EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 32024R1085

Commission Delegated Regulation (EU) 2024/1085 of 13 March 2024 supplementing Regulation (EU) No 575/2013 of the European Parliament and of the Council with regard to regulatory technical standards on the assessment methodology under which competent authorities verify an institution’s compliance with the requirements to use internal models for market risk

C/2024/1678

OJ L, 2024/1085, 17.6.2024, ELI: http://data.europa.eu/eli/reg_del/2024/1085/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document In force

ELI: http://data.europa.eu/eli/reg_del/2024/1085/oj

European flag

Official Journal
of the European Union

EN

L series


2024/1085

17.6.2024

COMMISSION DELEGATED REGULATION (EU) 2024/1085

of 13 March 2024

supplementing Regulation (EU) No 575/2013 of the European Parliament and of the Council with regard to regulatory technical standards on the assessment methodology under which competent authorities verify an institution’s compliance with the requirements to use internal models for market risk

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (1), and in particular Article 325az(8), first subparagraph, point (b), and third subparagraph, thereof,

Whereas:

(1)

Institutions are only allowed to use internal models for market risk if they comply with the requirements laid down in Regulation (EU) No 575/2013. Institutions should not only comply with those requirements when they apply for permission to use those internal models, but also when they use those models, and when they apply for material extensions or changes to such internal models. It is therefore appropriate to lay down that competent authorities, when they verify whether institutions comply with those requirements, apply the same criteria and the same assessment methodology to each of those phases. However, for reasons of efficiency and to reduce administrative burdens, competent authorities, when assessing compliance by institutions that have already been granted permission to use such alternative internal models, should not be required to reassess such permission. They should rather only assess compliance with those rules that are relevant to the scope of the assessment concerned, and build, in each case, on the conclusions from previous assessments.

(2)

To ensure that institutions comply on a continuous basis with the requirements laid down in Regulation (EU) No 575/2013, competent authorities should evaluate the overall quality of the solutions, systems and approaches implemented by an institution, and request constant improvements and adaptations to changed circumstances.

(3)

To ensure harmonisation and comparability of supervisory practices across different jurisdictions, competent authorities’ assessment of whether institutions comply with the requirements laid down in Regulation (EU) No 575/2013 should comply with prescriptive assessment techniques. Competent authorities should, however, be able to take into account the nature, size and complexity of an institution’s structure and business model, the complexity of the alternative internal models, the nature of the financial products those models cover, the quality of information provided by the institution concerned, and the resources they have at their disposal. Competent authorities should therefore, when they assess whether an institution complies with the requirements laid down in Regulation (EU) No 575/2013, be granted a certain discretion, enabling them to carry out additional checks and to apply the most appropriate methods for verifying compliance with particular requirements. In addition, to enable competent authorities to conduct that assessment in a proportionate manner, and given the broad range of financial products available in trading activities, it is necessary to lay down categories of financial products of increasing level of complexity, on which competent authorities should base their assessment.

(4)

To ensure sufficient in-house understanding of the alternative internal model, including outsourced operations, it is necessary to lay down that, despite any outsourcing of some risk tools, IT systems, and risk management solutions, all key tasks, activities or functions related to the internal model are to be conducted by the risk control unit referred to in Article 325bi(1), point (b), of Regulation (EU) No 575/2013. For the same reasons, those rules should also require that the risk control unit implements adequate controls and performs quality and validation tests for any outsourced solution, that full documentation on those controls and test is available in all cases, and that competent authorities assess any tools and IT solutions obtained from third party vendors in a manner similar to cases where they have been fully developed via internal processes.

(5)

Governance and operational aspects play a central role in the proper functioning of the alternative internal model. The methodology to verify whether an institution complies with the requirements laid down in Regulation (EU) No 575/2013 (‘assessment methodology’) should therefore comprehensively assess those governance and operational aspects, including the trading desk set-up, the role of the senior management and the management body, the risk-control unit, and the independent review of the alternative internal model itself.

(6)

The assessment methodology relating to governance aspects should take into account that certain institutions that ask for permission to use the alternative internal model approach already obtained approval, before Regulation (EU) No 575/2013 was amended by Regulation (EU) 2019/876 of the European Parliament and of the Council (2), to use an internal model to calculate the own funds requirements for market risk. It is therefore necessary to lay down assessment rules that are similar to those laid down in the past for those aspects that were not amended by Regulation (EU) 2019/876, and to introduce new rules that cover new provisions introduced by that Regulation, including the trading desk requirements laid down in Article 104b of Regulation (EU) No 575/2013.

(7)

To enable competent authorities to assess compliance with the requirements for the validation and review of alternative internal models, institutions should perform the internal validation of the model at least annually. While initial validation should cover all methodologies applied throughout the internal model, it is appropriate to lay down, in consideration of staff and resources constraints, that the annual validation focuses on at least the main issues detected either in previous internal validations or previous internal audit reviews, and on any changes or new methodologies introduced in the alternative internal model.

(8)

Trading activities and financial markets are evolving constantly and rapidly. To enable competent authorities to take those characteristics into account when assessing whether institutions comply with the requirements laid down in Regulation (EU) No 575/2013, the assessment methodology should contain qualitative and procedural standards with regard to the formal approval by the institution of new financial instruments and products, and their introduction in the trading area. Standards for a formal new product approval policy are necessary to ensure that the introduction of new financial instruments and products, which may pose additional risk factors or require methodological changes to the internal risk measurement models, is fully compatible with the comprehensive control and validation.

(9)

The quality of data and the accuracy of risk estimation and of calculation of own funds requirements for market risk are highly dependent on the reliability of the IT systems used for that purpose. Equally, the continuity and consistency of the risk management processes and the calculation of own funds requirements for market risk can only be ensured where such IT systems are safe, secure, and reliable, and where the IT infrastructure is sufficiently robust. It is therefore necessary that, when assessing the market risk internal models, competent authorities also check the reliability of the institution’s IT systems and the robustness of the IT infrastructure used for the internal models.

(10)

One of the novelties of the new market risk framework laid down in Part Three, Title IV, Chapter 1b, of Regulation (EU) No 575/2013 is the determination of own funds requirements on the basis of expected shortfall measures. It is necessary to ensure that institutions actively monitor the accuracy of those figures. It is therefore appropriate to require institutions to directly back-test their expected shortfall measures as part of the internal back-testing programme required by Article 325bj of Regulation (EU) No 575/2013. As there is not yet an established methodology among market participants for back-testing an expected shortfall measure, no specific methodology should be prescribed, and institutions should be left free to take into account the evolution of new techniques and best practices in that regard, in line with the qualitative requirements set out in Article 325bi of that Regulation.

(11)

Internal-risk measurement models can only considered to be implemented with integrity, as referred to in Article 325bi(1) of Regulation (EU) No 575/2013, where all regulatory requirements are met. In addition, several building blocks of the Basel reforms in the area of market risk have been implemented in Union law by means of delegated acts, inter alia, Commission Delegated Regulation (EU) 2022/2058 (3), Commission Delegated Regulation (EU) 2022/2059 (4), Commission Delegated Regulation (EU) 2022/2060 (5), Commission Delegated Regulation (EU) 2023/1577 (6), Commission Delegated Regulation (EU) 2023/1578 (7) and Commission Delegated Regulation (EU) 2024/397 (8). It follows that competent authorities should consider whether institutions comply with the requirements laid down Regulation (EU) No 575/2013, taking into account those delegated acts. To ensure a comprehensive assessment of compliance of market risk internal models, it is necessary to specify techniques for competent authorities to assess institutions’ compliance with aspects covered both by the Regulation (EU) No 575/2013 and by those delegated regulations. For that reason, competent authorities should examine specific documentation that institutions are required to produce.

(12)

The back-testing and the profit and loss attribution requirements provide a solid basis for a critical monitoring of the performance of the internal-risk measurement model. It is therefore necessary to lay down assessment rules to consider the results of those tests. In relation to back-testing, it should be ensured that overshootings are critically analysed to identify potential weaknesses in the model, and that institutions monitor whether the changes in the portfolios’ values are driven by modellable or by non-modellable risk factors. Furthermore, in light of the profit and loss attribution test results, competent authorities should assess the accuracy of the pricing functions employed by the institution, as their accuracy is essential for a sound calculation of the own funds requirements.

(13)

In order to ensure the consistent application of the requirements laid down in Article 325bh of Regulation (EU) No 575/2013, it is necessary to further specify those requirements. Whether institutions comply with those requirements should be assessed on the basis of the broad risk factor categories referred to in Table 2 of Article 325bd of Regulation (EU) No 575/2013. It is therefore necessary, for each of those categories, to lay down how competent authorities are to assess whether basis risk is captured, and whether the treatment of curves and surfaces in the internal risk-measurement model is sound.

(14)

Due to the fast changing and evolving nature of financial markets, unreliable, inaccurate, incomplete, or outdated data result in errors in the risk estimation and in the calculation of own funds requirements, including in market risk models. In the context of risk management processes of an institution, such erroneous data may also lead to poor management decisions. Consequently, to ensure the reliability and high quality of data and their proper use in the internal processes and the processes for the calculation of own funds requirements, the way data are collected and stored and the procedures for such collecting and storing should be well documented, including a full description of the characteristics, quality checks, automatic filters, and specific sources of daily data. Competent authorities, when they assess market risk internal models, should therefore give particular attention to the quality and reliability of the data used for modelling purposes, and to the processes applied to ensure that such quality and reliability are maintained.

(15)

To ensure a correct calculation of the own funds requirements, competent authorities, when they assess the overall quality of the data, should assess whether the approach employed by the institution to proxy time series is sound. The assessment methodology should therefore verify that the requirements set out in Regulation (EU) No 575/2013 governing the usage of proxies are complied with. Where relevant, the rules laid down in that assessment methodology should differ depending on whether the time series for which a proxy has been used relates to a risk factor that passed the modellability assessment, or to a risk factor that did not.

(16)

In relation to the internal default risk model, and more in particular Articles 325bn, 325bo, 325bp of Regulation (EU) No 575/2013, it is necessary that the assessment methodology ensures that those risk models lead to accurate results. The rules laid down in the assessment methodology should therefore cover all aspects affecting the outcome of those models, including the scope of the positions captured by those models, the estimates of default probabilities and losses given default, the choice of systematic risk factors to simulate the default of issuers, and all modelling assumptions made by the institution, including any copula assumption made for simulating the default of multiple issuers.

(17)

Risks stemming from climate change and broader environmental issues are changing the risk picture for the financial sector and are expected to become even more prominent. Considering the importance of those risk drivers, competent authorities should verify that institutions consider those risk drivers in their stress testing programmes referred to in Article 325bi(1), point (g), Regulation (EU) No 575/2013. In that context, institutions have already taken steps to include environmental risks in their stress testing programmes. However, to ensure that institutions have sufficient time to fully reflect those risks in their stress testing programmes, competent authorities should assess compliance of institutions with any requirements related to climate change and broader environmental related aspects only as of 1 January 2025. Similarly, in light of the complexity of the implementation of the expected shortfall direct backtesting, institutions should be given an additional period before competent authorities assess their compliance in this area. Hence, the related date of application of the assessment should be set to start as of 1 January 2026.

(18)

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Banking Authority.

(19)

The European Banking Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (9),

HAS ADOPTED THIS REGULATION:

CHAPTER 1

GENERAL PROVISIONS

Article 1

Structure of the assessment

1.   When verifying an institution’s compliance with the requirements set out in Articles 325bh, 325bi, 325bn, 325bo, and 325bp of Regulation (EU) No 575/2013, competent authorities shall assess:

(a)

the governance aspects, in accordance with Chapter 2 of this Regulation;

(b)

aspects relating to the internal risk-measurement model used to compute the expected shortfall measure and the stress scenario risk measure, in accordance with Chapter 3 of this Regulation;

(c)

aspects relating to the internal default risk model used to compute the additional own funds requirement for default risk, in accordance with Chapter 4 of this Regulation.

For the purposes of the first subparagraph, competent authorities shall apply the principles related to proportionality in accordance with Article 2, the quality of the documentation in accordance with Article 3, and the outsourcing arrangements in accordance with Article 4.

2.   A competent authority that identifies, as part of the assessment performed in accordance with this Regulation, significant deficiencies in the internal risk-measurement model in relation to some product classes in a given trading desk, or that cannot confirm that that model has a proven track record of being reasonably accurate in measuring the risks corresponding to those product classes, may do either of the following:

(a)

require the institution to remove the positions corresponding to those product classes from that trading desk;

(b)

refuse to grant permission to calculate the own funds requirements in accordance with the internal model approach for that trading desk.

3.   A competent authority that comes to the conclusion that product classes in a given trading desk are booked back-to-back with those of another entity of the group that is outside the scope of the highest level of consolidation within the Union, and that such back-to-back booking hinders the competent authority to assess whether the internal risk-measurement model has a proven track record of being reasonably accurate in measuring risks corresponding to those product classes, may do either of the following:

(a)

require the institution to remove the positions corresponding to those product classes from that trading desk;

(b)

refuse to grant the permission to calculate the own funds requirements in accordance with the internal model approach for that trading desk.

4.   Where the market risk of positions corresponding to some product classes is transferred to another entity of the group that is outside the scope of the highest level of consolidation within the Union, and where the effects of such a transfer de facto resemble those of positions booked back-to-back, the competent authority may apply paragraph 3.

Article 2

Proportionality – product categories and model complexities

Competent authorities shall apply the assessment methodology set out in this Regulation in a manner that is proportionate to the size and complexity of the trading activities included in the internal model, based on the following categories of financial instruments in increasing order of complexity:

(a)

simple instruments without optionality;

(b)

instruments, other than those referred to in point (a), without path-dependent features, on a single underlying, including indices, with a continuous payoff in the same currency as the underlying;

(c)

instruments with path-dependent features, instruments on multiple underlyings, instruments with payoffs in currencies that are different to that of the underlying, and any other instruments that are not referred to in points (a) or (b).

Article 3

Quality and auditability of documentation

Competent authorities shall verify that the documentation submitted by an institution in support of its application for permission to use an internal model for the calculation of own funds requirements for market risk is of sufficient quality and is sufficiently detailed and accurate to allow for examination by qualified third parties.

