(1)

The requirement in Regulation (EU) No 575/2013 that competent authorities assess the compliance of an institution with the requirements to use the Internal Ratings Based (IRB) Approach relates to all of the requirements for the use of the IRB Approach, irrespective of their degree of materiality, and concerns compliance with the requirements at all times. As a result, that requirement does not only relate to the assessment of the initial application of an institution for the permission to use the rating systems for the purpose of the calculation of own funds requirements, but also to: the assessment of any additional applications of an institution for the permission to use the rating systems implemented according to the institution’s approved plan of sequential implementation of the IRB Approach; the assessment of the application for material changes to the internal approaches that the institution has received permission to use in accordance with Article 143(3) of that Regulation and Commission Delegated Regulation (EU) No 529/2014 (2); changes to the IRB Approach that require notification in accordance with Article 143(4) of Regulation (EU) No 575/2013 and Delegated Regulation (EU) No 529/2014; the ongoing review of the IRB Approach that the institution has received permission to use in accordance with Article 101(1) of Directive 2013/36/EU of the European Parliament and of the Council (3); the assessment of applications for permission to return to the use of less sophisticated approaches in accordance with Article 149 of Regulation (EU) No 575/2013. Competent authorities should apply the same criteria to all of these particular aspects of the assessment of compliance with the requirements to use the IRB Approach. The rules that set out that assessment methodology should therefore apply to all of those cases, in order to ensure harmonisation of assessment methodologies by competent authorities and avoid the risk of regulatory arbitrage.

(2)

The assessment methodology should consist in methods to be used by the competent authorities, either as optional or mandatory, and provide for criteria that are subject to the verification by the competent authorities.

(3)

In order to ensure a consistent assessment of compliance with the requirements to be fulfilled for using the IRB Approach throughout the Union, it is necessary that competent authorities apply the same methods for that assessment. As a result, it is necessary to lay down a set of methods to be applied by all competent authorities. However, given the nature of the model assessment and the diversity and particularities of the models, competent authorities should also apply their supervisory discretion in the application of those methods with regard to the specific models under examination. The assessment methodology in this Regulation should specify the minimum criteria for competent authorities to verify compliance with the requirements to use the IRB Approach and lay down an obligation for the competent authorities to verify any other relevant criteria necessary for that purpose. Furthermore, in certain cases where the competent authority has carried out recent assessments for similar rating systems in the same class of exposures, it is appropriate to allow use of the results of such assessments, rather than the competent authority having to repeat them, if the competent authority after applying its discretion finds that those remain materially unchanged. This should avoid complexity, unnecessary burdens and duplication of work.

(4)

Where the competent authorities are to assess the compliance of an institution with the requirements to use the IRB Approach for other purposes than the initial application for permission, competent authorities should only apply those rules that are relevant to the scope of the assessment for those other purposes and should in each case use the conclusions from the previous assessments as the starting point.

(5)

Where the assessment relates to applications for the permissions referred to in Article 20(1)(a) of Regulation (EU) No 575/2013, the implementing technical standards referred to in paragraph 8 of that Article in relation to the joint decision process apply.

(6)

Competent authorities are required to verify compliance of institutions with the specific regulatory requirements for the use of the IRB Approach, as well as evaluate the overall quality of the solutions, systems and approaches implemented by an institution, and request constant improvements and adaptations to changed circumstances in order to achieve continuous compliance with those requirements. Such an assessment requires, to a large extent, that the competent authorities exercise their discretion. Rules for the assessment methodology should, on the one hand, allow the competent authorities to exercise their discretion by carrying out additional checks to those specified in this Regulation, as necessary, and should, on the other hand, ensure harmonisation and comparability of supervisory practices across different jurisdictions. For the same reasons, competent authorities should have the necessary flexibility to apply the most appropriate optional method or any other method necessary for verifying particular requirements, having regard, among others, to the materiality of the types of exposures covered by each rating system, the complexity of the models, the particularities of the situation, the specific solution implemented by the institution, the quality of evidence provided by the institution, the resources available to the competent authorities themselves. Furthermore, for the same reasons competent authorities should be able to carry out additional tests and verifications necessary in case of doubts regarding the fulfilment of the requirements of the IRB Approach in accordance with the principle of proportionality, having regard to the nature, size and complexity of an institution’s business and structure.

