Solvency II and data lineage: what IAM teams should notice

TL;DR: Solvency II compliance depends on traceable data, accountable governance, and defensible disclosures across capital calculations, supervision, and reporting, according to Collibra. The governance lesson is broader: regulated data programmes fail when lineage, ownership, and quality controls are treated as documentation instead of operational controls.

NHIMG editorial — based on content published by Collibra: Solvency II, solved: 3 ways Collibra builds lasting compliance

By the numbers:

• 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
• Only 5.7% of organisations have full visibility into their service accounts.
• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.

Questions worth separating out

Q: How should organisations prove that regulated reporting data is trustworthy?

A: They should treat lineage, approval history, and data quality rules as evidence controls, not administrative extras.

Q: Why does governance workflow matter for compliance programmes?

A: Because policy alone cannot prove accountability.

Q: What do security teams get wrong about data lineage and access control?

A: They often treat both as separate documentation tasks instead of as evidence of control.

Practitioner guidance

• Map critical data paths end to end Identify which source systems, transformations, manual overrides, and report outputs influence Solvency II calculations, then document the lineage for each critical field so auditors can reconstruct the number without ad hoc explanation.
• Assign named owners to regulated data assets Tie each high-value reporting dataset to a steward or owner who is accountable for approvals, exceptions, and issue resolution, and ensure that ownership is reflected in the workflow rather than only in policy documents.
• Standardise business terms and reference codes Create one controlled glossary for report terms, codes, and definitions so finance, risk, and IT teams use the same meaning when preparing disclosures and responding to audit questions.

What's in the full article

Collibra's full post covers the operational detail this post intentionally leaves for the source:

• The specific ways Collibra maps data lineage from source systems through transformations into Solvency II reports.
• How stewardship assignments and workflow automation are used to operationalise approvals and issue resolution.
• The role of policy management, business glossary, and reference data controls in disclosure consistency.
• Examples of how the platform is positioned across Pillar 1, Pillar 2, and Pillar 3 reporting obligations.

👉 Read Collibra's analysis of Solvency II compliance and data governance →

Solvency II and data lineage: what IAM teams should notice?

Explore further

View Full Forum →  |  NHI Foundation Course →