CPG235 and BCBS239 Regulations

Managing Data Risk and Compliance

CPG235 is a guideline implemented by APRA

New Zealand
Consumers make most of their payments by internet banking
  • Figures shown: 74%, 70.5%, 54.5%, 46.5%, 39.6%, 40.7%
  • A higher percentage make payments via internet banking to banks and insurance companies, telcos, and retailers, respectively, compared to the regional average
  • Impact: Anti-fraud capabilities critical to the increased digital transaction frequency and customers’ trust in banks

Australia
Consumers are most satisfied with the post-fraud service of banks and insurance companies
  • More than 70% satisfaction rate compared to 59.7% on average
  • Impact: Increased trust in BFSIs

Indonesia
Consumers encountered the most fraud incidents in the past 12 months
  • 49.8% have experienced fraud at least once compared to 34.7% on average
  • Impact: Overall anti-fraud capabilities need improvement

Singapore
Consumers have the highest trust towards government
  • 75.5% choose government agencies, compared with 51.7% on average
  • Impact: Trust of personal data protection is centered around government agencies

Vietnam
Consumers encountered most fraud incidents in retail and telco during the past 12 months
  • 55% and 54.5% have experienced fraud at least once in retail and telco, respectively, compared to 32.8% and 35.2% on average
  • Impact: Overall anti-fraud capabilities need improvement

Thailand
Most Thai consumers believe speed and resolution are severely lacking (response/detection speed toward fraud incidents)
  • 60.5% think it is most important, compared to 47.7% on average
  • Impact: Response time as one of the key factors in fraud management to retain customers and gain their trust

India
Consumers have the largest number of shopping app accounts in the region
  • Average of three accounts per person
  • Impact: Highest exposure to online fraud

Hong Kong
The lowest percentage of consumers with a high satisfaction level toward banks and insurance companies’ fraud management
  • Only 9.7% are most satisfied compared to 21.1% on average
  • Impact: Effective response towards fraud incidents to be improved

China
Consumers are the most tolerant toward submitting and sharing of personal data
  • 46.6% compared to the AP average of 27.5% are accepting of sharing personal data of existing accounts with other business entities
  • Impact: Higher exposure of data privacy and risk of fraud

Japan
Consumers most cautious on digital accounts and transactions
  • 50.7% actively maintain digital accounts’ validity (AP average: 27%)
  • 45.5% do not do online bank transfers (AP average: 13.5%)
  • More than 70% did not encounter fraud incidents in past 12 months, compared to 50% on average
  • Impact: Relatively low risk of fraud

The Genesis of Managing Risk Data and the surrounding Regulations

During the global financial crisis in 2008, banks struggled to gain timely clarity on their exposure or to predict default, despite having robust modelling in place. Regulators found the root cause to be the quality and credibility of the data used in these models. Despite these learnings, two years later banks were yet again faced with similar challenges during the Eurozone Greek crisis.


Regulators stepped in and created BCBS239 as a regulation to ensure data used to determine risk metrics are managed appropriately.


BCBS239 should never have been a regulation. Actively managing one of their key assets, their data, is something banks should always have been doing.


The Covid pandemic has once again shown that no-one can predict the future and what it may hold. Even though BCBS 239 should never have been a regulation, it provides key foundational principles to ensure readiness for the next world event.


Managing Data Risk in Australia (APRA CPG 235 Guidelines)


CPG235 is a similar guideline implemented by APRA in the Australian context - even though required in Australia - as it is in Europe and other countries. CPG235 suggests appropriate management of all data risk within financial services organisations. Its scope is wider than that of BCBS239, where the focus is more on risk data management than on managing the risk associated with all data.


BCBS239 - managing risk data, CPG235 - managing data risk


Summary overview of BCBS239 and CPG235 


BCBS239 is a principle-based regulation that covers various aspects of risk data, including credit risk, operational risk, market risk and all other material risk types.


The 11 principles prescribed for the banks in the BCBS regulation are categorised into three distinct categories and can be summarised as follows: 



By Experian 09/17/2021

  • Overarching governance and infrastructure
    - Governance
    - Data Architecture and IT infrastructure

  • Risk reporting practices
    - Accuracy
    - Comprehensiveness
    - Clarity and usefulness
    - Frequency
    - Distribution

  • Risk data aggregation capabilities
    - Accuracy and integrity
    - Completeness
    - Timeliness
    - Adaptability


CPG235 is also a principle-based regulation, taking into account the broader data risk, and can be summarised as follows:

  • Overarching Data Management Framework
  • Data Risk Management
  • Staff awareness and Training
  • Data Risk Assurance & Auditability
  • Managing Data Quality – Metrics & Issues
  • Establish data Controls and Validation
  • Risk Management throughout Data Lifecycle


  • Risk Management throughout Data Lifecycle
  • Establish Controls & Validations
  • Managing Data Quality
  • Data Risk Assurance & Data Quality Reporting
  • Educating Staff & Support
  • Establish Data Risk Framework
  • Establish Data Governance Framework



Becoming materially compliant with these regulations requires significant investment from organisations. To build a business case, the data management capabilities of the organisation must be enhanced to build long-term value, over and above being compliant.


With global banks, especially in South Africa and Europe, having done this for many years, there are multiple benefits of joining the journey late. Australian banks are in a unique position where they can learn from the successes and mistakes that the global banks have made. Collateral and accelerators have also been developed and, most importantly, there is access to resources who have done this before or are still busy doing it.


It is a marathon, not a sprint




Regulations don’t have to be seen as a negative. In the case of both CPG235 and BCBS239, there are numerous benefits including:


  • Improved risk management through data quality
    - Improved identification, monitoring and management of risks at global, consolidated and detailed levels.
    - Enhanced capabilities of risk management quantifications that may result in a reduction in risk losses and ultimately in capital requirements.
    - Simplification of data processes drives responsiveness and adaptability in normal times and in times of stress/crisis.

  • Cost reduction
    - Drive structural cost reductions through process rationalisation.
    - Reduce losses through more accurate, adaptable and faster reporting and insights.
    - Minimise costs associated with poor-quality data (such as reporting that requires constant remediation).

  • Improved decision making
    - Better quality of strategic decision making and planning.
    - Empowerment of risk and business line teams to access and leverage data assets.
    - Maximise return on investment from the BCBS239 program as it increases the speed of the decision-making process throughout the organisation.


The introduction of these regulations will ensure that financial services organisations in Australia uplift their data management capabilities and move towards being truly data-driven.


NovoFinity provides accelerated compliance, powered by Experian Aperture Data Studio


Together, NovoFinity and Experian offer a custom-built solution that includes services and software with a proprietary rules package to help businesses comply with these regulatory guidelines and standards. We aim to deliver data that is consistent, complete, accurate, available, fit for use and timely.


NovoFinity provides financial institutions with governance advisory services to meet BCBS239 & CPG235 guidelines.