(7)

In order to ensure consistency and comprehensiveness of the assessment of the overall IRB Approach, in the case of subsequent requests for permission on the basis of the approved sequential implementation plan of an institution, competent authorities should base their assessment at least on the rules on the use and experience test, assignment to grades or pools, rating systems and risk quantification, as these aspects of the assessment relate to every individual rating system of the IRB Approach.

(8)

In order to assess the adequacy of the application of the IRB Approach all rating systems and related processes should be verified where an institution has delegated tasks, activities or functions relating to the design, implementation and validation of rating systems to a third party or has obtained a rating system or pooled data from a third party vendor. In particular, it should be verified that adequate controls have been implemented at the institution and that full documentation is available. Furthermore, as the management body of the institution is ultimately responsible for the delegated processes and the performance of rating systems obtained from a third party vendor, it should be verified that the institution should has sufficient in-house understanding of the delegated processes and purchased rating systems. All tasks, activities and functions that have been delegated and the rating systems obtained from the third party vendors should therefore be assessed by the competent authorities in a manner similar to where the IRB Approach has been developed fully via internal processes of the institution.

(9)

In order to prevent the institutions from only partially completing the sequential implementation of the IRB Approach for an extended period of time, the competent authorities should verify the appropriateness of the time limit for the implementation of the so-called ‘roll-out plan’, compliance with this deadline and the necessity of changes to the roll-out plan. It should be verified that all exposures covered by the roll-out plan have a defined and reasonable maximum timeframe for implementation of the IRB Approach.

(10)

It is important to assess the robustness of the validation function and so the independence from the credit risk control unit, the completeness, frequency and adequacy of the methods and procedures and the soundness of the reporting process in order to verify that an objective assessment of the rating systems takes place and that there is a limited incentive to disguise the model deficiencies and weaknesses. When verifying whether an adequate level of independence of the validation function is in place, the competent authorities should take into account the size and complexity of the institution.

(11)

As the rating systems are the core of the IRB Approach, and their quality may impact significantly the level of own funds requirements, the performance of the rating systems should be regularly reviewed. Given that estimates of risk parameters have to be subject to review at least annually and that rating systems should be regularly assessed by competent authorities and by the internal audit function, and given that, in order for this task to be performed, input from the validation function is necessary, it is appropriate to verify that the validation of the performance of the rating systems covering material portfolios and back-testing of all other rating systems is performed at least annually.

(12)

All areas of the IRB Approach are to be effectively covered by internal audits. Nevertheless, it should be verified that the internal audit resources are used efficiently with focus on the most risky areas. Some flexibility is important particularly in the case of institutions that use numerous rating systems. As a consequence, competent authorities should verify that annual reviews are performed in order to determine areas that require more thorough reviews during the year.

(13)

In order to ensure a minimum level of harmonisation in relation to the scope of use of the rating systems (the so-called ‘use test’), competent authorities should verify that the rating systems are incorporated in the relevant processes of the institution within the broader processes of risk management, credit approval and decision-making processes, internal capital allocation, and corporate governance functions. These are basic areas where internal processes require the use of risk parameters, therefore if there are differences between the risk parameters used in those areas and those used for the purpose of the calculation of own funds requirements, it should be verified that they are justified.

(14)

In relation to experience test requirements, while assessing whether the rating systems used by the institution prior to the application to use the IRB Approach were ‘broadly in line’ with the IRB requirements, competent authorities should verify in particular that during at least three years before the use of the IRB Approach, the rating system has been used in the internal risk measurement and management processes of the institution and that it has been subject to monitoring, internal validation and internal audit. Such specification of the assessment methodology is necessary to ensure a minimum level of harmonisation. Competent authorities should verify that rating systems have been implemented in at least the most basic areas of use to ensure that the rating systems have been effectively used by the institution and that both the personnel and the management are accustomed to those parameters and understand well their meaning and weaknesses. Finally, monitoring, validation and internal audit during the experience period should show that the rating systems were compliant with the basic requirements of the IRB Approach and that they were gradually improved during that time.

(15)

Independence of the process of assignment of exposures to grades or pools is required for non-retail exposures because the application of human judgement is typically necessary in the process. In the case of retail exposures the assignment process is usually fully automatic, based on objective information about the obligor and his transactions. The correctness of the assignment process is ensured by proper implementation of the rating system in the institution’s IT systems and procedures. Nevertheless if overrides are allowed, human judgement has to be applied in the rating process. As a result, and given that those responsible for origination or renewal of exposures are typically inclined to assign better ratings in order to increase sales and volumes of credits, where overrides are used, including in the case of retail exposures, it should be verified that the assignment has been approved by an individual or by a committee independent from the persons responsible for the origination or renewal of exposures.

