Choose the experimental features you want to try

This document is an excerpt from the EUR-Lex website

Document 32022R0439

Commission Delegated Regulation (EU) 2022/439 of 20 October 2021 supplementing Regulation (EU) No 575/2013 of the European Parliament and of the Council with regard to regulatory technical standards for the specification of the assessment methodology competent authorities are to follow when assessing the compliance of credit institutions and investment firms with the requirements to use the Internal Ratings Based Approach (Text with EEA relevance)

C/2021/7470

OJ L 90, 18.3.2022, p. 1–66 (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document In force

ELI: http://data.europa.eu/eli/reg_del/2022/439/oj

18.3.2022   

EN

Official Journal of the European Union

L 90/1


COMMISSION DELEGATED REGULATION (EU) 2022/439

of 20 October 2021

supplementing Regulation (EU) No 575/2013 of the European Parliament and of the Council with regard to regulatory technical standards for the specification of the assessment methodology competent authorities are to follow when assessing the compliance of credit institutions and investment firms with the requirements to use the Internal Ratings Based Approach

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (1), and in particular the third subparagraph of Article 144(2), the third subparagraph of Article 173(3) and the third subparagraph of Article 180(3) thereof,

Whereas:

(1)

The requirement in Regulation (EU) No 575/2013 that competent authorities assess the compliance of an institution with the requirements to use the Internal Ratings Based (IRB) Approach relates to all of the requirements for the use of the IRB Approach, irrespective of their degree of materiality, and concerns compliance with the requirements at all times. As a result, that requirement does not only relate to the assessment of the initial application of an institution for the permission to use the rating systems for the purpose of the calculation of own funds requirements, but also to: the assessment of any additional applications of an institution for the permission to use the rating systems implemented according to the institution’s approved plan of sequential implementation of the IRB Approach; the assessment of the application for material changes to the internal approaches that the institution has received permission to use in accordance with Article 143(3) of that Regulation and Commission Delegated Regulation (EU) No 529/2014 (2); changes to the IRB Approach that require notification in accordance with Article 143(4) of Regulation (EU) No 575/2013 and Delegated Regulation (EU) No 529/2014; the ongoing review of the IRB Approach that the institution has received permission to use in accordance with Article 101(1) of Directive 2013/36/EU of the European Parliament and of the Council (3); the assessment of applications for permission to return to the use of less sophisticated approaches in accordance with Article 149 of Regulation (EU) No 575/2013. Competent authorities should apply the same criteria to all of these particular aspects of the assessment of compliance with the requirements to use the IRB Approach. The rules that set out that assessment methodology should therefore apply to all of those cases, in order to ensure harmonisation of assessment methodologies by competent authorities and avoid the risk of regulatory arbitrage.

(2)

The assessment methodology should consist in methods to be used by the competent authorities, either as optional or mandatory, and provide for criteria that are subject to the verification by the competent authorities.

(3)

In order to ensure a consistent assessment of compliance with the requirements to be fulfilled for using the IRB Approach throughout the Union, it is necessary that competent authorities apply the same methods for that assessment. As a result, it is necessary to lay down a set of methods to be applied by all competent authorities. However, given the nature of the model assessment and the diversity and particularities of the models, competent authorities should also apply their supervisory discretion in the application of those methods with regard to the specific models under examination. The assessment methodology in this Regulation should specify the minimum criteria for competent authorities to verify compliance with the requirements to use the IRB Approach and lay down an obligation for the competent authorities to verify any other relevant criteria necessary for that purpose. Furthermore, in certain cases where the competent authority has carried out recent assessments for similar rating systems in the same class of exposures, it is appropriate to allow use of the results of such assessments, rather than the competent authority having to repeat them, if the competent authority after applying its discretion finds that those remain materially unchanged. This should avoid complexity, unnecessary burdens and duplication of work.

(4)

Where the competent authorities are to assess the compliance of an institution with the requirements to use the IRB Approach for other purposes than the initial application for permission, competent authorities should only apply those rules that are relevant to the scope of the assessment for those other purposes and should in each case use the conclusions from the previous assessments as the starting point.

(5)

Where the assessment relates to applications for the permissions referred to in Article 20(1)(a) of Regulation (EU) No 575/2013, the implementing technical standards referred to in paragraph 8 of that Article in relation to the joint decision process apply.

(6)

Competent authorities are required to verify compliance of institutions with the specific regulatory requirements for the use of the IRB Approach, as well as evaluate the overall quality of the solutions, systems and approaches implemented by an institution, and request constant improvements and adaptations to changed circumstances in order to achieve continuous compliance with those requirements. Such an assessment requires, to a large extent, that the competent authorities exercise their discretion. Rules for the assessment methodology should, on the one hand, allow the competent authorities to exercise their discretion by carrying out additional checks to those specified in this Regulation, as necessary, and should, on the other hand, ensure harmonisation and comparability of supervisory practices across different jurisdictions. For the same reasons, competent authorities should have the necessary flexibility to apply the most appropriate optional method or any other method necessary for verifying particular requirements, having regard, among others, to the materiality of the types of exposures covered by each rating system, the complexity of the models, the particularities of the situation, the specific solution implemented by the institution, the quality of evidence provided by the institution, the resources available to the competent authorities themselves. Furthermore, for the same reasons competent authorities should be able to carry out additional tests and verifications necessary in case of doubts regarding the fulfilment of the requirements of the IRB Approach in accordance with the principle of proportionality, having regard to the nature, size and complexity of an institution’s business and structure.

(7)

In order to ensure consistency and comprehensiveness of the assessment of the overall IRB Approach, in the case of subsequent requests for permission on the basis of the approved sequential implementation plan of an institution, competent authorities should base their assessment at least on the rules on the use and experience test, assignment to grades or pools, rating systems and risk quantification, as these aspects of the assessment relate to every individual rating system of the IRB Approach.

(8)

In order to assess the adequacy of the application of the IRB Approach all rating systems and related processes should be verified where an institution has delegated tasks, activities or functions relating to the design, implementation and validation of rating systems to a third party or has obtained a rating system or pooled data from a third party vendor. In particular, it should be verified that adequate controls have been implemented at the institution and that full documentation is available. Furthermore, as the management body of the institution is ultimately responsible for the delegated processes and the performance of rating systems obtained from a third party vendor, it should be verified that the institution should has sufficient in-house understanding of the delegated processes and purchased rating systems. All tasks, activities and functions that have been delegated and the rating systems obtained from the third party vendors should therefore be assessed by the competent authorities in a manner similar to where the IRB Approach has been developed fully via internal processes of the institution.

(9)

In order to prevent the institutions from only partially completing the sequential implementation of the IRB Approach for an extended period of time, the competent authorities should verify the appropriateness of the time limit for the implementation of the so-called ‘roll-out plan’, compliance with this deadline and the necessity of changes to the roll-out plan. It should be verified that all exposures covered by the roll-out plan have a defined and reasonable maximum timeframe for implementation of the IRB Approach.

(10)

It is important to assess the robustness of the validation function and so the independence from the credit risk control unit, the completeness, frequency and adequacy of the methods and procedures and the soundness of the reporting process in order to verify that an objective assessment of the rating systems takes place and that there is a limited incentive to disguise the model deficiencies and weaknesses. When verifying whether an adequate level of independence of the validation function is in place, the competent authorities should take into account the size and complexity of the institution.

(11)

As the rating systems are the core of the IRB Approach, and their quality may impact significantly the level of own funds requirements, the performance of the rating systems should be regularly reviewed. Given that estimates of risk parameters have to be subject to review at least annually and that rating systems should be regularly assessed by competent authorities and by the internal audit function, and given that, in order for this task to be performed, input from the validation function is necessary, it is appropriate to verify that the validation of the performance of the rating systems covering material portfolios and back-testing of all other rating systems is performed at least annually.

(12)

All areas of the IRB Approach are to be effectively covered by internal audits. Nevertheless, it should be verified that the internal audit resources are used efficiently with focus on the most risky areas. Some flexibility is important particularly in the case of institutions that use numerous rating systems. As a consequence, competent authorities should verify that annual reviews are performed in order to determine areas that require more thorough reviews during the year.

(13)

In order to ensure a minimum level of harmonisation in relation to the scope of use of the rating systems (the so-called ‘use test’), competent authorities should verify that the rating systems are incorporated in the relevant processes of the institution within the broader processes of risk management, credit approval and decision-making processes, internal capital allocation, and corporate governance functions. These are basic areas where internal processes require the use of risk parameters, therefore if there are differences between the risk parameters used in those areas and those used for the purpose of the calculation of own funds requirements, it should be verified that they are justified.

(14)

In relation to experience test requirements, while assessing whether the rating systems used by the institution prior to the application to use the IRB Approach were ‘broadly in line’ with the IRB requirements, competent authorities should verify in particular that during at least three years before the use of the IRB Approach, the rating system has been used in the internal risk measurement and management processes of the institution and that it has been subject to monitoring, internal validation and internal audit. Such specification of the assessment methodology is necessary to ensure a minimum level of harmonisation. Competent authorities should verify that rating systems have been implemented in at least the most basic areas of use to ensure that the rating systems have been effectively used by the institution and that both the personnel and the management are accustomed to those parameters and understand well their meaning and weaknesses. Finally, monitoring, validation and internal audit during the experience period should show that the rating systems were compliant with the basic requirements of the IRB Approach and that they were gradually improved during that time.

(15)

Independence of the process of assignment of exposures to grades or pools is required for non-retail exposures because the application of human judgement is typically necessary in the process. In the case of retail exposures the assignment process is usually fully automatic, based on objective information about the obligor and his transactions. The correctness of the assignment process is ensured by proper implementation of the rating system in the institution’s IT systems and procedures. Nevertheless if overrides are allowed, human judgement has to be applied in the rating process. As a result, and given that those responsible for origination or renewal of exposures are typically inclined to assign better ratings in order to increase sales and volumes of credits, where overrides are used, including in the case of retail exposures, it should be verified that the assignment has been approved by an individual or by a committee independent from the persons responsible for the origination or renewal of exposures.

(16)

Where ratings are older than 12 months or where the review of the assignment has not been performed in due time according to the institution’s policy, the competent authorities should verify that conservative adjustments have been performed in terms of the risk-weighted assets calculation. The reasons for that are multiple. If the rating is outdated or based on outdated information the risk assessment might not be accurate. In particular, if the situation of the obligor has deteriorated during the last 12 months it is not reflected in the rating, and the risk is underestimated. In addition, according to the general rule relating to the estimation of the risk parameters, where the estimation of risk parameters is based on insufficient data or assumptions, a wider margin of conservatism should be adopted. The same rule should apply to the process of assignment of exposures to grades or pools, i.e. where insufficient information has been taken into account in the assignment process, additional conservatism should be adopted in the calculation of risk weights. The method of applying additional conservatism in the calculation of risk weights should not be specified as the institution may adjust either the rating, the risk parameter estimation or the risk weight directly. The adjustment should be proportional to the length of the period during which the rating or the information underlying the rating is out-of-date.

(17)

The institutions are required to document the specific definitions of default and loss used internally and ensure consistency with the definitions set out in Regulation (EU) No 575/2013. When assessing this consistency, the competent authorities should verify that institutions have clear policies that specify when an obligor or facility is classified as being in default. These policies need to be consistent with the general principles regarding the identification of default. The EBA has adopted Guidelines on the application of the definition of default under Article 178 of Regulation (EU) No 575/2013. These policies should also be embedded into the institutions’ risk management processes and systems since Regulation (EU) No 575/2013 requires in particular that internal ratings, i.e. including the assignment to a default rating grade, play an essential role in the risk management and other internal processes of an institution, which should also be the subject of verification by the competent authorities.

(18)

The information on the performance of an obligor and on the exposures in default and those not in-default, is the basis for the institution’s internal processes, for the quantification of risk parameters and for the calculation of own funds requirements. Therefore, not only the identification of defaulted obligors but also the process of reclassification of defaulted obligors to non-defaulted status need to be robust and effective. The competent authorities should verify that the prudent reclassification process ensures that obligors are not reclassified to a non-defaulted status where the institution expects that the exposure will probably return to default in a short period of time.

(19)

In order to provide competent authorities with a consistent and accurate overview of the rating systems that the institution has been using as well as the improvement of the rating systems over time, it is necessary for competent authorities to assess the completeness of the register of the current and historical versions of rating systems used by the institution (‘register of rating systems’). Having regard to the fact that the requirements of the experience test relate to the preceding three years from the time of consideration of an application for approval of an internal model, and that the competent authorities are to carry out an overall review of the internal model on a regular basis, and at least every three years, it is appropriate for competent authorities to verify that such a register of rating systems covers at least the versions of the internal models used by the institution over the three preceding years.

(20)

Human judgement is applied at various stages of the development and use of rating systems. Reasonable application of human judgement can increase the quality of the model and the accuracy of its predictions. Nevertheless, since human judgement changes the estimates based on prior experience in a subjective manner, the application of human judgement should be subject to control. The competent authorities should therefore verify that the application of human judgement is justified by its positive contribution to the accuracy of predictions. Thus, a large number of overrides of the results of the model might indicate that some important information is not included in the rating system. Therefore, competent authorities should verify that the number of overrides and their justification are regularly analysed by the institutions and that any detected weaknesses of the model are adequately addressed in the model review.

(21)

In all cases, the competent authorities should assess whether the institution has adopted sufficient margin of conservatism in their estimates of risk parameters. This margin of conservatism should take into account any identified deficiencies in data or methods used in the risk quantification and increased uncertainty that might result for example from the changes in the lending or recovery policies. Where an institution ceases to comply with the requirements for the IRB Approach, the competent authorities should verify whether it fulfils the requirement that the rating systems are corrected in a timely manner. The application of the margin of conservatism should not be used as an alternative to correcting the models and ensuring their full compliance with the requirements of Regulation (EU) No 575/2013.

(22)

With regard to risk quantification, it is desirable that the PD estimates are relatively stable over time in order to avoid the excessive cyclicality of own funds requirements. Competent authorities should verify that the PD estimates are based on the long-run average of yearly default rates. In addition, as the own funds should help institutions survive in a time of stress, the risk estimates should take into account the possible deterioration in the economic conditions even in the times of prosperity. Finally, whenever there is an increased uncertainty that results from insufficient data, competent authorities should verify that an additional margin of conservatism has been adopted. If the length of available time series does not encompass the expected variability of default rates, appropriate methods should be adopted to account for the missing data.

(23)

The LGD estimation is based on the average realised LGDs weighted by the number of defaults. If the exposure value is a relevant risk driver, it should be considered among other potential risk drivers for the segregation or risk differentiation of LGD in order to ensure that the parameter is calculated for homogenous pools or facility grades. Competent authorities should verify that this approach is adequately applied, as it ensures consistency with the calculation of the PD parameter and a meaningful application of the risk weight formula. Regulation (EU) No 575/2013 distinguishes the method of estimating LGD for individual exposures for the purpose of risk-weighted exposure amounts from the average of LGD estimates calculated at the portfolio level. Differently from the individual LGD estimation, the LGD floor for retail exposures secured by immovable property, applied at the overall portfolio level, is defined as an exposure-weighted average LGD. In order to ensure adequate levels of risk parameters for exposures secured by immovable property competent authorities should verify that the LGD floors are applied correctly.

(24)

Defaulted exposures that, after the return to non-defaulted status, are reclassified as defaulted within a short period of time should be treated as defaulted from the first moment when the default occurred, as the temporary reclassification to non-defaulted status is most likely performed on the basis of incomplete information about the real situation of the obligor. As a result, the treatment of multiple defaults as a single default better represents the real default experience. Competent authorities should therefore verify that in the estimation of risk parameters multiple defaults of the same obligor within a short period of time are treated as a single default. Furthermore, the treatment of multiple defaults by the same obligor as separate defaults might lead to significant errors in risk parameter estimates, because higher default rates would lead to higher PD estimates. On the other hand the LGD would be underestimated, because the first defaults by the obligor would be treated as cure cases with no loss related to them, whereas the institution did suffer a loss. Additionally, due to the link between PD and LGD estimates and in order to ensure realistic estimation of expected loss, the treatment of multiple defaults should be consistent for the purpose of PD and LGD estimation.

(25)

The scope of information available to the institution with regard to defaulted exposures is significantly different from that regarding performing exposures. In particular, two additional risk drivers are available for the defaulted exposures, namely the time in-default and realised recoveries. Therefore, the estimation of LGD carried out before the default is not sufficient, because the risk estimates should take into account all significant risk drivers. Additionally, for defaulted exposures it is already known what the economic conditions were at the moment of default. Furthermore, LGD for defaulted exposures should reflect the sum of expected loss under current economic circumstances and possible unexpected loss that might occur during the recovery period. Therefore, competent authorities should verify that the LGD for defaulted exposures (‘LGD in-default’) is estimated either directly or as a sum of best estimate of expected loss (‘ELBE’) and an add-on that captures the unexpected loss that might occur during the recovery period. Irrespective of the approach applied the estimation of the LGD in-default should take into account the information on the time in-default and recoveries realised until the time of estimation and consider a possible adverse change in economic conditions during the expected length of the recovery process.

(26)

In the case of institutions using own-LGD estimates internal requirements for collateral management should be generally consistent with the requirements of Section 3, Chapter 4, Title II in Part three of Regulation (EU) No 575/2013. Competent authorities should focus on the requirements of collateral valuation and legal certainty because it is important to ensure regular and reliable valuation of collateral, and that the valuation reflects the real market value under current market conditions. The frequency and character of revaluation should be adjusted to the type of collateral, as outdated or inaccurate evaluation might lead to the underestimation of risk relating to the credit exposures. It is also crucial to ensure that the collateral is legally effective and enforceable in all relevant jurisdictions. In the contrary case, the exposure should be treated as unsecured; if such collateral is recognised in the risk quantification, it may lead to the underestimation of risk.

(27)

Competent authorities should verify that for the purpose of the advanced IRB Approach, i.e. where own-LGD estimates are used, guarantors are considered eligible where they are rated using a rating system approved under the IRB Approach; other guarantors may also be eligible, provided that they are classified as an institution, a central government or central bank, or a corporate entity that has a credit assessment by an ECAI, and the guarantee meets the requirements set out in Section 3, Chapter 4, Title II in Part Three of Regulation (EU) No 575/2013, which are also applicable for the Standardised Approach.

(28)

In the assessment of the process of assignment of exposures to exposure classes, specific requirements should be laid down for the verification by the competent authorities for the assignment of exposures to retail exposures because of their preferential treatment in terms of risk-weighted exposure amounts calculation. Some exposure classes are defined on the basis of the characteristics of the transaction and others on the basis of the type of obligor; as a result, there may be exposures that fulfil the criteria of more than one exposure class. Competent authorities should therefore verify that the institution applies the correct sequencing of classification in order to ensure a consistent and unequivocal assignment of exposures to exposure classes.

(29)

The competent authorities should verify that the results of the stress tests are taken into account in the risk and capital management processes, because the integration of the stress tests results in the decision-making processes ensures that the scenarios and their impact on own funds requirements are developed and performed in a meaningful manner and that forward-looking aspects of own funds requirements are taken into account in the management of the institution.

(30)

Institutions that use own-LGD and own conversion factors estimates should calculate effective maturity of the exposures under the IRB Approach for the purpose of the calculation of own funds requirements. In the case of revolving exposures, an institution is at risk for a longer period than the repayment date of the current drawing, given that the borrower may redraw additional amounts. Therefore, competent authorities should verify that the calculation of effective maturity of revolving exposures is based on the expiry date of the facility.