Competent authorities shall in particular verify that:

(a)

the documentation concerned is approved at the appropriate management level of the institution with sufficient authority delegated by the management body for the purposes of internal models;

(b)

the institution has established policies which ensure high-quality standards for internal documentation, including internal accountability to ensure that the documentation concerned is complete, consistent, accurate, updated, approved in accordance with point (a), and secure;

(c)

the documentation set out in the policies referred to in point (b) provides for the identification of the type of document, the author, the reviewer, the authorising agent, the owner, the dates of development and approval, the version number, and the history of amendments;

(d)

the institution accurately and diligently documents the policies, procedures, and methodologies it applies pursuant to this Regulation;

(e)

the documentation concerned is sufficiently detailed to enable qualified third parties to understand all aspects of the internal risk-measurement model.

Article 4

Outsourcing

1.   Competent authorities shall verify that the outsourcing by an institution of any tasks, activities or functions related to the design, implementation, and validation of internal models does not prevent or hinder the application of the assessment methodology set out in this Regulation.

2.   For the purposes of paragraph 1, competent authorities shall verify whether:

(a)

tasks and responsibilities reserved for the risk control unit are not outsourced;

(b)

the senior management and the management body are actively involved in the supervision of any tasks outsourced by the institution, and in the acquisition of any IT risk management tool solutions from third parties;

(c)

the institution itself has sufficient knowledge about any outsourced tasks, activities or functions and of the structure of any data and methodologies obtained from a third party, and is able to verify the quality of the work performed by the third party to which it outsources its tasks, as well as the results of that work;

(d)

the internal audit and the ongoing monitoring by the institution of any outsourced tasks, activities and functions are not limited or inhibited by such outsourcing;

(e)

full access to all relevant information is granted to competent authorities.

3.   Competent authorities shall verify that third parties involved in the development of methodologies for assessing market risk used by the institution are not involved in the initial or ongoing internal validation of the model by the institution.

4.   For the purposes of paragraphs 1, 2 and 3, competent authorities shall review the outsourcing agreement between the institution and the third party. Where appropriate, competent authorities may also:

(a)

interview or require the submission of written statements from any of the following:

(i)

staff and senior management of the institution;

(ii)

the management body of the institution;

(iii)

the third party to whom the task, activity or function have been outsourced;

(b)

review other relevant documents of the institution or the third party.

CHAPTER 2

ASSESSMENT OF QUALITATIVE REQUIREMENTS

Article 5

Overview of the assessment of qualitative requirements

When assessing an institution’s compliance with the qualitative requirements set out in Article 325bi of Regulation (EU) No 575/2013, competent authorities shall:

(a)

verify whether the institution has a clear organisational structure for the governance and management of the market risk model, including well defined, transparent and appropriate lines of responsibility;

(b)

verify whether the decision-making process of the institution regarding all aspects of market risk internal models is clearly established in the institution’s internal documentation;

(c)

verify, in accordance with Article 6:

(i)

the adequacy of the composition of the senior management and the management body;

(ii)

the role of the senior management and the management body;

(d)

verify, in accordance with Article 7, whether the set-up of the trading desks for which the institution is in the process of being granted the approval, or has already obtained the approval, is adequate;

(e)

assess, in accordance with Article 8, the internal governance and oversight of the institution in relation to the risk control unit;

(f)

assess, in accordance with Article 9, whether the internal policy is adequate for the introduction of new products;

(g)

verify, in accordance with Article 10, whether the internal model is reviewed independently;

(h)

assess:

(i)

in accordance with Article 11, the adequacy of the internal validation process and of its outcome;

(ii)

in accordance with Article 12, the scope of the validation and its completeness;

(i)

assess, in accordance with Article 13, the adequacy of the internal regular reporting;

(j)

assess:

(i)

in accordance with Article 14, the adequacy of position limits;

(ii)

in accordance with Article 15, the adequacy of the process to update those limits;

(iii)

in accordance with Article 16, the adequacy of the process followed where those limits are breached;

(k)

assess:

(i)

in accordance with Article 17, the adequacy ofthe stress testing programme;

(ii)

in accordance with Article 18, the adequacy of reverse stress-testing scenarios and ad-hoc stress-testing scenarios;

(l)

assess, in accordance with Article 19, the adequacy of the IT systems;

(m)

verify, in accordance with Article 20, whether the internal risk-measurement model, including any pricing model, has a proven track record of being reasonably accurate in measuring risks, and does not differ significantly from the models that the institution uses for its internal risk management.

For the purposes of point (a), competent authorities shall take into account the nature and size of the institution, and the scale and complexity of its activities.

Article 6

Assessment of the adequacy of the composition and role of the management body and senior management

1.   When assessing the adequacy of the composition and the role of the senior management and the management body as referred to in Article 325bi(1), point (c), of Regulation (EU) No 575/2013, competent authorities shall:

(a)

verify whether the institution, in its documentation of the risk management system, describes:

(i)

the composition, the roles and responsibilities of the management body and senior management;

(ii)

the roles and responsibilities of each member of the management body and senior management;

(b)

verify whether the senior management is constituted of members that represent the highest hierarchical levels below the management body, and has defined responsibility for the proper functioning of the internal model for market risk;

(c)

verify whether the composition of any internal committee structure established by the management body to support its decision-making is adequate, as required by paragraph 2;

(d)

verify whether the role of the senior management is adequate, as required by paragraph 3;

(e)

verify whether the role of the management body, and of the committees constituting the internal committee structure referred to in point (c), are adequate, as required by paragraph 4.

Where an institution’s management body delegates any of its tasks to an internal committee, competent authorities shall, in the context of those delegated tasks, make the assessments required by this Regulation at the level of the internal committee designated by the management body.

2.   For the purposes of paragraph 1, first subparagraph, point (c), competent authorities shall verify whether:

(a)

for each committee of the internal committee structure, the management body has clearly set out its mandate, hierarchy, reporting lines, permanent members, frequency of meetings, and levels of responsibility;

(b)

the internal committee structure has a committee that assesses any new product, proposes those products to the senior management for approval, and monitors those products and whether the risk control unit, and any other function of the institution that is affected by the introduction of a new product, are represented in such committee;

(c)

the governance underpinning the internal committee structure allows for the effective and timely control of all internal position limits referred to in Article 325bi(1), point (b), of Regulation (EU) No 575/2013;

(d)

the governance underpinning the internal committee structure ensures active involvement of the management body in the risk-control process as required by Article 325bi(1), point (c), of Regulation (EU) No 575/2013;

(e)

as part of the internal documentation, the institution has documented all aspects referred to in point (a).

3.   For the purposes of paragraph 1, first subparagraph, point (d), competent authorities shall verify whether:

(a)

the senior management of the institution takes appropriate corrective actions where weaknesses of the internal risk-measurement model or the internal default risk model are identified by any of the following:

(i)

the risk control unit;

(ii)

the qualified parties tasked with the validation of the internal model (‘validation function’);

(iii)

the internal audit function;

(iv)

any other control function of the institution;

(b)

the senior management of the institution is informed of, and follows up on, the recommendations made by the internal audit, the risk control unit, the validation function, in relation to the internal risk-measurement model or the internal default risk model;

(c)

the senior management of the institution is able to ensure the overall quality of the institution’s governance of the valuation of positions included in the internal risk-measurement model or the internal default risk model.

4.   For the purposes of paragraph 1, first subparagraph, point (e), competent authorities shall verify whether the management body:

(a)

on the basis of a proposal from the risk control unit, approves all relevant policies and procedures related to the implementation of the internal model, including the appropriate organisational structure, to ensure that the internal model is implemented with integrity;

(b)

on the basis of a proposal from the risk control unit and after due consideration of the conclusions and recommendations resulting from the validation process, approves the methodologies for assessing market risk applied in the internal model;

(c)

on the basis of an assessment from the risk control unit and after due consideration of the conclusions and recommendations resulting from the validation process, approves any new products;

(d)

on the basis of a proposal from the risk control unit, approves and updates the internal position limits;

(e)

on the basis of a proposal from the risk control unit laying down and assessing the acceptable level of risk, approves the acceptable level of risk, the internal capital allocation and the budget by trading desk;

(f)

adopts the approval procedure for breaches of internal position limits;

(g)

approves or requires corrective actions in relation to breaches of the internal position limits escalated by the risk control unit in accordance with Article 16(1), point (b);

(h)

on the basis of a proposal from the risk control unit:

(i)

approves the stress testing programme;

(ii)

discusses the results of the stress tests;

(iii)

assesses potential action, and where necessary, takes corrective actions.

Article 7

Assessment of whether trading desks comply with Article 104b of Regulation (EU) No 575/2013

When assessing whether trading desks comply with Article 104b of Regulation (EU) No 575/2013, competent authorities shall:

(a)

review the business strategy referred to in Article 104b of that Regulation as documented in the internal policies of the institution under Article 325bi(1), point (e), of that Regulation, and verify whether:

(i)

internal policies clearly describe the economic rationale of the business strategy, including its primary activities, trading, and hedging strategies;

(ii)

internal policies describe the features of the financial instruments and commodities traded by the trading desk, and contains a regularly updated and comprehensive list of those financial instruments and commodities;

(iii)

the institution highlights in its internal policies the instruments that are most frequently traded and that contribute the most to the acceptable level of risk for the trading desk;

(iv)

internal policies describe risk factor’s types inherent in the financial instruments and commodities referred to in point (ii);

(v)

internal policies clearly describe how the instruments and commodities referred to in point (ii) are hedged, what are the expected slippages and mismatches of hedges, and what is the expected holding period for the positions in the trading desk;

(vi)

the business strategies of the trading desks are distinctive, as required by Article 104b(2), point (a), of Regulation (EU) No 575/2013, by:

(1)

identifying the main characteristics of the trading desks in terms of business strategy, including primary activities, trading and hedging strategies;

(2)

verifying that the main characteristics referred to in point (1) meaningfully differ from one trading desk to another;

(b)

verify whether transactions between trading desks are consistent with the business strategies of those trading desks and that those transactions are not performed to:

(i)

reduce the own funds requirements for market risk;

(ii)

meet the profit and loss attribution requirements;

(iii)

meet the back-testing requirements;

(c)

review the organisational structure referred to in Article 104b(2), point (b), of Regulation (EU) No 575/2013 and the annual business plan referred to in Article 104b(2), point (e), of that Regulation, as documented in the internal policies of the institution under Article 325bi(1), point (e), of that Regulation;

(d)

verify whether for each trading desk, the institution has identified one or two head dealers, and that where two head dealers have been appointed, they either have roles, responsibilities, and authorities that are clearly separated, or one has ultimate oversight over the other;

(e)

review the reports referred to in Article 104b(2), points (d) and (f), of Regulation (EU) No 575/2013, and verify whether all aspects referred to in those points are complied with;

(f)

verify whether the institution duly documents and justifies cases where a dealer is assigned to more than one trading desk as referred to in Article 104b(3) of Regulation (EU) No 575/2013, and, for that purpose:

(i)

review the responsibility of that dealer in the context of the trading desks to which he or she has been assigned;

(ii)

verify whether the tasks performed by the dealer in one trading desk as per the business strategy of that desk do not contradict, nor create any conflict with, the tasks that the dealer performs for the other trading desks;

(g)

verify whether the rationale for the inclusion of the trading desks in the scope of the alternative internal model approach meets all of the following conditions:

(i)

the rationale is documented in the internal policies as required by Article 325bi(1), point (e), of Regulation (EU) No 575/2013;

(ii)

the rationale ensures consistency in the approach used for calculating the own funds requirements for market risk among trading desks managing similar positions;

(iii)

the rationale is coherent with the business strategy of the trading desks as referred to in Article 104b(2), point (a), of Regulation (EU) No 575/2013;

(h)

verify whether the business strategy entails that at least 10 % of the own funds requirements for market risk are calculated in accordance with the internal model approach.

For the purposes of point (a)(i), competent authorities shall verify whether the business strategy specifies how much of the trading activities are customer driven, and whether the business strategy entails trade origination and structuring, or execution of services, or both.

For the purposes of point (b), competent authorities may, where appropriate, require the institution to provide a sample of transactions between trading desks, including between trading desks for which the institution computes the own funds requirements with the internal model approach and trading desks for which the institution uses the standardised approach.

Article 8

Assessment of the internal governance and oversight of the institution in relation to the risk control unit

1.   When assessing the internal governance and oversight of the institution in relation to the risk control unit referred to in Article 325bi(1), point (b), of Regulation (EU) No 575/2013, competent authorities shall verify whether that risk control unit:

(a)

is completely separate and independent from the personnel and the management functions responsible for the trading business areas;

(b)

is duly represented in the institution’s decision-making bodies and is involved in the decision-making process where any of the following issues are on the agenda:

(i)

the approval of new methodologies for assessing market risk and of any changes to existing methodologies;

(ii)

the approval of the establishment of a trading desk;

(iii)

the approval or update of reports and inventories within the remit of the risk control unit;

(iv)

the setting of the acceptable level of risk;

(v)

the setting and regular update of the internal limit structure;

(vi)

the approval of limit breaches;

(vii)

the approval of new products or new business lines;

(viii)

the approval of pricing models used for risk purposes;

(ix)

the approval of stress testing programmes;

(x)

the approval of IT infrastructure systems related to risk management tools;

(c)

is adequate, is proportionate to the size of the institution and the risks of the business, and has the resources necessary to perform its tasks effectively;

(d)

has sufficiently experienced, qualified and trained staff to undertake all relevant activities for the effective risk management of the internal model and for monitoring and challenging the actions of other units, in particular of the trading business units;

(e)

is responsible for the outcome of the calculations based on the internal-risk measurement model and the internal default risk model.

2.   For the purposes of paragraph 1, point (a), competent authorities shall verify whether:

(a)

the risk control unit is composed of one or more separate organisational structures in the institution’s organisational chart;

(b)

the heads of the risk control unit or units are senior managers of the institution;

(c)

the staff and the senior management responsible for the risk control unit are not responsible for any trading business activities;

(d)

senior managers of the risk control unit and those responsible for business areas have different reporting lines to the management body of the institution;

(e)

the variable remuneration of the staff and senior management responsible for the risk control unit is not linked to the performance of the tasks related to trading business areas under their supervision in a way that hinders or impedes their independence.

