(1)

Institutions are only allowed to use internal models for market risk if they comply with the requirements laid down in Regulation (EU) No 575/2013. Institutions should not only comply with those requirements when they apply for permission to use those internal models, but also when they use those models, and when they apply for material extensions or changes to such internal models. It is therefore appropriate to lay down that competent authorities, when they verify whether institutions comply with those requirements, apply the same criteria and the same assessment methodology to each of those phases. However, for reasons of efficiency and to reduce administrative burdens, competent authorities, when assessing compliance by institutions that have already been granted permission to use such alternative internal models, should not be required to reassess such permission. They should rather only assess compliance with those rules that are relevant to the scope of the assessment concerned, and build, in each case, on the conclusions from previous assessments.

(2)

To ensure that institutions comply on a continuous basis with the requirements laid down in Regulation (EU) No 575/2013, competent authorities should evaluate the overall quality of the solutions, systems and approaches implemented by an institution, and request constant improvements and adaptations to changed circumstances.

(3)

To ensure harmonisation and comparability of supervisory practices across different jurisdictions, competent authorities’ assessment of whether institutions comply with the requirements laid down in Regulation (EU) No 575/2013 should comply with prescriptive assessment techniques. Competent authorities should, however, be able to take into account the nature, size and complexity of an institution’s structure and business model, the complexity of the alternative internal models, the nature of the financial products those models cover, the quality of information provided by the institution concerned, and the resources they have at their disposal. Competent authorities should therefore, when they assess whether an institution complies with the requirements laid down in Regulation (EU) No 575/2013, be granted a certain discretion, enabling them to carry out additional checks and to apply the most appropriate methods for verifying compliance with particular requirements. In addition, to enable competent authorities to conduct that assessment in a proportionate manner, and given the broad range of financial products available in trading activities, it is necessary to lay down categories of financial products of increasing level of complexity, on which competent authorities should base their assessment.

(4)

To ensure sufficient in-house understanding of the alternative internal model, including outsourced operations, it is necessary to lay down that, despite any outsourcing of some risk tools, IT systems, and risk management solutions, all key tasks, activities or functions related to the internal model are to be conducted by the risk control unit referred to in Article 325bi(1), point (b), of Regulation (EU) No 575/2013. For the same reasons, those rules should also require that the risk control unit implements adequate controls and performs quality and validation tests for any outsourced solution, that full documentation on those controls and test is available in all cases, and that competent authorities assess any tools and IT solutions obtained from third party vendors in a manner similar to cases where they have been fully developed via internal processes.

(5)

Governance and operational aspects play a central role in the proper functioning of the alternative internal model. The methodology to verify whether an institution complies with the requirements laid down in Regulation (EU) No 575/2013 (‘assessment methodology’) should therefore comprehensively assess those governance and operational aspects, including the trading desk set-up, the role of the senior management and the management body, the risk-control unit, and the independent review of the alternative internal model itself.

(6)

The assessment methodology relating to governance aspects should take into account that certain institutions that ask for permission to use the alternative internal model approach already obtained approval, before Regulation (EU) No 575/2013 was amended by Regulation (EU) 2019/876 of the European Parliament and of the Council (2), to use an internal model to calculate the own funds requirements for market risk. It is therefore necessary to lay down assessment rules that are similar to those laid down in the past for those aspects that were not amended by Regulation (EU) 2019/876, and to introduce new rules that cover new provisions introduced by that Regulation, including the trading desk requirements laid down in Article 104b of Regulation (EU) No 575/2013.

(7)

To enable competent authorities to assess compliance with the requirements for the validation and review of alternative internal models, institutions should perform the internal validation of the model at least annually. While initial validation should cover all methodologies applied throughout the internal model, it is appropriate to lay down, in consideration of staff and resources constraints, that the annual validation focuses on at least the main issues detected either in previous internal validations or previous internal audit reviews, and on any changes or new methodologies introduced in the alternative internal model.

(8)

Trading activities and financial markets are evolving constantly and rapidly. To enable competent authorities to take those characteristics into account when assessing whether institutions comply with the requirements laid down in Regulation (EU) No 575/2013, the assessment methodology should contain qualitative and procedural standards with regard to the formal approval by the institution of new financial instruments and products, and their introduction in the trading area. Standards for a formal new product approval policy are necessary to ensure that the introduction of new financial instruments and products, which may pose additional risk factors or require methodological changes to the internal risk measurement models, is fully compatible with the comprehensive control and validation.

(9)

The quality of data and the accuracy of risk estimation and of calculation of own funds requirements for market risk are highly dependent on the reliability of the IT systems used for that purpose. Equally, the continuity and consistency of the risk management processes and the calculation of own funds requirements for market risk can only be ensured where such IT systems are safe, secure, and reliable, and where the IT infrastructure is sufficiently robust. It is therefore necessary that, when assessing the market risk internal models, competent authorities also check the reliability of the institution’s IT systems and the robustness of the IT infrastructure used for the internal models.