(31)

The calculation of the difference between expected loss amounts on the one hand and credit risk adjustments, additional value adjustments and other own funds reductions on the other hand (‘IRB shortfall‘) should be performed on an aggregate level separately for the portfolio of defaulted exposures and the portfolio of exposures that are not in default. The separation between defaulted and non-defaulted exposures is necessary in order to ensure that the negative amounts resulting from the calculation performed for the defaulted portfolio are not used to offset the positive amounts resulting from the calculation performed for the portfolio of exposures that are not in default. Apart from that the overall calculation is in line with the general concept of own funds, according to which the own funds should be fully available to cover unexpected losses in case of insolvency of the institution. Since the amounts of credit risk adjustments, additional value adjustments and other own funds reductions included in the calculation of the IRB shortfall have already been deducted from own funds to cover the expected losses (‘EL’), their excess part on the total EL is fully available to cover losses identified on all defaulted exposures. Therefore, competent authorities should verify that the adjustments to own funds based on the IRB shortfall are calculated and applied correctly.

(32)

Unreliable, inaccurate, incomplete or outdated data may lead to errors in the risk estimation and in the calculation of own funds requirements. Furthermore, when used in the risk management processes of the institution such data may also lead to poor credit and management decisions. In order to ensure the reliability and a high quality of data the infrastructure and procedures relating to the collection and storing of data should be well documented and contain a full description of the characteristics and the sources of data in order to ensure their proper use in the internal processes and the processes for the calculation of own funds requirements. Hence competent authorities should verify the quality and documentation of data used in the process of estimation of risk parameters, in the assignment of exposures to grades or pools and in the calculation of own funds requirements.

(33)

The quality of data, the accuracy of risk estimation and the correctness of calculation of own funds requirements are highly dependent on the reliability of the IT systems used for the purpose of the IRB Approach. Furthermore, the continuity and consistency of the risk management processes and the calculation of own funds requirements can only be ensured when the IT systems used for those purposes are safe, secure and reliable and the IT infrastructure is sufficiently robust. It is therefore necessary that competent authorities also verify the reliability of the institution’s IT systems and the robustness of the IT infrastructure.

(34)

Competent authorities should verify that as far as possible non-overlapping observations of returns on equity exposures are used both for the development and validation of internal models for equity exposures. Non-overlapping observations ensure higher quality of predictions, given that all observations are assigned the same weight and the observations are not closely correlated to each other.

(35)

The use of the IRB Approach requires the approval of the competent authorities, and any material changes to that approach have to be approved. As a result, competent authorities should verify that the internal process of management and in particular the internal process of approving such changes ensure that only changes that are in accordance with Regulation (EU) No 575/2013 and Delegated Regulation (EU) No 529/2014 are implemented and, in that context, that the classification of changes is consistent in order to avoid any regulatory arbitrage.

(36)

The provisions of this Regulation are closely linked, since they all deal with aspects of the assessment methodology that competent authorities are to apply when assessing the compliance of an institution with the IRB Approach. To ensure coherence between those provisions, which should enter into force at the same time, and to facilitate a comprehensive view and compact access to them by persons subject to them, it is desirable to include all of the regulatory technical standards relating to the assessment methodology of the IRB Approach required by Regulation (EU) No 575/2013 in a single regulation.

(37)

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Banking Authority.

(38)

The European Banking Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the opinion of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (4),

HAS ADOPTED THIS REGULATION:

CHAPTER 1

GENERAL PROVISIONS ON THE ASSESSMENT METHODOLOGY

Article 1

Assessment of compliance with requirements to use the Internal Ratings Based Approach

1.   Competent authorities shall apply this Regulation for the assessment of the compliance of an institution with the requirements to use the Internal Ratings Based Approach (‘IRB Approach’) as follows:

(a)

for the purposes of assessing initial applications for permission to use the IRB Approach as provided for in Article 144 of Regulation (EU) No 575/2013, competent authorities shall apply all provisions of this Regulation;

(b)

for the purposes of assessing applications for permission to extend the IRB Approach in accordance with the approved sequential implementation plan as provided for in Article 148 of Regulation (EU) No 575/2013, competent authorities shall apply Chapters 4, 5, 7 and 8 and any other part of this Regulation that is relevant to that request;

(c)

for the purposes of assessing applications for prior permission to carry out changes as referred to in Article 143(3) of Regulation (EU) No 575/2013, competent authorities shall apply all parts of this Regulation that are relevant to those changes;

(d)

for the purposes of assessing changes to rating systems and internal models approaches to equity exposures which have been notified in accordance with Article 143(4) of Regulation (EU) No 575/2013, competent authorities shall apply all parts of this Regulation that are relevant to those changes;

(e)

for the purposes of conducting ongoing reviews of the use of the IRB Approach pursuant to Article 101 of Directive 2013/36/EU, competent authorities shall apply all parts of this Regulation that are relevant to that review;

(f)

for the purposes of assessing applications for permission to revert to the use of less sophisticated approaches in accordance with Article 149 of Regulation (EU) No 575/2013, competent authorities shall apply Articles 6 to 8 of this Regulation.

2.   In addition to the criteria laid down in the provisions of this Regulation referred to in paragraph 1, the competent authorities shall verify any other relevant criteria necessary for the assessment of the compliance with the requirements to use the IRB Approach.

Article 2

Methods to be applied by competent authorities

1.   For the purposes of assessing initial applications for permission to use the IRB Approach, competent authorities shall apply all compulsory methods set out in this Regulation. They may also apply other methods set out in this Regulation in accordance with paragraph 7 and any other methods in accordance with paragraph 8.

2.   For the purposes of assessing applications for permission to extend the IRB Approach in accordance with a sequential implementation plan, competent authorities shall apply all compulsory methods set out in Chapters 4, 5, 7 and 8. They may also apply other methods set out in this Regulation in accordance with paragraph 7 and any other methods in accordance with paragraph 8.

3.   For the purposes of assessing applications for prior permission to carry out changes to the IRB Approach, competent authorities shall review the documents required to be submitted by institutions with regards to the change in accordance with Article 8 of Delegated Regulation (EU) No 529/2014. They may also apply any methods set out in this Regulation in accordance with paragraphs 7 and any other methods in accordance with paragraph 8.

4.   For the purposes of assessing changes to rating systems and internal models approaches to equity exposures which have been notified, competent authorities shall review the documents required to be submitted by institutions with regard to the change in accordance with Article 8 of Delegated Regulation (EU) No 529/2014 and may apply any methods set out in this Regulation in accordance with paragraph 7 and any other methods in accordance with paragraph 8.

5.   For the purposes of conducting ongoing reviews of the use of the IRB Approach, competent authorities may apply any methods set out in this Regulation in accordance with paragraph7 and any other methods in accordance with paragraph 8.

6.   For the purposes of assessing the applications to revert to the use of less sophisticated approaches, competent authorities may apply any of the methods set out in Chapter 2 of this Regulation in accordance with paragraph 7 and any other methods in accordance with paragraph 8.

7.   Where this Regulation provides for optional use of methods, the competent authorities may apply any of those methods which are suitable and appropriate to the nature, size and degree of complexity of the institution’s business and organisational structure, taking into account:

(a)

the materiality of the types of exposures covered by rating systems;

(b)

the complexity of the rating models and risk parameters and their implementation.

8.   In addition to the methods set out in this Regulation, competent authorities may use other methods, which are suitable and appropriate to the nature, size and degree of complexity of the institution's business and organisational structure, where this is necessary for the assessment of compliance with the requirements to use the IRB Approach.

9.   When applying the methods set out in this Regulation, competent authorities may take into account results from recent assessments made by themselves or by other competent authorities, if those assessments fulfil both of the following conditions:

(a)

the assessment was based wholly or in part on the compulsory methods;

(b)

the subject of the assessment included the same or a similar rating system in the same class of exposures.

Article 3

Quality of documentation

1.   In order to verify the compliance of the institution with the documentation requirement set out in point (e) of Article 144(1) of Regulation (EU) No 575/2013, competent authorities shall verify that the documentation of the rating systems as defined in point (1) of Article 142(1) of Regulation (EU) No 575/2013 (‘rating systems’):

(a)

is sufficiently detailed and accurate for it to be efficiently used;

(b)

is approved at the appropriate management level of the institution;

(c)

contains, with regard to each document, at least a record of the type of document, the author, the reviewer, the authorising agent, the owner, the dates of development and of approval, the version number and the history of changes to the document;

(d)

allows third parties to examine and confirm the functioning of the rating systems and, in particular, to examine and confirm that:

(i)

the documentation of the rating system design is sufficiently detailed to allow third parties to understand the reasoning behind all aspects of the rating system, including the assumptions, the mathematical formulas and, where human judgement is involved, the decisions, as well as the procedures for the development of the rating system;

(ii)

the documentation of the rating system is sufficiently detailed to allow third parties to understand the operation, limitations and key assumptions of each rating model and each risk parameter and to replicate the model development;

(iii)

the documentation of the rating process is sufficiently detailed to allow third parties to understand the method of assigning exposures to grades or pools and their actual assignment to grades or pools and to replicate the assignment.

2.   For the purposes of paragraph 1, the competent authority shall verify that the institution has in place policies outlining specific standards for documentation ensuring:

(a)

that the internal documentation is sufficiently detailed and accurate;

(b)

that specific persons or units are assigned responsibility to ensure that the documentation is complete, consistent, accurate, updated, approved as appropriate and secure;

(c)

that the institution adequately documents its policies, procedures and methodologies relating to the application of the IRB Approach.

Article 4

Third party involvement

1.   In order to assess compliance with the requirement regarding the soundness and the integrity of the rating systems laid down in Article 144(1) of Regulation (EU) No 575/2013 where an institution has delegated tasks, activities or functions relating to the design, implementation and validation of its rating systems to a third party, or has purchased a rating system or pooled data from a third party, the competent authority shall verify that that delegation or purchase does not hinder the application of this Regulation and shall verify that:

(a)

senior management of the institution as defined in point (9) of Article 3(1) of Directive 2013/36/EU (‘senior management’) as well as the management body of the institution or the committee designated by that management body are actively involved in the supervision and decision-making regarding the tasks, activities or functions delegated to the third party or regarding the rating systems obtained from third parties;

(b)

the staff of the institution has sufficient knowledge and understanding of the tasks, activities or functions delegated to third parties and of the structure of data and rating systems obtained from third parties;

(c)

continuity of the outsourced functions or processes is ensured, including by means of appropriate contingency planning;

(d)

internal audit or other control of the tasks, activities and functions delegated to third parties is not limited or inhibited by the involvement of the third party;

(e)

the competent authority is granted full access to all relevant information.

2.   Where a third party is involved in the tasks of developing a rating system and risk estimation for an institution, the competent authority shall verify that:

(a)

points (a) to (e) of paragraph 1 are satisfied;

(b)

the validation activities with regard to those rating systems and those risk estimates are not performed by that third party;

(c)

the third party provides the institution with the information necessary for those validation activities to be performed.

3.   Where, for the purposes of developing a rating system and risk parameter estimation, the institution uses data that is pooled across institutions, and a third party develops the rating system, the third party may assist the institution in its validation activities by performing those tasks of validation which require access to the pooled data.

4.   For the purposes of applying paragraphs 1, 2 and 3, competent authorities shall apply all of the following methods:

(a)

review the agreements with the third party and other relevant documents which specify the tasks of the third party;

(b)

obtain written statements from or interview the relevant staff of the institution or the third party to whom the task, activity or function is delegated;

(c)

obtain written statements from or interview senior management or the management body of the institution or the third party to whom the task, activity or function is delegated, or the committee of the institution designated by the management body;

(d)

review other relevant documents of the institution or of the third party, where necessary.

Article 5

Temporary non-compliance with the requirements of the IRB Approach

For the purposes of the application of Article 146(a) of Regulation (EU) No 575/2013, the competent authority shall:

(a)

review whether the institution’s plan for a timely return to compliance is sufficient to remedy the non-compliance and whether the time schedule is reasonable taking into account all of the following:

(i)

the materiality of the non-compliance;

(ii)

the extent of the measures required to return to compliance;

(iii)

the resources available to the institution;

(b)

monitor on a regular basis the progress in the realisation of the institution’s plan for a timely return to compliance;

(c)

verify the institution’s compliance with the relevant requirements after the implementation of the plan, by applying the assessment methodologies laid down in this Regulation.

CHAPTER 2

ASSESSMENT METHODOLOGY FOR SEQUENTIAL IMPLEMENTATION PLANS AND PERMANENT PARTIAL USE OF THE STANDARDISED APPROACH

Article 6

General

1.   In order to assess the compliance of an institution with the conditions for implementing the IRB Approach laid down in Article 148 of Regulation (EU) No 575/2013 and the conditions for permanent partial use laid down in Article 150 of that Regulation, competent authorities shall verify both of the following:

(a)

that the institution’s initial coverage and plan for sequential implementation of the IRB Approach are adequate, in accordance with Article 7;

(b)

that the exposure classes, types of exposures or business units where the Standardised Approach is applied are eligible for permanent exemption from the IRB Approach.

2.   For the purposes of the verification under paragraph 1, competent authorities shall apply all of the following methods:

(a)

review the institution’s plan for sequential implementation of the IRB Approach;

(b)

review the institution’s relevant internal policies and procedures, including the calculation methods for the share of exposures to be covered by the sequential implementation of the IRB Approach and the permanent exemption from the IRB Approach;

(c)

review the roles and responsibilities of the units and management bodies involved in the assignment of individual exposures to the IRB Approach or the Standardised Approach;

(d)

review the relevant minutes of meetings of the institution’s internal bodies, including the management body, or committees;

(e)

review the relevant findings of the internal audit function or of other control functions of the institution;

(f)

review the relevant progress reports on the effort made by the institution to correct shortcomings and mitigate risks detected during audits;

(g)

obtain written statements from the relevant staff and senior management of the institution or interview them.

3.   For the purposes of the verification under paragraph 1, competent authorities may:

(a)

review the functional documentation of the IT systems used in the process of the assignment of individual exposures to the IRB Approach or the Standardised Approach;

(b)

conduct sample testing and review documents relating to the characteristics of the obligors and to the origination and maintenance of the exposures included in the sample;

(c)

review other relevant documents of the institution.

Article 7

Sequential implementation of the IRB Approach

1.   When assessing the initial coverage and the institution’s plan for sequential implementation of the IRB Approach in accordance with Article 148 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the sequential implementation plan includes at least the following:

(i)

a specification of the range of application of each rating system, as well as of the types of exposures which are rated using each rating model;

(ii)

the planned dates of application of the IRB Approach with regard to each type of exposures;

(iii)

information on the total exposure values at the time of the assessment and risk-weighted exposure amounts calculated in accordance with the approach applied at the time of the assessment to each type of exposures;

(b)

the sequential implementation plan comprises all exposures of the institution, and, where applicable, its parent undertaking, and all exposures of the subsidiaries of the institution, unless the exposures are assessed in accordance with Article 8;

(c)

the implementation is planned to be performed in accordance with the second and third subparagraphs of Article 148(1) of Regulation (EU) No 575/2013;

(d)

where the institution is permitted to use the IRB Approach for any exposure class, that it uses the IRB Approach for equity exposures except in the cases specified in Article 148(5) of Regulation (EU) No 575/2013;

(e)

the sequence and time periods of the implementation of the IRB Approach are specified on the basis of the real capabilities of the institution, having regard to the availability of data, rating systems and experience periods as referred to in Article 145 of Regulation (EU) No 575/2013 and are not used selectively for the purpose of achieving reduced own funds requirements;

(f)

the sequence of the implementation of the IRB Approach ensures that implementation with regard to the credit exposures relating to the institution’s core business is given priority;

(g)

a definite time limit for the implementation of the IRB Approach is set for each type of exposures and business units and is reasonable on the basis of the nature and scale of the institution’s activities.

2.   Competent authorities shall determine whether the time limit referred to in point (g) of paragraph 1 is reasonable based on all of the following:

(a)

the complexity of the institution’s operations, including those of the parent undertaking and its subsidiaries;

(b)

the number of business units and business lines within the institution, and, where applicable, its parent undertaking and the subsidiaries of the institution;

(c)

the number and complexity of the rating systems to be implemented by all entities covered by the sequential implementation plan;

(d)

the plans to implement rating systems in subsidiaries located in third countries where significant legal or other difficulties for the approval of IRB models exist;

(e)

the availability of accurate, appropriate and complete time series;

(f)

the institution’s operational capability to develop and implement the rating systems;

(g)

the institution’s prior experience in managing specific types of exposures.

3.   When assessing the institution’s compliance with the plan for sequential implementation of the IRB Approach, which has been subject to permission of the competent authorities in accordance with Article 148 of Regulation (EU) No 575/2013, competent authorities may consider changes to the sequence and time period appropriate only if one or more of the following conditions are met:

(a)

there are significant changes in the business environment and in particular changes in strategy, mergers and acquisitions;

(b)

there are significant changes in the relevant regulatory requirements;

(c)

material weaknesses in the rating systems have been identified by the competent authority, or by the internal audit or the validation function;

(d)

the elements referred to in paragraph 2 have changed significantly, or any of the elements referred to in paragraph 2 were not taken into account adequately in the plan for sequential implementation of the IRB Approach which was approved.

Article 8

Conditions for permanent partial use

1.   When assessing the institution’s compliance with the conditions for permanent partial use of the Standardised Approach in relation to the exposures referred to in points (a) and (b) of Article 150(1) of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the availability of external data for representative counterparties is assessed and taken into account by the institution;

(b)

the cost to the institution of developing a rating system for the counterparties in the relevant exposure class is assessed taking into account the size of the institution and the nature and scale of its activities;

(c)

the operational capability of the institution to develop and implement a rating system is assessed taking into account the nature and scale of the institution’s activity.

2.   When assessing the institution’s compliance with the conditions for permanent partial use of the Standardised Approach in relation to the exposures referred to in point (c) of Article 150(1) of Regulation (EU) No 575/2013, competent authorities shall verify that the institution has verified and taken into account at least one of the following:

(a)

that the exposures, including the number of separately managed portfolios and business lines are not homogenous enough to allow the development of a robust and reliable rating system;

(b)

that the risk-weighted exposure amount calculated in accordance with the Standardised Approach is significantly higher than the expected risk-weighted exposure amount calculated in accordance with the IRB Approach;

(c)

that the exposures relate to a business unit or business line of the institution which is planned to be discontinued;

(d)

that the exposures include portfolios subject to proportional consolidation of partly-owned subsidiaries, in accordance with Article 18 of Regulation (EU) No 575/2013.

3.   When assessing the institution’s compliance with the conditions for permanent partial use of the Standardised Approach, competent authorities shall verify that the institution monitors compliance with the requirements of Article 150 of Regulation (EU) No 575/2013 on a regular basis.

