An illustrative South African banking scenario on bank regulatory reporting reconciliation, disputed prudential figures, SARB returns, and data lineage between finance, risk, and regulatory teams.
A prudential reporting problem rarely starts as a technology failure. It usually starts with a number that two responsible teams cannot agree on.
In a South African bank, that number may appear in a management pack, a board risk committee report, and a SARB prudential return. Finance recognises one value. Risk recognises another. The regulatory reporting team submits a third version after month-end adjustments. Each team can explain its own calculation, but no one can show the full path from source transaction to submitted figure.
That is the real problem: not that the number is wrong, but that the bank cannot prove why it is right.
For CFOs, CROs, and regulatory reporting owners, bank regulatory reporting reconciliation South Africa is not a back-office clean-up exercise. It is a control issue, a governance issue, and in some cases a supervisory credibility issue.
This article uses an illustrative banking scenario to show how disputed prudential figures arise, why ordinary reconciliation is not enough, and what executives should require before accepting a reported number as defensible.
Consider a mid-sized South African bank preparing its internal prudential management report ahead of a board committee meeting.
A key figure relating to credit risk-weighted exposure appears materially different across three outputs:
The difference is not large enough to suggest fraud or a system crash. It is large enough to affect internal interpretation of capital utilisation and business unit performance.
Finance argues that the general ledger-aligned number is the controlled figure. Risk argues that the exposure data reflects the approved credit risk model inputs. The regulatory reporting team says both numbers require adjustments before they can be used in the prudential return.
No one is acting irresponsibly. Each team is working within its mandate. The failure sits between the mandates.
When the CFO asks, “Which number will we stand behind if the Prudential Authority challenges us?”, the room cannot answer with evidence. They can only answer with confidence, convention, or seniority.
That is not good enough for a regulated bank.
Traditional reconciliation asks whether two numbers can be made to agree. Regulatory reporting lineage asks a deeper question: how did this figure come into existence, and who approved each transformation?
In many banks, reconciliation is performed late in the process. Teams compare finance balances to risk extracts, investigate differences, post manual adjustments, and document commentary. This may satisfy an internal timetable, but it does not always create a defensible audit trail.
A common pattern is that the submitted figure is correct only because experienced staff know how to bridge the gaps. They understand which portfolios are excluded, which product codes are unreliable, which adjustments are “always made”, and which timing differences can be ignored. The knowledge is real, but it is not institutionalised.
This creates several weaknesses:
For SARB returns data lineage finance risk work, the control objective is not simply agreement. It is traceability. The bank must be able to move from submitted value back to source data, through calculation rules, adjustments, ownership, and approval.
If that path cannot be demonstrated, the reported figure remains vulnerable even when the arithmetic is sound.
When finance and risk teams dispute a prudential number, executives often ask for a “data fix”. That framing is too narrow.
The more common root cause is that different teams are using similar labels for different concepts.
For example, finance may view exposure through accounting recognition and ledger mapping. Risk may view exposure through credit facility structure, collateral treatment, probability of default inputs, and regulatory segmentation. Regulatory reporting may then apply prudential rules that do not align neatly with either internal management view.
The word “exposure” therefore becomes dangerous. It sounds singular, but it may carry different meanings depending on context.
In a retail banking environment, a home loan balance may be straightforward in the ledger, but more complex in risk reporting once arrears status, loan-to-value banding, guarantee treatment, and default classification are considered. In a corporate book, a facility limit, drawn balance, undrawn commitment, and credit conversion factor may each be relevant at different stages of the regulatory calculation.
The executive issue is not that these views differ. They often must differ. The issue is whether the differences are formally defined, governed, and reconciled.
A bank does not need one universal number for every purpose. It does need clarity on which number is authoritative for which decision and which regulatory submission.
In South African banks, manual adjustments will not disappear overnight. Legacy platforms, product migrations, new regulatory interpretations, acquisitions, and operational exceptions all create situations where judgement is required.
The control question is not whether adjustments exist. It is whether they are visible, justified, approved, and reviewable.
A defensible adjustment should answer five questions:
Without these controls, manual adjustments become a hidden reporting layer. They may be embedded in spreadsheets, copied from prior months, or applied by a small group of specialists who understand the history but have not documented the rationale.
This is especially risky in prudential reporting because the same adjustment can affect several outputs. A change made to align a management report may also influence a regulatory return, capital forecast, board dashboard, or risk appetite metric.