3.   For the purposes of paragraph 1, point (b), competent authorities shall take into account:

(a)

the documented view of the risk control unit when either the management body or the relevant committee of the internal committee structure discuss any of the issues referred to in paragraph 1, point (b);

(b)

the minutes of the institution’s management body or relevant committee of the internal committee structure, and the action points reflected therein;

(c)

the reports of the risk control unit about internal position limits, and any decisions regarding limit breaches;

(d)

information provided by the staff and senior management of the institution, where appropriate.

For the purposes of point (b), competent authorities shall assess the degree of involvement of the risk control unit when the institution’s management body or relevant committee of the internal committee structure discuss any of the issues referred to in paragraph 1, point (b). Competent authorities shall identify cases where the view of the risk control unit and the final decision taken by either the management body or the relevant committee of the internal committee structure diverge.

Article 9

Assessment of the new product policy

When assessing whether the internal policies referred to in Article 325bi(1), point (e), of Regulation (EU) No 575/2013 are adequate for the introduction of any new product, including new financial instruments, activities, markets, booking locations or business lines, competent authorities shall verify whether:

(a)

the risk control unit has documented a new product policy and the management body has approved that policy, including a definition of ‘new product’;

(b)

the internal committee structure has a committee (‘new product committee’) that assesses, controls and monitors all issues arising from the introduction of new products, including, where relevant:

(i)

assessing regulatory compliance;

(ii)

reviewing any pricing models used for risk purposes;

(iii)

specifying the market parameters to be used for calibration purposes, the way the calibration is to be done, and the frequency of update of the calibration;

(iv)

introducing any new methodologies for assessing market risk;

(v)

assessing the impacts on the acceptable level of risk, capital adequacy, and profitability;

(vi)

ensuring the availability of front, back and middle office resources and internal tools and expertise that allow for the understanding and monitoring of any associated new risks;

(vii)

specifying and proposing to the management body the restrictions in terms of maturities, underlying, counterparties, and internal limits for such new product;

(viii)

assessing the adequacy of the accounting schemes and ensuring that the internal reporting appropriately reflects the underlying risks;

(c)

the management body, based on an assessment by the new product committee, authorises the trading of new products;

(d)

where the management body delegates the authorisation task to the new product committee:

(i)

the volume allowed for the new product is restrictive enough to prevent any material losses stemming from such new products, including, where appropriate, shorter trial periods for products referred to in Article 2, point (c);

(ii)

the authorisation is delegated separately for each type of new product and always for a limited period of time, with a maximum of 6 months;

(iii)

the authorisation, if renewed, is only renewed once by the management body;

(iv)

after a one-year period, all relevant issues referred to in point (b) are addressed, or no additional trading in that new product is allowed;

(e)

without the specific approval from the new product committee, the business areas are not authorised to trade new products before the issues referred to in point (b) are addressed;

(f)

in the specific cases where traders are allowed to trade new products that do not comply with point (b), the new-product committee approves the transactions on an individual basis and within the limits referred to in point (d)(i);

(g)

the new product committee meets frequently enough to evaluate and approve any new product transaction and to monitor all the issues referred to in point (b) that those transactions may pose;

(h)

transactions are monitored individually until all issues referred to in point (b) have been fully addressed and, based on an assessment by the new product committee, the management body confirms that the transactions are fully incorporated into all relevant IT systems and controlled via the regular risk-management system;

(i)

all new products, regardless of their degree of incorporation into the IT systems, are computed both in the internal risk-measurement model and in the daily changes to the portfolio’s value used for back-testing and profit and loss attribution test purposes.

Article 10

Independent review of the internal risk-measurement model

1.   When assessing the independent review of the internal risk-measurement models in accordance with Article 325bi(1), point (h), of Regulation (EU) No 575/2013, competent authorities shall verify whether:

(a)

the reviewer is independent;

(b)

the resources assigned to the review are appropriate;

(c)

the process established within the institution to address the recommendations made by the reviewer is adequate;

(d)

the reviewer reviews the internal risk-measurement models on at least an annual basis, and includes the conclusions of that review in a report submitted to the senior management and the management body;

(e)

the report referred to in point (d) provides sufficient information to the senior management and the management body of the institution on all elements referred to in Article 325bi(2) and Article 325bp(7) of Regulation (EU) No 575/2013, and identifies the areas in the annual work plan that require a more detailed compliance analysis of those elements;

(f)

the review is adequate, proportionate to the size and the complexity of the portfolios concerned, and effective in identifying shortcomings.

2.   For the purposes of paragraph 1, competent authorities shall verify whether:

(a)

the review is proportionate to the nature, size, and complexity of the institution’s business and organisational structure, and in particular to the complexity of the internal models and their implementation;

(b)

the reviewer has resources that are adequate to undertake all relevant activities, and sufficiently experienced and qualified staff;

(c)

the reviewer is not, nor has been involved in any aspect of the design and implementation of the internal model subject to review;

(d)

the reviewer is independent from the staff and management function responsible for the business and risk control units;

(e)

the variable remuneration of the staff and management responsible for the review is not linked to the performance of the tasks related to the institution’s trading business areas in a way that hinders or impedes their independence.

3.   Competent authorities shall examine the latest and other relevant reports produced by the reviewer and verify that the remediation of the issues identified in those reports is relevant, material, and credible.

Article 11

Assessment of the validation of any internal risk measurement models, and of the outcome of such validation

1.   When assessing whether any internal risk-measurement models are adequately validated, as referred to in Article 325bj of Regulation (EU) No 575/2013, competent authorities shall verify whether:

(a)

the validation process is conducted by staff that is not nor has been involved in any way in the development of the internal model subject to validation;

(b)

the validation process is conducted with sufficient resources, including experienced and qualified staff;

(c)

the variable remuneration of the staff and senior managers responsible for the validation process is not dependent on the performance of the tasks related to the institution’s risk control or business areas in a way that hinders or impedes their independence;

(d)

all necessary corrective measures resulting from the validation process are reflected in the validation report referred to in paragraph 2, and implemented in a timely manner;

(e)

a decision-making process is in place to ensure that the senior management of the institution takes into account the findings and recommendations resulting from the validation process;

(f)

the reviewer referred to in Article 10(1), point (a), regularly assesses the compliance with the conditions referred to in Article 10(1), points (e) and (f).

2.   When assessing the outcome of the validation process, competent authorities shall:

(a)

verify whether the recommendations, findings, and conclusions of the validation process are included in a validation report that identifies and describes:

(i)

the validation methodology;

(ii)

the tests performed;

(iii)

the reference dataset used;

(iv)

the respective data cleansing processes;

(b)

verify whether the conclusions, findings and recommendations of the validation report are directly communicated to, and considered by, the management body of the institution before that management body approves a model to be applied for the calculation of own funds requirements and before any subsequent changes in the methodologies are applied;

(c)

verify whether any remedial measure proposed by the validation functions is documented in the validation report and is accompanied by a timeline that is adequate for fixing the identified deficiencies;

(d)

verify whether an escalation process is included in the internal policies of the institution for those remedial measures that are overdue, and whether, based on evidence from the past, that process is followed;

(e)

assess the overall quality of the outcome of the validation process by comparing the deficiencies identified in the assessment of the internal model in accordance with this Regulation with the deficiencies identified by the validation unit in the validation process.

Article 12

Assessment of the adequacy of the scope and completeness of the internal validation

1.   When assessing whether the scope of the internal validation referred to in Article 325bj of Regulation (EU) No 575/2013 is adequate, competent authorities shall verify whether the internal validation:

(a)

critically reviews all aspects of the methodologies and pricing functions used for capital purposes, including those applied to new products, thereby taking account of strengths and weaknesses compared to any alternative methodologies;

(b)

verifies:

(i)

the choice of market data;

(ii)

the mapping of risk factors to the relevant liquidity horizon;

(iii)

the mapping of a real price observation to a risk factor or to a bucket for which it is considered representative;

(iv)

the proxying approaches used;

(c)

verifies whether the distributional and any other relevant stochastic assumptions and parameters of the underlying stochastic processes, including volatility and correlation, are well justified, including with regard to:

(i)

the tails of the distributions relevant for the calculation of the expected shortfall risk measures referred to in Article 325bb of Regulation (EU) No 575/2013;

(ii)

the stress scenario risk measure referred to in Article 325bk of Regulation (EU) No 575/2013;

(d)

assesses the soundness of any empirical correlations used both within and across the broad categories of risk factors to calculate the unconstrained expected shortfall measure referred to in Article 325bh(2) of Regulation (EU) No 575/2013;

(e)

assesses the correlation assumptions made in the calculation of the own funds requirements for default risk, including:

(i)

the choice of the relevant copula, where modelled explicitly;

(ii)

the choice and weights of the systematic risk factors referred to in Article 325bp of Regulation (EU) No 575/2013;

(iii)

the ability of the model to explain default clusters;

(f)

assesses the assumptions made to obtain estimates of default probabilities and losses given default to compute own funds requirements for default risk;

(g)

assesses the assumptions made in relation to the modelling of hedges in the computation of own funds requirement for default risk as referred to in Article 325bo of Regulation (EU) No 575/2013;

(h)

analyses the results of the stress testing programme, including the results relating to default risk, and extracts relevant conclusions, if any, around methodological flaws or weaknesses stemming from particular market scenarios;

(i)

applies and analyses the results obtained for the hypothetical portfolios referred to in Article 325bj(3), point (c), of Regulation (EU) No 575/2013 to ensure that the internal model can account for structural features, including, where relevant, the following:

(i)

basis risks between different yield curves;

(ii)

less than perfectly correlated movements between similar but not identical positions;

(iii)

name-related basis risk and basis stemming from similar but not identical credit or equity positions;

(iv)

concentration risk;

(j)

verifies the robustness of the implementation of the internal risk measurement model in IT systems, and ensures that all business and support units apply methodologies consistently and for all relevant geographic areas;

(k)

verifies the appropriateness and materiality of the proxies by assessing:

(i)

the percentage of proxied time series used;

(ii)

the percentage marginal contribution of proxied time series;

(iii)

the impact that proxy usage may have in the recognition of diversification effects.

2.   When assessing the completeness of the internal validation process, competent authorities shall verify whether:

(a)

for the internal validation conducted when the model is initially developed, the institution has performed and documented a complete validation process for all methodologies applied in the internal model;

(b)

for the periodic internal validation, the institution has conducted a complete validation, or has done the validation on areas to be validated following the changes referred to in paragraph 3 on:

(i)

any new methodologies required by the introduction of new products;

(ii)

areas related to any issues identified in the conclusions of previous validations and internal audit reviews.

3.   For the purposes of paragraph 2, point (b), competent authorities shall:

(a)

verify whether the internal policies of the institution ensure that the internal periodic validation is performed at least annually, and each time significant structural changes in the market or changes to the composition of the portfolio occur that may lead to the internal model no longer being adequate, including the following:

(i)

a number of overshootings that deviate significantly from the number anticipated by the model calibration;

(ii)

large market losses relative to the level predicted by risk metrics;

(iii)

a significant change in the institution’s business that may challenge the modelling assumptions;

(iv)

unusual and significant misalignments between the theoretical and hypothetical changes to the portfolios’ values;

(b)

verify whether the internal periodic validation is based on a work plan, approved by the management body, and that that work plan sets out:

(i)

the scope of the internal validation;

(ii)

the tasks performed by the validation unit;

(iii)

the priorities of the internal validation;

(c)

assess how the work plan referred to in point (b) ensures that a comprehensive and risk-oriented internal validation process is performed, and that relevant aspects are not omitted from the scope of the internal validation.

Article 13

Assessment of the adequacy of reporting

When assessing the adequacy of the reports referred to in Article 104b(2), points (d) and (f), and Article 325bi(1), point (b), of Regulation (EU) No 575/2013, competent authorities shall verify:

(a)

whether the institution maintains an inventory of those reports, specifying their content, frequency and addressees;

(b)

whether the inventory referred to in point (a) has been approved at the appropriate management level and is updated in consultation with the risk control unit.

Article 14

Assessment of adequacy of trading limits

When assessing the adequacy of trading limits referred to in Article 103(2), point (b)(ii), Article 104b(2), points (c) and (f), and Article 325bi(1), point (b), of Regulation (EU) No 575/2013, competent authorities shall verify whether:

(a)

the institution has a clear breakdown of trading limits that is consistent with the acceptable level of risk set by the institution and the budget of each trading desk;

(b)

the choice of the trading limits reflects the trading strategy of the trading desk and the nature of the underlying risks;

(c)

the trading limits include the following:

(i)

a value-at-risk limit for the maximum level of portfolio aggregation at which the internal model is applied;

(ii)

a value-at-risk limit for each trading desk for which the institution calculates its own funds requirement for market risk with the internal risk-measurement model;

(d)

the institution has a further breakdown in the value-at-risk limits, proportional to the institution’s trading strategies;

(e)

all internal limits, including those referred to in point (c), are properly documented and formally approved;

(f)

as part of the limit approval and update process, the risk control unit assesses and documents the consistency and compatibility between the value-at-risk limits approved by the management body and the rest of the internal limits not based on value-at-risk, including sensitivities or loss trigger;

(g)

the institution properly documents and formally approves an inventory of authorised instruments and underlying risk positions that traders can enter.

For the purposes of point (c)(i), the value-at-risk limit shall be the sum of individual value-at-risk limits when the permission to use the internal model approach, as referred to in Article 325(1), point (b), of Regulation (EU) No 575/2013, has not been granted.

Article 15

Assessment of the adequacy of the process to update trading limits

1.   When assessing the adequacy of the process of updating the institution’s trading limits referred to in Article 103(2), points (b)(ii), Article 104b(2), points (c) and (f), and Article 325bi(1), point (b), of Regulation (EU) No 575/2013, competent authorities shall verify whether:

(a)

the update process is coordinated and duly documented by the risk control unit;

(b)

the proposal for updating the trading limits reflects any changes in:

(i)

the acceptable level of risk set by the institution;

(ii)

the expected activity or in the budget objectives of the trading desks;

(c)

the proposal for updating the trading limits takes into account, over the period where the trading limit applicable at the time of the update has been used:

(i)

the average level of use of the trading limits applicable at the time of the update;

(ii)

the number and magnitude of trading limit breaches.

