The 2008 financial crisis exposed a shocking truth: major banks couldn't accurately report their own risk exposures in real-time.
When Lehman Brothers collapsed, regulators discovered that institutions didn't know their actual exposure to toxic assets -- not because they were hiding it, but because they genuinely couldn't aggregate their own data fast enough.
Fifteen years and billions in compliance spending later, only 2 out of 31 Global Systemically Important Banks fully comply with BCBS-239 -- the regulation designed to prevent this exact problem.
The bottleneck? Data lineage.
BCBS-239 applies from January 1, 2016 for Global Systemically Important Banks (G-SIBs) and is recommended by national supervisors for Domestic Systemically Important Banks (D-SIBs) three years after their designation. In practice, this means hundreds of banks worldwide are now expected to comply.
Unlike regulations with fixed annual filing deadlines, BCBS-239 is an ongoing compliance requirement. Supervisors can test a bank's compliance with occasional requests on selected risk issues with short deadlines, gauging a bank's capacity to aggregate risk data rapidly and produce risk reports.
Think of it as a fire drill that can happen at any moment -- and with increasingly serious consequences for failure.
More than a decade after publication and eight years past the compliance deadline, the results are dismal. Only 2 out of 31 assessed Global Systemically Important Banks fully comply with all principles, and no single principle has been fully implemented by all banks.
Even more troubling, the compliance level across all principles barely improved from an average of 3.14 in 2019 to 3.17 in 2022 on a scale of 1 ("non-compliant") to 4 ("fully compliant"). At this rate of improvement, full compliance is decades away.
The consequences are escalating. The ECB guide explicitly mentions:
The Basel Committee makes it clear that banks' progress towards BCBS 239 compliance in recent years has not been satisfactory and that increased measures on the part of the supervisory authorities are to be expected to accelerate implementation.
Most banks have responded to BCBS-239 with predictable tactics:
These tactics, as positive steps forward, are necessary but not sufficient to meeting compliance. In other words, they're checking boxes without fundamentally solving the problem.
The issue? Banks are treating BCBS-239 like a project with an end date, when it's actually an operational capability that must be demonstrated continuously.
Among the 14 principles, one capability has emerged as the make-or-break factor for compliance: data lineage.
Data lineage has been identified as one of the key challenges that banks have faced in aligning to the BCBS-239 principles, as it is one of the more time consuming and resource intensive activities demanded by the regulation.
Data lineage -- the ability to trace data from its original source through every transformation to its final destination -- sits at the intersection of virtually every BCBS-239 principle. The European Central Bank refers to data lineage as "a minimum requirement of data governance" in the latest BCBS 239 recommendations.
Here's why lineage is uniquely difficult:
It's invisible until you need it.
Unlike a data governance policy you can show an auditor or a data quality dashboard you can pull up, lineage is about proving flows, transformations, and dependencies that exist across dozens or hundreds of systems. You can't fake it in a PowerPoint.
It crosses organizational and system boundaries.
Complete lineage requires cooperation between IT, risk, finance, operations, and business units -- each with their own priorities, systems, and definitions. Further, data hand-off occurs in and between systems, databases and files, which adds to the complexity of connecting what happens at each hand-off. Regulators are increasingly requiring detailed traceability of reported information, which can only be achieved through lineage across organizations and systems.
It must be current and complete.
The ECB requires "complete and up-to-date data lineages on data attribute level (starting from data capture and including extraction, transformation and loading) for the risk indicators, and their critical data elements." A lineage document from six months ago is worthless if your systems have changed.
It must work under pressure.
Supervisors increasingly require institutions to demonstrate the effectiveness of their data frameworks through on-site inspections and fire drills, with data lineage providing the audit trail necessary for these reviews. When a regulator asks "prove this number came from where you say it came from," you have hours -- not days -- to respond.
While 11 of the 14 principles benefit from good data lineage, regulatory guidance makes it explicitly mandatory for eight:
Most banks have invested heavily in data catalogs, metadata management platforms, and governance frameworks. Yet they still can't produce lineage evidence under audit conditions. Why?
