Risk Governance — Basel Committee

From the 1 January 2025 reporting period, internationally active banks subject to the Basel Committee on Banking Supervision’s (BCBS) Pillar 3 framework must publish granular climate-related financial risk disclosures. The Basel climate disclosure standard, finalized in December 2022 and refined through 2023 supervisory Q&As, sets out governance, strategy, risk management, and metrics targets aligned with the Task Force on Climate-related Financial Disclosures (TCFD) and the International Sustainability Standards Board’s IFRS S2. Banks must embed these requirements into year-end 2025 reporting packs, with supervisors expecting early dry runs and strong evidence trails covering data lineage, scenario analysis, and universal opt-out controls for stakeholder data captured in transition planning tools.

The Basel package requires banks explain board and senior management oversight of climate risks, detail exposure pathways across credit, market, liquidity, and operational risk, and report quantitative metrics such as financed emissions, sectoral exposures, and climate scenario sensitivities.

Jurisdictions including the European Union, United Kingdom, Canada, Singapore, and Hong Kong have already confirmed supervisory timelines that sync with the Basel standard, making 2024 a build year for harmonising disparate disclosure regimes. Banks operating in multiple markets must map crosswalks between Basel templates, IFRS S2, the EU Capital Requirements Regulation (CRR) Pillar 3 ESG templates, and jurisdiction-specific expectations like the US Federal Reserve’s proposed climate guidance.

Meeting the 2025 deadline requires a governance-led mobilization. Boards should ensure climate risk reporting is governed through an integrated sustainability reporting committee that coordinates finance, risk, sustainability, technology, investor relations, and legal teams.

This committee must align Basel disclosure data with enterprise risk appetite statements, integrate climate metrics into ICAAP and ILAAP documentation, and oversee investment in systems that can capture facility-level emissions data, climate-adjusted probability of default, and scenario stress results. Board minutes should explicitly reflect discussions on capital planning impacts, risk-weighted asset implications, and capital buffers tied to climate risks.

Governance and operating model expectations: The Basel standard demands clear delineation of responsibilities. Banks should assign executive ownership—typically the chief risk officer or chief sustainability officer—with formal delegations to business line risk committees. Governance documentation should capture how front-line units identify material climate exposures, escalate them through first-line risk forums, and integrate them into credit decisioning and portfolio management. Internal audit must include climate disclosures in the 2025 audit plan, testing data quality controls, model validation, and adherence to disclosure policies approved by the board.

Supervisors will scrutinise how climate risk identification feeds into strategy, including net-zero commitments, sector exclusion policies, and transition finance products.

Governance forums should assess whether lending, underwriting, and investment portfolios align with jurisdictional taxonomies—such as the EU Taxonomy or Singapore’s Green and Transition Taxonomy—and document approvals for clients that sit outside risk appetite thresholds. Banks should also embed climate considerations into remuneration structures under Basel’s Principles for Effective Risk Data Aggregation and Reporting (BCBS 239), linking executive incentives to progress on scenario capability, data governance, and disclosure accuracy.

Universal opt-out and stakeholder data controls: Climate disclosure programs rely on sensitive customer and counterparty data, including energy usage, emissions inventories, and transition plans. Banks must ensure that data collection and engagement respect universal opt-out mechanisms across jurisdictions. For example, clients located in California or Colorado can transmit browser-based global privacy control (GPC) signals that restrict secondary uses of personal data, while EU corporate clients may exercise GDPR objections to processing for profiling or marketing. Data gathering platforms should centralize consent capture, record the legal basis for processing (legitimate interest, contractual necessity, or consent), and automatically propagate opt-out decisions to analytics workbenches, client portals, and vendor systems.

When banks collaborate with climate data providers, utilities, or satellite analytics vendors, they should negotiate contractual clauses that require honoring opt-out preferences and specify data deletion timelines.

Universal opt-out governance should extend to investor relations activities: sustainability microsites, survey distribution tools, and webinar platforms must recognize opt-out headers and provide frictionless unsubscribe options for teams receiving Basel-related updates. Banks should also create specialized workflows for Indigenous communities, small business owners, and retail borrowers to ensure opt-out rights are communicated in culturally appropriate formats and alternative contact methods are available for regulatory notices that must be delivered regardless of marketing preferences.

Evidence and assurance framework: Basel climate disclosures will be heavily scrutinised by supervisors, investors, and civil society. Banks should build an evidence vault that stores source documents for every reported metric—loan-level data, emissions factors, scenario assumptions, board papers, model validation reports, and legal opinions on data usage. Metadata should capture versioning, data owners, processing steps, and controls applied, aligning with BCBS 239 principles. Institutions should also deploy automated lineage tooling that tracks how raw data flows into disclosure tables, enabling independent validation and swift response to supervisory queries.

External assurance is rapidly becoming market practice. Many jurisdictions are moving toward limited assurance for sustainability disclosures, with reasonable assurance on the horizon. Banks should engage auditors early to define the scope of assurance, evidence expectations, and testing timelines. Internal audit must coordinate with external auditors to avoid duplication and ensure all critical controls—such as climate scenario governance, opt-out management, and data quality checks—are tested. For cross-listed banks, evidence packs should be harmonized across US, UK, EU, and Asian exchanges to prevent inconsistent disclosures.

Scenario analysis and data architecture: Delivering Basel-aligned climate metrics requires advanced data capabilities. Banks should invest in integrated data platforms that combine internal credit risk systems with external datasets like the Partnership for Carbon Accounting Financials (PCAF) factors, International Energy Agency (IEA) transition pathways, and NGFS scenarios. Model risk management teams need to validate climate models, documenting assumptions, back-testing methodologies, and limitations. Data governance councils must approve taxonomies for sectors, technologies, and asset classes to ensure consistent reporting across jurisdictions.