CHAPTER 3

ASSESSMENT METHODOLOGY FOR THE FUNCTION OF VALIDATION OF INTERNAL ESTIMATES AND OF THE INTERNAL GOVERNANCE AND OVERSIGHT OF AN INSTITUTION

SECTION 1

General provisions

Article 9

General

1.   In order to assess whether an institution is compliant with the requirements on internal governance, including requirements on senior management and management body, internal reporting, credit risk control and internal audit, oversight and validation, competent authorities shall verify all of the following:

(a)

the robustness of the arrangements, mechanisms and processes of validation of rating systems of an institution and the appropriateness of the personnel responsible for the performance of the validation (‘validation function’) as referred to in points (c) and (f) of Article 144(1), point (d) of Article 174, Article 185 and Article 188 of Regulation (EU) No 575/2013, in respect of:

(i)

the independence of the validation function, in accordance with Article 10;

(ii)

the completeness and frequency of the application of the validation process, in accordance with Article 11;

(iii)

the adequacy of the methods and procedures of the validation function, in accordance with Article 12;

(iv)

the soundness of the reporting process and the process for addressing the validation conclusions, findings and recommendations in accordance with Article 13;

(b)

the internal governance and oversight of the institution, including the credit risk control unit and the internal audit of the institution, as referred to in Articles 189, 190 and 191 of Regulation (EU) No 575/2013 in respect of:

(i)

the role of senior management and the management body, in accordance with Article 14;

(ii)

the management reporting, in accordance with Article 15;

(iii)

the credit risk control unit, in accordance with Article 16;

(iv)

the internal audit, in accordance with Article 17.

2.   For the purposes of the verification under paragraph 1, competent authorities shall apply all of the following methods:

(a)

review the relevant internal policies and procedures of the institution;

(b)

review the relevant minutes of the institution’s internal bodies, including the management body, or committees;

(c)

review the relevant reports relating to the rating systems, as well as any conclusions and decisions taken on the basis of those reports;

(d)

review the relevant reports on the activities of the credit risk control, internal audit, oversight and validation functions prepared by the staff responsible for each of those functions or by any other control function of the institution, as well as the conclusions, findings and recommendations of those functions;

(e)

obtain written statements from or interview the relevant staff and senior management of the institution.

3.   For the assessment of the validation function, in addition to the methods referred to in paragraph 2, competent authorities shall apply all of the following methods:

(a)

review the roles and responsibilities of all staff involved in the validation function;

(b)

review the adequacy and appropriateness of the annual validation work plan;

(c)

review the validation manuals used by the validation function;

(d)

review the process of categorisation of the findings and the relevant recommendations in accordance with their materiality;

(e)

review the consistency of the conclusions, findings and recommendations of the validation function;

(f)

review the role of the validation function in the internal approval procedure of rating systems and all related changes;

(g)

review the action plan of each relevant recommendation, also in terms of its follow-up, as approved by the appropriate management level.

4.   For the assessment of the credit risk control unit, referred to in point (c) of Article 144(1) and Article 190 of Regulation (EU) No 575/2013, in addition to the requirements referred to in paragraph 2, competent authorities shall apply all of the following methods:

(a)

review the roles and responsibilities of all relevant staff and senior management of the credit risk control unit;

(b)

review the relevant reports submitted by the credit risk control unit and the senior management, to the management body or to the designated committee thereof.

5.   For the assessment of the internal audit or another comparable independent auditing unit as referred to in Article 191 of Regulation (EU) No 575/2013 in addition to the requirements referred to in paragraph 2, competent authorities shall apply all of the following methods:

(a)

review the relevant roles and responsibilities of all relevant staff involved in the internal audit;

(b)

review the adequacy and appropriateness of the annual internal audit work plan;

(c)

review the relevant auditing manuals and work programs and the findings and recommendations included in the relevant audit reports;

(d)

review the action plan of each relevant recommendation, also in terms of its follow-up, as approved at the appropriate management level.

6.   In addition to the methods listed in paragraph 2, competent authorities may review other relevant documents of the institution for the purposes of the verification under paragraph 1.

SECTION 2

Methodology for assessing the validation function

Article 10

Independence of the validation function

1.   When assessing the independence of the validation function for the purposes of Article 144(1)(f), Article 174(d), Article 185 and Article 188 of Regulation (EU) No 575/2013, competent authorities shall verify that the unit responsible for the validation function or, where there is no separate unit dedicated only to the validation function, the staff performing the validation function fulfils all of the following:

(a)

the validation function is independent from the personnel and management function responsible for originating or renewing exposures and for the model design or development;

(b)

the staff performing the validation function is different from the staff responsible for the design and development of the rating system, and from the staff responsible for the credit risk control function;

(c)

it reports directly to senior management.

2.   For the purposes of paragraph 1, where the unit responsible for the validation function is organisationally separate from the credit risk control unit and each unit reports to different members of the senior management, competent authorities shall verify, both of the following:

(a)

that the validation function has adequate resources, including experienced and qualified personnel to perform its tasks;

(b)

that the remuneration of the staff and senior managers responsible for the validation function is not linked to the performance of the tasks relating to either credit risk control or to originating or renewing exposures.

3.   For the purposes of paragraph 1, where the unit responsible for the validation function is organisationally separate from the credit risk control unit, and both units report to the same member of the senior management, competent authorities shall verify all of the following:

(a)

that the validation function has adequate resources, including experienced and qualified personnel to perform its tasks;

(b)

that the remuneration of the staff and senior managers responsible for the validation function is not linked to the performance of the tasks relating to either credit risk control or to originating or renewing exposures;

(c)

that there is a decision-making process in place to ensure that the conclusions, findings and recommendations of the validation function are properly taken into account by the senior management of the institution;

(d)

that no undue influence is exercised on the conclusions, findings and recommendations of the validation function;

(e)

that all necessary corrective measures to address the conclusions, findings and recommendations of the validation function are decided and implemented in a timely manner;

(f)

that internal audit regularly assesses the fulfilment of the conditions referred to in points (a) to (e).

4.   For the purposes of paragraph 1, where there is no separate unit responsible for the validation function, competent authorities shall verify all of the following:

(a)

that the validation function has adequate resources, including experienced and qualified personnel to perform its tasks;

(b)

that the remuneration of the staff and senior managers responsible for the validation function is not linked to the performance of the tasks relating to either credit risk control or to originating or renewing exposures;

(c)

that there is a decision-making process in place to ensure that the conclusions, findings and recommendations of the validation function are properly taken into account by the senior management of the institution;

(d)

that no undue influence is exercised on the conclusions, findings and recommendations of the validation function;

(e)

that all necessary corrective measures to address the conclusions, findings and recommendations of the validation function are decided and implemented in a timely manner;

(f)

that internal audit regularly assesses the fulfilment of the conditions referred to in points (a) to (e);

(g)

that there is effective separation between the staff performing the validation function and the staff performing the other tasks;

(h)

that the institution is not a global or other systemically important institution in the meaning of Article 131 of Directive 2013/36/EU.

5.   When assessing the independence of the validation function, competent authorities shall also assess whether the choice of the institution with regard to the organisation of the validation function as referred to in paragraphs 2, 3 and 4 is adequate, taking into account the nature, size and scale of the institution and the complexity of the risks inherent in its business model.

Article 11

Completeness and frequency of the validation process

1.   When assessing the completeness of the validation function for the purposes of the requirements laid down in Article 144(1)(f), Article 174(d), Article 185 and Article 188 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the institution has defined and documented a complete validation process for all rating systems;

(b)

the institution performs the validation process referred to in point (a) with an adequate frequency.

2.   When assessing the completeness of the validation process as referred to in paragraph 1(a), competent authorities shall verify that the validation function:

(a)

critically reviews all the aspects of the specification of the internal ratings and risk parameters, including the procedures for data collection and data cleansing, the choices of the methodology and model structure, and the process for the selection of the variables;

(b)

verifies the adequacy of the implementation of internal ratings and risk parameters in IT systems and that grade and pool definitions are consistently applied across departments and geographic areas of the institution;

(c)

verifies the performance of the rating systems taking into account at least risk differentiation and quantification and the stability of the internal ratings and risk parameters and the model specifications;

(d)

verifies all changes relating to internal ratings and risk parameters and their materiality in accordance with the Delegated Regulation (EU) No 529/2014 and that it consistently follows up on its own conclusions, findings and recommendations.

3.   When assessing whether the frequency of the validation process referred to in paragraph 1(b) is adequate, competent authorities shall verify that the validation process is performed regularly for all rating systems of the institution following an annual work plan and that:

(a)

for all rating systems the processes required by Article 185(b) and Article 188(c) of Regulation (EU) No 575/2013 (‘back-testing’) are performed at least once annually;

(b)

for the rating systems covering material types of exposures, the verification of the performance of the rating systems as referred to in paragraph 2(c), takes place at least once annually.

4.   Where an institution applies for permission to use the internal ratings and risk parameters of a rating system or for any material changes to internal ratings and risk parameters of a rating system, competent authorities shall verify that the institution performs the validation referred to in paragraph 2(a), (b) and (c) before the rating system is used for the calculation of own funds requirements and for internal risk management purposes.

Article 12

Adequacy of the methods and procedures of the validation function

When assessing the adequacy of the validation methods and procedures for the purposes of the requirements laid down in Article 144(1)(f), Article 174(d), Article 185 and Article 188 of Regulation (EU) No 575/2013, competent authorities shall verify that those methods and procedures allow for a consistent and meaningful assessment of the performance of the internal rating and risk estimation systems, and shall verify that:

(a)

the validation methods and procedures are appropriate for assessing the accuracy and consistency of the rating system;

(b)

the validation methods and procedures are appropriate to the nature, degree of complexity and range of application of the institution’s rating systems and data availability;

(c)

the validation methods and procedures clearly specify the validation objectives, standards and limitations, contain a description of all validation tests, data sets, and data cleansing processes, set out data sources and reference time periods, and set the fixed targets and tolerances for defined metrics, for the initial and regular validation respectively;

(d)

the validation methods used, and in particular the tests performed, the reference data set used for the validation and the respective data cleansing, are applied consistently over time;

(e)

the validation methods include back-testing, and benchmarking as set out in Article 185(c) and Article 188(d) of Regulation (EU) No 575/2013;

(f)

the validation methods take account of the way business cycles and the related systematic variability in default experience are considered in the internal ratings and risk parameters, especially regarding PD estimation.

Article 13

Soundness of the reporting process and the process for addressing the validation conclusions, findings and recommendations

When assessing the soundness of the reporting process and the process to address the validation conclusions, findings and recommendations, for the purposes of the requirements laid down Article 144(1)(f), Article 174(d), Article 185 and Article 188 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the validation reports identify and describe the validation methods used, the tests performed, the reference data set used and the respective data cleansing processes and include the results of those tests, the conclusions of the validation, the findings and the respective recommendations;

(b)

the conclusions, findings and recommendations of the validation reports are directly communicated to senior management and to the management body of the institution or to the committee designated by it;

(c)

the conclusions, findings and recommendations of the validation reports are reflected in changes and improvements in the design of internal ratings and risk estimates, including in the situations described in the first sentence of Article 185(e) and Article 188(e) of Regulation (EU) No 575/2013;

(d)

the decision-making process of the institution takes place at the appropriate management level.

SECTION 3

Methodology for assessing internal governance and oversight

Article 14

The role of senior management and management body

When assessing the institution’s corporate governance as referred to in Article 189 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the decision-making process of the institution, its hierarchy, reporting lines- and levels of responsibility are clearly laid down in the internal documentation of the institution and consistently reflected in the minutes of its internal bodies;

(b)

both the management body or the committee designated by it and the senior management approve at least the following material aspects of the rating systems:

(i)

all relevant policies relating to the design and implementation of rating systems and the application of the IRB Approach, including the policies relating to all material aspects of the rating assignment and risk parameter estimation and validation processes;

(ii)

all relevant risk management policies, including those relating to IT infrastructure and contingency planning;

(iii)

the risk parameters of all rating systems used in internal risk management processes and in the calculation of own funds requirements;

(c)

the management body or the committee designated by it sets an appropriate organisational structure for the sound implementation of the rating systems by way of a formal decision;

(d)

the management body or the committee designated by it approves by way of a formal decision the specification of the acceptable level of risk, taking into account the internal rating system scheme of the institution;

(e)

the senior management has a good understanding of all rating systems of the institution, of their design and operation, of the requirements for the IRB Approach and of the institution’s approach to meeting those requirements;

(f)

the senior management notifies the management body or the committee designated by it of material changes to or exceptions from established policies that materially impact the operations of the institution’s rating systems;

(g)

the senior management is in a position to ensure on an ongoing basis the good functioning of the rating systems;

(h)

the senior management takes relevant measures where weaknesses of the rating systems are identified by the credit risk control, the validation, the internal audit or any other control function.

Article 15

Management reporting

When assessing the adequacy of the management reporting as referred to in Article 189 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the management reporting includes information about all of the following:

(i)

the risk profile of the obligors or exposures, by grade;

(ii)

the migration across grades;

(iii)

an estimation of the relevant risk parameters per grade;

(iv)

a comparison of realised default rates, and, where own estimates are used, of realised LGDs and realised conversion factors against expectations;

(v)

stress test assumptions and results;

(vi)

the performance of the rating process, areas needing improvement and the status of efforts to improve previously identified deficiencies of the rating systems;

(vii)

validation reports;

(b)

the form and the frequency of management reporting are adequate having regard to the significance and the type of the information and to the level the recipient occupies in the hierarchy, taking into account the institution’s organisational structure;

(c)

the management reporting facilitates the senior management’s monitoring of the credit risk in the overall portfolio of exposures covered by the IRB Approach;

(d)

the management reporting is proportionate to the nature, size, and degree of complexity of the institution’s business and organisational structure.

Article 16

Credit risk control unit

1.   When assessing the internal governance and oversight of the institution in relation to the credit risk control unit referred to in Article 190 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the credit risk control unit or units are separate and independent of the personnel and management functions responsible for originating or renewing exposures;

(b)

the credit risk control unit or units are functional and adequate for their tasks.

2.   For the purposes of the verification under paragraph 1(a), competent authorities shall verify that:

(a)

the credit risk control unit or units are distinct organisational structures within the institution;

(b)

the head of the credit risk control unit or the heads of such units are part of the senior management;

(c)

the credit risk management function is organised taking into account the principles set out in Article 76(5) of Directive 2013/36/EU;

(d)

the staff and the senior management responsible for the credit risk control unit or units are not responsible for originating or renewing exposures;

(e)

senior managers of the credit risk control unit or units and of units responsible for originating or renewing exposures report to different members of the management body of the institution or of the committee designated by it;

(f)

the remuneration of the staff and senior management responsible for the credit risk control unit or units is not linked to the performance of the tasks relating to originating or renewing exposures.

3.   For the purposes of the verification under paragraph 1(b), competent authorities shall verify that:

(a)

the credit risk control unit or units are proportionate to the nature, size and degree of complexity of the business and organisational structure of the institution, and in particular to the complexity of the rating systems and their implementation;

(b)

the credit risk control unit or units have adequate resources, and experienced and qualified personnel to undertake all relevant activities;

(c)

the credit risk control unit or units are responsible for the design or selection, implementation and oversight and the performance of the rating systems, as required by the second sentence of Article 190(1) of Regulation (EU) No 575/2013, and that the areas of responsibility of that unit or those units include those listed in Article 190(2) of that Regulation;

(d)

the credit risk control unit or units regularly inform the senior management of the performance of the rating systems, of areas needing improvement, and of the status of efforts to improve previously identified deficiencies.

Article 17

Internal audit

1.   When assessing the internal governance and oversight of the institution in relation to the internal audit or another comparable independent auditing unit, as referred to in Article 191 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the internal audit or the other comparable independent auditing unit reviews the following, at least annually:

(i)

all rating systems of the institution;

(ii)

the operations of the credit risk control function;

(iii)

the operations of the credit approval process;

(iv)

the operations of the internal validation function;

(b)

the review under point (a) facilitates the specification in the annual work plan of areas that require a detailed review of compliance with all requirements applicable to the IRB Approach laid down in Articles 142 to 191 of Regulation (EU) No 575/2013;

(c)

the internal audit or the other comparable independent auditing unit are functional and adequate for their tasks.

2.   For the purposes of the verification under paragraph 1(c), competent authorities shall verify that:

(a)

the internal audit or the other comparable independent auditing unit provides sufficient information to the senior management and the management body of the institution on the compliance of the rating systems with all applicable requirements for the IRB Approach;

(b)

the internal audit or the other comparable independent auditing unit is proportionate to the nature, size and degree of complexity of the institution’s business and organisational structure, and in particular to the complexity of the rating systems and their implementation;

(c)

the internal audit or the other comparable independent auditing unit has adequate resources, and experienced and qualified personnel to undertake all relevant activities;

(d)

the internal audit or the other comparable independent auditing unit is not involved in any aspect of the operation of the rating systems which it reviews in accordance with paragraph 1(a);

(e)

the internal audit or the other comparable independent auditing unit is independent from the personnel and management responsible for originating or renewing exposures and reports directly to senior management;

(f)

the remuneration of the staff and senior management responsible for the internal audit function is not linked to the performance of the tasks relating to originating or renewing exposures.

CHAPTER 4

ASSESSMENT METHODOLOGY FOR USE TEST AND EXPERIENCE TEST

Article 18

General

1.   In order to assess whether an institution is compliant with the requirements on the use of rating systems for the purposes of Article 144(1)(b), Article 145, Article 171(1)(c), Article 172(1)(a), Article 172(1)(c), Article 172(2) and 175(3) of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

internal ratings and default and loss estimates of the rating systems used in the calculation of own funds play an essential role in the risk management, credit approval and decision-making process in accordance with Article 19;

(b)

internal ratings and default and loss estimates of the rating systems used in the calculation of own funds play an essential role in the process of the internal capital allocation in accordance with Article 20;

(c)

internal ratings and default and loss estimates of the rating systems used in the calculation of own funds play an essential role in the corporate governance functions in accordance with Article 21;

(d)

data and estimates used by the institution for the calculation of own funds and those used for internal purposes are consistent, and where discrepancies exist, that these are fully documented and reasonable;

(e)

rating systems are broadly in line with the requirements set out in Article 169 to 191 of Regulation (EU) No 575/2013 and have been applied by the institution at least three years prior to the use of the IRB Approach, as set out in Article 145 of Regulation (EU) No 575/2013, in accordance with Article 22.

2.   For the purpose of the assessment under paragraph 1 competent authorities shall apply all of the following methods:

(a)

review the institution's relevant internal policies and procedures;

(b)

review the relevant minutes the institution's internal bodies, including the management body, or committees involved in the credit risk management governance;

(c)

review the allocation of powers to take credit decisions, the credit management manuals and the commercial channels schemes;

(d)

review the analysis the institution has made of the credit approvals and the data on rejected credit applications, including all of the following:

(i)

credit decisions deviating from the institution’s credit policy (‘exceptions’);

(ii)

the instances where human judgement results in deviation from the inputs or outputs of the rating systems (‘overrides’) and the justifications for the overrides;

(iii)

the non-rated exposures and the reasons for missing ratings;

(iv)

manual decisions and cut-off points;

(e)

review the institution’s credit restructuring policies;

(f)

review the documented regular reporting on credit risk;

(g)

review the documentation on calculation of internal capital of the institution and the allocation of the internal capital to types of risk, subsidiaries and portfolios;

(h)

review the relevant findings of the internal audit or of other control functions of the institution;

(i)

review the progress reports on the efforts made by the institution to correct shortcomings and mitigate risks detected during relevant audits;

(j)

obtain written statements from or interview the relevant staff and senior management of the institution.

3.   For the purpose of the assessment under paragraph 1, competent authorities may also apply any of the following additional methods:

(a)

review the documentation of early warning systems;

(b)

review the credit risk adjustments methodology and the documented analysis of its coherence with the calculation of own funds requirements;

(c)

review the documented analysis of the risk-adjusted profitability of the institution;

(d)

review the pricing policies of the institution;

(e)

review the procedures for the collection and recovery of debts;

(f)

review the planning manuals and reports on budgeting of the cost of risk;

(g)

review the remuneration policy and the minutes of the remuneration committee;

(h)

review other relevant documents of the institution.

