EU Capital Requirements Regime: Operational risk under CRR III

Background and sources

• Operational risk is defined as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events."
• In the context of operational risk, CRR III and CRD VI (the Banking Package) implement the new Basel standards by replacing Part Thr
• ee, Title III, of the CRR (new Articles 312 to 315; and Article 446 provide for the disclosure of operational risks).
• The BCBS has revised the international standard on operational risk "in order to address weaknesses that emerged in the wake of the 2008-2009 financial crisis. Besides the lack of risk-sensitivity in the standardised approaches, a lack of comparability arising from a wide range of internal modelling practices under the advanced measurement approaches (AMA) was identified."
• The EBA is to develop various Regulatory and Implementing Technical Standards (Article 314 (6), (7) and Article 315 (3) CRR) to specify, e.g. the components of the business indicator (as defined below) and its use by developing lists of typical sub-items, the items of the business indicator by mapping these items to the corresponding reporting lines and the way in which institutions shall determine the adjustment to the business indicator.

Key changes

Against this background, the most relevant change in law is the removal of the AMA as an internal approach for operational risk:

• In order to enhance the simplicity of the framework, all existing approaches for the calculation of the own funds requirements for operational risk were replaced by a single, non-model-based approach to be used by all institutions.
• Although the use of models, such as those developed under the AMA, is no longer possible under this new framework to determine own funds requirements, institutions will still have the discretion to use those models for the purpose of the internal capital adequacy assessment process (ICAAP).

From an overall capital perspective, an increase in banks' own funds is to be expected. The changes in operational risk (in addition to credit risk) are a key driver for the increase, due to the discontinuation of the internal approach in favour of a significantly less granular, single non-model-based method. According to the EBA, the weighted average increase in capital requirements after full CRR III implementation is expected to be a plus of 15 per cent across all banks.

Operational risk under the new Business Indicator Component (BIC) approach

• The calculation of capital requirements for operational risk is simplified. As part of the proposal, the current operational risk framework will be replaced by a new Standardised Approach for own funds requirement covering operational incidents.
• Under the Basel III final standards, the new methodology utilises an indicator based on an institution's business size (BIC) (Articles 313 to 315 CRR).
• The calculation formula is based on the profit and loss (P&L) components of the respective institution. The calculation of capital requirements for operational risk,
  therefore, mainly relies on the corresponding financial statements of banks.
• The institution-specific loss history should not be included in the capital adequacy requirements: An Internal Loss Multiplier (ILM) reflecting historical losses was not provided for in the Banking Package (therefore, ILM=1). This simplification is explicitly recognised in the Basel standard and aims to limit increases in capital requirements.
• The minimum own funds requirements for operational risk in the EU will be therefore be based solely on the BIC.
• However, institutions whose BIC exceeds the threshold of EUR 750 million will be asked to compute and disclose their yearly operational risk losses, unless they meet the specific criteria to obtain a waiver, and, therefore, make their loss history public as part of the disclosure requirements (even if the use of the ILM is not imposed per se, certain data collection and disclosure requirements remain under CRR III).
• The collected data will also be available for the Supervisory Review Evaluation Process (SREP).

Implementation timelines

The new rules will apply on and from 1 January 2025. While there are granularly increasing, multi-year transitional arrangements for the output floor in terms of credit risk, the CRR III does not provide for such a phase for the amendments in operational risk.

Overlap with DORA

Will there be an overlap between CRR III and DORA (please see our overview of the latter here; the latest developments can be accessed here; an expert interview with UK partner Bradley Rice can be found here)

• The Digital Operational Resilience Act (Regulation (EU) 2022/2554) (DORA) solves an important problem in EU financial regulatory system. Before DORA, financial institutions managed the main categories of operational risk mainly with the allocation of capital, but they did not manage all components of operational resilience. After DORA, they must also follow rules for protection, detection, containment, recovery and repair capabilities in connection with information and communication technology (ICT) related incidents.
• The scope of the CRR and DORA differ: While the CRR requires institutions to, at all times, have adequate own funds available, DORA explicitly refers to ICT risks and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. DORA acknowledges that ICT incidents and a lack of operational resilience have the ability to jeopardise the soundness of the entire financial system, even if there is "adequate" capital for the traditional risk categories.

There should therefore be no overlap between both regulations.