(16)

Where ratings are older than 12 months or where the review of the assignment has not been performed in due time according to the institution’s policy, the competent authorities should verify that conservative adjustments have been performed in terms of the risk-weighted assets calculation. The reasons for that are multiple. If the rating is outdated or based on outdated information the risk assessment might not be accurate. In particular, if the situation of the obligor has deteriorated during the last 12 months it is not reflected in the rating, and the risk is underestimated. In addition, according to the general rule relating to the estimation of the risk parameters, where the estimation of risk parameters is based on insufficient data or assumptions, a wider margin of conservatism should be adopted. The same rule should apply to the process of assignment of exposures to grades or pools, i.e. where insufficient information has been taken into account in the assignment process, additional conservatism should be adopted in the calculation of risk weights. The method of applying additional conservatism in the calculation of risk weights should not be specified as the institution may adjust either the rating, the risk parameter estimation or the risk weight directly. The adjustment should be proportional to the length of the period during which the rating or the information underlying the rating is out-of-date.

(17)

The institutions are required to document the specific definitions of default and loss used internally and ensure consistency with the definitions set out in Regulation (EU) No 575/2013. When assessing this consistency, the competent authorities should verify that institutions have clear policies that specify when an obligor or facility is classified as being in default. These policies need to be consistent with the general principles regarding the identification of default. The EBA has adopted Guidelines on the application of the definition of default under Article 178 of Regulation (EU) No 575/2013. These policies should also be embedded into the institutions’ risk management processes and systems since Regulation (EU) No 575/2013 requires in particular that internal ratings, i.e. including the assignment to a default rating grade, play an essential role in the risk management and other internal processes of an institution, which should also be the subject of verification by the competent authorities.

(18)

The information on the performance of an obligor and on the exposures in default and those not in-default, is the basis for the institution’s internal processes, for the quantification of risk parameters and for the calculation of own funds requirements. Therefore, not only the identification of defaulted obligors but also the process of reclassification of defaulted obligors to non-defaulted status need to be robust and effective. The competent authorities should verify that the prudent reclassification process ensures that obligors are not reclassified to a non-defaulted status where the institution expects that the exposure will probably return to default in a short period of time.

(19)

In order to provide competent authorities with a consistent and accurate overview of the rating systems that the institution has been using as well as the improvement of the rating systems over time, it is necessary for competent authorities to assess the completeness of the register of the current and historical versions of rating systems used by the institution (‘register of rating systems’). Having regard to the fact that the requirements of the experience test relate to the preceding three years from the time of consideration of an application for approval of an internal model, and that the competent authorities are to carry out an overall review of the internal model on a regular basis, and at least every three years, it is appropriate for competent authorities to verify that such a register of rating systems covers at least the versions of the internal models used by the institution over the three preceding years.

(20)

Human judgement is applied at various stages of the development and use of rating systems. Reasonable application of human judgement can increase the quality of the model and the accuracy of its predictions. Nevertheless, since human judgement changes the estimates based on prior experience in a subjective manner, the application of human judgement should be subject to control. The competent authorities should therefore verify that the application of human judgement is justified by its positive contribution to the accuracy of predictions. Thus, a large number of overrides of the results of the model might indicate that some important information is not included in the rating system. Therefore, competent authorities should verify that the number of overrides and their justification are regularly analysed by the institutions and that any detected weaknesses of the model are adequately addressed in the model review.

(21)

In all cases, the competent authorities should assess whether the institution has adopted sufficient margin of conservatism in their estimates of risk parameters. This margin of conservatism should take into account any identified deficiencies in data or methods used in the risk quantification and increased uncertainty that might result for example from the changes in the lending or recovery policies. Where an institution ceases to comply with the requirements for the IRB Approach, the competent authorities should verify whether it fulfils the requirement that the rating systems are corrected in a timely manner. The application of the margin of conservatism should not be used as an alternative to correcting the models and ensuring their full compliance with the requirements of Regulation (EU) No 575/2013.

(22)

With regard to risk quantification, it is desirable that the PD estimates are relatively stable over time in order to avoid the excessive cyclicality of own funds requirements. Competent authorities should verify that the PD estimates are based on the long-run average of yearly default rates. In addition, as the own funds should help institutions survive in a time of stress, the risk estimates should take into account the possible deterioration in the economic conditions even in the times of prosperity. Finally, whenever there is an increased uncertainty that results from insufficient data, competent authorities should verify that an additional margin of conservatism has been adopted. If the length of available time series does not encompass the expected variability of default rates, appropriate methods should be adopted to account for the missing data.