Article 19

Use test in risk management, decision-making and credit approval process

1.   When assessing whether internal ratings and default and loss estimates of the rating systems used in the calculation of the own funds requirements play an essential role in the institution’s risk management and decision-making process and in its credit approval as required by Article 144(1)(b) of Regulation (EU) No 575/2013, with regard to assignment to grades or pools in accordance with Article 171(1), point (c), and (2), of that Regulation, with regard to assignment of exposures in accordance with Article 172(1), points (a), (b) and (c), of that Regulation and with regard to documentation of rating systems in accordance with Article 175(3) of that Regulation, the competent authorities shall verify that:

(a)

the number of non-rated exposures and outdated ratings is immaterial;

(b)

those internal ratings and default and loss estimates play an important role, in particular, when:

(i)

making decisions on the approval, rejection, restructuring and renewal of a credit facility;

(ii)

drawing up the lending policies by influencing either the maximum exposure limits, the mitigation techniques and credit enhancements required or any other aspect of the institution’s global credit risk profile;

(iii)

carrying out the monitoring process of obligors and exposures;

2.   Where institutions use internal ratings and default and loss estimates in any of the following areas, competent authorities shall assess how that use contributes to those ratings and estimates playing an essential role in the institution’s risk management and decision-making processes and in its credit approval as referred to in paragraph 1:

(a)

the pricing of each credit facility or obligor;

(b)

the early warning systems used for the credit risk management;

(c)

the determination and implementation of the collection and recovery policies and processes;

(d)

the calculation of credit risk adjustments where this is in line with the applicable accounting framework;

(e)

the allocation or delegation of competence for the credit approval process by the management board to internal committees, to the senior management and to the staff.

Article 20

Use test in the internal capital allocation

1.   When assessing whether internal ratings and default and loss estimates of the rating systems used in the calculation of own funds requirements play an essential role in the institution’s internal capital allocation as referred to in Article 144(1)(b) of Regulation (EU) No 575/2013, competent authorities shall assess whether these ratings and estimates play an important role in:

(a)

the assessment of the amount of internal capital that the institution considers adequate to cover the nature and level of the risk to which it is or might be exposed as referred to in Article 73 of Directive 2013/36/EU;

(b)

the allocation of the internal capital among types of risk, subsidiaries and portfolios.

2.   Where institutions take into consideration internal ratings and default and loss estimates for the purpose of calculating the cost of risk to the institution for budgetary purposes, competent authorities shall assess how taking those elements into consideration contributes to those ratings and estimates playing an essential role in the institution’s internal capital allocation.

Article 21

Use test in corporate governance functions

1.   When assessing whether internal ratings and default and loss estimates of the rating systems used in the calculation of own funds requirements play an essential role in the institution’s corporate governance functions as referred to in Article 144(1)(b) of Regulation (EU) No 575/2013, competent authorities shall assess whether these ratings and estimates play an important role in:

(a)

the management reporting;

(b)

the monitoring of the credit risk at the portfolio level.

2.   Where institutions take into consideration internal ratings and default and loss estimates in any of the following areas, competent authorities shall assess how taking those elements into consideration contributes to those ratings and estimates playing an essential role in the institution’s corporate governance functions referred to in paragraph 1:

(a)

the internal audit planning;

(b)

the design of the remuneration policies.

Article 22

Experience test

1.   When assessing whether rating systems broadly in line with the requirements set out in Article 169 to 191 of Regulation (EU) No 575/2013 have been applied by the institution at least three years prior to the use of the IRB Approach for the purpose of the calculation of the own funds requirements, as referred to in Article 145 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

those rating systems have been used in the institution’s risk management and decision-making processes and credit approval processes referred to in Article 19(1)(b);

(b)

adequate documentation of the effective operation of the rating systems for those three years is available, in particular with regard to the respective monitoring, validation and audit reports.

2.   For the purposes of assessing a request for permission to extend the IRB Approach in accordance with the sequential implementation plan, paragraph 1 shall also apply where the extension concerns exposures that are significantly different to the scope of the existing coverage, such that the existing experience cannot be reasonably assumed to be sufficient to meet the requirements of Article 145(1) and (2) of Regulation (EU) No 575/2013 in respect of the additional exposures, as laid down in Article 145(3) of Regulation (EU) No 575/2013.

CHAPTER 5

ASSESSMENT METHODOLOGY FOR ASSIGNMENT OF EXPOSURES TO GRADES OR POOLS

Article 23

General

1.   In order to assess the institution’s compliance with the requirements regarding the assignment of obligors or exposures to grades or pools laid down in Articles 169, 171, 172 and 173 of Regulation (EU) No 575/2013, competent authorities shall verify both of the following:

(a)

the adequacy of the definitions, processes and criteria used by the institution for assigning or reviewing the assignment of exposures to grades or pools, including the treatment of overrides, in accordance with Article 24;

(b)

the integrity of the assignment process as referred to in Article 173 of Regulation (EU) No 575/2013, including the independence of the assignment process, as well as the reviews of the assignment, in accordance with Article 25.

2.   For the purposes of the verification under paragraph 1, competent authorities shall apply all of the following methods:

(a)

review the institution’s relevant internal policies and procedures;

(b)

review the roles and responsibilities of units responsible for origination and renewal of exposures and units responsible for the assignment of exposures to grades or pools;

(c)

review the relevant minutes of the institution’s internal bodies, including the management body, or committees;

(d)

review the institution’s internal reports regarding the performance of the assignment process;

(e)

review the relevant findings of the internal audit or of other control functions of the institution;

(f)

review the progress reports on the efforts made by the institution to correct shortcomings in the assignment or the review process and to mitigate risks detected during audits;

(g)

obtain written statements from or interview the relevant staff and senior management of the institution;

(h)

review the criteria used by the personnel responsible for human judgement in the assignment of exposures to grades or pools.

3.   For the purposes of the verification under paragraph 1, competent authorities may also apply any of the following additional methods:

(a)

review the functional documentation of the relevant IT systems;

(b)

conduct sample testing and review documents relating to the characteristics of an obligor and to the origination and maintenance of the exposures;

(c)

perform their own tests on the data of the institution or require the institution to perform specific tests;

(d)

review other relevant documents of the institution.

Article 24

Assignment definitions, processes and criteria

1.   When assessing the adequacy of definitions, processes and criteria used by the institution to assign or review the assignment of exposures to grades or pools in accordance with Articles 169, 171, 172 and 173 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

there are adequate procedures and mechanisms in place that ensure a consistent assignment of obligors or facilities to an appropriate rating system;

(b)

there are adequate procedures and mechanisms in place to ensure that each exposure held by the institution is assigned to a grade or pool in accordance with the rating system;

(c)

for exposures to corporates, institutions, central governments and central banks, and for equity exposures where the institution uses the PD/LGD approach set out in Article 155(3) of Regulation (EU) No 575/2013, there are adequate procedures and mechanisms in place to ensure that all exposures to the same obligor are assigned to the same obligor grade, including exposures along different lines of business, departments, geographical locations, legal entities within the group and IT systems, and to ensure the correct application of the exemption from the requirement to have an obligor rating scale which reflects exclusively quantification of the risk of obligor default for specialised lending exposures, laid down in Article 170(2) of Regulation (EU) No 575/2013, and of the exemption from the obligation to assign separate exposures to the same obligor to the same obligor grade, laid down in Article 172(1)(e) of that Regulation;

(d)

the definitions and criteria used for the assignment are sufficiently detailed to ensure a common understanding and consistent assignment to grades or pools by all the personnel responsible in all business lines, departments, geographical locations, legal entities within the group, regardless of which IT system is used;

(e)

there are adequate procedures and mechanisms in place to obtain all relevant information about the obligors and the facilities;

(f)

all relevant, currently available and most up-to-date information is taken into account;

(g)

in the case of exposures to corporates, institutions, central governments and central banks, and for equity exposures where an institution uses the PD/LGD approach, both, financial and non-financial information is taken into account;

(h)

where information necessary for the assignment of exposures to grades or pools is missing or is not up-to-date, the institution has set tolerances for defined metrics and adopted rules in order to take account of that fact in an adequate and conservative way;

(i)

financial statements older than 24 months are considered outdated and are treated in a conservative way;

(j)

the assignment to grades or pools is part of the credit approval process, in accordance with Article 19;

(k)

the criteria for assignment to grades or pools are consistent with the institution’s lending standards and policies for handling troubled obligors and facilities.

2.   For the purposes of the verification under paragraph 1, competent authorities shall assess the situations where human judgement is used to override any inputs or outputs of the rating system in accordance with Article 172(3) of Regulation (EU) No 575/2013. They shall verify that:

(a)

there are documented policies setting out the grounds for and the maximum extent of overrides and specifying at what stages of the assignment process the overrides are allowed;

(b)

the overrides are sufficiently justified by reference to the grounds set out in the policies referred to in point (a) and that this justification is documented;

(c)

the institution regularly carries out an analysis of the performance of exposures the rating of which has been overridden, including an analysis of overrides performed by each member of staff applying the overrides, and that the results of this analysis are taken into account in the decision-making process at an appropriate management level;

(d)

the institution collects full information on overrides, including information both before and after the overrides, monitors the number and justifications for overrides on a regular basis, and analyses the effect of overrides on the performance of the model;

(e)

the number and justifications for overrides do not indicate significant weaknesses of the rating model.

3.   For the purposes of the verification under paragraph 1, competent authorities shall verify that the assignment definitions, processes and criteria achieve all of the following:

(a)

groups of connected clients as defined in Regulation (EU) No 575/2013 are identified;

(b)

information on the ratings and defaults of other relevant entities within the group of connected clients is taken into account in an obligor grade assignment in such a way that the rating grades of each relevant entity in the group reflects the different situation of each relevant entity and its relations with the other relevant entities of the group;

(c)

the cases where the obligors are assigned to a better grade than their parent entities are documented and justified.

Article 25

Integrity of assignment process

1.   When assessing the independence of the assignment process in accordance with Article 173 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the staff and management responsible for the final approval of the assignment or of the review of the assignment of exposures to grades or pools are not involved in or responsible for the origination or renewal of exposures;

(b)

senior managers of units responsible for the final approval of the assignment or of the review of the assignment of exposures to grades or pools and senior managers of units responsible for the origination or renewal of exposures report to different members of the management body or the relevant designated committee of the institution;

(c)

the remuneration of the staff and management responsible for the final approval of the assignment or of the review of the assignment of exposures to grades or pools is not linked to the performance of the tasks relating to the origination or renewal of exposures;

(d)

the same practices as those referred to in points (a), (b) and (c) apply to overrides in the retail exposure class.

2.   When assessing the adequacy and frequency of the assignment process as set out in Article 173 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

adequate and detailed policies specify the frequency of the review, and the criteria for the necessity of more frequent reviews having regard to the higher risk of obligors or problematic exposures and that those policies are applied consistently over time;

(b)

a review of the assignment is carried out within a maximum of 12 months after the approval of the assignment and that any adjustments to it that are found during the review to be necessary are made within that time-limit;

(c)

a review of the assignment is carried out when new material information on the obligor or the exposure becomes available and that any adjustments to it that are found during the review to be necessary are made without undue delay;

(d)

the institution has defined criteria and processes for assessing the materiality of new information and the subsequent need for reassignment and that these criteria and processes are applied consistently;

(e)

the most recent information available is used in the review of the assignment;

(f)

where for practical reasons the assignment has not been reviewed as set out in points (a) to (e), that adequate policies to identify, monitor and remedy the situation are in place and that measures are taken to ensure return to compliance with points (a) to (e);

(g)

senior management is regularly informed about the reviews of assignment of exposures to grades or pools and of any delays of the reviews of the assignment referred to in point (f);

(h)

there are adequate policies for effectively obtaining and regularly updating relevant information, and that this is reflected appropriately in the terms of the contracts with the obligors.

3.   For the purposes of the verification under paragraph 2, competent authorities shall assess the value and number of exposures that have not been reviewed in accordance with points (a) to (e) of paragraph 2, and verify that those exposures are treated in a conservative manner when calculating the risk-weighted exposure amounts. The assessment and verification shall be carried out separately for each rating system and each risk parameter.

CHAPTER 6

ASSESSMENT METHODOLOGY FOR IDENTIFICATION OF DEFAULTS

Article 26

General

1.   In order to assess whether the institution identifies all situations which are to be considered defaults in accordance with Article 178(1) to (5) of Regulation (EU) No 575/2013 and Commission Delegated Regulation (EU) 2018/171 (5) competent authorities shall verify all of the following:

(a)

the detailed specification and practical application of the triggers for identifying the default of an obligor, in accordance with Article 27;

(b)

the robustness and effectiveness of the process used by an institution for identifying the default of an obligor, in accordance with Article 28;

(c)

the triggers and process used by an institution for the reclassification of a defaulted obligor to non-default status, in accordance with Article 29.

2.   For the purposes of the verification under paragraph 1 competent authorities shall apply all of the following methods:

(a)

review the institution’s internal criteria, policies and procedures for establishing whether a default has occurred (‘definition of default’) and for the treatment of defaulted exposures;

(b)

review the roles and responsibilities of the units and management bodies involved in the identification of the default of an obligor and the management of defaulted exposures;

(c)

review the relevant minutes of the institution’s internal bodies, including the management body, or committees;

(d)

review the relevant findings of the internal audit or of other control functions of the institution;

(e)

review the progress reports on the efforts made by the institution to correct shortcomings and mitigate risks detected during relevant audits;

(f)

obtain written statements from or interview the relevant staff and senior management of the institution;

(g)

review the criteria used by the personnel responsible for manual assignment of the default status to an obligor or an exposure and of the return to the non-default status.

3.   For the purposes of the verification under paragraph 1, competent authorities may also apply any of the following additional methods:

(a)

review the functional documentation of the IT systems used in the process of identification of the default of an obligor;

(b)

conduct sample testing and review documents relating to the characteristics of an obligor and to the origination and maintenance of the exposures;

(c)

perform their own tests on the data of the institution or require the institution to perform specific tests;

(d)

review other relevant documents of the institution.

Article 27

Triggers for identification of the default of an obligor

1.   When assessing detailed specification and practical application of the triggers for identifying the default of an obligor applied by the institution and their compliance with Article 178(1) to (5) of Regulation (EU) No 575/2013 and Delegated Regulation (EU) 2018/171, competent authorities shall verify that:

(a)

there is an adequate policy in place with regard to the counting of days past due, including re-ageing of facilities, granting of extensions, amendments or deferrals, renewals and netting of existing accounts;

(b)

the definition of default applied by the institution includes at least all of the triggers of default set out in Article 178(1) and (3) of Regulation (EU) No 575/2013;

(c)

where an institution uses more than one definition of default within its legal entities, that the scope of application of each definition of default is clearly specified and that the differences between the definitions are justified.

2.   For the purpose of the verification under paragraph 1, competent authorities shall assess whether the definition of default is implemented in practice and detailed enough to be applied consistently by all members of staff for all types of exposures, and whether all of the following potential indicators of unlikeness to pay are sufficiently specified:

(a)

the non-accrued status;

(b)

events that constitute specific credit risk adjustments resulting from a significant perceived decline in credit quality;

(c)

sales of credit obligations that constitute a material credit-related economic loss;

(d)

events that constitute a distressed restructuring;

(e)

events that constitute a similar protection to that of bankruptcy;

(f)

other indications of unlikeliness to pay.

3.   Competent authorities shall verify that the policies and procedures ensure that obligors are not classified as non-defaulted where any of the default triggers apply.

Article 28

Robustness and effectiveness of the process of identifying the default of an obligor

1.   When assessing the robustness and effectiveness of the process of identifying the default of an obligor in accordance with Article 178 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

there are adequate procedures and mechanisms in place to ensure that all defaults are identified in a timely manner, in particular that the gathering and updating of relevant information are effective and take place with sufficient frequency;

(b)

where the identification of default of an obligor is based on automatic processes, tests are carried out to verify that defaults are correctly identified by the IT system;

(c)

for the purposes of identifying the default of an obligor based on human judgement, the criteria for the assessment of the obligors and triggers of default are set out in sufficient detail in the internal documentation to ensure consistency in the identification of defaults by all members of the staff involved in such identification;

(d)

where the institution applies the definition of default at the obligor level, there are adequate procedures and mechanisms in place to ensure that once default is identified for an obligor, all exposures to that obligor are registered as being in default in all relevant systems, business lines and geographical locations within the institution and its subsidiaries, and where applicable, within its parent undertaking, and its subsidiaries;

(e)

where the assignment of the default status to all exposures to an obligor as referred to in point (d) is delayed following the default of one or several exposures of the obligor, that delay does not lead to errors or inconsistencies in risk management, risk reporting, the calculation of own funds requirements or the use of data in risk quantification.

2.   For the purposes of the verification under paragraph 1, competent authorities shall assess the application of the materiality threshold defined pursuant to Article 178(2)(d) of Regulation (EU) No 575/2013 in the default definition and the consistency of that materiality threshold with the materiality threshold of a credit obligation past due set by the competent authorities in accordance with Delegated Regulation (EU) 2018/171, and shall verify that:

(a)

there are adequate procedures and mechanisms in place to ensure that the default status is assigned in accordance with Article 178(1)(b) of Regulation (EU) No 575/2013 on the basis of the assessment set out in Article 178(2)(d) of that Regulation and compliant with the materiality threshold relevant to a credit obligation past due as defined by the competent authorities in accordance with Delegated Regulation (EU) 2018/171;

(b)

the process of counting days past due is consistent with the contractual or legal obligations of the obligor, reflects adequately partial payments and is applied consistently.

3.   In the case of retail exposures, in addition to the verification laid down in paragraph 1 and the assessment laid down in paragraph 2, competent authorities shall verify that:

(a)

the institution has a clear policy with regard to the application of the default definition for retail exposures either at the level of the obligor or at the level of the individual credit facility;

(b)

the policy referred to in point (a) is aligned with the institution’s risk management and is applied consistently;

(c)

where the institution applies the definition of default at the level of the individual credit facility:

(i)

there are adequate procedures and mechanisms in place to ensure that once a credit facility is identified as being in default, that credit facility is marked as being in default across all relevant systems within the institution;

(ii)

where there is a time delay with regard to the assignment of the default status of a credit facility across all relevant systems as referred to in point (i), that time delay does not lead to errors or inconsistencies in risk management, risk reporting, the calculation of own funds requirements or the use of data in risk quantification.

Article 29

Reclassification to non-default status

1.   When assessing the robustness of the triggers and process of reclassification of a defaulted obligor to a non-default status in accordance with Article 178(5) of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the triggers for reclassification are determined for each trigger of default and that the identification and treatment of credit obligations subject to distressed restructuring are clearly specified;

(b)

reclassification is possible only after all triggers of default have ceased to apply and all relevant conditions for reclassification are met;

(c)

the triggers and process of reclassification are determined in a prudent way, in particular that they ensure that reclassification to a non-default status is not performed where the institution expects the credit obligation not to be paid in full without recourse by the institution to actions such as realising security.

2.   For the purposes of the assessment under paragraph 1, competent authorities shall verify that the institution’s policies and procedures do not allow for reclassification of a defaulted obligor to a non-default status purely as a result of changes in the terms or conditions of the credit obligations, unless the institution has found that those changes enable the obligor to be considered as no longer being unlikely to pay.

3.   Competent authorities shall verify the analysis on which the institution has based its criteria for reclassification. They shall verify that the analysis takes into account the institution’s previous default record and the percentage of the defaulted obligors that, having been reclassified to non-default status, default again within a short period of time.