(10)

One of the novelties of the new market risk framework laid down in Part Three, Title IV, Chapter 1b, of Regulation (EU) No 575/2013 is the determination of own funds requirements on the basis of expected shortfall measures. It is necessary to ensure that institutions actively monitor the accuracy of those figures. It is therefore appropriate to require institutions to directly back-test their expected shortfall measures as part of the internal back-testing programme required by Article 325bj of Regulation (EU) No 575/2013. As there is not yet an established methodology among market participants for back-testing an expected shortfall measure, no specific methodology should be prescribed, and institutions should be left free to take into account the evolution of new techniques and best practices in that regard, in line with the qualitative requirements set out in Article 325bi of that Regulation.

(11)

Internal-risk measurement models can only considered to be implemented with integrity, as referred to in Article 325bi(1) of Regulation (EU) No 575/2013, where all regulatory requirements are met. In addition, several building blocks of the Basel reforms in the area of market risk have been implemented in Union law by means of delegated acts, inter alia, Commission Delegated Regulation (EU) 2022/2058 (3), Commission Delegated Regulation (EU) 2022/2059 (4), Commission Delegated Regulation (EU) 2022/2060 (5), Commission Delegated Regulation (EU) 2023/1577 (6), Commission Delegated Regulation (EU) 2023/1578 (7) and Commission Delegated Regulation (EU) 2024/397 (8). It follows that competent authorities should consider whether institutions comply with the requirements laid down Regulation (EU) No 575/2013, taking into account those delegated acts. To ensure a comprehensive assessment of compliance of market risk internal models, it is necessary to specify techniques for competent authorities to assess institutions’ compliance with aspects covered both by the Regulation (EU) No 575/2013 and by those delegated regulations. For that reason, competent authorities should examine specific documentation that institutions are required to produce.

(12)

The back-testing and the profit and loss attribution requirements provide a solid basis for a critical monitoring of the performance of the internal-risk measurement model. It is therefore necessary to lay down assessment rules to consider the results of those tests. In relation to back-testing, it should be ensured that overshootings are critically analysed to identify potential weaknesses in the model, and that institutions monitor whether the changes in the portfolios’ values are driven by modellable or by non-modellable risk factors. Furthermore, in light of the profit and loss attribution test results, competent authorities should assess the accuracy of the pricing functions employed by the institution, as their accuracy is essential for a sound calculation of the own funds requirements.

(13)

In order to ensure the consistent application of the requirements laid down in Article 325bh of Regulation (EU) No 575/2013, it is necessary to further specify those requirements. Whether institutions comply with those requirements should be assessed on the basis of the broad risk factor categories referred to in Table 2 of Article 325bd of Regulation (EU) No 575/2013. It is therefore necessary, for each of those categories, to lay down how competent authorities are to assess whether basis risk is captured, and whether the treatment of curves and surfaces in the internal risk-measurement model is sound.

(14)

Due to the fast changing and evolving nature of financial markets, unreliable, inaccurate, incomplete, or outdated data result in errors in the risk estimation and in the calculation of own funds requirements, including in market risk models. In the context of risk management processes of an institution, such erroneous data may also lead to poor management decisions. Consequently, to ensure the reliability and high quality of data and their proper use in the internal processes and the processes for the calculation of own funds requirements, the way data are collected and stored and the procedures for such collecting and storing should be well documented, including a full description of the characteristics, quality checks, automatic filters, and specific sources of daily data. Competent authorities, when they assess market risk internal models, should therefore give particular attention to the quality and reliability of the data used for modelling purposes, and to the processes applied to ensure that such quality and reliability are maintained.

(15)

To ensure a correct calculation of the own funds requirements, competent authorities, when they assess the overall quality of the data, should assess whether the approach employed by the institution to proxy time series is sound. The assessment methodology should therefore verify that the requirements set out in Regulation (EU) No 575/2013 governing the usage of proxies are complied with. Where relevant, the rules laid down in that assessment methodology should differ depending on whether the time series for which a proxy has been used relates to a risk factor that passed the modellability assessment, or to a risk factor that did not.

(16)

In relation to the internal default risk model, and more in particular Articles 325bn, 325bo, 325bp of Regulation (EU) No 575/2013, it is necessary that the assessment methodology ensures that those risk models lead to accurate results. The rules laid down in the assessment methodology should therefore cover all aspects affecting the outcome of those models, including the scope of the positions captured by those models, the estimates of default probabilities and losses given default, the choice of systematic risk factors to simulate the default of issuers, and all modelling assumptions made by the institution, including any copula assumption made for simulating the default of multiple issuers.

(17)

Risks stemming from climate change and broader environmental issues are changing the risk picture for the financial sector and are expected to become even more prominent. Considering the importance of those risk drivers, competent authorities should verify that institutions consider those risk drivers in their stress testing programmes referred to in Article 325bi(1), point (g), Regulation (EU) No 575/2013. In that context, institutions have already taken steps to include environmental risks in their stress testing programmes. However, to ensure that institutions have sufficient time to fully reflect those risks in their stress testing programmes, competent authorities should assess compliance of institutions with any requirements related to climate change and broader environmental related aspects only as of 1 January 2025. Similarly, in light of the complexity of the implementation of the expected shortfall direct backtesting, institutions should be given an additional period before competent authorities assess their compliance in this area. Hence, the related date of application of the assessment should be set to start as of 1 January 2026.

(18)

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Banking Authority.

(19)

The European Banking Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (9),