2.   Competent authorities shall verify whether the process to update trading limits is conducted at least every year, and more frequently where there are changes in the organisation or new business lines or products are introduced.

Article 16

Assessment of the adequacy of the process relating to trading limit breaches

1.   When assessing the adequacy of the process for the approval of trading limit breaches referred to in Article 104b(2), point (f), of Regulation (EU) No 575/2013, competent authorities shall verify whether:

(a)

the institution has a clear and documented procedure for the approval by the management body of breaching trading limits;

(b)

the management body has specified materiality conditions according to which any breach of the trading limits are to be reported to the management body itself, irrespective of the level where the trading limits have been approved;

(c)

the risk control unit documents any breaches of the trading limits and reports such breaches to the responsible committee, sub-committee or individual manager;

(d)

the committee, sub-committee or individual manager referred to in point (c) either takes action when a trading limit is breached, or reports such breach to the management body, in accordance with point (b);

(e)

the documentation referred to in point (c) comprises the magnitude and main causes of the breach of the trading limit, including:

(i)

any increase in the trading positions;

(ii)

any methodological changes introduced in the internal risk-measurement model;

(iii)

any developments in market conditions.

2.   Competent authorities shall verify, in particular where a trading desk has frequently exceeded trading limits, whether the frequency and magnitude of breaches of trading limits, and the measures taken by the risk control unit and management body in response to such breaches, are appropriate. The competent authority shall conduct such verification.

Article 17

Assessment of the adequacy of the stress testing programme

1.   When assessing the adequacy of the programme of stress testing referred to in Article 325bi(1), point (g), and Article 325bp(7), point (b), of Regulation (EU) No 575/2013, competent authorities shall verify whether:

(a)

the institution reviews scenarios applied as part of the stress testing programme at least annually;

(b)

the risk control unit runs the stress test scenarios determined in the stress testing programme frequently and at least every month, and at a higher frequency where the institution has significant trading activities;

(c)

the scenarios to be applied as part of the stress testing programme comprise, apart from historically observed or hypothetical scenarios, scenarios resulting from reverse stress testing and ad-hoc scenarios designed to address the relevant specific risk drivers;

(d)

the scenarios referred to in point (c) are reviewed at least on an annual basis.

2.   Competent authorities shall verify whether the scenarios referred to in paragraph 1, point (c), are used to assess the reasonableness of the elements constituting the own funds requirements for market risk, including the additional own funds requirement for default risk, when those own funds requirements are compared with potential losses stemming from severe, but plausible market scenarios.

3.   For the purposes of paragraph 2, competent authorities shall verify whether the institution, when it is assessing the reasonableness of the default risk model assumptions, in particular regarding the capture of credit risk concentrations, uses all of the following:

(a)

losses arising from events, including credit events;

(b)

hypothetical rating downgrades;

(c)

market events on specific issuers’ types;

(d)

changes to copulas’ types and parameters, where modelled explicitly.

Article 18

Assessment of the adequacy of the reverse and ad-hoc stress testing scenarios

1.   When assessing the adequacy of the reverse stress testing scenarios referred to in Article 325bi(1), point (g), of Regulation (EU) No 575/2013, competent authorities shall verify whether:

(a)

the risk control unit applies the reverse stress test as a tool to identify possible combinations of severe events and risk concentrations within the institution, including severe events and risk concentrations that derive from environmental risks;

(b)

the analysis performed with the reverse stress test complements the regular stress testing;

(c)

when identifying the scenario or scenarios resulting from reverse stress testing, the risk control unit assesses:

(i)

the business lines where traditional risk management models indicate an exceptionally good trade-off between risk and return;

(ii)

new products and new markets which have not experienced severe strains;

(iii)

exposures where there are no liquid two-way markets;

(iv)

foreign exchange exposures either pegged or subject to a cap or floor to other currencies;

(v)

positions in deep out-of-the-money options, in particular digital options;

(vi)

events not considered in the stress period used to calibrate the expected shortfall risk measures referred to in Article 325bb of Regulation (EU) No 575/2013;

(vii)

environmental risks in the form of both physical and transition risks.

2.   When assessing the adequacy of ad hoc stress testing scenarios as part of the stress testing programmes referred to in Article 325bi(1), point (g), of Regulation (EU) No 575/2013, competent authorities shall verify whether the risk control unit, when designing the ad hoc stress testing scenarios concerned, takes into account the composition, at the last reporting date, of the portfolio of positions included in the scope of the internal model. Competent authorities shall in particular verify:

(a)

whether the risk control unit uses the results obtained from sensitivity analysis towards single risk factors, considered individually and jointly, to identify scenarios that include the stress of a combined set of plausible risk factors;

(b)

whether the risk control unit explicitly has considered the following elements when establishing the ad hoc stress testing scenarios:

(i)

the illiquidity of markets in stressed market conditions, gapping of prices, concentration risk, and one-way markets;

(ii)

an event resulting in a rise in correlation across instruments or risk factors, or a sharp foreign exchange shift scenario, stemming from any currencies which are subject to a peg, cap, or floor at the time of the review, which are breaking those relationships, where such an event occurs at the same time as an event as referred to in point (i);

(iii)

event risks for equities and jump-to-default risk for credit positions, by considering either of the following:

(1)

four instantaneous defaults with zero recovery of the long debt positions in the current portfolio with the largest exposure and the two largest equity long positions in the current portfolio;

(2)

the event risk stemming from a sharp rise in equity prices for the two largest short positions;

(iv)

the non-linearity of products, by applying full revaluation of all positions to reflect non-linearity effects accurately, and by applying large enough shocks to trigger the exercise of some deep out-of-the-money options, in particular digital options;

(v)

event risks stemming from environmental risk drivers;

(vi)

other risks that may not be captured appropriately in the internal models, including risks derived from the use of proxies and the potential misalignment between a proxy and the underlying risk.

For the purposes of point (b)(i), the risk control unit may consider larger shocks to reflect the impossibility of unwinding positions in a timely manner, in particular for cash instruments, that is caused by the fact that positions are concentrated, or that are due to a sharp increase in market illiquidity.

For the purposes of point (b)(iv), the risk control unit may, in particular:

(a)

assess the potential risk incurred when hedging positions valued using a proxy;

(b)

apply the stressed scenario movements to the proxy while keeping illiquid positions constant.

Article 19

Assessment of the internal risk-measurement model in relation to the robustness of the IT systems

1.   When assessing whether the internal risk-measurement model is calculated and implemented with integrity as required by Article 325bi(1) of Regulation (EU) No 575/2013, competent authorities shall verify whether the institution’s IT systems related to market risk management and the IT systems supporting the internal model are robust enough to cope with execution errors. In particular, competent authorities shall:

(a)

assess the robustness of the IT systems during the last 250 business days;

(b)

verify whether:

(i)

appropriate remediation capabilities are in place in case of system breakdown;

(ii)

the institution is able to re-calculate any affected risk metrics;

(iii)

back-testing overshootings produced by technical problems are exceptional.

2.   Competent authorities shall verify whether an institution examines all internal model positions and instruments in the internal risk-measurement model and reconciles those positions and instruments with the end-of-day value systems by confirming, at least on a weekly basis, that the positions and instruments in one system correspond to those in the other systems. Competent authorities shall verify that the institution fully documents and monitors any positions and instruments not fully reconciled.

Article 20

Assessment of reasonable accuracy of the internal risk-measurement model, including pricing model

1.   When assessing whether the internal risk-measurement model, including any pricing model, has a proven track record of being reasonably accurate in measuring risks, and does not differ significantly from the models that the institution uses for its internal risk-measurement models as referred to in Article 325bi(1), point (f), of Regulation (EU) No 575/2013, competent authorities shall:

(a)

verify whether the institution has inventories, whereby those inventories comprise:

(i)

the pricing functions or methods used in the internal-risk measurement model and the pricing functions or methods used to calculate the end-of-day value of the portfolio;

(ii)

for each of the pricing functions or methods referred to in point (i), a concise description, the main features, assumptions, key parameters of those pricing functions or methods, how those features, assumptions and parameters were calibrated, and how those pricing functions or methods are implemented;

(iii)

a description of the scope of financial instruments and commodities included in the internal-risk measurement model covered by each pricing function or method;

(iv)

a description of the scope of financial instruments and commodities covered by each pricing function or method in the calculation of the end-of-day-value of the portfolio;

(v)

one or more metrics to measure the materiality of positions priced with the corresponding pricing function or method in the internal risk-measurement model;

(vi)

one or more metrics to measure the materiality of positions priced with the corresponding pricing function and method in the calculation of the end-of-day-value of the portfolio;

(vii)

a comprehensive mapping between the pricing functions and methods used in the internal risk-measurement model and the pricing functions and methods used in the calculation of the end-of-day-value of the portfolio;

(b)

verify whether the inventories referred to in point (a) are updated at least annually, and whether the internal policies of the institution provide for a specific update whenever that would be necessary due to substantial changes in the information provided in the inventories;

(c)

verify whether all the differences between the pricing functions used to compute the end-of-day value and the pricing functions used in the internal risk-measurement model are validated as part of the internal validation referred to in Article 325bj of Regulation (EU) No 575/2013;

(d)

assess, on the basis of the profit and loss attribution results and the back-testing results, whether there are pricing functions that may present deficiencies;

(e)

analyse the conclusions in the most recent reports by the institution’s internal validation referred to in Article 325bj of Regulation (EU) No 575/2013 regarding the accuracy of the internal risk-measurement model;

(f)

analyse the conclusions laid down in the most recent reports about the institution’s internal review of the accuracy of the internal risk-measurement model, as referred to in Article 325bi(1), point (h), of Regulation (EU) No 575/2013;

(g)

verify whether the institution has documented the differences between the internal risk-measurement model and the models that the institution uses for its internal risk management for the same scope of positions, and whether the institution is able to explain those differences;

(h)

analyse the results of the tests performed by the institution as part of its internal validation to verify whether the assumptions made in the internal risk-measurement model are appropriate and do not underestimate or overestimate the risk, as referred to in Article 325bj(3), point (a), of Regulation (EU) No 575/2013, in particular for the trading desks with the highest differences between the own funds requirements calculated in accordance with the alternative standardised approach referred to in Part Three, Title IV, Chapter 1a of Regulation (EU) No 575/2013, and the own funds requirements calculated in accordance with the internal risk-measurement model.

For the purposes of point (d), competent authorities may, where appropriate, require the institution to calculate, on a set of instruments and commodities for which the competent authority wants to test the accuracy of the pricing functions, the risk-theoretical changes referred to in Chapter 2, Section 2, of Commission Delegated Regulation (EU) 2022/2059 (10) and the hypothetical changes referred to in Chapter 1, Section 2, of that Delegated Regulation, and require the institution to justify differences in outcome between the two measures.

2.   Where positions corresponding to product classes assigned to a trading desk are booked back-to-back with those of another entity of the group that is outside the scope of the highest level of consolidation within the Union, and the competent authority needs more evidence to verify that the internal risk-measurement model is reasonably accurate, the competent authority may require institutions to provide:

(a)

the actual, hypothetical, and risk theoretical changes over 60 business days in the trading desk portfolio’s value, without any hedges with the entity of the group being considered;

(b)

the value-at-risk numbers at trading desk level as referred to in Article 325bf of Regulation (EU) No 575/2013 over 60 business days, without any hedges with the entity of the group being considered;

(c)

an assessment of the profit and loss attribution results and back-testing results in light of the changes in the portfolio’s values referred to in point (a) and the value-at-risk numbers referred to in point (b).

3.   Where the market risk of positions corresponding to some product classes is transferred to another entity of the group that is outside the scope of the highest level of consolidation within the Union, and the effects of such transfer de facto resemble the effects of positions booked back-to-back, competent authorities may apply paragraph 2.

Article 21

Assessment of the internal risk-measurement model in relation to additional back-testing programmes

1.   When assessing whether the institution’s internal model is implemented with integrity as required by Article 325bi(1) of Regulation (EU) No 575/2013 in relation to the back-testing referred to in Article 325bj(3), point (b), of that Regulation, competent authorities shall verify whether, as part of such back-testing programmes, the institution:

(a)

runs the back-testing programme referred to in paragraph 2 or another internal back-testing programme that enables the institution to identify the contribution of modellable and non-modellable risk factors to the back-testing results;

(b)

applies direct expected shortfall back-testing approaches to its portfolios.

For the purposes of point (b), competent authorities shall verify how the institution motivates the choice of the applied direct expected shortfall back-testing methodology, and analyse whether that methodology is conceptually sound.

The institution may use the back-testing programmes referred to in the first subparagraph as an element to detect and monitor potential deficiencies in the calculation of the excepted shortfall measures. Where a competent authority decides on the permission to use the internal model approach to compute the own funds requirement for market risk in accordance with Article 325az, those back-testing programmes shall not supersede the outcomes of the regulatory back-testing referred to in Article 325bf of Regulation (EU) No 575/2013 and the profit and loss attribution requirements referred to in Article 325bg of that Regulation.

2.   For the purposes of paragraph 1, first subparagraph, point (a), the institution may run a back-testing programme that applies the following principles:

(a)

an overshooting is identified as a one-day change in HPL MRF or in

(b)

APL MRF that exceeds the value-at-risk number referred to in Article 325bf(6), point (a), of Regulation (EU) No 575/2013;

(c)

HPL MRF and APL MRF are calculated as follows:

Formula

Formula

Where:

HPL are the hypothetical changes in the portfolio’s value;

APL are the actual changes in the portfolio’s value;

RTPL are the risk-theoretical changes in the institution’s portfolio’s value;

RTPL MRF are the risk-theoretical changes in the institution’s portfolio’s value considering only changes to modellable risk factors;

(d)

the institution identifies potential weaknesses in its risk-measurement model by counting the overshootings, as identified in accordance with point (a), that occurred over the last 250 business days, and by comparing the amount of the identified overshootings against the thresholds referred to in Article 325bf(3), points (a) and (b), of Regulation (EU) No 575/2013.