CHAPTER 7

ASSESSMENT METHODOLOGY FOR RATING SYSTEMS DESIGN, OPERATIONAL DETAILS AND DOCUMENTATION

SECTION 1

General

Article 30

General

1.   In order to assess an institution’s compliance with the requirements on the design, management and documentation of rating systems, as referred to in Article 144(1)(e) of Regulation (EU) No 575/2013, competent authorities shall verify all of the following:

(a)

the adequacy of the documentation on the rationale, design, and operational details of the rating systems, as set out in Article 175 of Regulation (EU) No 575/2013, in accordance with Articles 31 and 32;

(b)

the adequacy of the structure of the rating systems, as referred to in Article 170 of Regulation (EU) No 575/2013, in accordance with Articles 33 to 36;

(c)

the application by the institution of the specific requirements for statistical models or other mechanical methods, as referred to in Article 174 of Regulation (EU) No 575/2013, in accordance with Articles 37 to 40.

2.   For the purposes of the verification under paragraph 1, competent authorities shall apply all of the following methods:

(a)

review the institution’s relevant internal policies;

(b)

review the institution’s technical documentation on the methodology and the process of the rating systems development;

(c)

review the development manuals, methodologies and processes on which the rating systems are based;

(d)

review the minutes of the institution’s internal bodies responsible for approving the rating systems, including the management body or committees designated by it;

(e)

review the reports on the performance of the rating systems and the recommendations of the credit risk control unit, validation function, internal audit function or any other control function of the institution;

(f)

review the progress reports on the efforts made by the institution to correct shortcomings and mitigate risks detected during monitoring, validations and relevant audits;

(g)

obtain written statements from or interview the relevant staff and senior management of the institution.

3.   For the purposes of the verification under paragraph 1, competent authorities may apply any of the following additional methods:

(a)

request and analyse data used in the process of developing the rating systems;

(b)

conduct their own estimations or replicate those of the institution performed during the development and monitoring of the rating systems using relevant data supplied by the institution;

(c)

request additional documentation from the institution or request that it provides analysis related to the choice of methodology for designing the rating system and provides information about the results obtained;

(d)

review the functional documentation of the IT systems relevant to the scope of the assessment of the rating systems design, operational details and documentation;

(e)

perform the competent authority’s own tests on the data of the institution or request the institution to perform tests proposed by the competent authority;

(f)

review other relevant documents of the institution.

SECTION 2

Methodology for assessing the documentation on the rationale, design and operational details of rating systems

Article 31

Completeness of the documentation of rating systems

1.   When assessing the completeness of the documentation on the design, operational details and rationale of the rating systems as referred to in Article 144(1)(e) and set out in Article 175 of Regulation (EU) No 575/2013, competent authorities shall verify that the documentation is complete and includes the following:

(a)

the adequacy of the rating system and the models used within the rating system taking into account the portfolio characteristics;

(b)

a description of data sources and data cleansing practices;

(c)

definitions of default and loss;

(d)

methodological choices;

(e)

technical specification of the models;

(f)

the weaknesses and limitations of the models and possible mitigating factors thereof;

(g)

the results of the implementation tests of the models in the IT systems, in particular information on whether the implementation was successful and error-free;

(h)

a self-assessment of compliance with regulatory requirements for the Internal Ratings Based Approach as referred to in Articles 169 to 191 of Regulation (EU) No 575/2013.

2.   For the purposes of the verification under paragraph 1(a), competent authorities shall verify that:

(a)

the documentation clearly outlines the purpose of the rating system and the models;

(b)

the documentation includes a description of the range of application of the rating system and the scope of application of the models used within the rating system, i.e. a specification of the type of exposures covered by each model within the rating system, both in a qualitative and in a quantitative manner, the type of outputs of each model and the use made of the outputs;

(c)

the documentation includes an explanation about how the information obtained by means of the rating system and the results of the models is taken into account for the purposes of risk management, decision-making and credit approval processes, as referred to in Article 19.

3.   For the purposes of the verification under paragraph 1(b), competent authorities shall verify that the documentation includes:

(a)

detailed information regarding all data used for the model development, including a precise definition of the content of the model, its source, format and coding and, where applicable, exclusions of data from it;

(b)

any data cleansing procedures including procedures for data exclusions, outlier detection and treatment and data adaptations, as well as an explicit justification for their use and an evaluation of their impact.

4.   For the purposes of the verification under paragraph 1(c), competent authorities shall verify whether the definitions of default and loss used in the development of the model are adequately documented, in particular where other definitions of default are used for the purpose of model specification than those which are used by the institution in accordance with Article 178 of Regulation (EU) No 575/2013.

5.   For the purposes of the verification under paragraph 1(d), competent authorities shall verify that the documentation includes:

(a)

details on the design, theory, assumptions, and logic underlying the model;

(b)

detailed descriptions of the model methodologies and their rationale, statistical techniques and approximations and, where appropriate, the rationale and details on segmentation methods, the outputs of statistical processes and the diagnostics and measures of predictive power of the models;

(c)

the role of experts from the relevant business areas in developing the rating system and models, including a detailed description of the consultation process with experts from the relevant business areas in the design of the rating system and models as well as outputs and rationale provided by those experts from the relevant business areas;

(d)

an explanation of how the statistical model and human judgement are combined to derive the final model output;

(e)

an explanation of how the institution takes into account unsatisfactory quality of data, lack of homogeneous pools of exposures, changes in business processes, economic or legal environment and other factors relating to quality of data that may affect the performance of the rating system or model;

(f)

a description of the analyses performed for the purposes of statistical models or other mechanical methods, as applicable:

(i)

the univariate analysis of the variables considered and respective criteria for variable selection;

(ii)

the multivariate analysis of the variables selected and respective criteria for variable selection;

(iii)

the procedure for the design of the final model, including:

the final selection of variables,

adjustments based on human judgement to the variables resulting from the multivariate analysis,

transformations of the variables,

assignment of weights to the variables,

the method of composition of model components, in particular where the contribution of qualitative and quantitative components is joined.

6.   For the purposes of the verification under paragraph 1(e), competent authorities shall verify that the documentation includes:

(a)

the technical specification of the final model structure including final model specifications, input components including type and format of selected variables, weights applied for variables and output components including type and format of output data;

(b)

references to the computer codes and tools used in terms of IT languages and programs allowing a third party to reproduce the final results.

For the purposes of point (b), the third party may be the vendor in the case of vendor models.

7.   For the purposes of the verification under paragraph 1(f), competent authorities shall verify that the documentation includes a description of the weaknesses and limitations of the model, an assessment of whether the key assumptions of the model are met and an anticipation of situations where the model may perform below expectations or become inadequate, as well as an assessment of the significance of model weaknesses and possible mitigating factors thereof.

8.   For the purposes of the verification under paragraph 1(g), competent authorities shall verify that:

(a)

the documentation specifies the process to be followed when a new or changed model is implemented in the production environment;

(b)

the documentation covers the results of the tests of the implementation of the rating models in the IT systems, including the confirmation that the rating model implemented in the production system is the same as the one described in the documentation and is operating as intended.

9.   For the purposes of the verification under paragraph 1(h), competent authorities shall verify that the institution’s self-assessment of compliance with regulatory requirements for the IRB Approach is performed separately for each rating system and is reviewed by the internal audit or another comparable independent auditing unit.

Article 32

Register of rating systems

1.   When assessing the documentation system and procedures for gathering and storing the information on the rating systems as referred to in Articles 144(1)(e) and 175 of Regulation (EU) No 575/2013, competent authorities shall verify that the institution has implemented and maintains a register of all current and past versions of the rating systems for at least the last three years (‘register of rating systems’).

2.   For the purposes of paragraph 1, competent authorities shall verify that the procedures for maintaining the register of rating systems include a recording of the following information in respect of each version:

(a)

the range of application of the rating system, specifying which type of exposures is to be rated by each rating model;

(b)

the management responsible for the approval and date of internal approval, the date of notifying to the competent authorities, the date of the approval by the competent authorities, where applicable, and the date of implementation of the version;

(c)

a brief description of any changes relative to the previous version that has been considered in the register, including a description of the aspects of the rating system which have been changed and a reference to the model documentation;

(d)

the change category assigned in accordance with Delegated Regulation (EU) No 529/2014 and a reference to the criteria for assignment to a change category.

SECTION 3

Methodology for assessing the structure of rating systems

Article 33

Risk drivers and rating criteria

1.   When assessing the risk drivers and rating criteria used in the rating system for the purposes of Article 170(1), point (a), (c) and (e), (3), point (a), and (4) of Regulation (EU) No 575/2013, competent authorities shall verify all of the following:

(a)

the selection process of the relevant risk drivers and rating criteria, including the definition of potential risk drivers, criteria for selection of risk drivers and decisions taken on the relevant risk drivers;

(b)

the consistency of the selected risk drivers and rating criteria and their contribution to the risk assessment with the expectations of the business users of the rating system;

(c)

the consistency of the risk drivers and rating criteria selected on the basis of statistical methods with the statistical evidence on risk differentiation associated with each grade or pool.

2.   The potential risk drivers and rating criteria to be analysed in accordance with paragraph 1(a) shall include the following, where available for the type of exposures:

(a)

obligor risk characteristics, including:

(i)

for exposures to corporates and institutions: financial statements, qualitative information, industry risk, country risk, support from parent entity;

(ii)

for retail exposures: financial statements or personal income information, qualitative information, behavioural information, socio- demographic information;

(b)

transaction risk characteristics, including type of product, type of collateral, seniority, loan-to-value ratio;

(c)

information on delinquency: internal information or information derived from external sources, such as credit bureaus.

Article 34

Distribution of obligors and exposures in the grades or pools

1.   When assessing the distribution of obligors and exposures within the grades or pools of each rating system for the purposes of Article 170(1), points (b), (d) and (f), (2) and (3)(c) of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the number of rating grades and pools is adequate to ensure a meaningful risk differentiation and a quantification of the loss characteristics at the grade or pool level and that:

(i)

for exposures to corporates, institutions, central governments and central banks and specialised lending exposures, the obligor rating scale has at least the number of grades set out in Article 170(1)(b) and (2) of Regulation (EU) No 575/2013, respectively;

(ii)

for purchased receivables classified as retail exposures, that the grouping reflects the seller’s underwriting practices and the heterogeneity of its customers;

(b)

the concentration of numbers of exposures or obligors is not excessive in any grade or pool, unless such distribution is supported by convincing empirical evidence of homogeneity of risk of those exposures or obligors;

(c)

the rating and facility grades or pools for retail exposures have a sufficient number of exposures or obligors in a single grade or pool, unless such distribution is supported by convincing empirical evidence that the grouping of those exposures or obligors is adequate, or that direct estimates of risk parameters for individual obligors or exposures are used as referred to in Article 169(3) of Regulation (EU) No 575/2013;

(d)

the rating and facility grades or pools for exposures to corporates, institutions, central governments and central banks, where sufficient data is available, do not have too few exposures or obligors in a single grade or pool, unless the distribution of exposures or obligors is supported by convincing empirical evidence that the grouping of those exposures or obligors is adequate, or that direct estimates of risk parameters for individual obligors or exposures are used as referred to in Article 169(3) of Regulation (EU) No 575/2013.

2.   In addition to the verification laid down in paragraph 1, competent authorities shall assess, where appropriate, the criteria applied by the institution when determining:

(a)

the maximum and the minimum overall number of grades or pools;

(b)

the proportion of exposures and obligors assigned to each grade or pool.

3.   For the purposes of paragraphs 1 and 2, competent authorities shall take into account the current and past observed distributions of the number of exposures and obligors and of the exposure values, including the migration of exposures and obligors between different grades or pools.

Article 35

Risk differentiation

1.   When assessing the risk differentiation of each rating system for the purposes of points (b) and (c) of paragraph 3 of Article 170 of Regulation (EU) No 575/2013 for retail exposures, competent authorities shall verify all of the following:

(a)

that the tools used to assess risk differentiation are sound and adequate considering the available data and that the adequate risk differentiation is evidenced with records of time series of realised default rates or loss rates for grades or pools under various economic conditions;

(b)

that the expected performance of the rating system as regards risk differentiation is defined by the institution by means of clearly established fixed targets and tolerances for defined metrics and tools as well as actions to rectify deviations from these targets or tolerances; separate targets and tolerances may be defined for the initial development and the ongoing performance;

(c)

that the targets and tolerances for defined metrics and tools and mechanisms applied to meet those targets and tolerances ensure sufficient differentiation of risk.

2.   The competent authorities shall also apply paragraph 1 to the assessment of risk differentiation for exposures other than retail exposures pursuant to Article 170(1) of Regulation (EU) No 575/2013 if a sufficient quantity of data is available for this to be possible.

Article 36

Homogeneity

1.   When assessing the homogeneity of obligors or exposures assigned to the same grade or pool for the purposes of Article 170(1) and (3)(c) of Regulation (EU) No 575/2013, competent authorities shall assess the similarity of the obligors and transaction loss characteristics included in each grade or pool with regard to all of the following factors:

(a)

internal ratings;

(b)

estimates of PD;

(c)

where applicable, own estimates of LGD;

(d)

where applicable, own estimates of conversion factors;

(e)

where applicable, own estimates of total losses.

For retail exposures competent authorities shall assess those factors for each rating system. For exposures other than retail exposures competent authorities shall assess them only for those rating systems in respect of which a sufficient quantity of data is available.

2.   For the purposes of the assessment under paragraph 1, competent authorities shall assess the range of values and the distributions of the obligor and transaction loss characteristics included within each grade or pool.

SECTION 4

Methodology for assessing specific requirements for statistical models or other mechanical methods

Article 37

Data requirements

1.   When assessing the process for vetting data inputs into the model in accordance with Article 174(b) of Regulation (EU) No 575/2013, competent authorities shall verify:

(a)

the reliability and quality of the internal and external data sources and the range of data obtained from those sources, as well as the time period the sources cover;

(b)

the process of data merging, where the model is fed with data from multiple data sources;

(c)

the rationale and scale of data exclusions broken down by reason for exclusion, using statistics on the share of total data which each exclusion covers where certain data were excluded from the model development sample;

(d)

the procedures for dealing with erroneous and missing data and treatment of outliers and categorical data, and verify that, where there has been a change in the type of categorisation, this does not lead to decreased data quality or structural breaks in the data;

(e)

the processes for data transformation, including standardization and other functional transformations, and the appropriateness of those transformations having regard to the risk of model overfitting.

2.   When assessing the representativeness of the data used to build the model as referred to in Article 174(c) of Regulation (EU) No 575/2013, competent authorities shall verify:

(a)

the comparability of risk characteristics of the obligors or facilities reflected in the data used to build the model with those of the exposures covered by a particular rating model;

(b)

the comparability of the current underwriting and recovery standards with the ones applied at the time to which the reference data set used for the modelling relates;

(c)

the consistency of default definition over time in the data used for the modelling and verify:

(i)

that adjustments have been made to achieve consistency with the current default definition where the default definition has been changed during the observation period;

(ii)

that adequate measures ensuring the representativeness of data have been adopted by the institution where the institution operates in several jurisdictions having different default definitions;

(iii)

that the default definition used for the purposes of model specification does not have a negative impact on the structure and performance of the rating model where this definition is different from the definition of default laid down in Article 178 of Regulation (EU) No 575/2013;

(d)

where external data or data pooled across institutions is used in the model development, the relevance and adequacy of such data for the institution’s exposures, products and risk profile.

Article 38

Model design

When assessing the rating model design for the purposes of Article 174(a) of Regulation (EU) No 575/2013, competent authorities shall verify:

(a)

the adequacy of the model having regard to its specific application;

(b)

the institution’s analysis of alternative assumptions or alternative approaches to those chosen in the model;

(c)

the institution’s methodology for model development;

(d)

that relevant staff of the institution fully understands the model’s capabilities and limitations, in particular that the model documentation of the institution:

(i)

describes which of the model limitations are related to the model inputs, uncertain assumptions, the processing component of the model, and whether the model output is performed manually or in the IT system;

(ii)

identifies situations where the model can perform below expectations or become inadequate and contains an assessment of the materiality of model weaknesses and possible mitigating factors thereof.

Article 39

Human judgement

When assessing whether the statistical model or another mechanical method is complemented by human judgement in accordance with Article 174(e) of Regulation (EU) No 575/2013 and whether human judgement is applied in a proportionate and adequate manner in the development of the rating model and in the process of assigning exposures to grades or pools, competent authorities shall verify that:

(a)

the manner in which human judgement is applied is justified and fully documented and that the impact of human judgement on the rating system is assessed, if possible also by means of a computation of the marginal contribution of human judgement to the performance of the rating system;

(b)

all relevant information not considered in the model is taken into account and an adequate level of conservatism is applied;

(c)

where the process of assignment of exposures to grades or pools in a rating system requires the application of human judgement in the form of subjective input data or where the credit policy allows for overrides of inputs or outputs of the model, all of the following applies:

(i)

the manual for model users clearly defines the input data and the situations where the input data can be adjusted by human judgement;

(ii)

the situations where the input data have actually been adjusted are limited;

(iii)

the manual for model users clearly defines the situations where the input or output of rating models may be overridden and the procedures for overriding the input or output of the models;

(iv)

all data regarding the application of human judgement and the situations where the inputs or outputs of the rating models have been overridden are stored and analysed periodically by the credit risk control unit or by the validation function in order to ascertain its impact on the rating model;

(d)

the application of human judgement is appropriately managed and proportionate to the type of exposures for each rating system.

Article 40

Model performance

When assessing the predictive power of the model required under Article 174(a) of Regulation (EU) No 575/2013, competent authorities shall verify that the institution’s internal standards:

(a)

provide an outline of the assumptions and theory underlying the metrics chosen by the institution for the purpose of the assessment of the model’s performance;

(b)

specify the application of the metrics, indicate whether the use of each metric is compulsory or discretionary and when it is to be used and ensure that the metrics are used coherently;

(c)

specify the conditions of the applicability and acceptable thresholds and accepted deviations for the metrics and set out whether and, if so, how statistical errors relating to the values of those metrics are taken into account in the assessment process, and, where more than one metric is calculated, establishes the methods of aggregating several test results to one single assessment;

(d)

determine a process for ensuring that events of model performance deterioration leading to the breach of the thresholds referred to in point (c) are communicated to the appropriate members of the senior management in charge of it and that clear guidance on how the outcomes of the metrics are considered is provided by the members of the management responsible for taking final decision as regards implementation of the necessary changes to the model.

CHAPTER 8

ASSESSMENT METHODOLOGY FOR RISK QUANTIFICATION

SECTION 1

General

Article 41

General

1.   In order to assess compliance of an institution with the requirements on quantification of risk parameters, for the purposes of Article 144(1)(a) of Regulation (EU) No 575/2013, competent authorities shall verify the institution’s:

(a)

compliance with the overall requirements for estimation laid down in Article 179 of Regulation (EU) No 575/2013, in accordance with Articles 42, 43 and 44;

(b)

compliance with the requirements specific to PD estimation laid down in Article 180 of Regulation (EU) No 575/2013, in accordance with Articles 45 and 46;

(c)

compliance with the requirements specific to own-LGD estimates laid down in Article 181 of Regulation (EU) No 575/2013, in accordance with Articles 47 to 52;

(d)

compliance with the requirements specific to own-conversion factor estimates laid down in Article 182 of Regulation (EU) No 575/2013, in accordance with Articles 53 to 56;

(e)

compliance with the requirements for assessing the effect of guarantees and credit derivatives laid down in Article 183 of Regulation (EU) No 575/2013, in accordance with Article 57;

(f)

compliance with the requirements for purchased receivables laid down in Article 184 of Regulation (EU) No 575/2013, in accordance with Article 58.