Traditional approaches have three fatal flaws:
Excel-based lineage documentation becomes outdated within weeks as systems change. By the time you finish documenting one data flow, three others have been modified. Manual approaches simply can't keep pace with modern banking environments.
Modern data lineage tools can map cloud warehouses and APIs, but they hit a wall when they encounter legacy mainframe systems. They can't parse COBOL code, decode JCL job schedulers, or trace data through decades-old custom applications -- exactly where banks' most critical risk calculations often live.
Lineage that stops at the data warehouse is fundamentally incomplete under BCBS-239's end-to-end data lineage requirements. Regulators want to see the complete path -- from original source system through every transformation, including hard-coded business logic in legacy applications, to the final risk report. Most tools miss 40-70% of the actual transformation logic.
This is where AI-powered solutions like Zengines fundamentally differ from traditional approaches.
Instead of manually documenting lineage, Zengines can automatically and comprehensively:
For many banks, the biggest lineage gap isn't in modern systems -- it's in legacy mainframes where critical risk calculations were encoded 20-60 years ago by developers who have long since retired. These systems are literal "black boxes": they produce numbers, but no one can explain how.
Zengines' Mainframe Data Lineage capability specifically addresses this challenge by:
This capability is essential for banks that need to prove how legacy calculations work -- whether for regulatory compliance, system modernization, or simply understanding their own risk models.
The critical question isn't "Do we have data lineage?" It's "Can we prove compliance through data lineage right now, under audit conditions, with short notice?"
Most banks would answer: "Well, sort of..."
That's not good enough anymore.
We've translated ECB supervisory expectations into a practical, principle-by-principle checklist. This isn't about aspirational capabilities or future roadmaps -- it's about what you can demonstrate today, under audit conditions, with short notice.
The bottleneck to full BCBS-239 compliance is clear: data lineage.
Traditional approaches -- manual documentation, point solutions, incomplete coverage -- can't solve this problem fast enough. The compliance deadline was 2016. Enforcement is escalating. Fire drills are becoming more frequent and demanding.
Banks that solve the lineage challenge with AI-powered automation will demonstrate compliance in hours instead of months. Those that don't will continue struggling with the same gaps, facing increasing regulatory pressure, and risking enforcement actions.
The technology to solve this exists today. The question is: how long can your bank afford to wait?
Schedule a demo with our team today to get started.

In this episode of the Finovate Podcast, host Greg Palmer sits down with Caitlyn Truong, CEO and Co-founder of Zengines, fresh off the company's Best of Show win at FinovateSpring 2026.
Caitlyn traces her path from hardware and software engineering in telecom to financial services consulting, where she and her co-founders kept running into the same gap: critical business logic locked inside legacy core applications written in COBOL, RPG, and PL/1. With 92 of the top 100 banks running COBOL mainframe cores and over half of credit unions and regional banks operating on RPG cores, that black box isn't an edge case — it's the industry norm.

There is a rule that has been on the books for over a decade, and almost nobody outside of risk and compliance teams has ever heard of it: BCBS 239. It is not a catchy name. But the idea behind it is one of the more sensible things to come out of the post-2008 regulatory response: banks should be able to explain where their risk numbers come from.
Not approximate. Not eventually. Be able to trace a number back to its source, on demand, and show the path it took to get there.
That standard came into force for the world’s largest banks in January 2016. Almost ten years later, only a handful of the 31 global systemically important banks (G-SIBs) have reported full compliance. The ECB’s RDARR Guide, published in May 2024, named data lineage as one of seven priority areas still holding institutions back, and said it expects remediation work to continue through 2027.
I want to make the case that this isn’t a story about banks dragging their feet, or regulators failing to enforce something. It’s a story about a rule that was right, running into a technical wall that was real.
If you’ve spent time around a bank’s core systems, you already know what the wall looks like. Decades of COBOL or RPG, written and rewritten by people who retired years ago, running calculations that nobody currently on staff can fully explain. Ask a team to trace how a specific risk figure was derived, and the honest answer is often: we’d need a few months, and a few of our most senior mainframe engineers — who are also the people we can least afford to pull onto this.
That’s not a compliance excuse. It’s a real description of how these systems work. Logic gets buried inside modules that branch into other modules, which branch into more, written in a language most engineering schools stopped teaching in the 1990s.