CHAPTER 3

ASSESSMENT OF THE INTERNAL RISK-MEASUREMENT MODEL USED TO COMPUTE THE EXPECTED SHORTFALL RISK MEASURE AND THE STRESS SCENARIO RISK MEASURE

SECTION 1

Overview of the assessment

Article 22

Introduction to the assessment of the internal risk-measurement model used to compute the expected shortfall measure and the stress scenario risk measure

When assessing an institution’s compliance with the requirements applicable to the internal risk-measurement model used to compute the expected shortfall risk measure and the stress scenario risk measure, competent authorities shall assess whether the institution complies with:

(a)

Section 2 of this Chapter, which contains requirements on risk factors, including the modellability assessment and the mapping to the appropriate liquidity horizon;

(b)

Section 3 of this Chapter, which contains requirements on data quality and the proxy approaches used in the calculation of:

(i)

the expected shortfall measure referred to in Article 325bb of Regulation (EU) No 575/2013;

(ii)

the stress scenario risk measure referred to in Article 325bk of Regulation (EU) No 575/2013;

(c)

Section 4 of this Chapter, which contains requirements on back-testing and profit and loss attribution;

(d)

Section 5 of this Chapter, which contains requirements on the treatment of foreign exchange risk and commodity risk in the non-trading book;

(e)

Section 6 of this Chapter, which contains requirements on the expected shortfall measure and the stress scenario risk measure calculations.

SECTION 2

Assessment of the internal risk measurement model’s risk factors set-up and properties

Subsection 1

Assessment of the internal risk measurement model’s risk factors set-up

Article 23

Assessment of the internal risk-measurement model’s coverage of the risk

1.   When assessing the institution’s compliance with Article 325bh(1), point (a), of Regulation (EU) No 575/2013 in relation to the requirement to include in the internal risk-measurement model at least those risk factors that are used in the calculation of the own funds requirements under the alternative standardised approach, the competent authority shall verify whether:

(a)

the institution documents whether there are risk factors used in the standardised approaches that are not included in the internal risk-measurement model;

(b)

the institution highlights all of the following aspects:

(i)

whether there are currencies for which general interest rate risk, including inflation risk or cross-currency basis risk, are not modelled;

(ii)

whether there are issuer’s credit spreads that are not modelled;

(iii)

whether there are equity spot prices and equity repo rates that are not modelled;

(iv)

whether there are commodity spot prices that are not modelled;

(v)

whether there are spot exchange rates that are not modelled;

(vi)

whether there are cases where the implied volatility in instruments with optionality is not modelled;

(c)

where there are risk factors used in the alternative standardised approach that are not included in the internal risk-measurement model, the institution, in addition to providing information on the impact of the exclusion of those risk factors on the profit and loss attribution results as required by Article 325bh(1), point (a), of Regulation (EU) No 575/2013:

(i)

provides an appropriate rationale for not including those risk factors in the internal risk-measurement model and, where such exclusion is due to a lack of representative prices for those risk factors, the rationale for not capturing those risk factors in the calculation of the stress scenario risk measure referred to in Article 325bk of Regulation (EU) No 575/2013, and documents such a rationale;

(ii)

calculates and monitors the impact on the own funds requirements resulting from excluding those risk factors from the internal risk-measurement model.

2.   When assessing an institution’s compliance with Article 325bh(1), point (a), of Regulation (EU) No 575/2013 in relation to the requirement to include in the internal risk-measurement model a sufficient number of risk factors, competent authorities shall perform the following steps in the following order:

(a)

require the institution to provide an overview of the factors used in the calculation of the end-of-day value of the portfolio, including, where appropriate, a list of aggregates of factors used in the calculation of the end-of-day value, which specifies, for each aggregate, all of the following:

(i)

the number of factors per aggregate;

(ii)

the broad category of risk factors and broad sub-category of risk factors, as referred to in Table 2 of Article 325bd of Regulation (EU) No 575/2013, to which the factors in the aggregate can be mapped;

(iii)

a gross and net sensitivity of the institution portfolio to the factors that are part of the aggregate;

(iv)

whether the factors are included or not in the internal risk-measurement model, and:

(1)

where included, whether each factor is directly modelled as a risk factor in the internal-risk measurement model without any proxy being used, or whether other techniques are used;

(2)

where not included, the rationale for that choice.

(b)

based on the overview referred to in point (a):

(i)

verify that there are no material factors that are not modelled, and that the rationales supporting the exclusions of non-modelled factors are appropriate;

(ii)

assess how the institution, for factors that are not modelled directly as risk factors in the risk-measurement model referred to in point (a)(iv), ensures that all material risks, including material basis risks, are captured.

For the purposes of point (a), institutions shall aggregate factors so that each aggregate shares the same attributes in relation to point (ii), point (iv)(1), and point (iv)(2).

For the purposes of point (b)(i), competent authorities shall apply the assessment method referred to in paragraph 3, and may complement that method by the assessment method referred to in paragraph 4.

For the assessment referred to in paragraph 2, point (b)(i), competent authorities shall identify trading desks or hypothetical portfolios used by the institution for the internal validation referred to in Article 325bj(3), point (c), of Regulation (EU) No 575/2013 whose values depend on factors that are not included in the internal risk-measurement model. Competent authorities shall verify for those trading desks whether the results of the back-testing referred to in Article 325bf of Regulation (EU) No 575/2013 or of the own internal model validation tests referred to in Article 325bj(3), point (b), of Regulation (EU) No 575/2013 indicate weaknesses in the internal risk-measurement model.

3.   For the assessment referred to in paragraph 2, point (b)(i), competent authorities may identify trading desks or hypothetical portfolios used by the institution for the internal validation referred to in Article 325bj(3), point (c), of Regulation (EU) No 575/2013 whose values depend on factors that are not included in the internal risk-measurement model, and apply the following steps in the following order:

(a)

require the institution to calculate:

(i)

the hypothetical changes in a trading desk portfolio’s value or in the hypothetical portfolio’s value calculated in accordance with Article 3 of Delegated Regulation (EU) 2022/2059;

(ii)

the hypothetical changes in the trading desk portfolio’s value or in the hypothetical portfolio’s value calculated in accordance with Article 3 of Delegated Regulation (EU) 2022/2059, while keeping unchanged the factors that are not included as risk factors in the internal risk-measurement model;

(iii)

the risk-theoretical changes in the trading desk portfolio’s value or in the hypothetical portfolio’s value calculated in accordance with Article 12 of Delegated Regulation (EU) 2022/2059.

(b)

require the institution to explain deviations in the changes in the portfolio’s values calculated in accordance with points (a)(i), (ii), and (iii).

Article 24

Assessment of general interest rates risk factors

1.   When assessing an institution’s compliance with the requirements set out in Article 325bh(1), point (c), of Regulation (EU) No 575/2013 in relation to the modelling of the interest rate risk, competent authorities shall:

(a)

require the institution to provide a list of all the currencies towards which the institution’s portfolio is sensitive and, for each of those currencies, all the yield curves towards which the institution’s portfolio is sensitive;

(b)

require the institution, for each of the yield curves referred to in point (a), to specify whether a curve is modelled in its entirety directly, or whether it is modelled as a sum of a base curve and a basis curve;

(c)

require the institution to provide a sensitivity analysis of its portfolio towards each of the yield curves referred to in point (a);

(d)

verify, by using the information referred to in points (a), (b) and (c), that the basis risk between any two given yield curves is either implicitly captured by the fact that two yield curves are modelled directly, or by the fact that a basis yield curve representing the difference between those two yield curves is included in the internal-risk measurement model;

(e)

perform, in relation to yield curves where risk factors are points in the curve, an additional assessment in accordance with Article 29 of this Regulation and, where buckets are established by the institution in accordance with Article 5(4) of Commission Delegated Regulation (EU) 2022/2060 (11), verify whether the institution uses at least six risk factors where both of the following conditions are met:

(i)

the exposure to the yield curve is material;

(ii)

the exposure is in a most liquid currency as referred to in Annex I to Commission Delegated Regulation (EU) 2022/2058 (12);

(f)

perform, in relation to curves that have been modelled by means of function parameters as referred to in Article 6 of Delegated Regulation (EU) 2022/2060, an additional assessment of compliance in accordance with Article 29 of this Regulation;

(g)

assess whether vega risk related to interest rate risk is duly captured as required by Article 30 of this Regulation.

2.   By way of derogation from paragraph 1, points (a) and (b), competent authorities may require an institution to provide the information referred to in those points for the most relevant currencies and yield curves only, and perform the assessment set out in that paragraph 1 on those data.

Article 25

Assessment of equity risk factors

1.   When assessing the institution’s compliance with the requirement set out in Article 325bh(1), point (e), of Regulation (EU) No 575/2013 in relation to the modelling of equity risk, the competent authority shall:

(a)

require the institution to provide a list of all equity names and equity indices towards which the institution’s portfolio is sensitive, and the risk factors used to model the associated risk;

(b)

require the institution to provide a sensitivity analysis of its portfolio towards each of the equity names and equity indices referred to in point (a);

(c)

verify that, where the risk in an equity name is modelled as a sum of a systematic risk factor as referred to in Article 3(3) of Delegated Regulation (EU) 2022/2060 and idiosyncratic risk factor, the volatility generated by shocking those factors reflects the volatility observed for that equity name;

(d)

verify that the basis risk between two different equity names is captured by either modelling the two equity names directly or by means of a basis risk factor;

(e)

assess whether the risk in changes in equity curves is duly captured in accordance with Article 29 of this Regulation;

(f)

assess whether vega risk related to equity risk is duly captured in accordance with Article 30 of this Regulation.

For the purposes of point (c), the competent authority may, where appropriate, compare the volatility of the shocks applied to the issuer equity name, as resulting from the systematic and idiosyncratic risk factors, with the volatility observed for that equity name.

2.   By way of derogation from paragraph 1, point (a), the competent authority may require the institution to provide the information referred to in that point for the most relevant equity names and indices only, and may perform the assessment set out in that paragraph on those data.

Article 26

Assessment of credit spread risk factors

1.   When assessing an institution’s compliance with the requirements set out in Article 325bh(1) of Regulation (EU) No 575/2013 in relation to the modelling of credit spread risk, competent authorities shall:

(a)

require the institution to provide a list of all issuers’ credit spreads curves and credit indices towards which the institution’s portfolio is sensitive, and the risk factors used to model the associated risk;

(b)

require the institution to provide a sensitivity analysis of its portfolio towards each of the issuers’ credit spreads curves and credit indices referred to in point (a);

(c)

verify whether, where the risk in an issuer credit spread is modelled as a sum of a systematic risk factor as referred to in Article 3(3) of Delegated Regulation (EU) 2022/2060 and an idiosyncratic risk factor, the volatility generated by shocking those factors reflects the volatility observed for that issuer credit spread;

(d)

verify whether the basis risk between issuers is captured by either modelling the issuers’ credit spreads directly or by means of a basis risk factor, and whether the basis between different positions referencing to the same issuer is monitored and, when material, included in the internal risk-measurement model;

(e)

assess whether the risk in changes in credit spread curves is duly captured as required by Article 29 of this Regulation;

(f)

assess whether vega risk related to credit spread risk is duly captured as required by Article 30 of this Regulation.

For the purposes of point (c), competent authorities may, where appropriate, compare the volatility of the shocks applied to the issuer credit spread, as resulting from the systematic and idiosyncratic risk factors, with the volatility observed for that issuer credit spread.

2.   By way of derogation from paragraph 1, point (a), competent authorities may require an institution to provide the information referred to in that point for the most relevant credit spreads curves and credit indices only, and perform the assessment set out in that paragraph 1 on those data.

Article 27

Assessment of foreign exchange risk factors

1.   When assessing an institution’s compliance with the requirements set out in Article 325bh(1), point (d), of Regulation (EU) No 575/2013 in relation to the modelling of foreign exchange risk, competent authorities shall:

(a)

require the institution to provide a list of all the currency pairs towards which the institution’s portfolio is sensitive and, for each of those currency pairs, to clarify whether that currency pair is subject to the spot exchange rate only, or other risk factors, including implied volatilities;

(b)

require the institution to provide a sensitivity analysis of its portfolio towards each currency pair referred to in point (a);

(c)

based on the information referred to in points (a) and (b), verify whether the basis risk between any couple of currency pairs is implicitly captured by either of the following:

(i)

the fact that the two currency pairs are modelled directly;

(ii)

the fact that a basis representing the difference between those two currencies pairs is included in the internal-risk measurement model;

(d)

assess the extent to which the institution considers the risk linked to unpegging events for non-free floating currency pairs, and where such risk is material, how it is monitored;

(e)

assess whether the risk in changes in foreign-exchange curves is duly captured as required by Article 29 of this Regulation;

(f)

assess whether vega risk related to foreign-exchange risk is duly captured as required by Article 30 of this Regulation.

2.   By way of derogation from paragraph 1, point (a), competent authorities may require an institution to provide the information referred to in that point for the most relevant currency pairs only, and perform the assessment set out in that paragraph 1 on those data.

Article 28

Assessment of commodity risk factors

1.   When assessing an institution’s compliance with the requirements set out in Article 325bh(1), point (f), of Regulation (EU) No 575/2013 in relation to the modelling of commodity risk, competent authorities shall:

(a)

require the institution:

(i)

to provide a list of all the types of commodities towards which the institution’s portfolio is sensitive;

(ii)

for each of the commodity type referred to in point (i), to clarify whether that commodity type is subject to the spot price of the commodity only, or other risk factors, including implied volatilities;

(iii)

to provide a sensitivity analysis of its portfolio towards each of the commodity types referred to in point (a);

(b)

verify whether the institution’s internal policies identify metrics that are appropriate to assess the materiality of a commodity market as referred to in Article 325bh(1), point (f), of Regulation (EU) No 575/2013 and whether, for commodity markets identified as material, each different commodity is specifically modelled in the institution’s internal risk-measurement model;

(c)

verify whether the basis risk between similar but not identical commodities towards which the institution has material exposure is captured, including the basis risk stemming from a different place of delivery and from maturity mismatches;

(d)

assess whether the risk in changes in commodity curves is duly captured as required by Article 29 of this Regulation;

(e)

assess whether vega risk related to commodity risk is duly captured as required by Article 30 of this Regulation.