2.   For the purposes of the verification under paragraph 1, competent authorities shall apply all of the following methods:

(a)

review the institution’s relevant internal policies;

(b)

review the institution's technical documentation of relevant estimation methodology and process;

(c)

review and challenge the relevant estimation of risk parameter manuals, methodologies and processes;

(d)

review the relevant minutes of the institution’s internal bodies, including the management body, model committee, or other committees;

(e)

review the reports on the performance of risk parameters and the recommendations made by the credit risk control unit, the validation function, the internal audit function or any other control function of the institution;

(f)

assess progress reports on the efforts made by the institution to correct shortcomings and mitigate risks detected during relevant audits, validations and monitoring;

(g)

obtain written statements from or interview the relevant staff and the senior management of the institution.

3.   For the purposes of the verification under paragraph 1, competent authorities may also apply any of the following additional methods:

(a)

request the provision of additional documentation or analysis substantiating the institution’s methodological choices and the results obtained;

(b)

conduct their own estimations of risk parameters or replicate those of the institution, using the relevant data supplied by the institution;

(c)

request and analyse the data used in the process of estimation;

(d)

review the functional documentation of the IT systems which are relevant to the scope of the assessment;

(e)

perform their own tests on the data of the institution or request the institution to perform tests proposed by the competent authorities;

(f)

review other relevant documents of the institution.

SECTION 2

Methodology for assessing overall requirements for quantification of risk parameters

Article 42

Data requirements

1.   When assessing compliance with the overall requirements for estimation laid down in Article 179 of Regulation (EU) No 575/2013, the data used for the quantification of risk parameters and the quality of that data, competent authorities shall verify:

(a)

the completeness of the quantitative and qualitative data and other information in relation to the methods used for the quantification of risk parameters to ensure that all relevant historical experience and empirical evidence are used;

(b)

the availability of quantitative data providing a breakdown of the loss experience by the factors which drive the respective risk parameters as referred to in Article 179(1)(b) of Regulation (EU) No 575/2013;

(c)

the representativeness of the data used to estimate the risk parameters for certain types of exposures;

(d)

the adequacy of the number of exposures in the sample and the length of the historical observation period referred to in Articles 45, 47 and 53, used for the quantification to ensure that the estimates of the institution are accurate and robust;

(e)

the justification for and the documentation of all data cleansing, including any exclusions of observations from the estimation and a confirmation that these exclusions do not bias the risk quantification; for PD estimates, in particular, the justification and the documentation of the impact of the data cleansing on the long-run average default rate;

(f)

the consistency between the data sets used for the risk parameters estimation, in particular with regard to the default definition, treatment of defaults, including multiple defaults as referred to in Articles 46(1)(b) and 49, and the sample composition.

2.   For the purposes of the verification under point (c) of paragraph 1, competent authorities shall assess the representativeness of the data used to estimate the risk parameters for certain types of exposures by assessing:

(a)

the structure of exposures covered by each rating model and the different risk characteristics of the obligors or facilities, and whether the current portfolio is, to the degree required, comparable to the portfolios constituting the reference data set;

(b)

the comparability of the current underwriting and recovery standards with the ones applied at the time of the reference data set;

(c)

the consistency of the default definition in the observation period:

(i)

where the default definition has been changed in the observation period, the description of the adjustments performed in order to achieve the required level of consistency with current default definition;

(ii)

where default definitions vary across the jurisdictions in which the institution operates, the adequacy of measures and conservatism adopted by the institution;

(d)

where external data and data pooled across institutions are used in the quantification of risk parameters, the relevance and appropriateness of these data for the institution’s exposures, products and risk profile and the definition of default;

(e)

where the external or pooled data are not consistent with the institution’s internal default definition, the description of adjustments to the external or pooled data performed by the institution in order to achieve the required level of consistency with the internal default definition.

3.   When assessing the quality of the data pooled across institutions that is used for quantification of risk parameters, competent authorities shall apply the assessment methodology laid down in paragraphs 1 and 2 in addition to verifying the compliance with the requirements laid down in Article 179(2) of Regulation (EU) No 575/2013.

Article 43

Review of estimates

When assessing the review of risk parameter estimates by the institution as referred to in Article 179(1)(c) of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the process and the annual plan for the review of estimates provide for a timely review of all estimates;

(b)

criteria for the identification of situations which trigger a more frequent review have been identified;

(c)

the methodologies and data used for the estimation of risk parameters reflect changes in the underwriting process and in the composition of the portfolios;

(d)

the methodologies and data used for the LGD estimation reflect changes in the recovery process, the types of recoveries and the duration of the recovery process;

(e)

the methodologies and data used for the conversion factor estimation reflect changes in the monitoring process of undrawn amounts;

(f)

the data set used for the estimation of risk parameters includes the relevant data from the latest observation period, and are updated at least on an annual basis;

(g)

the technical advances and other relevant information are reflected in the risk parameters estimates.

Article 44

Margin of conservatism

1.   Competent authorities shall assess whether an appropriate margin of conservatism is included in the values of risk parameters used in the calculation of capital requirements as referred to in point (f) of Article 179(1) of Regulation (EU) No 575/2013, in the following situations:

(a)

the methods and data do not provide sufficient certainty of the risk parameter estimates, including where there are high estimation errors;

(b)

relevant deficiencies in the methods, information and data have been identified by the credit risk control unit, validation function or internal audit function or any other function of the institution;

(c)

relevant changes to the standards of underwriting or recovery policies or changes in the institution’s risk appetite.

2.   Competent authorities shall assess whether the institutions do not use the margin of conservativism as a substitute to any corrective action applied by the institution under Article 146 of Regulation (EU) No 575/2013.

SECTION 3

Methodology for assessing requirements specific for PD estimation

Article 45

Length of the historical observation period

When assessing the length of the historical observation period referred to in point (h) of Article 180(1) and point (e) of Article 180(2) of Regulation (EU) No 575/2013, taking into account conditions laid down in Commission Delegated Regulation (EU) 2017/72 with regard to regulatory technical standards specifying conditions for data waiver permissions (6), and the calculation of one year default rates based on internal default experience as referred to in point (e) of Article 180(1), competent authorities shall verify:

(a)

that the length of the historical observation period covers at least the minimum length in accordance with the requirements laid down in point (h) of paragraph 1 and point (e) of paragraph 2 of Article 180 of Regulation (EU) No 575/2013 and, where applicable, Delegated Regulation (EU) 2017/72;

(b)

where the available historical observation period is longer than the minimum period required in point (h) of Article 180(1) or in point (e) of Article 180(2) of Regulation (EU) No 575/2013 for a data source, and the data obtained from it are relevant, that the information for that longer period is used in order to estimate the long-run average of one-year default rates;

(c)

for retail exposures where the institution does not give equal importance to all historical data used, that this is justified by better prediction of default rates and that a zero or very small weight applied to a specific period is either duly justified or leads to more conservative estimates;

(d)

that there is consistency between underwriting standards and the rating systems in place and that comparable underwriting standards were used at the time of generating the internal default data or that changes in underwriting standards and rating systems have been addressed by applying the margin of conservatism as referred to in point (c) of Article 44(1);

(e)

for exposures to corporates, institutions, central governments and central banks, that the definition of obligors that are highly leveraged and obligors whose assets are predominantly traded assets as referred to in point (a) of Article 180(1) of Regulation (EU) No 575/2013 as well as the identification of periods of stressed volatilities for those obligors as referred to in that provision are adequate.

Article 46

Method of PD estimation

1.   When assessing the method of PD estimation, as referred to in Article 180 of Regulation (EU) No 575/2013, competent authorities shall verify that the one-year default rate for each grade or pool is calculated in a manner consistent with the characteristics of the one-year default rate defined in point 78 of Article 4(1) of Regulation (EU) No 575/2013, and they shall verify that:

(a)

the denominator of the one-year default rate includes the obligors or exposures which, at the beginning of a one year period, are not in default and are assigned to that rating grade or pool;

(b)

the numerator of the one-year default rate includes those of the obligors or exposures referred to in point (a) that have defaulted within that one year period; multiple defaults for the same obligor or exposure, which have been observed during the one year period relating to the default rate, are considered to be a single default as referred to in Article 49(b) having occurred on the date of the first of those multiple defaults.

2.   Competent authorities shall verify that the method of PD estimation by obligor grade or pool is based on the long-run average of one-year default rates.

For that purpose they shall verify that the period used by the institution to estimate the long-run average of one-year default rates is representative of the likely range of variability of default rates for that type of exposures.

3.   Where observed data used for PD estimation are not representative of the likely range of variability of default rates for a type of exposures, competent authorities shall verify that both of the following conditions are met:

(a)

the institution uses an appropriate alternative method for estimating the average of one-year default rates over a period that is representative of the likely range of variability of default rates for that type of exposures;

(b)

an appropriate margin of conservatism is applied where, after applying an appropriate method as referred to in point (a), the estimation of the averages of default rates is found to be unreliable or to have other limitations.

4.   For the purposes of the verification under paragraph 1, competent authorities shall verify that all of the following is appropriate for the type of exposures:

(a)

the functional and structural form of the estimation method;

(b)

assumptions on which the estimation method is based;

(c)

the cyclicality of the estimation method;

(d)

the length of the historical observation period used in accordance with Article 45;

(e)

the margin of conservatism applied in accordance with Article 44;

(f)

the human judgement;

(g)

where applicable, the choice of risk drivers.

5.   For exposures to corporates, institutions, central governments and central banks, where the obligors are highly leveraged or the assets of the obligor are predominantly traded assets as referred to in point (a) of Article 180(1) of Regulation (EU) No 575/2013, competent authorities shall verify that the PD reflects the performance of the underlying assets in the periods of stressed volatility as referred to in that provision.

6.   For exposures to corporates, institutions, central governments and central banks, where the institution makes use of a rating scale of an ECAI, competent authorities shall verify the institution’s analysis of compliance with the requirements laid down in point (f) of Article 180(1) of Regulation (EU) No 575/2013, and check that that analysis addresses the issue of whether the types of exposures rated by the ECAI are representative of the institution’s types of exposures and the time horizon for the credit assessment by the ECAI.

7.   For retail exposures, where the institution derives the estimates of PD or LGD from an estimate of total losses and an appropriate estimate of PD or LGD as referred to in point (d) of Article 180(2) of Regulation (EU) No 575/2013, competent authorities shall verify the institution’s analysis of compliance with all relevant criteria on PD and LGD estimation laid down in Articles 178 to 184 of Regulation (EU) No 575/2013.

8.   For retail exposures, competent authorities shall verify that the institution regularly analyses and takes into account the expected changes of PD over the life of credit exposures (‘seasoning effects’) as referred to in point (f) of Article 180(2) of Regulation (EU) No 575/2013.

9.   In the assessment of statistical models for PD estimation, competent authorities shall, in addition to the methods laid down in paragraphs 1 to 8, apply the methodology for assessing specific requirements for statistical models or other mechanical methods laid down in Articles 37 to 40.

SECTION 4

Methodology for assessing requirements specific to own-LGD estimates

Article 47

Length of the historical observation period

When assessing the length of the period used for LGD estimation for the purpose of point (j) of paragraph 1 and subparagraph 2 of paragraph 2 of Article 181 of Regulation (EU) No 575/2013 and Delegated Regulation (EU) 2017/72, (‘historical observation period’), competent authorities shall verify that:

(a)

the length of the historical observation period covers at least the minimum length in accordance with the requirements laid down in paragraph 1(j) and the second subparagraph of paragraph 2 of Article 181 of Regulation (EU) No 575/2013 and, where applicable, Delegated Regulation (EU) 2017/72;

(b)

where the available historical observation period is longer than the minimum period according to point (j) of paragraph 1 of Article 181 and subparagraph 2 of paragraph 2 of Article 181 of Regulation (EU) No 575/2013 for a data source, and the data obtained from it are relevant for the LGD estimation, that the information for that longer period is used;

(c)

for retail exposures, where the institution does not give equal importance to all historical data used, that this is justified by better prediction of loss rates and that a zero or very small weight applied to a specific period is either duly justified or leads to more conservative estimates.

Article 48

Method of LGD estimation

When assessing the method of own-LGD estimation, as referred to in Article 181 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the institution assesses LGD by homogenous facility grade or pool;

(b)

the average realized LGD by facility grade or pool is calculated using the number of default weighted average;

(c)

all observed defaults within the data sources are used, in particular that the incomplete recovery processes are taken into account in a conservative manner for the purposes of LGD estimation, and that the choice of workout period and methodologies for estimating additional costs and recoveries after and, where necessary, during that period, are relevant;

(d)

the LGD estimates of secured exposures are not solely based on the estimated market value of the collateral and that they take into account the realised revenues from past liquidations and the potential inability of an institution to gain control of the collateral and liquidate it;

(e)

the LGD estimates of secured exposures take into account the potential decreases in collateral value from the point of time of LGD estimation to the eventual recovery;

(f)

the degree of dependence between the risk of the obligor and that of the collateral as well as the cost of liquidating the collateral are taken into account conservatively;

(g)

any unpaid late fees that have been capitalised in the institution’s income statement before the default are added to the institution’s measure of exposure and loss;

(h)

the possibility of future drawings after the default is taken into account appropriately;

(i)

all of the following aspects are appropriate for the type of exposures to which they are applied:

(i)

the functional and structural form of the estimation method;

(ii)

the assumptions regarding the estimation method;

(iii)

the estimation method for a downturn effect;

(iv)

the length of data series used;

(v)

the margin of conservatism;

(vi)

the use of the human judgement;

(vii)

where applicable, the choice of risk drivers.

Article 49

Treatment of multiple defaults

For the treatment of obligors that default and recover several times in a limited period of time as defined by the institution (‘multiple defaults’), competent authorities shall assess the adequacy of the methods used by the institution and shall verify that:

(a)

explicit conditions are defined before a facility is considered to have returned to a non-default status;

(b)

multiple defaults identified within a period of time specified by the institution are considered to be a single default for the purpose of LGD estimation, using the default date of the first observed default as the relevant default date and considering the recovery process from that date until the end of the recovery process after the last observed default in this period;

(c)

the length of period within which multiple defaults are recognised as a single default is determined taking into account the institution’s internal policies and analysis of the default experience;

(d)

defaults used for the purpose of PD and conversion factors estimation are treated consistently with defaults used for the purpose of LGD estimation.

Article 50

Use of LGD estimates appropriate for economic downturn

When assessing whether the requirement to use LGD estimates that are appropriate for an economic downturn as laid down in point (b) of Article 181(1) of Regulation (EU) No 575/2013 is fulfilled, competent authorities shall verify that:

(a)

the institution uses LGD estimates that are appropriate for an economic downturn, where those are more conservative than the long-run average;

(b)

the institution provides both long-run averages and LGD estimates appropriate for an economic downturn for justification of its choices;

(c)

the institution applies a rigorous and well documented process for identifying an economic downturn and assessing its effects on recovery rates and for producing LGD estimates appropriate for an economic downturn;

(d)

the institution incorporates in the LGD estimates any adverse dependencies that have been identified between on the one hand selected economic indicators and on the other hand the recovery rates.

Article 51

LGD, ELBE and UL estimation for exposures in-default

1.   When assessing the requirements for LGD estimates for the exposures in default, and for the best estimate of expected losses (‘ELBE ’) as referred to in Article 181(1)(h) of Regulation (EU) No 575/2013, competent authorities shall verify that the institution uses one of the following approaches and shall assess the approach used by the institution:

(a)

direct estimation of the LGD for defaulted exposures (‘LGD in-default’) and direct estimation of ELBE;

(b)

direct estimation of ELBE and estimation of the LGD in-default as the sum of ELBE and an add-on capturing the unexpected loss related to exposures in default that might occur during the recovery period.

2.   When assessing the approach of the institution in accordance with paragraph 1, competent authorities shall verify that:

(a)

the LGD in-default estimation methods, either as a direct estimation or as an add-on to ELBE, take into account possible additional unexpected losses during the recovery period, and in particular consider possible adverse changes in economic conditions during the expected length of the recovery process;

(b)

the LGD in-default, either as a direct estimation or as an add-on to ELBE, and the ELBE estimation methods take into account the information on the time in- default and recoveries realised so far;

(c)

where the institution uses a direct estimation of the LGD in-default, the estimation methods are consistent with the requirements of Articles 47, 48 and 49;

(d)

the LGD in-default estimate is higher than the ELBE, or, where the LGD in- default is equal to the ELBE, that for individual exposures such cases are limited and duly justified by the institution;

(e)

the ELBE estimation methods take into account all currently available and relevant information and in particular consider current economic circumstances;

(f)

where the specific credit risk adjustments exceed the ELBE estimates the differences between the two are analysed and duly justified;

(g)

the LGD in-default, either as a direct estimation or as an add-on to ELBE, and the ELBE estimation methods are clearly documented.

Article 52

Requirements on collateral management, legal certainty and risk management

When assessing whether the institution has established internal requirements for collateral management, legal certainty and risk management which are generally consistent with those set out in Chapter 4, Section 3 of Regulation (EU) No 575/2013, as referred to in Article 181(1)(f) of that Regulation, competent authorities shall verify that at least the policies and procedures of the institution relating to the internal requirements for collateral valuation and legal certainty are fully consistent with the requirements of Section 3 of Chapter 4 of Title II in Part Three of Regulation (EU) No 575/2013.

SECTION 5

Methodology for assessing requirements specific to own- conversion factor estimates

Article 53

Length of the historical observation period

When assessing the length of the period used for the estimation of conversion factors referred to in paragraph 2 and paragraph 3 of Article 182 of Regulation (EU) No 575/2013 and Delegated Regulation (EU) 2017/72 (‘historical observation period’), competent authorities shall verify that:

(a)

the length of the historical observation period covers at least the minimum length required by paragraph 2 and paragraph 3 of Article 182 of Regulation (EU) No 575/2013 and, where applicable, Delegated Regulation (EU) 2017/72;

(b)

where the available observation period is longer than the minimum period required by paragraph 2 and paragraph 3 of Article 182 of Regulation (EU) No 575/2013 for a data source, and the data obtained from it are relevant for the estimation of conversion factors, that the information for that longer period is used;

(c)

for retail exposures, where the institution does not give equal importance to all historical data used, that this is justified by better prediction of drawings on commitments and that, if a zero weight or a very small weight is applied to a specific period, this is either duly justified or leads to more conservative estimates.

Article 54

Method of conversion factors estimation

When assessing the method of estimating conversion factors as referred to in Article 182 of the Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the institution assesses estimates of conversion factors by facility grade or pool;

(b)

the average realised conversion factors by facility grade or pool are calculated using the number of default weighted average;

(c)

all observed defaults within the data sources are used for conversion factors estimation;

(d)

the possibility of additional drawings is taken into account in a conservative manner, except for retail exposures when they are included in the LGD estimates;

(e)

the institution’s policies and strategies regarding account monitoring, including limit monitoring, and payment processing are reflected in the conversion factors estimation;

(f)

all of the following are adequate to the type of exposures to which they are applied:

(i)

the functional and structural form of the estimation method;

(ii)

assumptions on which the estimation method is based;

(iii)

where applicable the method of estimation of the downturn effect;

(iv)

the length of the historical observation period in accordance with Article 53;

(v)

the margin of conservatism applied in accordance with Article 44;

(vi)

the human judgement;

(vii)

where applicable, the choice of risk drivers.