The CFO should not accept “we reconciled it” as sufficient assurance. The better question is: “Can internal audit independently trace the adjustment from source to submission without relying on the preparer’s memory?”
In banking data discussions, POPIA is often raised quickly and correctly. Customer financial information must be protected. Access to personal data must be justified. Reporting extracts should not be casually copied across teams or stored in uncontrolled locations.
However, prudential reporting reconciliation has a different primary risk. The main issue is usually not whether the bank has too much personal data in the report. It is whether the bank can prove the integrity of aggregated regulatory figures.
Both matters need attention.
A good control design avoids unnecessary customer-level exposure while preserving traceability. For example, regulatory reporting teams may not need full personal identifiers in every working file, but they may need controlled reference keys that allow authorised investigation back to account or facility level when a variance arises.
This is where POPIA and prudential governance must be designed together. Over-restricting access can make reconciliation impossible. Over-sharing creates privacy and conduct risk. The answer is role-based access, retained evidence, and clear escalation routes — not informal file sharing under month-end pressure.
Load-shedding is not usually the cause of poor regulatory reporting, but it exposes fragile processes.
If a bank’s prudential reporting process depends on overnight batch runs, manual extracts, shared drives, and a few senior analysts working late during month-end, operational disruption matters. Missed data loads, delayed system availability, remote working constraints, and backup power limitations can compress review time.
When time is lost, teams tend to protect submission deadlines by reducing challenge. They rely on prior-month templates, roll forward known adjustments, and accept explanations that would receive more scrutiny under normal conditions.
For a regulated bank, resilience is not only about keeping systems online. It is also about preserving control quality when conditions are poor.
Executives should ask whether the bank’s reporting process can still demonstrate lineage when the timetable is compressed. If the answer is no, the process is not resilient; it is dependent on favourable conditions and personal effort.
A practical model does not begin with a large transformation programme. It begins by identifying the figures that matter most.
For a prudential reporting owner, the starting point may be a small set of high-risk metrics: capital adequacy inputs, credit risk exposure values, liquidity measures, large exposure calculations, or other figures that appear in board packs and SARB submissions.
For each priority figure, the bank should establish:
This is not bureaucracy for its own sake. It reduces rework, shortens dispute cycles, and gives executives confidence that reported figures can withstand challenge.
The key is to focus on decision-critical and regulator-facing numbers first. Trying to document every data element across the bank will usually fail. Starting with the figures that carry the highest supervisory, financial, or reputational risk is more realistic.
For a deeper treatment of this discipline, see Zorinthia’s guidance on regulatory reporting data lineage in banking.
The CFO should not be expected to resolve every technical dispute between finance, risk, and regulatory reporting. But the CFO must ensure that ownership is clear.
In practice, disputed prudential figures often persist because governance is polite but weak. Finance, risk, regulatory reporting, technology, and data teams all contribute to the number, yet no single forum has authority to decide definitions, approve changes, and retire old workarounds.
The CFO, CRO, and regulatory reporting accountable executive should agree where authority sits for each class of metric. They should also define when disputes must be escalated before submission rather than resolved informally afterwards.
Board and committee reporting should reinforce this discipline. If a metric appears in both internal management reporting and regulatory submissions, the pack should not present it as a simple number without noting unresolved data quality issues, material methodology changes, or significant manual overlays.
Executives do not need every technical detail. They do need to know whether the number is stable, governed, and fit for the decision being made.
A useful first intervention is a focused lineage and reconciliation review of one disputed prudential figure.
The review should not attempt to redesign the entire bank’s data architecture. It should follow the figure from origination to submission and identify where evidence breaks down.
The work typically covers:
The output should be an executive view of control gaps, not a technical catalogue. It should show where the bank can defend the figure today, where it relies on undocumented knowledge, and where remediation is required.
This type of review also helps separate genuine data defects from governance defects. Some problems require system changes. Others require definition ownership, approval discipline, or better retention of evidence.
More banking-related examples can be found in Zorinthia’s banking advisory examples.
A disputed prudential figure is not just a reporting inconvenience. It is a warning that the bank may be relying on process memory instead of governed evidence.
For CFOs and regulatory reporting owners, the next step is not to ask whether the teams can reconcile the number again this month. They probably can.
The better question is:
If SARB, internal audit, or the board asked us to prove this figure from source to submission, could we do it without relying on the person who prepared the spreadsheet?
If the answer is uncertain, select one material prudential figure and trace it end to end. The result will show whether the bank has a number it can explain — or merely a number it has learned to accept.