adhering to its principles is essential to avoid negative impacts on capital requirements and the level of ECB supervision. In summary, the regulators’ new approach to RDARR makes it clear that risk management remains central but now encompasses many more types of data. Irion supports banks on their compliance journey by offering advanced and customizable solutions for managing risk data, information asset quality, and regulatory reporting.