Article 55

Use of conversion factor estimates appropriate for economic downturn

When assessing whether the requirement to use conversion factor estimates that are appropriate for an economic downturn as laid down in point (b) of Article 182(1) of Regulation (EU) No 575/2013 is fulfilled, competent authorities shall verify that:

(a)

the institution uses conversion factor estimates that are appropriate for an economic downturn, where those are more conservative than the long-run average;

(b)

the institution provides both the long-run averages and the conversion factor estimates appropriate for an economic downturn for justification of its choices;

(c)

the institution applies a rigorous and well documented process for identifying an economic downturn and assessing its effects on the drawing of credit limits and for producing conversion factor estimates appropriate for an economic downturn;

(d)

the institution incorporates in the conversion factor estimates any adverse dependencies that have been identified between on the one hand the selected economic indicators and on the other hand the drawing of credit limits.

Article 56

Requirements on policies and strategies for account monitoring and payment processing

In order to assess compliance with the requirements regarding the estimation of the conversion factors as referred to in point (d) and (e) of Article 182(1) of Regulation (EU) No 575/2013, competent authorities shall verify that the institution has policies and strategies in place in respect of account monitoring and payment processing, and has adequate systems and procedures to monitor facility amounts on a daily basis.

SECTION 6

Methodology for assessing the effect of guarantees and credit derivatives

Article 57

Eligibility of guarantors and guarantees

When assessing compliance with the requirements for assessing the effect of guarantees and credit derivatives on risk parameters as referred to in Article 183 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the institution has clearly specified criteria for identifying situations where PD estimates or LGD estimates are to be adjusted in order to incorporate mitigating effects of guarantees, and that those criteria are used consistently over time;

(b)

where the PD of the protection provider is to be used for the purpose of adjusting the risk-weighted exposure amounts in accordance with Article 153(3) of Regulation (EU) No 575/2013, the mitigating effects of guarantees are not included in the estimates of LGD or PD of the obligor;

(c)

the institution has clearly specified criteria for recognising guarantors and guarantees for the calculation of risk-weighted exposure amounts, in particular through own estimates of LGD or PD;

(d)

the institution documents the criteria for adjusting own estimates of LGD or PD to reflect the effects of guarantees;

(e)

in its own estimates of LGD or PD the institution recognises only the guarantees that meet the following criteria:

(i)

where the guarantor is internally rated by the institution with a rating system that has already been approved by the competent authorities for the purpose of the IRB Approach, the guarantee meets the requirements laid down in Article 183(1)(c) of Regulation (EU) No 575/2013;

(ii)

where the institution has received permission to use the Standardised Approach pursuant to Articles 148 and 150 of Regulation (EU) No 575/2013 for exposures to entities such as the guarantor both of the following are met:

the guarantor is assigned to an exposure class in accordance with Article 147 of Regulation (EU) No 575/2013 as an institution, a central government, a central bank or a corporate entity that has been given a credit assessment by an ECAI,

the guarantee meets the requirements set out in Articles 213 to 216 of Regulation (EU) No 575/2013.

(f)

the institution meets the requirements of points (a) and (e) also for the single-name credit derivatives.

SECTION 7

Methodology for assessing the requirements for purchased receivables

Article 58

Risk parameter estimates for purchased corporate receivables

1.   When assessing the adequacy of PD and LGD estimates for purchased corporate receivables, where the institution derives PD or LGD for purchased corporate receivables from an estimate of EL in accordance with Article 160(2) and point (e) and (f) of Article 161(1) and an appropriate estimate of PD or LGD, competent authorities shall verify that:

(a)

EL is estimated from the long-run average of one-year total loss rates or by another appropriate approach;

(b)

the process for estimating the total loss is consistent with the concept of LGD as set out in Article 181(1)(a) of Regulation (EU) No 575/2013;

(c)

that the institution is able to decompose its EL estimates into PDs and LGDs in a reliable way;

(d)

in the case of purchased corporate receivables where Article 153(6) of Regulation (EU) No 575/2013 is applied, sufficient external and internal data are used.

2.   When assessing the adequacy of PD and LGD estimates for purchased corporate receivables in cases other than those referred to in paragraph 1, competent authorities shall:

(a)

assess those estimates in accordance with Articles 42 to 52;

(b)

verify that the requirements of Article 184 of Regulation (EU) No 575/2013 are met.

CHAPTER 9

ASSESSMENT METHODOLOGY FOR ASSIGNMENT OF EXPOSURES TO EXPOSURE CLASSES

Article 59

General

1.   In order to assess compliance of an institution with the requirement to assign each exposure to a single exposure class consistently over time as laid down in Article 147 of Regulation (EU) No 575/2013, competent authorities shall assess the following:

(a)

the institution’s assignment methodology and its implementation, in accordance with Article 60;

(b)

the assignment sequence of the exposures to exposure classes, in accordance with Article 61;

(c)

whether specific considerations with regard to the retail exposure class have been taken into account by the institution, in accordance with Article 62.

2.   For the purpose of the assessment under paragraph 1, competent authorities shall apply all of the following methods:

(a)

review the institution’s relevant internal policies, procedures and assignment methodology;

(b)

review the relevant minutes of the institution’s internal bodies, including the management body, or committees;

(c)

review the relevant findings of the internal audit or of other control functions of the institution;

(d)

review the progress reports on the efforts made by the institution to correct shortcomings and mitigate risks detected during relevant audits;

(e)

obtain written statements from or interview the relevant staff and senior management of the institution;

(f)

review the criteria used by the personnel responsible for the manual assignment of exposures to exposure classes.

3.   For the purpose of the assessment under paragraph 1, competent authorities may also apply any of the following additional methods:

(a)

conduct sample testing and review documents related to the characteristics of an obligor and to the origination and maintenance of the exposures;

(b)

review the functional documentation of the relevant IT systems;

(c)

compare the institution’s data with data publicly available, including data recorded in the database maintained by EBA in accordance with Article 115(2) of Regulation (EU) No 575/2013 or in the databases maintained by the competent authorities;

(d)

verify the institution’s compliance with the Commission Implementing Decision 2014/908/EU (7) on the equivalence of the supervisory and regulatory requirements of certain third countries and territories for the purposes of the treatment of exposures according to Regulation (EU) No 575/2013;

(e)

perform own tests on the data of the institution or request the institution to perform tests proposed by the competent authorities;

(f)

review other relevant documents of the institution.

Article 60

Assignment methodology and its implementation

1.   When assessing the institution’s assignment methodology in accordance with Article 147 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the methodology is fully documented and complies with all requirements laid down in Article 147 of Regulation (EU) No 575/2013;

(b)

the methodology reflects the assigning sequence laid down in Article 61;

(c)

the methodology includes a list of the regulatory and supervisory regimes of third countries considered equivalent to those applied in the Union in accordance with the Implementing Decision 2014/908/EU as referred to in Article 107(4), Article 114(7), Article 115(4) and Article 116(5) of Regulation (EU) No 575/2013, when such an equivalence is required for the assignment of an exposure to a specific class.

2.   When assessing the implementation of the assignment methodology as referred to in paragraph 1, competent authorities shall verify that:

(a)

the procedures governing the input and transformations of data in the IT systems are sufficiently robust to ensure correct assignment of each exposure to an exposure class;

(b)

sufficiently detailed criteria are available for the personnel responsible for the assignment of the exposures to ensure a consistent assignment;

(c)

the assignment to equity exposures, items representing securitisation positions and exposures identified as specialised lending exposures in accordance with Article 147(8) of Regulation (EU) No 575/2013 is performed by personnel who are aware of the terms and conditions and of the relevant details of the transaction that determine the identification of those exposures;

(d)

the assignment is performed using the most recent data available.

3.   For exposures to CIU, competent authorities shall verify that the institutions make every effort to assign the underlying exposures to adequate exposure classes in accordance with Article 152 of Regulation (EU) No 575/2013.

Article 61

Assigning sequence

When assessing whether the institution assigns exposures to exposure classes in compliance with Article 147 of Regulation (EU) No 575/2013, the competent authorities shall verify that the assignment is carried out in the following sequence:

(a)

first, exposures eligible to be classified under equity exposures, items representing securitisation positions and other non-credit obligation assets are assigned to those classes in accordance with points (e), (f) and (g) of Article 147(2) of Regulation (EU) No 575/2013;

(b)

second, exposures which have not been assigned in accordance with point (a) and which are eligible to be classified under the classes for exposures to central governments and central banks, exposures to institutions, exposures to corporates or retail exposures are assigned to those classes in accordance with points (a), (b), (c) and (d) of Article 147(2) of Regulation (EU) No 575/2013;

(c)

third, any credit obligations not assigned in accordance with point (a) or (b) are assigned to the class of exposures to corporates in accordance with Article 147(7) of Regulation (EU) No 575/2013.

Article 62

Specific requirements for retail exposures

1.   When assessing the assignment of exposures to the retail exposure class in accordance with Article 147(5) of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the institution distinguishes between exposures to natural persons and to SMEs based on clear criteria in a consistent manner;

(b)

for the purposes of monitoring compliance with the limit laid down in Article 147(5)(a)(ii) of Regulation (EU) No 575/2013 the institution has in place adequate procedures and mechanisms for the following:

(i)

identifying groups of connected clients and aggregating relevant exposures that each institution and its parent or subsidiaries maintain against this group of connected clients;

(ii)

assessing cases where the limit has been exceeded;

(iii)

ensuring that an exposure to an SME for which the limit has been exceeded is re-assigned to the corporate exposure class without undue delay.

2.   When verifying that retail exposures are not managed just as individually as exposures in the corporate exposure class in the meaning of Article 147(5)(c) of Regulation (EU) No 575/2013, competent authorities shall take into consideration at least the following components of the credit process:

(a)

marketing and sales activities;

(b)

type of product;

(c)

rating process;

(d)

rating system;

(e)

credit decision process;

(f)

credit risk mitigation methods;

(g)

monitoring processes;

(h)

collection and recovery process.

3.   When determining whether the criteria laid down in Article 147(5)(c) and (d) of Regulation (EU) No 575/2013 are met, competent authorities shall examine whether the assignment of exposures is consistent with the institution’s business lines and the way those exposures are managed.

4.   Competent authorities shall verify that the institution assigns each retail exposure to a single category of exposures to which the relevant correlation coefficient applies in accordance with paragraphs (1), (3) and (4) of Article 154 of Regulation (EU) No 575/2013:

(a)

for the purposes of verifying compliance with points (d) and (e) of Article 154(4) of Regulation (EU) No 575/2013, competent authorities shall verify that:

(i)

the volatility of loss rates for qualifying revolving retail exposures portfolio is low relative to their average level of loss rates, by assessing the institution’s comparison of the volatility of loss rates for qualifying revolving retail exposures portfolio as opposed to other retail exposures or to other benchmark values;

(ii)

the risk management of qualifying revolving retail exposures portfolio is consistent with the underlying risk characteristics, including loss rates;

(b)

for the purposes of verifying compliance with Article 154(3) of Regulation (EU) No 575/2013, competent authorities shall verify that for all exposures where the immovable property collateral is used in the own-LGD estimates in accordance with Article 181(1)(f) of Regulation (EU) No 575/2013, the coefficient of correlation laid down in Article 154(3) of Regulation (EU) No 575/2013 is assigned.

CHAPTER 10

ASSESSMENT METHODOLOGY FOR STRESS TEST USED IN ASSESSMENT OF CAPITAL ADEQUACY

Article 63

General

1.   In order to assess the soundness of an institution’s stress test used in the assessment of its capital adequacy in accordance with Article 177 of Regulation (EU) No 575/2013, competent authorities shall verify all of the following:

(a)

the adequacy of methods used in designing the stress tests, in accordance with Article 64;

(b)

the robustness of the organisation of the stress testing process, in accordance with Article 65;

(c)

the integration of the stress tests in the risk and capital management processes, in accordance with Article 66.

2.   For the purposes of the assessment under paragraph 1, competent authorities shall apply all of the following methods:

(a)

review the institution’s internal policies, methods and procedures on the design and execution of stress test;

(b)

review the institution’s outcomes of the stress test;

(c)

review the roles and responsibilities of the units and management bodies involved in the designing, approval and execution of the stress test;

(d)

review the relevant minutes of the institution’s internal bodies, including the management body, or committees;

(e)

review the relevant findings of the internal audit or of other control functions of the institution;

(f)

review the progress reports on the efforts made by the institution to correct shortcomings and mitigate risks detected during relevant audits;

(g)

obtain written statements from or interview the relevant staff and senior management of the institution.

3.   For the purposes of the assessment under paragraph 1, competent authorities may also apply any of the following additional methods:

(a)

review the functional documentation of the IT systems used for the stress test;

(b)

request the institution to perform a computation of the stress test based on alternative assumptions;

(c)

perform their own stress test calculations based on the institution’s data for certain types of exposures;

(d)

review other relevant documents of the institution.

Article 64

Adequacy of methods used in designing the stress tests

1.   When assessing the adequacy of methods used in designing the stress tests used by the institution in the assessment of the capital adequacy in accordance with Article 177 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the tests are meaningful, reasonably conservative and capable of identifying the effects on the institution’s total capital requirements for credit risk under severe, but plausible, recession scenarios;

(b)

the tests cover at least all material IRB portfolios;

(c)

the methods are consistent to the extent appropriate with methods used by the institution for the purpose of internal capital allocation stress tests;

(d)

the documentation of the methodology of stress tests including internal and external data as well as expert judgment input is detailed enough to allow third parties to understand the rational for the chosen scenarios and to replicate the stress test.

2.   For the purpose of the assessment under paragraph 1(a), competent authorities shall verify that the stress tests include at least the following steps:

(a)

an identification of the scenarios including severe, but plausible, recession scenarios and, the adjustment in accordance with Article 153(3) of Regulation (EU) No 575/2013, of the scenario envisaging deterioration of credit quality of protection providers;

(b)

an assessment of the impact of identified scenarios on the institution’s risk parameters, rating migration, expected losses and calculation of own funds requirements for credit risk;

(c)

an assessment of the adequacy of own funds requirements.

3.   When assessing the adequacy of scenarios referred to in paragraph 2(a), competent authorities shall verify the soundness of the following methodologies:

(a)

the methodology for identifying a group of economic drivers;

(b)

the methodology for building stress scenarios, including their severity, duration and likelihood of occurrence;

(c)

the methodology for projecting the impact of each scenario on the relevant risk parameters.

Article 65

Organisation of the stress testing process

When assessing the robustness of the organisation of the stress testing process used by the institution in the assessment of the capital adequacy in accordance with Article 177 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the stress test is performed regularly and at least on a yearly basis;

(b)

the roles and responsibilities of the unit or units in charge of the design and execution of the stress test are clearly defined;

(c)

the results of stress tests are approved at an adequate management level and that senior management is informed of the results in a timely manner;

(d)

the IT infrastructure effectively supports the performance of stress tests.

Article 66

Integration of the stress tests in the risk and capital management processes

When assessing the integration of the stress tests in the risk and capital management processes of the institution for the purposes of Article 177 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the institution takes into account the results of stress tests in its decision-making process, in particular with regard to risk and capital management;

(b)

the institution takes into account the results of stress tests within the capital management process and identifies possible events or future changes in economic conditions for the purposes of capital requirements.

CHAPTER 11

ASSESSMENT METHODOLOGY FOR THE CALCULATION OF OWN FUNDS REQUIREMENTS

Article 67

General

1.   In order to assess whether an institution calculates the own funds requirements using its risk parameters for different exposure classes in accordance with Article 110(2) and (3), point (g) of Article 144(1) and Articles 151 to 168 of Regulation (EU) No 575/2013 and is able to carry out the reporting required by Article 430 of Regulation (EU) No 575/2013, competent authorities shall verify all of the following:

(a)

the reliability of the system used for the calculation of own funds requirements, in accordance with Article 68;

(b)

the data quality, in accordance with Article 69;

(c)

the correctness of the implementation of the methodology and procedures for different exposure classes, in accordance with Article 70;

(d)

the organisation of the process for the calculation of own funds requirements, in accordance with Article 71.

2.   As regards groups, competent authorities shall for the purpose of the assessment under paragraph 1 take into consideration the structure of the banking group and the established roles and responsibilities of the parent institution and its subsidiaries.

3.   For the purposes of the verification under paragraphs 1 and 2, competent authorities shall apply all of the following methods:

(a)

review the institution’s internal policies and procedures with regard to the process of calculation of own funds requirements, including the sources of data, calculation methods and controls applied;

(b)

review the relevant roles and responsibilities of the different units and internal bodies involved in the process of calculation of own funds requirements;

(c)

review the relevant minutes of the institution’s internal bodies, including the management body, or committees;

(d)

review the documentation of the tests of the calculation system, including the scenarios covered in the tests, their results and approvals;

(e)

review the relevant control reports, including the results of reconciliation of data stemming from different sources;

(f)

review the relevant findings of the internal audit or of other control functions of the institution;

(g)

review the progress reports on the efforts made by the institution to correct shortcomings and mitigate risks detected during relevant audits;

(h)

obtain written statements from or interview the relevant staff and senior management of the institution.

4.   For the purpose of the assessment under paragraphs 1 and 2, competent authorities may also apply any of the following additional methods:

(a)

review the functional documentation of the IT systems used for the calculation of own funds requirements;

(b)

request the institution to perform a live computation of the own funds requirements for certain types of exposures;

(c)

perform own sample testing of the calculation of own funds requirements on institution’s data for certain types of exposures;

(d)

perform own tests on the data of the institution or request the institution to perform tests proposed by the competent authorities;

(e)

review other relevant documents of the institution.

Article 68

Reliability of the system used for the calculation of own funds requirements

When assessing the reliability of the institution’s system used for the calculation of own funds requirements as referred to in Article 144(1)(g) of Regulation (EU) No 575/2013, in addition to the requirements of Article 72 to 75 regarding the assessment methodology for data maintenance, competent authorities shall verify that:

(a)

the control tests performed by the institution to confirm that the calculation of own funds requirements is compliant with Articles 151 to 168 of Regulation (EU) No 575/2013 are complete;

(b)

those control tests are reliable, and in particular that the calculations made in the system used for the own funds requirements are coherent with the calculations made in an alternative calculation tool;

(c)

the frequency of the control tests performed by the institution is adequate and the tests take place at least at the moment of the implementation of the algorithms for the calculation of own funds requirements and in all other cases where changes to the system are made.

Article 69

Data quality

1.   When assessing the data quality used for the calculation of own funds requirements referred to in Article 144(1)(g) of Regulation (EU) No 575/2013, in addition to the requirements in Article 73, competent authorities shall verify the mechanisms and procedures implemented by the institution for identifying the exposure values with all relevant characteristics, including data relating to risk parameters and credit risk mitigation techniques. Competent authorities shall verify that:

(a)

the risk parameters are complete, including in cases where missing parameters are substituted by default values, and that where such a substitution has taken place, it is conservative, justified and documented;

(b)

the range of the parameter values complies with the regulatory and minimum values specified in Articles 160 to 164 of Regulation (EU) No 575/2013;

(c)

the data used in the calculation of own funds requirements is consistent with the data used in other internal processes;

(d)

the application of risk parameters is in accordance with the exposure characteristics, and in particular that the LGD assigned is accurate and consistent with the type of exposure and collateral used to secure the exposure in accordance with Article 164 and Article 230(2) of Regulation (EU) No 575/2013;

(e)

the calculation of the exposure value is correct, and in particular the netting agreements and the classification of off-balance sheet items are used in accordance with Article 166 of Regulation (EU) No 575/2013;

(f)

where the PD/LGD method is applied for equity exposures, the classification of the exposures and the application of risk parameters is correct in accordance with Article 165 of Regulation (EU) No 575/2013.