So banks have been stuck between a standard they understand and largely agree with, and infrastructure that makes meeting it genuinely hard. Regulators have been patient about this — I think correctly — because the alternative, demanding visibility into systems that were close to a black box, wasn’t realistic.
I run a company called Zengines. We built technology specifically to deal with this wall: parsing legacy code at scale, tracing how data moves through mainframes and AS/400 applications, and surfacing the business logic that’s been buried inside them for decades — with the context needed to make it usable.
At one Fortune 100 financial institution, we’re currently working through hundreds of thousands of COBOL modules, some of them tens of thousands of lines deep, netting out to tens of millions of lines of code. Questions that used to take a mainframe specialist months to answer — tracing a variable by hand through branch after branch — can now be answered in seconds. An analyst can ask the system directly where a number came from, instead of opening a ticket and waiting. That same self-service access lets teams build their own understanding, and answer questions from regulators and transformation programs directly.
I’m not suggesting this solves everything BCBS 239 asks for. Governance, and the behavioral discipline of actually using data management tools once you have them — those still take sustained organizational effort, and always will.
But the specific claim that legacy mainframes are too opaque to document fully? That claim is no longer true, at least not in the way it used to be.
I’d guess most people reading this don’t work in regulatory compliance.
If you’re a CDO, a CIO, or a risk leader at a bank with a mainframe at its core, BCBS 239 is probably one item on a long list. But the underlying question — can we actually explain how our own systems work? — isn’t a regulatory question. It’s a basic operational one. It’s the same question that determines whether you can trust the data going into a new AI initiative, whether you can defend a number in front of your own board, and whether the next system migration breaks something nobody saw coming.
Lineage has quietly become a prerequisite for almost everything banks are now trying to do with their data. Most executives don’t ask for it directly, because they don’t think to ask — they ask for the AI use case, or the modernization roadmap, or the faster reporting cycle, and lineage turns out to be the thing standing between them and any of it.
I don’t think this is a story that needs villains. The standard was right. The barrier was real. What’s changed is narrower, and more hopeful: the wall that made the standard so hard to meet has a way through it now.
If you’re a regulator, I’d offer this as something worth knowing: the technical excuse has less weight than it used to. If you’re an executive at a bank still living with this problem, I’d offer something more direct — this is more solvable, and more quickly, than you’ve been told.
Either way, the goal was never the regulation itself. It was being able to look at your own systems and actually understand them. That’s now a lot closer than it’s been in years.
Sincerely,
Caitlyn Truong
CEO, Zengines

At industry conferences this year, I’ve spent dozens of hours inside conversations with CEOs, CDOs, CIOs and operating executives across financial services. When I ask what’s keeping them up at night when it comes to their data, the answer is remarkably consistent: data access. They want data more accessible, faster, in more usable form, in more places, with fewer gatekeepers.
What's notable is what they don't ask for. Not trustworthiness. Not audit-ability. Not the ability to defend a number to a regulator without calling three people first. Access is the ceiling of the conversation, and honestly, that makes sense. In large financial enterprises built on decades of legacy applications, murky integrations, and pipelines that nobody fully documented, just getting the data somewhere useful is still a meaningful achievement.
The problem is that "getting the data" is already more complicated than most leaders realize. The moment data leaves its source system, decisions are being made about it. Decisions that quietly change what it means. And if you don't know those decisions were made, you don't know what you're actually looking at.
That's where lineage comes in, and why it matters even before you get to the outcomes leaders should be asking for.
Below, I’ll walk through (1) what “access” really delivers, (2) the abstraction layer hidden inside every extraction, (3) the compounding problem of “data derivatives”, (4) a concrete example – encoding and precision – where this gets expensive, and (5) what business leaders should be asking for instead.
When a business team asks for access to data, they almost always receive something that has already been processed for their consumption. Someone – usually a data engineer or database administrator – sat down with the source system and made a series of decisions:
These decisions are reasonable. Business consumers don’t want raw operational data; they want something readable without extraneous noise. But every one of those decisions encodes logic and judgment that doesn’t travel with the data. The output looks complete – and to the business user, it looks like the source of truth – but it is already an abstraction.