For the purposes of point (c), competent authorities shall verify whether the institution models two different commodities directly or captures the basis by means of a basis risk factor.

2.   By way of derogation from paragraph 1, points (a)(i) and (ii), competent authorities may require the institution to provide the information referred to in those points for the most relevant commodities only, and may perform the assessment set out in that paragraph 1 on those data.

Article 29

Assessment of curves

1.   Competent authorities shall apply:

(a)

where required to assess curves whose points are risk factors as referred to in Article 4 of Delegated Regulation (EU) 2022/2060, paragraph 2 of this Article;

(b)

where required to assess curves that have been modelled by means of function parameters as referred to in Article 6 of Delegated Regulation (EU) 2022/2060, paragraph 4 of this Article.

For the purposes of points (a) and (b), competent authorities shall assess the interpolation and extrapolation techniques used by the institution in accordance with paragraph 6.

2.   For curves for which the institution establishes buckets itself in accordance with Article 5(4) of Delegated Regulation (EU) 2022/2060, competent authorities shall verify that:

(a)

the institution’s internal policies have established criteria to decide on the numbers of risk factors to be used to model a curve, and that such criteria are based on the liquidity and materiality of the positions with exposure to that curve;

(b)

the criteria referred to in point (a) are accompanied by an analysis showing that the number of risk factors used allows for the volatility across different tenors to be captured.

For the purposes of point (b), where the competent authority considers that the number of risk factors used to model a curve are not appropriate, competent authorities may complement their assessment using the assessment method referred to in paragraph 3.

3.   For the purposes paragraph 2, point (b), competent authorities may:

(a)

require the institution to apply scenarios of future shocks to the curve’s risk factors as made in the internal risk-measurement model;

(b)

require the institution to derive the volatility of a point in the curve that is not a risk factor;

(c)

require the institution to obtain the observed volatility of the point in the curve referred to in point (b);

(d)

compare the volatility obtained in accordance with point (b) with the observed volatility obtained in accordance with point (c).

For the assessment referred to in paragraph 2, point (b), competent authorities shall base themselves on both the period referred to in Article 325bc(4), point (c), of Regulation (EU) No 575/2013 and the period of financial stress referred to in Article 325bc(2), point (c), of that Regulation.

4.   For curves that have been modelled by means of function parameters as referred to in Article 6 of Delegated Regulation (EU) 2022/2060, competent authorities shall assess whether the institution’s internal policies include analysis showing that shocking functions parameters allows capturing all material risks in the curves and the volatility across different tenors. Where appropriate, competent authorities may complement their assessment by using the assessment method referred to in paragraph 5 of this Article.

5.   For the purposes of paragraph 4, competent authorities may:

(a)

require the institution to apply scenarios of future shocks to the function parameters as made in the internal risk-measurement model;

(b)

require the institution to derive the volatility of a point in the curve;

(c)

require the institution to obtain the volatility of the point in the curve referred to in point (b);

(d)

compare the volatility obtained in accordance with point (b) with the observed volatility obtained in accordance with point (c).

For that assessment, competent authorities shall base themselves on both the period referred to in Article 325bc(4), point (c), of Regulation (EU) No 575/2013 and the period of financial stress referred to in Article 325bc(2), point (c), of that Regulation.

6.   Competent authorities shall assess whether all the techniques used by the institution to build a curve, including interpolation and extrapolation techniques, are sound. Where part of the curve is derived by extrapolating its two outer points, competent authorities shall verify whether the volatility of the returns observed in the market for the extrapolated part of the curve does not significantly differ from that resulting from the extrapolation. For that purpose, competent authorities may apply the assessment methods referred to in paragraphs 3 and 5 by picking a point in the curve obtained via extrapolation when applying point (b), of those paragraphs.

Article 30

Assessment of implied volatility surfaces

1.   When assessing an institution’s compliance with the requirements set out in Article 325bh(1), point (h), of Regulation (EU) No 575/2013 in relation to capturing vega risk for any given broad risk factor category, competent authorities shall:

(a)

require the institution to provide a list of all the volatility surfaces towards which the institution’s portfolio is sensitive;

(b)

require the institution to provide a sensitivity analysis of its portfolio towards each of the surfaces referred to in point (a);

(c)

verify, based on the information referred to in points (a) and (b), whether any material basis risk between any two given surfaces is either implicitly captured by the fact that two surfaces are modelled directly, or by the fact that a basis surface representing the difference between those two curves is modelled;

(d)

verify, in relation to volatility surfaces whose points are risk factors as referred to in Article 4 of Delegated Regulation (EU) 2022/2060, whether:

(i)

the institution’s internal policies have established criteria to decide on the numbers of risk factors to be used to model a surface, and whether such criteria are based on the liquidity and materiality of the positions exposed to that surface;

(ii)

the criteria referred to in point (i) are accompanied by an analysis showing that the number of risk factors used allows for a comprehensive representation of the risk across the surface;

(e)

verify, in relation to surfaces that have been modelled by means of function parameters as referred to in Article 6 of Delegated Regulation (EU) 2022/2060, whether the institution’s internal policies include an analysis showing that shocking functions parameters allow for a comprehensive representation of the risk across the surface;

(f)

assess whether interpolation and extrapolation techniques used by the institution to build a surface are sound and where part of the surface is derived by extrapolating its two outer points, verify whether the volatility of the returns observed in the market for the extrapolated part of the surface does not significantly differ from that resulting from the extrapolation.

For the purposes of point (a), the institution shall for each of the surfaces referred in that point specify whether it is modelled in its entirety directly, or whether it is modelled as a sum of a base surface and a basis surface.

For the purposes of point (d)(ii), competent authorities may, where appropriate, complement their assessment by using the assessment method referred to in paragraph 2.

For the purposes of point (e), competent authorities may, where appropriate, complement their assessment by using the assessment method referred to in paragraph 3.

For the purposes of point (f), competent authorities may apply the assessment method referred to in paragraphs 2 and 3 by picking a point in the surface obtained via extrapolation when applying points (b) of those paragraphs.

2.   For the purposes paragraph 1, point (d)(ii), competent authorities may:

(a)

require the institution to apply scenarios of future shocks to the surface’s risk factors as made in the internal risk-measurement model;

(b)

require the institution to derive the volatility of a point of the surface that is not a risk factor;

(c)

require the institution to obtain the observed volatility of the point in the surface referred to in point (b);

(d)

compare the volatility obtained in accordance with point (b) with the observed volatility obtained in accordance with point (c).

For the assessment referred to in paragraph 1, point (d)(ii), competent authorities shall base themselves on both the period referred to in Article 325bc(4), point (c), of Regulation (EU) No 575/2013 and the period of financial stress referred to in Article 325bc(2), point (c), of that Regulation.

3.   For the purposes of paragraph 1, point (e), competent authorities may:

(a)

require the institution to apply scenarios of future shocks to the function parameters as made in the internal risk-measurement model;

(b)

require the institution to derive the volatility of a point of the surface;

(c)

require the institution to obtain the observed volatility of the point in the surface referred to in point (b);

(d)

compare the volatility obtained in accordance with point (b) with the observed volatility obtained in accordance with point (c).

For the assessment referred to in paragraph 1, point (e), competent authorities shall base themselves on both the period referred to in Article 325bc(4), point (c), of Regulation (EU) No 575/2013 and the period of financial stress referred to in Article 325bc(2), point (c), of that Regulation.

Article 31

Assessment of correlation risk factors

When assessing whether an institution’s internal risk-measurement model captures correlation risk as required by Article 325bh(1), point (b), of Regulation (EU) No 575/2013, competent authorities shall verify that, for multi-underlying options and any other products whose end-of-day value is determined via an implied correlation parameter, a risk factor capturing the risk of changes in the correlation parameter is included in the internal risk-measurement model.

The competent authority may identify options and products relying on an implied correlation parameter by using the information reported in accordance with Article 23 of this Regulation, and by identifying those factors that are correlation parameters.

Subsection 2

Assessment of the risk factors properties

Article 32

Assessment of the modellability of risk factors

1.   When assessing an institution’s compliance with Article 325bi(1), point (e), of Regulation (EU) No 575/2013 in relation to requirements on the risk factors’ modellability, competent authorities shall verify whether the institution’s internal policies referred to in that point meet all of the following conditions:

(a)

the internal policies cover the aspects referred to in Article 7 of Delegated Regulation (EU) 2022/2060 for all documentation;

(b)

the internal policies require the production of an up-to-date inventory which specifies for each risk factor the following:

(i)

a description of the risk factor;

(ii)

whether the risk factor is modellable following the modellability assessment referred to in Article 325be of Regulation (EU) No 575/2013, and whether the risk factor has ever changed its modellability status in the previous year;

(iii)

the 12 month-period used for the modellability assessment;

(iv)

whether the risk factor is a systematic credit or equity risk factor, as referred to in Article 3(3) of Delegated Regulation (EU) 2022/2060;

(v)

whether the risk factor is a point of a curve, a surface, or a cube, as referred to in Article 4(1) of Delegated Regulation (EU) 2022/2060, the bucket used for assessing the modellability of that risk factor, and the results of the modellability assessment of that bucket;

(vi)

whether the risk factor is a function parameter used to represent a curve, a surface, or a cube, as referred to in Article 6(1) of Delegated Regulation (EU) 2022/2060, and:

(1)

the set of points of the curve, surface or cube that have been used to calibrate the parametric function as referred to in Article 6(1) of Delegated Regulation (EU) 2022/2060;

(2)

the set of buckets, and their modellability, as resulting from the application of the steps referred to in Article 6(1), points (b) and (c), of Delegated Regulation (EU) 2022/2060;

(3)

the set of points of the curve, surface or cube that have been used to calibrate the function parameter as referred to in Article 6(2) of Delegated Regulation (EU) 2022/2060;

(vii)

the number of verifiable prices that are representative for the risk factor over the period considered for the modellability assessment;

(viii)

whether there are 90-day periods with less than four verifiable and representative prices;

(c)

the internal policies set out:

(i)

criteria to identify risk factors for which the institution applies the shifted period referred to in Article 1(2) and Article 4(3) of Delegated Regulation (EU) 2022/2060;

(ii)

criteria to establish whether risk factors are to be considered to be of the same type, as referred to in Article 1(2), point (a), of that Regulation;

(d)

the internal policies set out criteria to determine whether the modellability assessment of a curve, surface, or cube is performed by using standard, pre-defined buckets as referred to in Article 5(2) of Delegated Regulation (EU) 2022/2060, or by using the institution’s own establishment of buckets as referred to in Article 5(4) of that Delegated Regulation;

(e)

the internal policies set out the rationale of the choice, where the standard pre-defined buckets referred to in Article 5(2) of Delegated Regulation (EU) 2022/2060 are subdivided into smaller buckets in accordance with Article 5(3) of that Regulation.

For the purposes of points (b)(vii) and (viii), where the institution performs the modellability assessment for a risk factor by assessing the modellability of a set of buckets first, competent authorities shall verify whether the number of verifiable and representative prices are specified at the level of each of those buckets.

2.   When assessing whether the institution’s internal risk-measurement model is implemented with integrity as required by Article 325bi(1) of Regulation (EU) No 575/2013 in relation to the modellability assessment of risk factors that are assessed as modellable in accordance with Article 1 of Delegated Regulation (EU) 2022/2060, competent authorities shall:

(a)

verify, in relation to the results of the modellability assessment:

(i)

by using the inventory referred to in paragraph 1, point (b), that those risk factors meet any of the two criteria referred to in Article 1(1), points (a) and (b) of Delegated Regulation (EU) 2022/2060;

(ii)

where applicable, by using the inventory referred to in paragraph 1, point (b), that the period used for the modellability assessment complies with Article 1(2) of Delegated Regulation (EU) 2022/2060;

(b)

in relation to the requirements for considering a price verifiable as referred to in Article 2 of Delegated Regulation (EU) 2022/2060:

(i)

verify whether:

(1)

the institution’s internal systems and policies, and its contractual agreements with third-party vendors, ensure that the conditions referred to in Article 2(1) of Delegated Regulation (EU) 2022/2060 are met;

(2)

there are any prices that meet the conditions referred to in Article 2(2) of Delegated Regulation (EU) 2022/2060 that are considered verifiable;

(ii)

by reviewing the audit reports, verify whether the independent audit referred to in Article 2(6) of Delegated Regulation (EU) 2022/2060 is robust and covers all the aspects referred to in that paragraph;

(iii)

where applicable, review the contractual arrangements referred to in Article 2(7) of Delegated Regulation (EU) 2022/2060;

(c)

in relation to the requirements for considering a verifiable price as representative of a risk factor as referred to in Article 3 of Delegated Regulation (EU) 2022/2060, verify whether the mapping process and the criteria used to determine the representativeness of a price for a risk factor as referred to in Article 7(1), point (d), of that Delegated Regulation are sound.

For the purposes of point (a)(ii), competent authorities shall verify whether the criteria referred to in paragraph 1, point (c) to identify whether risk factors are of the same type are sound and, by using the inventory referred to in paragraph 1, point (b), verify whether those criteria are applied correctly.

For the purposes of point (b)(i), competent authorities shall apply the assessment method referred to in paragraph 5.

For the purposes of point (c), competent authorities shall apply the assessment method referred to in paragraph 6.