(23)

The LGD estimation is based on the average realised LGDs weighted by the number of defaults. If the exposure value is a relevant risk driver, it should be considered among other potential risk drivers for the segregation or risk differentiation of LGD in order to ensure that the parameter is calculated for homogenous pools or facility grades. Competent authorities should verify that this approach is adequately applied, as it ensures consistency with the calculation of the PD parameter and a meaningful application of the risk weight formula. Regulation (EU) No 575/2013 distinguishes the method of estimating LGD for individual exposures for the purpose of risk-weighted exposure amounts from the average of LGD estimates calculated at the portfolio level. Differently from the individual LGD estimation, the LGD floor for retail exposures secured by immovable property, applied at the overall portfolio level, is defined as an exposure-weighted average LGD. In order to ensure adequate levels of risk parameters for exposures secured by immovable property competent authorities should verify that the LGD floors are applied correctly.

(24)

Defaulted exposures that, after the return to non-defaulted status, are reclassified as defaulted within a short period of time should be treated as defaulted from the first moment when the default occurred, as the temporary reclassification to non-defaulted status is most likely performed on the basis of incomplete information about the real situation of the obligor. As a result, the treatment of multiple defaults as a single default better represents the real default experience. Competent authorities should therefore verify that in the estimation of risk parameters multiple defaults of the same obligor within a short period of time are treated as a single default. Furthermore, the treatment of multiple defaults by the same obligor as separate defaults might lead to significant errors in risk parameter estimates, because higher default rates would lead to higher PD estimates. On the other hand the LGD would be underestimated, because the first defaults by the obligor would be treated as cure cases with no loss related to them, whereas the institution did suffer a loss. Additionally, due to the link between PD and LGD estimates and in order to ensure realistic estimation of expected loss, the treatment of multiple defaults should be consistent for the purpose of PD and LGD estimation.

(25)

The scope of information available to the institution with regard to defaulted exposures is significantly different from that regarding performing exposures. In particular, two additional risk drivers are available for the defaulted exposures, namely the time in-default and realised recoveries. Therefore, the estimation of LGD carried out before the default is not sufficient, because the risk estimates should take into account all significant risk drivers. Additionally, for defaulted exposures it is already known what the economic conditions were at the moment of default. Furthermore, LGD for defaulted exposures should reflect the sum of expected loss under current economic circumstances and possible unexpected loss that might occur during the recovery period. Therefore, competent authorities should verify that the LGD for defaulted exposures (‘LGD in-default’) is estimated either directly or as a sum of best estimate of expected loss (‘ELBE’) and an add-on that captures the unexpected loss that might occur during the recovery period. Irrespective of the approach applied the estimation of the LGD in-default should take into account the information on the time in-default and recoveries realised until the time of estimation and consider a possible adverse change in economic conditions during the expected length of the recovery process.

(26)

In the case of institutions using own-LGD estimates internal requirements for collateral management should be generally consistent with the requirements of Section 3, Chapter 4, Title II in Part three of Regulation (EU) No 575/2013. Competent authorities should focus on the requirements of collateral valuation and legal certainty because it is important to ensure regular and reliable valuation of collateral, and that the valuation reflects the real market value under current market conditions. The frequency and character of revaluation should be adjusted to the type of collateral, as outdated or inaccurate evaluation might lead to the underestimation of risk relating to the credit exposures. It is also crucial to ensure that the collateral is legally effective and enforceable in all relevant jurisdictions. In the contrary case, the exposure should be treated as unsecured; if such collateral is recognised in the risk quantification, it may lead to the underestimation of risk.

(27)

Competent authorities should verify that for the purpose of the advanced IRB Approach, i.e. where own-LGD estimates are used, guarantors are considered eligible where they are rated using a rating system approved under the IRB Approach; other guarantors may also be eligible, provided that they are classified as an institution, a central government or central bank, or a corporate entity that has a credit assessment by an ECAI, and the guarantee meets the requirements set out in Section 3, Chapter 4, Title II in Part Three of Regulation (EU) No 575/2013, which are also applicable for the Standardised Approach.