I find it useful to think of an extraction as a translation. Someone translated the operational reality of a data storage system into a business-readable view. Like any translation, choices were made: what to keep, what to drop, how to render concepts that don’t map cleanly across contexts. And like any translation, those choices can quietly change the meaning.
When a business leader looks at the extracted view, the assumption is usually that the data was “moved and shifted” – that is, copied with fidelity. That assumption is possible. In my experience, it is also highly doubtful. Logic gets applied at the moment of extraction, and unless someone deliberately captured and shared that logic, it is invisible by the time the data reaches a dashboard.
Here is where it gets harder.
Once an extracted data set exists, other people start using it. And why wouldn't they? There is already a data access path. The alternative - forging a new data access path - is the full corporate yellow tape headache: hunting for a charge code, filling out a technical work request that Business can’t quite decipher, watching that ticket age in a queue, and depending on legacy data SMEs who left the company in 2019. The extracted data set skips all of that. Already shaped for consumption, already lightly documented, already trusted by some peer team who vouched for it in a meeting six months ago. So the next team builds a report off it. Or creates a derivative data set for their own use case. Or both. What they don't realize is that the easy path and the right path may not be the same one.
They use it because it’s available and easier than starting from scratch – it’s already shaped for consumption, already lightly documented, already trusted by some peer team. So they build a new report off it. Or they create a derivative data set for their own use case. Or both.
That derivative is now an abstraction of an abstraction. The further you move from the originating system, the more layers of unrecorded judgment sit between the business decision and the operational event the data was supposed to describe. By the third or fourth hop, the question “where did this number come from?” can be genuinely difficult to answer – even for the team that produced the report.
Let me make this concrete with an example I keep encountering.
When data is moved between systems, engineers make practical choices about how to package it. One of those choices is how to handle numeric precision. A value originally stored at six decimal places in the source might be packaged at four, or two, depending on what the receiving system supports – or simply what the engineer is most familiar with.
In some industries, that’s fine. In financial services, insurance, and healthcare, it is often not fine. A decimal place in an interest rate, a reserve calculation, or a pricing model can represent material variance. Once precision has been silently reduced, the data is no longer the real data – it is an approximation that looks identical to a casual reviewer. The business consumer assumes they’re working with the underlying record; in reality, they’re working with a rounded version of it that was reshaped during packaging.
This is exactly the kind of change that lineage is built to surface. Without lineage, you can’t tell that anything happened. With lineage, the precision change is documented, traceable, and reviewable.
Regulatory frameworks have been ahead of business intuition on this point. BCBS-239 requires banks to demonstrate the accuracy, completeness, and timeliness of their risk data – which is impossible to defend without lineage. ORSA and Solvency II require insurers to substantiate the data flowing into solvency and capital calculations. None of these frameworks ask whether you have access to the data. They ask whether you can prove what the data is and how it got there.
For institutions operating under these regimes, lineage isn’t a nice-to-have analytics enhancement. It is the substrate that makes the rest of the data conversation defensible.
If “give me access to the data” is the wrong ask on its own, what’s the right one? In my view, business leaders should be asking three questions every time a new data set lands on their desk:
These questions don’t replace the access conversation – they extend it. Access is the entry point. Lineage is what makes access trustworthy.
The reason business teams don’t ask for lineage isn’t that lineage doesn’t matter. It’s that the absence of lineage rarely announces itself. The data looks fine. The dashboard renders. The report mostly ties out. The risk lives in the assumptions you didn’t know you were making about what the data went through to get to you.
If your business teams are only asking for access, you have a gap – and in legacy environments where decades of undocumented logic sit between the source and the report, that gap is widest. The fix is to start asking for lineage too.
Zengines Contextual Data Lineage is built for the environments where the lineage gap is widest – large financial enterprises with critical business logic locked inside COBOL, RPG, PL/1, and AS/400 code. We extract that embedded logic, make the data path visible, and give your teams the evidence trail they need to defend their numbers to auditors, regulators, and themselves.
If you’re working through a BCBS-239, ORSA, or Solvency II mandate, a planned mainframe migration, or a growing trust gap between your business teams and the data they consume, we’d like to hear about it.
.png)