3.   When assessing whether an institution’s internal model is implemented with integrity as required by Article 325bi(1) of Regulation (EU) No 575/2013 in relation to the modellability assessment of risk factors that belong to a curve, a surface or a cube and that are assessed as modellable in accordance with Article 4 of Delegated Regulation (EU) 2022/2060, competent authorities shall:

(a)

in relation to the results of the modellability assessment:

(i)

by using the inventory referred to in paragraph 1, point (b), verify whether the bucketing of curves, surfaces and cubes complies with the conditions referred to in Article 5(2) or Article 5(4) of Delegated Regulation (EU) 2022/2060, and that the institution correctly applies the criteria referred to in paragraph 1, point (d), of this Article to select the bucketing approach;

(ii)

where the institution uses the set of standard pre-defined buckets referred to in Article 5(2), point (d), of Delegated Regulation (EU) 2022/2060, verify whether any conversion of buckets into a different market-standard convention is appropriate;

(iii)

by using the inventory referred to in paragraph 1, point (b), verify whether the buckets that are assessed as modellable meet any of the two conditions referred to in Article 4(2), points (a) and (b), of Delegated Regulation (EU) 2022/2060;

(iv)

by using the inventory referred to in paragraph 1, point (b), verify whether the period used for the modellability assessment is the same for all buckets of a given curve, surface or cube;

(b)

in relation to the requirements for considering a price verifiable as referred to in Article 2 of Delegated Regulation (EU) 2022/2060:

(i)

by reviewing the institution’s internal systems and policies, and its contractual agreements with third-party vendors, ensure that:

(1)

the conditions referred to in Article 2(1) of Delegated Regulation (EU) 2022/2060 are met;

(2)

that no prices that meet the conditions referred to in Article 2(2) of that Delegated Regulation are considered verifiable;

(ii)

by reviewing the audit reports, verify whether the independent audit to which third-party vendors are subject is robust and covers all the aspects referred to Article 2(6) of Delegated Regulation (EU) 2022/2060;

(iii)

where applicable, review the contractual arrangements between the institution and the third-party vendors referred to in Article 2(7) of Delegated Regulation (EU) 2022/2060;

(c)

in relation to the requirements for allocating a verifiable price to a bucket as referred to in Article 4(4) of Delegated Regulation (EU) 2022/2060, verify whether the mapping process and the criteria referred to in Article 7(1), point (d), of that Regulation used to determine that a price is representative for a point in the bucket are sound;

(d)

in relation to the possibility of reallocating a verifiable price of a bucket to an adjacent bucket in accordance with Article 5(5) of Delegated Regulation (EU) 2022/2060, verify:

(i)

whether the approach documented in accordance with Article 7(1), point (f), of that Regulation used by the institution to perform such reallocation is appropriate;

(ii)

how the institution ensures that the conditions under which reallocation is allowed in accordance with Article 5(5) of Delegated Regulation (EU) 2022/2060 are fulfilled.

For the purposes of point (b)(i), competent authorities shall apply the assessment method referred to in paragraph 5.

For the purposes of point (c), competent authorities shall apply the assessment method referred to in paragraph 7.

4.   When assessing whether an institution’s internal model is implemented with integrity as required by Article 325bi(1) of Regulation (EU) No 575/2013 in relation to the modellability assessment of risk factors that are assessed as modellable in accordance with Article 6 of Delegated Regulation (EU) 2022/2060, competent authorities shall:

(a)

in relation to the results of the modellability assessment:

(i)

by using the inventory referred to in paragraph 1, point (b), verify whether the buckets of the curve, surface or cube modelled through a parametric function that are assessed as modellable meet any of the two conditions referred to in Article 4(2), points (a) and (b), of Delegated Regulation (EU) 2022/2060;

(ii)

by using the inventory referred to in paragraph 1, point (b), verify whether:

(1)

the institution uses the bucketing approach set out in Article 5(2) of Delegated Regulation (EU) 2022/2060;

(2)

any conversion of buckets into a different market-standard convention in accordance with Article 5(2), point (d), of that Regulation is appropriate;

(iii)

by using the inventory referred to in paragraph 1, point (b), verify whether the institution assesses the function parameter as modellable only where all points in the curve, surface or cube that are used to calibrate that function parameter belong to buckets that are modellable;

(b)

in relation to the requirements for considering a price verifiable as referred to in Article 2 of Delegated Regulation (EU) 2022/2060:

(i)

verify whether:

(1)

the institution’s internal systems and policies, and its contractual arrangements with third-party vendors, ensure that the conditions referred to in Article 2(1) of Delegated Regulation (EU) 2022/2060 are met;

(2)

there are no prices that meet the conditions referred to in Article 2(2) of Delegated Regulation (EU) 2022/2060 that are considered verifiable;

(ii)

by reviewing the audit reports, verify whether the independent audit to which third-party vendors are subject is robust and covers all aspects referred to in Article 2(6) of Delegated Regulation (EU) 2022/2060;

(iii)

where applicable, review the contractual arrangements between the institution and the third-party vendors referred to in Article 2(7) of Delegated Regulation (EU) 2022/2060;

(c)

in relation to the requirements for allocating a verifiable price to a bucket as referred to in Article 4(4) of Delegated Regulation (EU) 2022/2060, verify whether the mapping process and the criteria referred to in Article 7(1), point (d), of that Regulation used to determine that a price is representative for a point in the bucket are sound;

(d)

in relation to the possibility of reallocating a verifiable price of a bucket to an adjacent bucket in accordance with Article 5(5) of Delegated Regulation (EU) 2022/2060, verify:

(i)

whether the approach documented in accordance with Article 7(1), point (f), of that Regulation used by the institution in performing such reallocation is appropriate;

(ii)

how the institution ensures that the conditions under which reallocation is allowed in accordance with Article 5(5) of Delegated Regulation (EU) 2022/2060 are fulfilled.

For the purposes of point (b)(i), competent authorities shall apply the assessment method referred to in paragraph 5.

For the purposes of point (c), competent authorities shall apply the assessment method referred to in paragraph 7.

5.   For the purposes of paragraph 2, point (b)(i), paragraph 3, point (b)(i) and paragraph 4, point (b)(i), competent authorities shall apply the following assessment method:

(a)

require the institution to provide a sample of risk factors and buckets, with the corresponding verifiable and representative prices, including:

(i)

risk factors and buckets that narrowly met the conditions for being assessed as modellable;

(ii)

risk factors and buckets that changed their modellability status over the previous year;

(iii)

where applicable, risk factors and buckets for which verifiable prices are obtained solely by the institution, solely by third-party vendors, and by both the institution and third-party vendors;

(b)

require the institution to justify for the prices referred to in point (a), of this paragraph which of the conditions referred to in Article 2(1) of Delegated Regulation (EU) 2022/2060 are met, and verify the following:

(i)

where the condition referred to in Article 2(1), point (a), of Delegated Regulation (EU) 2022/2060 is met, how the institution assessed that the transaction was entered at arm’s length;

(ii)

where the condition referred to in Article 2(1), point (b), of Delegated Regulation (EU) 2022/2060 is met, how the institution or the third-party vendor assessed that the transaction was entered at arm’s length;

(iii)

where the condition referred to in Article 2(1), point (c), of Delegated Regulation (EU) 2022/2060 is met, how the institution or the third-party vendor identified both bid and offer quotations;

(c)

for the verifiable prices referred to in point (a), competent authorities shall verify:

(i)

whether the price is not a transaction or bid and offer quotation between two entities of the same group as referred to in Article 2(2), point (a), of Delegated Regulation (EU) 2022/2060, and whether the approach that the institution or the third-party vendor used to conclude that the two entities do not belong to the same group is sound;

(ii)

how the institution or the third-party vendor concluded that the volume of the transaction or committed quote associated with the verifiable price is non-negligible as referred to in Article 2(2), point (b), of Delegated Regulation (EU) 2022/2060, and whether the metrics employed to evaluate the negligibility are sound;

(iii)

where the verifiable price relates to committed quotes as referred to in Article 2(1), point (c), of Delegated Regulation (EU) 2022/2060:

(1)

how the institution or the third-party vendor concluded that the bid-offer spread does not deviate substantially from applicable market conditions as referred to in Article 2(2), point (c), of that Regulation;

(2)

whether the metrics employed to evaluate such potential deviation are sound;

(iv)

whether among those prices some may be considered to meet the conditions referred to in Article 2(2), point (b) or Article 2(2), point (c), of Delegated Regulation (EU) 2022/2060 because they are characterised by an unusually low volume or by an unusually large bid-offer spread;

(v)

whether the institution or the third-party vendor identified a time zone that is used consistently across all data sources to identify the observation date of the verifiable price as required by Article 2(3) of Delegated Regulation (EU) 2022/2060.

For the purposes of this paragraph, competent authorities shall require institutions or third-party vendors as applicable to provide them with all information that they need to perform that assessment comprehensively, in accordance with Article 2(5), point (b), of Delegated Regulation (EU) 2022/2060.

6.   For the purposes of paragraph 2, point (c), competent authorities shall:

(a)

require an institution to provide a sample of risk factors, and the corresponding verifiable and representative prices used to assess the conditions referred to in Article 1 of Delegated Regulation (EU) 2022/2060;

(b)

verify whether, where for the risk factor there are multiple verifiable prices on a given observation date, only one is considered when assessing whether the conditions referred to in Article 1 of Delegated Regulation (EU) 2022/2060 are met;

(c)

for those risk factors in the sample referred to in point (a) that are not systematic credit or equity risk factors capturing market-wide movements as referred to in Article 3(3) of Delegated Regulation (EU) 2022/2060, verify whether:

(i)

the risk factor is a strong driver of the price considered representative

(ii)

whether the method used by the institution to conclude that there is a close relationship between the risk factor and that price is sound;

(iii)

the methodology employed by the institution to extract the value of the risk factor from that price is sound;

(d)

for those risk factors in the sample referred to in point (a) that are systematic credit or equity risk factors capturing market-wide movements as referred to in Article 3(3) of Delegated Regulation (EU) 2022/2060, verify whether the verifiable prices used are representative of attributes of the systematic risk factors.

For the purposes of point (a), the sample of risk factors shall include, among others, risk factors that narrowly met the conditions for being assessed modellable and risk factors that changed their modellability status over the previous year. Where applicable, that sample shall contain risk factors for which verifiable prices are obtained solely by the institution, solely by third-party vendors, and by both the institution and third-party vendors.

7.   For the purposes of paragraph 3, point (c), and paragraph 4, point (c), competent authorities shall:

(a)

require the institution to provide a sample of buckets relating to a set of curves, surfaces or cubes, and the corresponding verifiable and representative prices;

(b)

for the verifiable prices referred to in point (a), verify, for the buckets for which there are multiple verifiable prices on a given observation date, that only one verifiable price per each date is considered when assessing whether the conditions referred to in Article 1 of Delegated Regulation (EU) 2022/2060 are met;

(c)

for the verifiable prices referred to in point (a), assess that the methodology employed by the institution to map a verifiable price to a given bucket is appropriate.

For the purposes of point (a), the sample of buckets shall include, among others, buckets that narrowly met the conditions for being assessed modellable and buckets that changed their modellability status over the previous year. Where applicable, that sample shall include buckets for which verifiable prices are obtained solely by the institution, solely by third-party vendors, and by both the institution and third-party vendors.

For the purposes of point (c), the competent authority shall verify whether:

(a)

the points in a bucket are a strong driver of the price considered representative,

(b)

the method used by the institution to conclude that there is a close relationship between any point in the bucket and that price is sound,

(c)

the methodology employed by the institution to extract the value of that point in the bucket from that price is sound.

Article 33

Assessment of the risk factors’ liquidity horizon

1.   When assessing an institution’s compliance with Article 325bi(1), point (e), of Regulation (EU) No 575/2013 in relation to requirements on the risk factors’ liquidity horizon, competent authorities shall verify whether the internal policies referred to in that point require the production of an up-to-date inventory specifying, for each risk factor, the following:

(a)

a description of the risk factor;

(b)

whether the risk factor is modellable following the assessment of the modellability referred to in Article 325be of Regulation (EU) No 575/2013 and, where the risk factor is modellable, whether that risk factor is included in the subset of modellable risk factors referred to in Article 325bc(2), point (a), of that Regulation;

(c)

a simple description of the data inputs used to mark the risk factor;

(d)

the liquidity horizon assigned to the risk factor as required by Article 325bd(2) of Regulation (EU) No 575/2013;

(e)

whether the nature of the risk factor does not correspond to any broad category of risk factors as required by Article 1(2) of Delegated Regulation (EU) 2022/2058;

(f)

whether the nature of the risk captured by the risk factor and the data inputs used for that risk factor correspond to risk factors that could fall under more than one broad category of risk factors or broad sub-category of risk factors as required by Article 1(3) of Delegated Regulation (EU) 2022/2058;

(g)

where used to model a homogenous index, whether the methodology referred to in Article 1 of Delegated Regulation (EU) 2022/2058 or the methodology referred to in Article 2 of that Regulation has been used to map the risk factor to the appropriate broad category and sub-category of risk factors of Table 2 of Article 325bd of Regulation (EU) No 575/2013.

2.   When assessing whether the institution’s internal model is implemented with integrity in accordance with Article 325bi(1) of Regulation (EU) No 575/2013 as regards requirements on the risk factors’ liquidity horizon, competent authorities shall verify whether:

(a)

by using the elements referred to in paragraph 1 of this Article:

(i)

there is consistency between the nature of the risk factors, the data inputs used for the risk factors, and the broad category and sub-category of risk factors of Table 2 of Article 325bd, of Regulation (EU) No 575/2013;

(ii)

equity and credit risk factors that reflect a systematic component have been subject to the treatment referred to in Article 1(3) of Delegated Regulation (EU) 2022/2058, when those risk factors are calibrated using data inputs related to different broad categories or sub-categories of risk factors;

(iii)

basis risk factors representing the difference between two risk factors that if modelled directly by the institution, instead of the basis, would be assigned to two different sub-categories, are subject to the treatment referred to in Article 1(3) of Delegated Regulation (EU) 2022/2058;

(iv)

where a risk factor is not among risk factors referred to in Articles 3 and 4 of Delegated Regulation (EU) 2022/2058 and that risk factor does not unambiguously relate to one of the broad sub-categories of risks of Table 2 of Article 325bd of Regulation (EU) No 575/2013, that risk factor is mapped to the sub-category ‘other’ of the appropriate category;

(v)

equity risk factors recognised as equity with large market capitalisation meet one of the conditions referred to in Article 7(1) of Delegated Regulation (EU) 2022/2058;

(b)

the institution has in place objective criteria for identifying when a credit spread risk factor refers to an investment grade or a high yield position;

(c)

where the institution applies the derogation set out in Article 325bd(3) of Regulation (EU) No 575/2013 regarding the use of longer liquidity horizons in calculating the expected shortfall risk measure referred to in Article 325bb of that Regulation and the stress scenario risk measure referred to in Article 325bk of that Regulation, the institution distinguishes between positions belonging to trading desks for which the derogation is used from those trading desks for which the derogation is not used;

(d)

as part of the monthly verification referred to in Article 325bd(6) of Regulation (EU) No 575/2013, the institution verifies whether:

(i)

due to a change in the equity capitalisation or in the components of indices referred to in Article 7(1), point (b), of Delegated Regulation (EU) 2022/2058, there has been a change in the appropriate sub-category for an equity risk factor;

(ii)

due to migration or other credit quality events, there has been a change in the appropriate sub-category for a credit spread risk factor;

(e)

only one currency is considered domestic for the purpose of mapping a risk factor to the broad category ‘Interest rate’ and sub-category ‘Most liquid currencies and domestic currency’ of Article 325bd, Table 2, of Regulation (EU) No 575/2013.

