Article 323
Operational risk management framework
1.
The competent authorities shall permit institutions to recognise the impact of insurance subject to the conditions set out in paragraphs 2 to 5 and other risk transfer mechanisms where the institution can demonstrate that a noticeable risk mitigating effect is achieved.
2.
EBA shall develop draft regulatory technical standards to specify the obligations under paragraph 1, points (a) to (h), taking into consideration the size and complexity of the institution.
EBA shall submit those draft regulatory technical standards to the Commission by 10 January 2027.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
3.
The insurance and the institutions' insurance framework shall meet all the following conditions:
(a)
the insurance policy has an initial term of no less than one year. For policies with a residual term of less than one year, an institution shall make appropriate haircuts reflecting the declining residual term of the policy, up to a full 100 % haircut for policies with a residual term of 90 days or less;
(b)
the insurance policy has a minimum notice period for cancellation of the contract of 90 days;
(c)
the insurance policy has no exclusions or limitations triggered by supervisory actions or, in the case of a failed institution, that preclude the institution's receiver or liquidator from recovering the damages suffered or expenses incurred by the institution, except in respect of events occurring after the initiation of receivership or liquidation proceedings in respect of the institution. However, the insurance policy may exclude any fine, penalty, or punitive damages resulting from actions by the competent authorities;
(d)
the risk mitigation calculations shall reflect the insurance coverage in a manner that is transparent in its relationship to, and consistent with, the actual likelihood and impact of loss used in the overall determination of operational risk capital;
(e)
the insurance is provided by a third party entity. In the case of insurance through captives and affiliates, the exposure has to be laid off to an independent third party entity that meets the eligibility criteria set out in paragraph 2;
(f)
the framework for recognising insurance is well reasoned and documented.
4.
The methodology for recognising insurance shall capture all the following elements through discounts or haircuts in the amount of insurance recognition:
(a)
the residual term of the insurance policy, where less than one year;
(b)
the policy's cancellation terms, where less than one year;
(c)
the uncertainty of payment as well as mismatches in coverage of insurance policies.
5.
The reduction in own funds requirements from the recognition of insurances and other risk transfer mechanisms shall not exceed 20 % of the own funds requirement for operational risk before the recognition of risk mitigation techniques.