2.   When assessing the coherence of the data used for the calculation of own funds requirements with the data used for internal purposes in accordance with Articles 18 to 22 on assessment methodology for use test and experience test, competent authorities shall verify that:

(a)

there are adequate control and reconciliation mechanisms in place to ensure that the values of risk parameters used in the calculation of own funds requirements are consistent with the value of parameters used for internal purposes;

(b)

there are adequate control and reconciliation mechanisms in place to ensure that the value of exposures for which the own funds requirements are calculated is consistent with the accounting data;

(c)

the calculation of own funds requirements for all exposures included in the general ledger of the institution is complete, and that the split between the exposures under the IRB Approach and the Standardised Approach complies with Articles 148 and 150 of Regulation (EU) No 575/2013.

Article 70

Correctness of the implementation of the methodology and procedures for different exposure classes

When assessing the correctness of the implementation of the methodology and procedures for the calculation of own funds requirements referred to in Article 144(1)(g) of Regulation (EU) No 575/2013 for different exposure classes, competent authorities shall verify that:

(a)

the risk weight formula is implemented correctly in accordance with Articles 153 and 154 of Regulation (EU) No 575/2013, taking into account the assignment of exposures to exposure classes;

(b)

the calculation of the correlation coefficient is done based on the characteristics of the exposures, in particular that the total sales parameter is applied on the basis of consolidated financial information;

(c)

where the risk-weighted exposure amount is adjusted in accordance with Article 153(3) of Regulation (EU) No 575/2013, the adjustment is based on all of the following considerations:

(i)

the information on the PD of the protection provider is applied correctly;

(ii)

the PD of the protection provider is estimated with the use of the rating system that has been approved by the competent authorities under the IRB Approach;

(d)

the calculation of the maturity parameter is correct, and in particular:

(i)

that the expiry date of the facility is used for the purpose of calculation of the maturity parameter in accordance with Article 162(2)(f) of Regulation (EU) No 575/2013;

(ii)

that in cases where the maturity parameter is lower than one year this is adequately justified and documented for the purpose of Article 162(1), (2) and (3) of Regulation (EU) No 575/2013;

(e)

the floors for the exposure-weighted average LGD for retail exposures secured by residential property and commercial real estate, which are not benefiting from guarantees of central governments laid down in Article 164(4) and (5) of Regulation (EU) No 575/2013, are calculated at the aggregated level of all retail exposures secured by residential property and commercial real estate respectively, and that, where the exposure-weighted average LGD at the aggregated level is below the respective floors, relevant adjustments are applied consistently over time by the institution;

(f)

the application of different approaches for different equity portfolios where the institution itself uses different approaches for internal risk management in accordance with Article 155 of Regulation (EU) No 575/2013, is correct, in particular that the choice of the approach:

(i)

does not lead to underestimation of own funds requirements;

(ii)

is made consistently, including over time;

(iii)

is justified by internal risk management practices;

(g)

where the simple risk weight approach is used in accordance with Article 155(2) of Regulation (EU) No 575/2013, the application of risk weights is correct, in particular that the risk weight of 190 % is used only for sufficiently diversified portfolios, where the institution has proved that significant reduction of risk has been achieved as a result of the diversification of the portfolio in comparison to the risk of individual exposures in the portfolio;

(h)

the calculation of the difference between expected loss amounts and credit risk adjustments, additional value adjustments and other own funds reductions in accordance with Article 159 of Regulation (EU) No 575/2013 is correct, and in particular:

(i)

that the calculation is performed separately for the portfolio of defaulted exposures and the portfolio of exposures that are not in default;

(ii)

where the calculation performed for the defaulted portfolio results in a negative amount, that this amount is not used to offset the positive amounts resulting from the calculation performed for the portfolio of exposures that are not in default;

(iii)

that the calculation is performed gross of tax effects;

(i)

the various approaches for the treatment of exposures in the form of units or shares in CIUs are applied correctly, and in particular:

(i)

that the institution correctly distinguishes between exposures in CIUs subject to the look-through approach as set out in Article 152(1) and (2) of Regulation (EU) No 575/2013 and other exposures in CIUs;

(ii)

that the exposures in CIUs treated in accordance with Article 152(1) or (2) of Regulation (EU) No 575/2013 meet the eligibility criteria of Article 132(3) of that Regulation;

(iii)

where the institution uses the approach laid down in Article 152(4) of Regulation (EU) No 575/2013 for the calculation of the average risk-weighted exposure amounts, that:

the correctness of the calculation is confirmed by an external auditor,

the multiplication factors laid down in Article 152(2)(b)(i) and (ii) of Regulation (EU) No 575/2013 are applied correctly,

where the institution relies on a third party for the calculation of the risk- weighted exposure amounts, that the third party meets the requirements of Article 152(4)(a) and (b) of Regulation (EU) No 575/2013.

Article 71

Organisation of the process for the calculation of own funds requirements

When assessing the soundness of the process for the calculation of own funds requirements as referred to in Article 144(1)(g) of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the allocation of responsibilities of the unit or units in charge of the control and management of the calculation process, in particular the allocation of responsibilities for the specific controls to be performed at each step of the calculation process, is clearly defined;

(b)

relevant procedures, including back-up procedures, ensure that the calculation of own funds requirements is carried out in accordance with Article 430 of Regulation (EU) No 575/2013;

(c)

all input data, including the values of risk parameters and the previous versions of the system, are stored to allow replication of the calculation of own funds requirements;

(d)

the results of the calculation are approved on an adequate management level and that senior management is informed about possible errors or inadequacies of the calculation and the measures to be taken.

CHAPTER 12

ASSESSMENT METHODOLOGY FOR DATA MAINTENANCE

Article 72

General

1.   When assessing compliance with the requirements on data maintenance laid down in Article 144(1)(d) and Article 176 of Regulation (EU) No 575/2013, competent authorities shall evaluate all of the following:

(a)

the quality of the internal, external or pooled data, including the data quality management process, in accordance with Article 73;

(b)

the data documentation and reporting, in accordance with Article 74;

(c)

the relevant IT infrastructure, in accordance with Article 75.

2.   For the purpose of the assessment under paragraph 1, competent authorities shall apply all of the following methods:

(a)

review the data quality management policies, methods and procedures relevant to the data used in the IRB Approach;

(b)

review the relevant data quality reports, as well as their conclusions, findings and recommendations;

(c)

review the IT infrastructure policies and IT systems management procedures, including the contingency planning policies, relevant for the IT systems used for the purpose of the IRB Approach;

(d)

review the relevant minutes of the institution’s internal bodies, including management body, or committees;

(e)

review the relevant findings of the internal audit or of other control functions of the institution;

(f)

review the progress reports on the efforts made by the institution to correct shortcomings and mitigate risks detected during relevant audits;

(g)

obtain written statements from or interview the relevant staff and senior management of the institution.

3.   For the purpose of the assessment under paragraph 1, competent authorities may also apply any of the following additional methods:

(a)

perform own tests on the data of the institution or request the institution to perform tests proposed by the competent authorities;

(b)

review other relevant documents of the institution.

Article 73

Data quality

1.   When assessing the quality of internal, external or pooled data necessary to effectively support credit risk measurement and management process in accordance with Article 144(1)(d) and Article 176 of Regulation (EU) No 575/2013, competent authorities shall verify:

(a)

the completeness of values in the attributes that require them;

(b)

the accuracy of data ensuring that the data is substantively error-free;

(c)

the consistency of data ensuring that a given set of data can be matched across different data sources of the institution;

(d)

the timeliness of data values ensuring that the values are up-to-date;

(e)

the uniqueness of data ensuring that the aggregate data is free from any duplication given by filters or other transformations of source data;

(f)

the validity of data ensuring that the data is founded on an adequate system of classification, rigorous enough to compel acceptance;

(g)

the traceability of data ensuring that the history, processing and location of data under consideration can be easily traced.

2.   When assessing the data quality management process, competent authorities shall verify that:

(a)

all of the following are in place:

(i)

adequate data quality standards that set the objectives and the overall scope of the data quality management process;

(ii)

adequate policies, standards and procedures for data collection, storage, migration, actualisation and use;

(iii)

a practice of continuously updating and improving of the data quality management process;

(iv)

a set of criteria and procedures for determining conformity with the data quality standards, and in particular the general criteria and process of data reconciliation across and within systems including among accounting and internal ratings-based data;

(v)

adequate processes for internally assessing and constantly improving data quality, including the process of issuing internal recommendations to address problems in areas which need improvement and the process of implementing these recommendations with a priority based on their materiality and in particular the process for addressing material discrepancies arising during the data reconciliation process;

(b)

there is a sufficient degree of independence of the data collection process from the data quality management process, including a separation of the organizational structure and staff, where appropriate.

Article 74

Data documentation and reporting

1.   When assessing the documentation of data necessary to effectively support credit risk measurement and management process in accordance with Articles 144(1)(d) and 176 of Regulation (EU) No 575/2013 competent authorities shall evaluate all of the following:

(a)

the specification of the set of databases and in particular:

(i)

the global map of databases involved in the calculation systems used for the purpose of the IRB Approach;

(ii)

the relevant sources of data;

(iii)

the relevant processes of data extraction and transformation and criteria used in this regard;

(iv)

the relevant functional specification of databases, including their size, date of construction, data dictionaries specifying the content of the fields and of the different values inserted in the fields with clear definitions of data items;

(v)

the relevant technical specification of databases, including the type of database, tables, database management system and database architecture, and data models given in any standard data modelling notation;

(vi)

the relevant work-flows and procedures relating to data collection and data storage;

(b)

the data management policy and allocation of responsibilities, including users’ profiles and data owners;

(c)

the transparency, accessibility and consistency of the controls implemented in the data management framework.

2.   When assessing data reporting, competent authorities shall verify, in particular, that data reporting:

(a)

specifies the scope of reports or reviews, the findings and, where applicable, the recommendations to address weaknesses or shortcomings detected;

(b)

is communicated to the senior management and management body of the institution with an adequate frequency and that the level of the recipient of the data reporting is consistent with the institution's organizational structure, and the type and significance of the information;

(c)

is performed regularly and where appropriate, also on an ad hoc basis;

(d)

provides adequate evidence that the recommendations are sufficiently addressed and properly implemented by the institution.

Article 75

IT infrastructure

1.   When assessing the architecture of the IT systems, of relevance to the institution’s rating systems and to the application of the IRB Approach in accordance with Article 144 of Regulation (EU) No 575/2013, competent authorities shall evaluate all of the following:

(a)

the IT systems architecture including all applications, their interfaces and interactions;

(b)

a data flow diagram showing a map of the key applications, databases and IT components involved in the application of the IRB Approach and relating to rating systems;

(c)

the assignment of IT systems owners;

(d)

the capacity, scalability and efficiency of IT systems;

(e)

the manuals of the IT systems and databases.

2.   When assessing the soundness, safety and security of the IT infrastructure that is of relevance to the institution’s rating systems and to the application of the IRB Approach, competent authorities shall verify that:

(a)

the IT infrastructure can support the ordinary and extraordinary processes of an institution in a timely, automatic and flexible manner;

(b)

the risk of suspension of the abilities of the IT infrastructure (‘failures’), the risk of loss of data and the risk of incorrect evaluations (‘faults’) are appropriately addressed;

(c)

the IT infrastructure is adequately protected against theft, fraud, manipulation or sabotage of data or systems by malicious insiders or outsiders.

3.   When assessing the robustness of the IT infrastructure that is of relevance to the institution’s rating systems and to the application of the IRB Approach, competent authorities shall verify that:

(a)

the procedures to back up the IT systems, data and documentation are implemented and tested on a periodic basis;

(b)

continuity action plans are implemented for critical IT systems;

(c)

the recovery procedures of IT systems in case of failure are defined and tested on a periodic basis;

(d)

the management of IT systems users is compliant with the institution’s relevant policies and procedures;

(e)

audit trails are implemented for critical IT systems;

(f)

the management of changes of IT systems is adequate and the monitoring of changes covers all IT systems.

4.   When assessing whether the IT infrastructure that is of relevance to the institution’s rating systems and to the application of the IRB Approach is reviewed both regularly and on an ad hoc basis, competent authorities shall verify that:

(a)

regular monitoring and ad hoc reviews result in recommendations to address weaknesses or shortcomings, where detected;

(b)

the findings and the recommendations referred to in point (a) are communicated to the senior management and management body of the institution;

(c)

there is adequate evidence that the recommendations are properly addressed and implemented by the institution.

CHAPTER 13

ASSESSMENT METHODOLOGY OF INTERNAL MODELS FOR EQUITY EXPOSURES

Article 76

General

1.   When assessing whether an institution is able to develop and validate the internal model for equity exposures and to assign each exposure to the range of application of an internal models approach for equity exposures as required by points (f) and (h) of Article 144(1) and Articles 186, 187 and 188 of Regulation (EU) No 575/2013, competent authorities shall evaluate all of the following:

(a)

the adequacy of the data used, in accordance with Article 77;

(b)

the adequacy of the models, in accordance with Article 78;

(c)

the comprehensiveness of the stress-testing programme, in accordance with Article 79;

(d)

the integrity of the model and modelling process, in accordance with Article 80;

(e)

the adequacy of the assignment of exposures to the internal models approach, in accordance with Article 81;

(f)

the adequacy of the validation function, in accordance with Article 82.

2.   For the purposes of the evaluation under paragraph 1, competent authorities shall apply all of the following methods:

(a)

review the institution’s relevant internal policies and procedures;

(b)

review the institution’s technical documentation on the methodology and process of the development of the internal model for equity exposures;

(c)

review and challenge the relevant development manuals, methodologies and processes;

(d)

review the roles and responsibilities of the different units and internal bodies involved in the design, validation and application of the internal model for equity exposures;

(e)

review the relevant minutes of the institution’s internal bodies, including the management body, or committees;

(f)

review the relevant reports on the performance of the internal models for equity exposures and the recommendations by the credit risk control unit, validation function, internal audit function or any other control function of the institution;

(g)

review the relevant progress reports on the efforts made by the institution to correct shortcomings and mitigate risks detected during monitoring, validations and audits;

(h)

obtain written statements from or interview the relevant staff and senior management of the institution.

3.   For the purposes of the evaluation under paragraph 1, competent authorities may also apply any of the following additional methods:

(a)

request and analyse data used in the process of development of internal models for equity exposures;

(b)

conduct their own or replicate the institution’s Value at Risk estimations using relevant data supplied by the institution;

(c)

request the provision of additional documentation or analysis substantiating the methodological choices and the results obtained;

(d)

review the functional documentation of the IT systems used for the value at risk calculation;

(e)

review other relevant documents of the institution.

Article 77

Adequacy of the data

When assessing the adequacy of the data used to represent the actual return distributions on equity exposures in accordance with Article 186 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the data represents the risk profile of the institution’s specific equity exposures;

(b)

the data is sufficient to provide statistically reliable loss estimates, or it has been adequately adjusted in order to attain model outputs that achieve appropriate realism and conservatism;

(c)

the data used comes from external sources or, where internal data is used, it is independently reviewed by a relevant control function of the institution;

(d)

the data reflects the longest available period in order to provide a conservative estimate of potential losses over a relevant long-term or business cycle, and in particular that it includes the period of significant financial stress relevant to the institution’s portfolio;

(e)

where converted-quarterly data from a shorter horizon is used, that the conversion procedure is supported by empirical evidence through a well-developed and documented approach and applied conservatively and consistently over time;

(f)

the longest time horizon is chosen which allows the estimation of the 99 percentile with non-overlapping observations.

Article 78

Adequacy of the models

When assessing the adequacy of the models used to estimate the equity return distributions for the calculation of own funds requirements in accordance with Article 186 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the model is appropriate for the risk profile and complexity of an institution's equity portfolio, and that where the institution has material holdings with values that are highly non-linear in nature, the model accounts for that in an appropriate manner;

(b)

the mapping of individual positions to proxies, market indices and risk factors is plausible, intuitive and conceptually sound;

(c)

the selected risk factors are appropriate and effectively cover both general and specific risk;

(d)

the model adequately explains the historical price variation;

(e)

the model captures both the magnitude of potential concentrations and changes in their composition.

Article 79

Comprehensiveness of the stress-testing programme

1.   When assessing the comprehensiveness of the stress-testing programme required under Article 186(g) of Regulation (EU) No 575/2013, competent authorities shall verify that the institution is able to provide loss estimates under alternative adverse scenarios and that those scenarios are different from the ones used by the internal model but still likely to occur.

2.   For the purpose of the assessment under paragraph 1, competent authorities shall verify that:

(a)

the alternative adverse scenarios are relevant to the specific holdings of the institution, reflect significant losses to the institution and capture effects which are not reflected in the outcomes of the model;

(b)

the outcomes of the model under the alternative adverse scenarios are used in the actual risk management for the equity portfolio and are periodically reported to senior management;

(c)

the alternative adverse scenarios are periodically reviewed and updated.

Article 80

Integrity of the model and modelling process

1.   When assessing the integrity of the models and modelling process required under Article 187 of Regulation (EU) No 575/2013, competent authorities shall verify that:

(a)

the internal model is fully integrated into the management of the non-trading book equity portfolio, the overall management information systems of the institution and the institution's risk management infrastructure and is used to monitor the investment limits and the risk of equity exposures;

(b)

the modelling unit is competent and independent from the unit responsible for managing the individual investments.

2.   For the purpose of the assessment under paragraph 1(a), competent authorities shall verify that:

(a)

the institution’s management body and senior management are actively involved in the risk control process in the sense that they have, endorsed a set of investment limits based, among other factors, on the internal model’s results;

(b)

the reports produced by the risk control unit are reviewed by persons at a level of management with sufficient authority to enforce reductions of positions as well as reduction in the institution’s overall risk exposure;

(c)

action plans are in place for market crisis situations affecting activities within the model’s scope, describing the events that trigger them and the planned actions.

3.   For the purpose of the assessment under paragraph 1(b), competent authorities shall verify that:

(a)

the staff and the senior management responsible for the modelling unit do not perform tasks relating to managing the individual investments;

(b)

the senior managers of modelling units and of units responsible for managing the individual investments have different reporting lines at the level of the management body of the institution or the committee designated by it;

(c)

the remuneration of the staff and of the senior management responsible for the modelling unit is not linked to the performance of the tasks relating to managing the individual investments.

Article 81

Adequacy of assignment of exposures to the internal models approach

When assessing the adequacy of the assignment of each exposure in the range of application of an approach for equity exposures to the internal models approach in accordance with Article 144(1)(h) of Regulation (EU) No 575/2013, competent authorities shall evaluate the definitions, processes and criteria for assigning or reviewing the assignment.

Article 82

Adequacy of the validation function

When assessing the adequacy of the validation function with regard to the requirements laid down in point (f) of Article 144(1) and Article 188 of Regulation (EU) No 575/2013, competent authorities shall apply Articles 10 to 13 and shall verify that:

(a)

the institution compares the first percentile of the actual equity returns with the modelled estimates at least on a quarterly basis;

(b)

the comparison referred to in point (a) makes use of an observation period equal at least to one year and of a time horizon that allows the computation of the first percentile based on non-overlapping observations;

(c)

where the percentage of observations below the estimated first percentile of equity returns is above 1 %, this is adequately justified and relevant remedial actions are taken by the institution.