BCBS 239 — Risk Data Aggregation & Risk Reporting Principles
50% covered.
14 requirements · 7 enforced · 0 designed · 0 advisory · 0 deferred.
Source: The Basel Committee on Banking Supervision's Principles for effective risk data aggregation and risk reporting (BCBS 239, January 2013) set 14 principles across four areas: overarching governance and infrastructure (P1 governance, P2 data architecture & IT infrastructure), risk data aggregation capabilities (P3 accuracy & integrity, P4 completeness, P5 timeliness, P6 adaptability), risk reporting practices (P7 accuracy, P8 comprehensiveness, P9 clarity & usefulness, P10 frequency, P11 distribution), and supervisory review (P12 review, P13 remedial actions & supervisory measures, P14 home/host cooperation).

KYE Protocol™ governs the EVIDENCE side of the principles: every risk report bound to its data-lineage evidence chain before filing or reliance, every embedded number traceable to model_id + version + validation reference, production and distribution provably timestamped, and the whole chain reconstructable offline from published keys. KYE does not build the bank's data architecture, aggregate the risk data, or compute the risk numbers.

License: BCBS 239 is published by the Bank for International Settlements and is publicly available; the KYE registry paraphrases each principle's intent and cites the official principle number for mapping purposes only.
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Overarching governance & infrastructure (P1–P2) | 2 | 1 | 0 | 0 | 0 | 50% |
| Risk data aggregation capabilities (P3–P6) | 4 | 3 | 0 | 0 | 0 | 75% |
| Risk reporting practices (P7–P11) | 5 | 3 | 0 | 0 | 0 | 60% |
| Supervisory review, tools & cooperation (P12–P14) | 3 | 0 | 0 | 0 | 0 | 0% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| bcbs-239.principle1-governance | Principle 1 — Governance: risk-data aggregation and reporting under board-owned governance with named, recorded authority | enforced | audit_events: kye.purpose.request.v1, kye.purpose.admissibility.v1, kye.evidence.decision_map.v1; engines: internal, internal; rule_packs: kye:rule-pack:model-risk-data-governance; dictionaries: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| bcbs-239.principle2-data-architecture | Principle 2 — Data architecture and IT infrastructure supporting aggregation in normal and stress conditions | out-of-scope | (no enforcement cited) |
| bcbs-239.principle3-accuracy-integrity-lineage | Principle 3 — Accuracy and integrity: every risk report bound to its data-lineage evidence chain (sources, transformations, integrity hash) | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.pack.v1, kye.replay.context_seal.v1; engines: internal; rule_packs: kye:rule-pack:model-risk-data-governance; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/30-AUDIT-WORM-RETENTION.md |
| bcbs-239.principle4-completeness | Principle 4 — Completeness: the lineage chain proves which sources, books, and entities the report aggregated — omissions are visible | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.pack.v1; engines: internal; rule_packs: kye:rule-pack:model-risk-data-governance; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/31-DATA-GOVERNANCE-PACK.md |
| bcbs-239.principle5-timeliness | Principle 5 — Timeliness: generating up-to-date aggregated risk data quickly, including in stress / crisis | out-of-scope | (no enforcement cited) |
| bcbs-239.principle6-adaptability | Principle 6 — Adaptability: ad hoc / bespoke risk reports are reconstructable — the lineage chain replays deterministically | enforced | audit_events: kye.replay.context_seal.v1, kye.replay.proof.v1, kye.evidence.pack.v1; engines: internal, internal; rule_packs: kye:rule-pack:model-risk-data-governance; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/21-DELEGATED-AUDITABILITY.md |
| bcbs-239.principle7-reporting-accuracy | Principle 7 — Accuracy of risk reports: every reported number traces to its model version, validation reference, and lineage — reconciled and verifiable | enforced | audit_events: kye.evidence.tool_call.v1, kye.evidence.pack.v1, kye.replay.context_seal.v1; engines: internal, internal; rule_packs: kye:rule-pack:model-risk-data-governance; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| bcbs-239.principle8-comprehensiveness | Principle 8 — Comprehensiveness: reports cover all material risk areas with appropriate depth | out-of-scope | (no enforcement cited) |
| bcbs-239.principle9-clarity-usefulness | Principle 9 — Clarity and usefulness: reports communicate risk in a clear, concise, decision-useful way | out-of-scope | (no enforcement cited) |
| bcbs-239.principle10-frequency | Principle 10 — Frequency: when each report was produced is provably timestamped, so the required cadence is demonstrable | enforced | audit_events: kye.evidence.pack.v1, kye.replay.context_seal.v1; engines: internal; rule_packs: kye:rule-pack:model-risk-data-governance; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/30-AUDIT-WORM-RETENTION.md |
| bcbs-239.principle11-distribution | Principle 11 — Distribution: who received each report, when, is recorded as evidence while confidentiality is preserved | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.pack.v1; engines: internal; rule_packs: kye:rule-pack:model-risk-data-governance; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/38-COMMS-RAIL.md |
| bcbs-239.principle12-supervisory-review | Principle 12 — Supervisory review of the bank's compliance with the Principles | out-of-scope | (no enforcement cited) |
| bcbs-239.principle13-remedial-actions | Principle 13 — Remedial actions and supervisory measures for deficiencies | out-of-scope | (no enforcement cited) |
| bcbs-239.principle14-home-host-cooperation | Principle 14 — Cooperation between home and host supervisors | out-of-scope | (no enforcement cited) |