(28)

In the assessment of the process of assignment of exposures to exposure classes, specific requirements should be laid down for the verification by the competent authorities for the assignment of exposures to retail exposures because of their preferential treatment in terms of risk-weighted exposure amounts calculation. Some exposure classes are defined on the basis of the characteristics of the transaction and others on the basis of the type of obligor; as a result, there may be exposures that fulfil the criteria of more than one exposure class. Competent authorities should therefore verify that the institution applies the correct sequencing of classification in order to ensure a consistent and unequivocal assignment of exposures to exposure classes.

(29)

The competent authorities should verify that the results of the stress tests are taken into account in the risk and capital management processes, because the integration of the stress tests results in the decision-making processes ensures that the scenarios and their impact on own funds requirements are developed and performed in a meaningful manner and that forward-looking aspects of own funds requirements are taken into account in the management of the institution.

(30)

Institutions that use own-LGD and own conversion factors estimates should calculate effective maturity of the exposures under the IRB Approach for the purpose of the calculation of own funds requirements. In the case of revolving exposures, an institution is at risk for a longer period than the repayment date of the current drawing, given that the borrower may redraw additional amounts. Therefore, competent authorities should verify that the calculation of effective maturity of revolving exposures is based on the expiry date of the facility.

(31)

The calculation of the difference between expected loss amounts on the one hand and credit risk adjustments, additional value adjustments and other own funds reductions on the other hand (‘IRB shortfall‘) should be performed on an aggregate level separately for the portfolio of defaulted exposures and the portfolio of exposures that are not in default. The separation between defaulted and non-defaulted exposures is necessary in order to ensure that the negative amounts resulting from the calculation performed for the defaulted portfolio are not used to offset the positive amounts resulting from the calculation performed for the portfolio of exposures that are not in default. Apart from that the overall calculation is in line with the general concept of own funds, according to which the own funds should be fully available to cover unexpected losses in case of insolvency of the institution. Since the amounts of credit risk adjustments, additional value adjustments and other own funds reductions included in the calculation of the IRB shortfall have already been deducted from own funds to cover the expected losses (‘EL’), their excess part on the total EL is fully available to cover losses identified on all defaulted exposures. Therefore, competent authorities should verify that the adjustments to own funds based on the IRB shortfall are calculated and applied correctly.

(32)

Unreliable, inaccurate, incomplete or outdated data may lead to errors in the risk estimation and in the calculation of own funds requirements. Furthermore, when used in the risk management processes of the institution such data may also lead to poor credit and management decisions. In order to ensure the reliability and a high quality of data the infrastructure and procedures relating to the collection and storing of data should be well documented and contain a full description of the characteristics and the sources of data in order to ensure their proper use in the internal processes and the processes for the calculation of own funds requirements. Hence competent authorities should verify the quality and documentation of data used in the process of estimation of risk parameters, in the assignment of exposures to grades or pools and in the calculation of own funds requirements.

(33)

The quality of data, the accuracy of risk estimation and the correctness of calculation of own funds requirements are highly dependent on the reliability of the IT systems used for the purpose of the IRB Approach. Furthermore, the continuity and consistency of the risk management processes and the calculation of own funds requirements can only be ensured when the IT systems used for those purposes are safe, secure and reliable and the IT infrastructure is sufficiently robust. It is therefore necessary that competent authorities also verify the reliability of the institution’s IT systems and the robustness of the IT infrastructure.

(34)

Competent authorities should verify that as far as possible non-overlapping observations of returns on equity exposures are used both for the development and validation of internal models for equity exposures. Non-overlapping observations ensure higher quality of predictions, given that all observations are assigned the same weight and the observations are not closely correlated to each other.

(35)

The use of the IRB Approach requires the approval of the competent authorities, and any material changes to that approach have to be approved. As a result, competent authorities should verify that the internal process of management and in particular the internal process of approving such changes ensure that only changes that are in accordance with Regulation (EU) No 575/2013 and Delegated Regulation (EU) No 529/2014 are implemented and, in that context, that the classification of changes is consistent in order to avoid any regulatory arbitrage.

(36)

The provisions of this Regulation are closely linked, since they all deal with aspects of the assessment methodology that competent authorities are to apply when assessing the compliance of an institution with the IRB Approach. To ensure coherence between those provisions, which should enter into force at the same time, and to facilitate a comprehensive view and compact access to them by persons subject to them, it is desirable to include all of the regulatory technical standards relating to the assessment methodology of the IRB Approach required by Regulation (EU) No 575/2013 in a single regulation.

(37)

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Banking Authority.

(38)

The European Banking Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the opinion of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (4),