To maintain accuracy, institutions should automate reconciliations between Basel Pillar 3 tables, financial statements, and sustainability reports. Tools such as XBRL tagging and disclosure management software can simplify reporting packages, while workflow engines manage sign-offs from finance, risk, legal, and investor relations. Banks should also establish key performance indicators (KPIs) for data completeness, opt-out compliance rates, and assurance findings, reporting them to the board quarterly.

Regulatory engagement and stakeholder communications: Supervisory colleges are coordinating on climate risk expectations. Banks should brief their supervisory teams on setup progress, highlighting governance structures, universal opt-out capabilities, and evidence management. For markets like the EU, banks must align Basel disclosures with CSRD/ESRS obligations and the European Central Bank’s climate expectations, ensuring consistent messaging. Investor communications should explain how Basel disclosures interact with transition finance strategies, capital allocation, and client engagement policies. Transparent articulation of data limitations, opt-out impacts, and scenario assumptions will build credibility.

Engagement should extend to clients and civil society. Banks should develop communication materials that explain why data is being collected, how universal opt-out rights are honored, and how disclosures support climate transition objectives. Client advisory teams can offer toolkits that help corporate customers gather emissions data, align with ISSB standards, and navigate opt-out compliance in their own supply chains. Civil society dialogs should focus on addressing concerns about greenwashing, data privacy, and equitable transition financing.

Action checklist for 2024: set up a Basel climate disclosure steering committee with board sponsorship; map disclosure requirements to existing reporting frameworks; design a consent and opt-out architecture that spans CRM, data lakes, and analytics environments; build an evidence register with automated lineage; schedule internal audit and external assurance reviews; and run dry-run disclosures using 2024 data to validate metrics, governance, and opt-out controls. Banks that complete these steps by mid-2024 will be better positioned to withstand supervisory deep dives and investor scrutiny when the 2025 reporting window opens.

Sources

• Basel Committee on Banking Supervision: Pillar 3 disclosure requirements for climate-related financial risks (December 2022)
• Basel Committee: Frequently asked questions on climate-related financial risk (June 2023)
• Network for Greening the Financial System climate scenarios
• Partnership for Carbon Accounting Financials methodology

This enables Basel-aligned climate disclosures by unifying consent-aware data collection, universal opt-out orchestration, and evidence vaults, giving banks confidence that 2025 Pillar 3 reports will withstand supervisory challenge.

How to implement this

If you are affected, develop setup roadmaps that account for resource constraints, dependencies, and risk priorities. Phased approaches typically provide better outcomes than attempting full changes simultaneously. Early wins build momentum and show value to teams.

Progress monitoring should track setup activities against planned timelines and identify potential issues requiring intervention. Regular reporting keeps teams informed and maintains organizational focus on setup priorities.

Stakeholder management

Effective stakeholder engagement ensures alignment on objectives, expectations, and setup approaches. Communication should be tailored to different audiences, providing appropriate levels of detail for technical and executive teams.

Change management processes should address organizational readiness and potential resistance to new requirements or practices. Training and support resources help ensure successful adoption of required changes.

Iterating and improving

Continuous improvement processes should incorporate lessons learned and feedback from setup experiences. Regular reviews help identify improvement opportunities and ensure approaches remain aligned with evolving requirements.

Documentation of setup activities and outcomes provides evidence of due diligence and supports ongoing maintenance. Knowledge capture ensures institutional learning is preserved for future reference.

More on this topic

Further reading from our research library.

Data Strategy · Credibility 88/100 · January 1, 2025

Data Governance — Corporate Transparency Act

January 1, 2025 was the deadline for existing companies to file their initial beneficial ownership reports with FinCEN. If you formed your company before 2024 and have not filed yet, you are already past due. The…

Data Strategy · Credibility 87/100 · January 1, 2025

Data Privacy — January 1, 2025: Iowa Consumer Data Protection Act

Iowa's Consumer Data Protection Act became effective January 1, 2025. The thresholds are fairly high—100K consumers or 50K if you are selling data—but the requirements are standard: privacy notices, consumer rights, data…

Data Strategy · Credibility 86/100 · January 1, 2025

Data Privacy — January 1, 2025: New Hampshire Consumer Data Protection Act

New Hampshire's Consumer Data Protection Act became effective January 1, 2025. It is relatively standard as state privacy laws go—consumer rights, data protection assessments, limited sensitive data processing. Another…

Data Strategy · Credibility 86/100 · December 30, 2024

Data Strategy — Healthcare interoperability

ONC's Health IT Certification Program (HTI-1) compliance deadlines rolled through 2024. If you are a certified health IT developer, verify your certification status and upcoming requirements. The regulatory timeline…

Data Strategy · Credibility 73/100 · November 21, 2024

Data Strategy — EU regulation

The EU's financial data space initiative launched calls for proposals in late 2024. They are building infrastructure for secure financial data sharing across the EU. If you are in fintech or financial services, watch for…

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Data Interoperability Engineering Guide

  Engineer interoperable data exchanges that satisfy the EU Data Act, Data Governance Act, European Interoperability Framework, and ISO/IEC 19941 portability requirements.

• Data Stewardship Operating Model Guide

  Establish accountable data stewardship programmes that meet U.S. Evidence Act mandates, Canada’s Directive on Service and Digital, and OECD data governance principles while…

• Data Strategy Operating Model Guide

  Design a data strategy operating model that satisfies the EU Data Act, EU Data Governance Act, U.S. Evidence Act, and Singapore Digital Government policies with measurable…

Source material

1. BCBS: Climate-related financial risk disclosures — bis.org
2. BIS press release on climate disclosure standards — bis.org
3. ISO 8000-2:2022 — Data Quality Management — International Organization for Standardization