Most of the commentary on CP26/7 focuses on which firms need to report, to which agencies, and by when. That's fair enough for compliance teams. For credit risk, it misses where the reform bites.
What happens to your models once the data feeding them changes overnight? And what does that mean for the decisions those models are already making?
Key takeaways
|
The reality of multi-bureau reporting
Before considering model implications, it helps to understand the scale of the data change itself, because it's easy to either overstate or understate it.
Remedy 2A introduces a mandatory reporting framework requiring any firm that shares consumer credit information with at least one Designated Consumer Credit Reference Agency to share all such information with all DCCRAs. Most large lenders already contribute to all three. The impact of the change won't be zero, but for these firms, it may not be as big as some people think.
Some data items will see no change regardless of firm size:
- CCJs, bankruptcies and electoral roll data aren't sourced from lenders, so all CRAs hold this already
- Public record information is unaffected by the new reporting requirements

The material effect of the reform lies in lender-reported account data. The change will result in a richer, more complete view of the customer, including additional data that may currently be held by one bureau and missing from another. That has a direct consequence for decisioning: it will affect the volume of applications lenders accept and decline, with potential knock-on impacts to impairment and capital models.
The main challenge is that it is difficult to say how significant the change will be. Credit risk teams should be thinking now about what analysis and modelling they could undertake to understand the impacts. That will help determine whether current credit decisioning systems will continue to be optimal, or whether changes to credit risk models and credit strategy will be required once the richer data becomes available.
What the data change means for models
The obligation to report is manageable. What's harder, and far less discussed, is what a fuller, more consistent bureau file does to models that were built, trained and validated on a different set of data.
My point about the 12-month stability window is worth taking a step further, because it has a sharper edge to it than it first appears. A feature like "worst arrears status in the last 12 months" needs the new reporting framework to have been fully operational for 12 months before that data point is stable enough to use.

A richer bureau file doesn't tend to be ready to plug in. It accumulates. And a model calibrated against the data it has always received may produce different outputs once the underlying inputs change, even where those changes improve the overall quality of information available.
This has a direct bearing on IFRS 9 models specifically. The Bank of England's 2025 thematic feedback letter on IFRS 9 already flags source data governance as an area the PRA expects firms to strengthen. A change to the bureau data feeding those models sits squarely inside that scrutiny, though what it means for any individual firm's provisioning will depend on detail that isn't available until the Policy Statement lands.
The same logic extends to application scorecards. The Population Stability Index (PSI) treats a change in source data as one of the recognised triggers for review. Whether that translates into recalibration, and for which portfolios, isn't something that can be answered until the richer data is available to test against. But it's a reasonable question to be asking now, alongside the review of behavioural and impairment models.
Forbearance reporting and model risk under Remedy 2D
There's a specific data quality issue that I think credit risk teams should look at more closely than the general commentary suggests, one that Remedy 2D's accuracy rules will bring into sharper focus.
Remedy 2D introduces stricter accuracy testing, faster error correction, and tighter governance around how data contributors report consumer credit information. None of these are peripheral obligations, and they apply just as much to forbearance data as to any other reported item.
Where the reporting breaks down
There may be practices a lender employs, either ongoing or to solve a temporary problem, that results in general mis-reporting for a group of customers. How breathing spaces and other forbearance measures are reported across bureaus is a clear example.
In 2024 alone, 87,732 breathing space plans were registered in England and Wales. How these get reported to CRAs has never been fully consistent across the industry.
Why this hits behavioural models specifically
They depend on a customer's data history building up in a stable, predictable way. Under Remedy 2D's tighter accuracy requirements, that inconsistency will face closer scrutiny.
If a behavioural model has been reading a customer's risk trajectory off incomplete forbearance history, the new regime won't just tidy up the data. It will change what the model concludes about that customer, which is worth knowing before a validation cycle finds it first.
Treating credit reporting as a regulated control
Credit reporting has historically been treated in many organisations as a compliance feed that operates in the background and only becomes a concern when an individual dispute arises. That won't survive the new regime. The data feeds should be subject to the same governance and control processes as regulatory reporting. Given how important accurate credit reporting is for individuals, it can be the difference between someone being able to obtain a mortgage or whether they can fund a new washing machine.
The downside is that this may place a disproportionate burden on smaller firms and new entrants. The BSA has raised proportionality concerns in its response to the consultation, noting that setting up contracts with all three designated CRAs, alongside stricter accuracy and correction obligations, may be operationally challenging for firms with limited resources. A change that's manageable for a large lender with established CRA relationships and a model governance function may be materially harder for a firm that's historically operated with a single bureau relationship.
Action plan: Preparing credit risk teams for CP 26/7
My view is that the right posture at this stage is to "get ready to be ready." That means having plans and resourcing in place for the analysis and change work that will be required, rather than waiting for the Policy Statement to confirm every detail. The new regime commences 12 months after that publication, and that window is shorter than it sounds for teams managing model validation queues alongside business-as-usual.
There are also things firms can do now.
They can review the accuracy and completeness of the data they currently supply to the CRAs, and evaluate the change and control processes that support ongoing reporting. That's good data governance today and will become a requirement under the new regime.
Three model-specific steps worth taking now:
- Run a data overlap analysis focused on Remedy 2A. The largest model risk here is the additional lender-reported data that will become available. A preliminary analysis of data overlap between the three main CRAs, looking at where files diverge and what extra data may become visible, gives an early view of how applicant risk profiles could change, and which model types are most exposed.
- Pre-book retros with bureau partners. There will be significant demand on CRAs for retrospective data samples once the Policy Statement lands, letting lenders test how their models would have performed against the fuller bureau file. CRA capacity for retros is finite, so reserving that analytical capacity early is worth doing now, regardless of where the final rules land.
- Review forbearance reporting processes against Remedy 2D now. For teams running behavioural models, the accuracy of how breathing spaces, payment arrangements and other forbearance events have been reported to bureaus is worth examining before the new accuracy requirements are confirmed. Where reporting has been inconsistent, the model may be working with a customer history that the new regime will correct, and that correction will need factoring into the next validation cycle.
What they can do right now, independent of the Policy Statement, is review the accuracy and completeness of the data a firm currently supplies to the bureaus, and evaluate its change and control processes for ongoing reporting. That's valuable today as a matter of data governance, and CP26/7 will make it a requirement rather than good practice.
You may also like: