I. Implementing Basel III through the CRR III Regulation
The Basel III standards comprise a package of reforms that were largely agreed by the Basel Committee on Banking Supervision (“BCBS”) in December 2017 and set out in the BCBS standard “Basel III: Finalising post-crisis reforms” (BCBS 424).
In order to implement these standards more fully, the European Commission has amended the Capital Requirements Regulation (Regulation (EU) 575/2013, as amended (“CRR”)) by Regulation (EU) 2024/1623 (“CRR III”) and the Capital Requirements Directive (Directive (EU) 2013/36, as amended (“CRD IV”)) by Directive (EU) 2024/1619 (“CRD VI”). Both were published in the Official Journal of the European Union on 19 June 2024 and shall enter into force on the twentieth day following that of their publication. Most amended provisions of the CRR will become effective on 1 January 2025, while CRD implementation provisions are to be transposed by EU member states (each, a “Member State”) and applicable as of 11 January 2026.
The latest CRR changes have two general objectives:
- Contributing to financial stability; and
- Contributing to the steady financing of the economy in the context of the post-COVID-19 crisis recovery.
Those general objectives can be broken down into four more specific objectives:
- Strengthening the risk-based capital framework, without significant increases in capital requirements overall;
- Enhancing the focus on ESG risks in the prudential framework;
- Further harmonising supervisory powers and tools; and
- Reducing institutions’ administrative costs related to public disclosures and improving access to institutions’ prudential data.
The key final Basel III standards being implemented in the latest set of amendments address:
- the output floor;
- the standardised approach for credit risk;
- the internal ratings-based approach for credit risk;
- the credit valuation adjustment risk framework;
- the leverage buffer;
- the operational risk framework; and
- the market risk.
Each of these areas of reform is described in greater detail in turn below.
A. Standardised approach for credit risk
Credit risk – the risk of loss due to a borrower being unable to repay a debt in full or in part – results from the credit institutions’ risk-taking activities and provides the basis for a credit institution’s regulatory capital requirements. Credit risk can be calculated by using the standardised approach or the internal ratings-based (IRB) approach.
The standardised approach allows credit institutions to use a prescribed risk weight schedule for calculating risk-weighted assets (“RWAs”). In summary, a credit institution allocates a risk weight to each of its assets and off-balance sheet positions and produces a sum of risk-weighted asset values.
The CRR III amends the existing CRR provisions to implement BCBS’s revised standardised approach for credit risk. These amendments will improve the risk sensitivity of this approach. Among other things, CRR provisions related to the following have been revised:
- Exposure value of off-balance sheet items;
- Exposures to credit institutions and to corporates;
- Treatment of specialised lending exposures;
- Exposures secured by real estate;
- Equity exposures; and
- Defaulted exposures.
B. Internal ratings-based approach for credit risk
As an alternative to the standardised approach, the IRB approach1 allows a credit institution to use its internal estimates of borrower creditworthiness to assess credit risk in its portfolios. At the same time, it is subject to strict methodological and disclosure standards. The use of this approach is subject to the explicit approval of a credit institution’s competent authority.
The CRR III amends the CRR provisions to implement the revised IRB approach set out in the final Basel III standards. Therefore, among other things, the Regulation:
- Limits the exposure classes for which internal models can be used to calculate own funds requirements for credit risk;2
- Introduces minimum values for credit institutions’ own estimates of IRB parameters that are used as inputs to the calculation of RWAs (so-called “input floor”); and
- Removes the 1.06 scaling factor that is currently applied to RWAs determined by the IRB approach to credit risk.
C. Output floor
The amendments introduce the so-called output floor as an additional step in the calculation of capital requirements. The output floor sets a lower limit on the capital requirements calculated by credit institutions that use internal models. These institutions are now required to compare the RWAs resulting from their internal models with those calculated by using the standardised approach as multiplied by a percentage factor of 72.5%, with the higher of the two amounts of RWAs being used to calculate the total risk exposure amount of the entity (“TREA”).
Member States may apply the following factors when calculating a credit institution’s TREA: starting with 50% in 2025 and increasing this percentage every year by 5% up to 70% in 2029.
In addition, in the CRD VI, the provisions on the institution-specific pillar 2 requirement (P2R) and the systemic risk buffer (SRB) will be changed to introduce safeguards tailored to prevent unjustified increases in these requirements following a credit institution becoming bound by the output floor.
The relevance of RWAs with a standardised approach is growing steadily, forcing credit institutions to adapt their internal calculation models as well.
D. Credit valuation adjustment risk framework
Credit institutions engaging in OTC derivatives trading are subject to credit valuation adjustment (“CVA”) risk, which is the risk of incurring mark-to-market losses (i.e. losses derived from accounting for the value of the derivative based on its current market price) because of the deterioration of their counterparties’ creditworthiness.
To implement the revised framework set out in the final Basel III standards, extensive amendments to CRR provisions on CVA risk are made. Therefore, a credit institution must calculate its own funds requirements for CVA risk in accordance with the following approaches:
- The standardised approach (“SA-CVA”), which is based on fair value sensitivities to market risk factors and the use of which requires permission by the relevant competent authorities;
- The basic approach (“BA-CVA”), which builds on the previously standardised method for CVA and is the default approach for CVA. Credit institutions which are not using the simplified approach described below must use the BA-CVA, unless they are permitted to use the SA-CVA; and
- The simplified approach, which is available to credit institutions with less engagement in derivatives activities and permits such credit institutions to use their counterparty credit risk (CCR) capital requirements as a proxy for their CVA charge as an alternative to using SA-CVA or BA-CVA.
E. Leverage buffer
The final Basel III standards introduced a leverage buffer for global systemically important banks (G-SIBs) and refinements to the leverage ratio exposure measure. These measures were largely implemented in the European Union through amendments to the CRR by Regulation (EU) 2019/876 (“CRR II”).
The CRR III will amend Art. 429c CRR to implement the BCBS finalised standards on the leverage ratio treatment of client cleared derivatives to align it with the measurement as determined under the standardised approach to measuring CCR exposures. It will also make further technical amendments relating to the calculation of the exposure value of off-balance-sheet items and to provisions related to further purchases and sales awaiting settlement.
F. Operational risk framework
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
The CRR III replaces the CRR provisions on operational risk entirely by a single risk-sensitive standardised approach for calculating operational risk capital requirements to be used by all credit institutions.
The own funds requirement for operational risk under the new framework is the business indicator component (“BIC”), which is calculated by multiplying the business indicator (“BI”) by a set of regulatorily determined marginal coefficients. The BI is a financial statement-based proxy for operational risk, consisting of three elements, each calculated as the average over a period of three years:
- An interest, leases and dividend component;
- A services component; and
- A financial component.
All credit institutions are required to have an operational risk management framework. In addition, credit institutions with a BI equal to or above EUR 750 million will be required to maintain a loss data set and to calculate their annual operational risk losses for disclosure purposes.
G. Market risk
CRR II introduced the BCBS’s market risk standards, which followed on from its fundamental review of the trading book, as an ongoing reporting requirement but not as a binding capital requirement. CRR II inserted an alternative standardised approach (“A-SA”), Art. 325c to 325ay CRR, and an alternative internal model approach (“A-IMA”), Art. 325az to 325bp CRR.
CRR III, by comparison, imposes these approaches as binding own funds requirements. Art. 325 CRR will be amended to provide that credit institutions should calculate their own funds for market risk in accordance with the A-SA, the A-IMA or the simplified standardised approach (Art. 326 to 361 CRR). The CRR III will also:
- Amend the provisions relating to the trading book and the assignment of instruments to trading and banking books (Art. 104 to 104c CRR);
- Make technical amendments to provisions on the A-SA and A-IMA;
- Delete provisions in the CRR on the existing internal models approach (Art. 362 to 377 CRR), which is replaced by the A-IMA; and
- Give the European Commission the power to adopt delegated acts to amend the approaches to calculating own funds requirements for market risk and to amend the date of entry of application of these approaches (Art. 461a CRR).
The flexibility granted to the European Commission reflects uncertainty on whether major jurisdictions will deviate from the final Basel III standards in their implementation of these new standards.
II. EU-specific reforms
In tandem with its implementation of the final Basel III standards, the EU has generally updated the legislative framework for EU credit institutions. These amendments, which primarily affect the Capital Requirements Directive 2013/49/EC (“CRD IV”), cover the following key topics, which are described in greater detail in the following sections:
- A new regulatory and supervisory framework for branches of third-country credit institutions established in Member States;
- Expansion of competent authorities’ powers to supervise acquisitions by credit institutions of a material holding in other entities, the material transfer of assets or liabilities and mergers or divisions of credit institutions;
- Introduction of a fit and proper framework to assess the suitability of individuals holding positions of responsibility in a credit institution;
- Expansion of the sanctioning powers available to competent authorities for breaches of the CRR-CRD IV regulatory framework;
- Measures to clarify the interaction between the withdrawal of credit institutions’ authorisations and determinations that credit institutions meet the conditions necessary for resolution;
- Measures intended to reinforce the need for ESG risks to be included consistently in credit institutions’ risk management systems and in supervision; and
- Reforms to the manner in which credit institutions make public disclosures including an increased role for the European Banking Authority (“EBA”) publishing disclosures for small and non-complex institutions.
A. Third-country branches
CRD VI has amended CRD IV to introduce minimum requirements for the prudential supervision of third-country branches (“TCBs”). A number of commentators have opined that these requirements are broader in scope and stricter than comparable regimes in other jurisdictions. Financial institutions should take care to analyse whether the relevant requirements apply to them and, if so, what compliance with these requirements entails.
An undertaking established in a third country that carries out activities in a Member State falls under the new TCB regime if either of the following two criteria is satisfied:
- The activities of the undertaking comprise the following systemically important investment activities:
  - Dealing on own account; and
  - Underwriting of financial instruments and/or placing of financial instruments on a firm commitment basis;

  and the assets of the undertaking or the assets of undertakings in its consolidated group exceed EUR 30 billion, where the total assets of each branch of the third-country group authorised in the EU are consolidated in the combined total assets of the undertakings at the group.
- The activities of the undertaking are any of (or a combination of) the following:
  a. Taking deposits and other repayable funds;
  b. Lending including, amongst other areas: consumer credit, credit agreements relating to immovable property, factoring, with or without recourse and financing of commercial transactions (including forfeiting);
  c. Financial leasing;
  d. Certain payment services;
  e. Issuing and administering other means of payment (e.g., travellers’ cheques and bankers’ drafts) (unless the undertaking is not a credit institution);
  f. Guarantees and commitments;
  g. Trading for own account or for account of customers in any of the following: money market instruments (cheques, bills, certificates of deposit, etc.); foreign exchange; financial futures and options; exchange and interest-rate instruments; or transferable securities;
  h. Participation in securities issues and the provision of services relating to such issues;
  i. Advice to undertakings on capital structure, industrial strategy and related questions and advice as well as services relating to mergers and the purchase of undertakings;
  j. Money broking;
  k. Portfolio management and advice;
  l. Safekeeping and administration of securities;
  m. Credit reference services;
  n. Safe custody services; or
  o. Issuing electronic money

  (with respect to c through o above, unless the undertaking is not a credit institution).
This new regime for third-country branches has quite broad application. Any undertaking established in a third country that carries out any of these activities in a Member State is now required to establish a TCB and seek authorisation under the CRD IV for that branch as a condition for permission to conduct banking activities in a Member State (as set out in new Art. 21c(1) and 48c(1), CRD IV). This requirement does not apply where third-country undertakings engage in the provision of banking services with clients and counterparts in a Member State through reverse solicitation of services (that is, where the relevant client or counterpart approaches the third-country undertaking to solicit the provision of the service) (according to new Art. 21c(2) and (3), CRD IV).
A TCB may only conduct authorised activities in the Member State in which it is established. It is not permitted to offer or conduct those activities in other Member States on a cross-border basis (new Art. 48c(4)(d), CRD IV).
The most salient new requirements for TCBs relate to the following four areas:
1. Authorisation
The establishment of TCBs is subject to an explicit authorisation procedure and minimum requirements, relating in particular to information arrangements with TCBs’ competent authorities. Competent authorities have the power to require a TCB established in their Member State to apply for authorisation as a credit institution where it engages in transactions or business with counterparts in other Member States in contravention of the internal market rules or poses risks to the financial stability of the relevant Member State or the EU.
If a TCB has assets on its books in an amount equal to or higher than EUR 30 billion, competent authorities must assess regularly whether it poses a level of risk to the financial stability of the Member State and the EU that is analogous to systemically important EU credit institutions. Competent authorities may require a systemically important TCB to apply for authorisation as a subsidiary institution under the CRD IV to continue conducting banking activities in the Member State, and may also require such a TCB to restructure its operations or impose additional requirements on it.
TCBs previously operating in the EU need to be reauthorised under the new framework. A transitional period of 12 months following the transposition date of the CRD VI Directive applies, to allow time for these branches to re-establish and become duly authorised.
2. Minimum regulatory requirements
TCBs are required to:
- maintain a minimum capital endowment, calculated as a percentage of the branch’s liabilities for larger and riskier TCBs (class 1) or a fixed amount for smaller TCBs (class 2);
- comply with a liquidity requirement;
- comply with internal governance and risk control requirements; and
- implement booking arrangements in order to track the assets and liabilities linked to the business conducted by the TCB in the Member State.3
3. Reporting requirements
TCBs must report regularly to their competent authorities information on their compliance with their regulatory requirements and provide to these competent authorities financial information concerning the assets and liabilities on their books.
4. Supervision
Competent authorities must conduct regular reviews of a TCB’s compliance with its regulatory requirements and take supervisory measures to ensure or, if necessary, restore compliance with those requirements.
B. Supervisory powers
The supervisory powers available to competent authorities are expanded by CRD IV to cover the following transaction types:
- Acquisitions by a credit institution of a material holding in a financial or non-financial entity;
- The material transfer of assets or liabilities; and
- Mergers or divisions.
These powers are similar to the powers that have previously applied concerning the acquisition or disposal of qualifying holdings. These supervisory powers are intended to ensure that competent authorities are notified in advance, have at their disposal all necessary information to perform a prudential assessment of these transactions, and can ultimately oppose their completion if deemed to be detrimental to the prudential profile of the credit institutions undertaking them.
C. Fit and proper framework
Prior to these amendments, the CRD did not contain provisions requiring competent authorities to assess the suitability of individuals in credit institutions holding positions of responsibility, apart from certain provisions on the role of competent authorities in the assessment of the suitability of members of management bodies.
New provisions introduced through CRD VI require:
- Credit institutions and certain companies in their groups to assess the suitability of their management board members;
- Competent authorities to assess the suitability of these management board members. Such assessment will ordinarily be carried out before the relevant individuals undertake their new roles, except in emergency situations;
- Credit institutions and certain group companies to assess the suitability of key function holders based on specified criteria. Key function holders are defined as “persons who have significant influence over the direction of the institution but are not members of the management body, including the heads of internal control functions and the chief financial officer, where those heads or that officer are not members of the management body”; and
- Competent authorities to assess the suitability of the heads of internal control functions and chief financial officers based on specified criteria. This will ordinarily be carried out before the relevant individuals undertake their new roles, except in emergency situations.
The CRD VI Directive also amends the Bank Recovery and Resolution Directive (2014/59/EU) to provide how the fit and proper framework applies to new members of the management body or senior management where a competent authority uses its early supervisory intervention powers.
D. Sanctions
As part of an overhaul of administrative sanction provisions, the CRD VI:
- Introduces periodic penalty payments as a new enforcement tool. These are daily penalties aimed at ending ongoing breaches and compelling legal or natural persons to return to compliance with their obligations under the CRD IV and the CRR. Competent authorities may impose periodic penalty payments and administrative penalties for the same breach;
- Expands the list of sanctionable breaches to encompass breaches of certain prudential requirements; and
- Requires competent authorities and judicial authorities to co-operate in the context of penalties applicable to cross-border cases or in the case of accumulation of criminal and administrative proceedings and penalties concerning the same breach.
E. Resolution conditions and withdrawal of authorisation
Resolution powers can only be used in relation to a credit institution if all of the following resolution conditions are met:
- The failure condition, where the credit institution is determined to be failing or likely to fail;
- The no alternative condition, where there is no reasonable prospect that any solution, other than a resolution action taken in respect of the credit institution, would prevent the failure of the credit institution within a reasonable timeframe; and
- The public interest condition, where intervention through resolution action is necessary in the public interest.
Under this set of amendments, if the first two conditions are met but the third is not, the competent authority may withdraw the credit institution’s banking authorisation. This change follows recent cases highlighting problems with alignment between the resolution conditions (particularly the first one) and the withdrawal of licences under the CRD IV.
F. ESG Risks
The need for ESG risks to be included consistently in credit institutions’ risk management systems and in supervision features prominently in amendments to both the CRR and CRD.
The most salient CRR revisions relating to ESG risk are the following:
- New, harmonised definitions of the different types of ESG risks;
- New requirements for credit institutions to report their exposure to ESG risks to their competent authorities;
- Extended requirements relating to the disclosure of ESG risks; and
- The deadline for the EBA to deliver its report on the prudential treatment of exposures to ESG risk has, in parts, been pushed forwards from 2025 to the date of entry into force.4
The most salient CRD revisions relating to ESG risk are the following:
- Short, medium and long-term horizons of ESG risks must be included in credit institutions’ strategies and processes for evaluating internal capital needs as well as adequate internal governance;
- Management bodies are required to develop plans for the current and forward-looking impacts of ESG risks;
- Credit institutions must have robust strategies, policies, processes and systems for the identification, measurement, management and monitoring of ESG risks over the short, medium and long term. The EBA is also required to produce guidelines on the criteria for the assessment of ESG risks, including how they should be identified, measured, managed and monitored as well as how credit institutions should draw concrete plans to address and internally stress test resilience and long-term negative impacts to the ESG risks;
- In the supervisory review and evaluation process, competent authorities are required to assess the adequacy of credit institutions’ governance and risk management processes for dealing with ESG risks, as well as their exposure to these risks;
- The EBA, European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) are mandated to develop guidelines to ensure that consistency, long-term considerations and common standards for assessment methodologies are integrated into the stress testing of ESG risks; and
- Competent authorities are given powers to require credit institutions to reduce the risks arising from their misalignment with relevant EU policy objectives relating to ESG factors over the short, medium and long term, including through adjustments to their business models, governance strategies and risk management.
G. Disclosures
In parallel to changes required to reflect the implementation of the final Basel III standards, CRR III makes a number of amendments to the CRR’s provisions on disclosure that are intended to reduce the administrative costs related to disclosures and to facilitate access to information disclosed by credit institutions. These revisions include the following:
- Giving the EBA the power to centralise the publication of annual, semi-annual and quarterly institutions’ prudential disclosures by making prudential information readily available through a single electronic access point;
- Reducing the administrative burden related to disclosures for small and non-complex institutions insofar as the EBA will publish disclosures for small and non-complex institutions based on supervisory reporting information; and
- Requiring small and non-complex institutions, as well as other non-listed institutions, to disclose on an annual basis information on the amount and quality of performing, non-performing and forborne exposures for loans, debt securities and off-balance-sheet exposures, and information on past due exposures.
The CRD VI Directive, on the other hand, has been amended so as to give competent authorities the power to require credit institutions to submit information to the EBA within a deadline and to permit credit institutions to use specific media and locations other than the EBA website for the publication of relevant disclosures.
“
- The total value of the assets booked by the TCB in a member state is equal to or higher than EUR 5 billion.
- The TCB’s authorised activities include taking deposits and other repayable funds from retail customers, provided that the amount of such deposits and other repayable funds is equal to or higher than 5% of the total liabilities of the third country branch or the amount of such deposits and other repayable funds exceeds EUR 50 million.
- The TCB is not a qualifying TCB, which is one whose head office is established in a country that has in place a supervisory and regulatory framework for credit institutions and confidentiality requirements that have been assessed by the European Commission as equivalent to those in the EU and that is not listed as a high-risk third country that has strategic deficiencies in its regime for anti-money laundering and counter-terrorist financing.”
4 New definitions related to ESG risks (Article 4 of Regulation (EU) No 575/2013):
“(52d) ‘environmental, social and governance risk’ or ‘ESG risk’ means the risk of any negative financial impact on the institution stemming from the current or prospective impact of environmental, social or governance (ESG) factors on the institution’s counterparties or invested assets; ESG risks materialise through the traditional categories of financial risks;
(52e) ‘environmental risk’ means the risk of any negative financial impact on the institution stemming from the current or prospective impacts of environmental factors on the institution’s counterparties or invested assets, including factors related to the transition towards the objectives set out in Article 9 of Regulation (EU) 2020/852 of the European Parliament and of the Council; environmental risk includes both physical risk and transition risk.
(52f) ‘physical risk’, as part of the environmental risk, means the risk of any negative financial impact on the institution stemming from the current or prospective impacts of the physical effects of environmental factors on the institution’s counterparties or invested assets;
(52g) ‘transition risk’, as part of the environmental risk, means the risk of any negative financial impact on the institution stemming from the current or prospective impacts of the transition to an environmentally sustainable economy on the institution’s counterparties or invested assets;
(52h) ‘social risk’ means the risk of any negative financial impact on the institution stemming from the current or prospective impacts of social factors on its counterparties or invested assets;
(52i) ‘governance risk’ means the risk of any negative financial impact on the institution stemming from the current or prospective impacts of governance factors on the institution’s counterparties or invested assets;’;”