For the purposes of point (c), competent authorities shall focus on risk factors belonging to the sub-category subject to the derogation and that are present both in trading desks for which the derogation is used and in trading desks for which the derogation is not used.

3.   For the purposes of paragraph 2, point (a), competent authorities may require the institution to identify the risk factors in a sample of financial instruments or commodities, and make their assessment taking into account the nature of the financial instruments bearing the risk factors. When requiring that sample, competent authorities shall focus on financial instruments or commodities encompassing a sufficiently wide range of risk factor types to ensure a comprehensive assessment.

4.   For the purposes of paragraph 2, point (d), of this Article competent authorities may require the institution to provide risk factors that were subject to a change in the sub-category, and verify that, following the monthly verification, the expected shortfall risk measure referred to in Article 325bb of Regulation (EU) No 575/2013 and the stress scenario risk measure referred to in Article 325bk of that Regulation reflected the changes in the liquidity horizon.

SECTION 3

Assessment of proxies and data quality

Article 34

Assessment of proxies

1.   When assessing whether an institution’s internal model is implemented with integrity as required by Article 325bi(1) of Regulation (EU) No 575/2013 in relation to requirements on the use of proxies, competent authorities shall verify whether:

(a)

the institution has established, as part of the internal policies referred to in Article 325bi(1), point (e), of Regulation (EU) No 575/2013, criteria outlining:

(i)

when a risk factor is proxied;

(ii)

how a risk factor would be proxied if subject to a proxy approach.

(b)

the internal policies referred to in Article 325bi(1), point (e), of Regulation (EU) No 575/2013 cover all proxy approaches employed by the institution, including, where used:

(i)

factor models;

(ii)

beta approximations;

(iii)

mapping of risk factors to benchmarks, including names representative of the sector and region or indices;

(c)

for non-modellable risk factors, there is a clear rationale for using a proxy approach, even though the number of returns N in the time series for the risk factor resulting from Article 7 of Delegated Regulation (EU) 2024/397 would allow for using the historical method or the asymmetrical sigma method referred to, respectively, in Articles 8 and 9 of that Delegated Regulation;

(d)

the approach used to proxy the risk factor is appropriate and ensures, as required by Article 325bh(1), point (g), of Regulation (EU) No 575/2013, a conservative calibration of the scenarios of future shocks for modellable risk factors and of the extreme scenarios of future shock for non-modellable risk factors;

(e)

for risk factors for which proxy data are used only for specific periods in the time series, there are no anomalous jumps between the parts of the time series that are proxied and the parts of the time series that are not proxied.

2.   For the purposes of paragraph 1, point (c), competent authorities shall, on a sample of risk factors that are proxied, verify whether:

(a)

the proxy approach used for those risk factors is the approach described in the internal policies as referred to in paragraph 1, point (a), and the proxy used is economically meaningful;

(b)

the basis risk between that risk factor as proxied and other risk factors is duly captured, including where different risk factors are proxied by mapping them to the same risk factor;

(c)

there are no cases where, as a result of the proxy, the specific risk is not duly captured.

When applying that assessment method, competent authorities shall choose a sample of risk factors reflecting a variety of proxy approaches, including, where used, factor models, beta approximations, and mapping of risk factors to benchmarks, including names representative of the sector and region or indices.

3.   For the purposes of paragraph 1, point (c), competent authorities shall, on a sample of risk factors for which data in the last 12-month period have been proxied:

(a)

require the institution to provide the time series of the proxied risk factors as used in the internal risk-measurement model and the time series of the corresponding pricing factors as used in the end-of-day valuation process;

(b)

verify that the volatilities of the two time series referred to in point (a) do not substantially diverge;

(c)

verify that the two time series are highly correlated.

When applying that assessment method, competent authorities shall choose a sample of risk factors reflecting a variety of proxy approaches, including, where used, factor models, beta approximations, and mapping of risk factors to benchmarks, including names representative of a given sector and region or indices.

4.   For the purposes of paragraph 1, point (c), to test the conservativeness of proxy approaches, competent authorities shall select a sample of approaches and apply, for each proxy approach, all the following steps in following order:

(a)

require the institution to provide the time series of a sample of risk factors that are not proxied and that, if proxied, would follow the proxy approach being assessed;

(b)

require the institution to provide the time series that would be used by applying the proxy approach being assessed to the risk factors’ time series referred to in point (a);

(c)

for both time series, obtain the volatilities of the risk factors in the stress period and in the last 12-month period, and verify that the volatility resulting from the proxy time series referred to in point (b) does not underestimate the volatility resulting from the time series referred to in point (a).

When applying that assessment method, competent authorities shall choose a sample of risk factors reflecting a variety of proxy approaches, including, where used, factor models, beta approximations, and mapping of risk factors to benchmarks, including names representative of a given sector and region or indices.

5.   For the purposes of paragraph 1, point (c), competent authorities shall, on a sample of non-modellable risk factors for which proxy data have been used in the stress period despite the number of returns N in the time series for the risk factor resulting from Article 7 of Delegated Regulation (EU) 2024/397 would allow for using the historical method or the asymmetrical sigma method referred to, respectively, in Articles 8 and 9 of that Delegated Regulation:

(a)

require the institution to provide the original time series for the risk factors before any proxy approach has been used;

(b)

require the institution to provide the time series used for the proxied risk factors;

(c)

compare the upward and downward calibrated shocks as resulting from the application of Article 8 and 9 of Delegated Regulation (EU) 2024/397 to the time series referred to in points (a) and (b) of this paragraph, and verify that shocks resulting from the proxied time series are not systematically less conservative than the shocks obtained by using the original time series.

When applying that assessment method, competent authorities shall choose a sample of risk factors reflecting a variety of proxy approaches, including, where used, factor models, beta approximations, and mapping of risk factors to benchmarks, including names representative of the sector and region or indices.

Article 35

Assessment of the data quality

1.   When assessing whether an institution’s data standards meet the minimum standards for the internal risk-measurement model to be considered reasonably accurate in measuring risks as required by Article 325bi(1), point (f), of Regulation (EU) No 575/2013, competent authorities shall verify whether:

(a)

the institution documents, as part of its internal policies, any methodology used to fill in time series with missing data points, and whether such documentation contains sound analysis showing that those methodologies do not affect the risk factors’ volatilities and correlations;

(b)

the institution has established objective criteria setting out which methodology to fill in time series is used, where more than one methodology is available, and has documented those criteria in its internal policies;

(c)

the institution has established, as part of its internal policies, the process to be followed whenever the values in a time series are changed, and whether such process includes the documentation of the performed changes;

(d)

the institution does not perform filtering of data, including flooring, capping and exclusions of outliers, unless the institution is able to demonstrate that the excluded data point relates to erroneous or stale data, and the institution documents such an exclusion;

(e)

the institution performs periodic quality checks on the time series used for the computation of the expected shortfall risk measure, and documents those checks and the corresponding results are documented;

(f)

the institution analyses, as part of the checks referred to in point (e), the effect that missing or replaced data and the methodology used to obtain the time series have on the risk factors’ volatilities and correlations;

(g)

the data quality of the time series used by the institution is appropriate.

For the purposes of point (e), competent authorities shall verify whether the institution monitors, as part of the checks referred to in that point, for each time series:

(a)

the number of days for which data points were initially missing and were then filled in using a particular methodology;

(b)

the number of days for which data points were initially available and have been replaced using a particular methodology;

(c)

the number of days with no daily changes;

(d)

the maximum number of consecutive days with no daily change.

2.   For the purposes of paragraph 1, point (g), competent authorities shall:

(a)

require the institution to provide an overview of their time series used in

Formula

,

Formula

,

Formula

,

Formula

,

Formula

and

Formula

, as referred to in Article 325bb of Regulation (EU) No 575/2013, and in the calculation of the stress scenario risk measures, as referred to in Article 7 of Commission Delegated Regulation (EU) 2024/397, and to include in that overview for each time series used:

(i)

the total number of days in the historical observation period used to calculate the

Formula

,

Formula

,

Formula

,

Formula

,

Formula

and

Formula

, as referred to in Article 325bb of Regulation (EU) No 575/2013, and the stress scenario risk measures, as referred to in Article 7 of Commission Delegated Regulation (EU) 2024/397;

(ii)

the number of days with missing data in the time series before the institution introduces any adjustment;

(iii)

the number of days without any daily change in the time series before the institution introduces any adjustment;

(iv)

the maximum number of consecutive days without any daily change in the time series before the institution introduces any adjustment;

(v)

the number of days for which data were initially available in the time series but that the institution excluded or changed before being used in the calculation of the

Formula

,

Formula

,

Formula

,

Formula

,

Formula

and

Formula

, as referred to in Article 325bb of Regulation (EU) No 575/2013, and the stress scenario risk measures, as referred to in in Article 7 of Commission Delegated Regulation (EU) 2024/397;

(b)

based on the overview referred to in point (a), identify those times series used for risk factors that may be affected by low data quality;

(c)

based on the overview referred to in point (a), select a sample of time series that are characterised by a high number of data points initially missing, and apply the following steps in the following order:

(i)

require the institution to provide the time series with the initial data points only, and the time series after they have been filled in;

(ii)

verify that the time series have been filled in in accordance with the methodologies envisaged in the internal policies as referred to in paragraph 1, points (a) and (b), and that such methodologies are appropriate for the case at matter;

(d)

based on the overview referred to in point (b), select a sample of time series characterised by a high number of data points that were initially available but have been substituted by other data points, and apply the following steps in the following order:

(i)

require the institution to provide the time series with the initial data points only, and the time series after data points in the time series have been substituted;

(ii)

verify that the data points have been replaced in accordance with the methodologies envisaged in the internal policies as referred to in paragraph 1, points (a) and (b), and that such methodologies are appropriate for the case at matter.

For the purposes of point (b), competent authorities may use, where appropriate, as a basis for the identification referred to in that point, the following indicators:

(a)

time series with less than 10 % of initially available data points;

(b)

time series with 20 consecutive business days without any daily change;

(c)

time series with more than 20 % of days with no changes;

(d)

time series for which more than 50 % of the initially available data have been changed.

Competent authorities shall require the institution to justify the use of those time series and, where applicable, the reason why the corresponding risk factor is included in the reduced set of risk factors as referred to in Article 325bc(2), points (a) and (b), and Article 325bc(3), points (a) and (b), of Regulation (EU) No 575/2013.

3.   For risk factors for which proxy data are used, competent authorities shall perform the assessment referred to in paragraph 2 on the proxy time series as used in the calculation of the

Formula

,

Formula

,

Formula

,

Formula

,

Formula

and

Formula

, as referred to in Article 325bb of Regulation (EU) No 575/2013, and on the stress scenario risk measures, as referred to in Article 7 of Commission Delegated Regulation (EU) 2024/397.

SECTION 4

Assessment of compliance with requirements relating to the back-testing and profit-loss attribution test

Article 36

Assessment of the technical elements to be included in the actual and hypothetical changes in the portfolio’s value for the back-testing requirements

1.   When verifying whether an institution complies with Article 325bi(1), point (e), of Regulation (EU) No 575/2013 in relation to requirements on the technical elements to be included in the actual and hypothetical changes in the portfolio’s value, competent authorities shall verify whether the internal policies referred to in that point:

(a)

specify all the elements referred to in Article 5 of Delegated Regulation (EU) 2022/2059 and, where applicable, all the elements referred to in Article 1(5), point (c), of that Regulation;

(b)

require the production of a periodic report, and, where the different elements contributing to the changes in the portfolio’s value are disentangled, daily figures, including:

(i)

the changes related to elements that are removed from the end-of-day value to obtain the actual and hypothetical changes in accordance with Articles 1 to 4 of Delegated Regulation (EU) 2022/2059, including those relating to intraday trading activities;

(ii)

the changes related to adjustments that are included in the end-of-day of value but that are not in the calculation of the actual and hypothetical changes in accordance with Articles 1 to 4 Delegated Regulation (EU) 2022/2059;

(iii)

the changes related to adjustments that are included in the end-of-day of value and in the calculation of the actual and hypothetical changes in accordance with Articles 1 to 4 Delegated Regulation (EU) 2022/2059;

(iv)

the changes related to adjustments resulting from the independent price verification process referred to in Article 1(1) and 2(1) of Delegated Regulation (EU) 2022/2059;

(c)

require the production of the report referred to in point (b) both at the level of each trading desk subject to trading desk’s back-testing requirements in accordance with Articles 1 and 3 of Delegated Regulation (EU) 2022/2059, and at the level of the portfolio subject to back-testing requirements in accordance with Articles 2 and 4 of Delegated Regulation (EU) 2022/2059;

(d)

specify the rectification processes to follow in the calculation of the actual and hypothetical changes in case of contingencies, exceptions, errors, and pricing failures.

2.   When assessing whether an institution’s internal model is implemented with integrity as required by Article 325bi(1) of Regulation (EU) No 575/2013 in relation to requirements on the technical elements to be included in the actual and hypothetical changes in the portfolio’s value, competent authorities shall:

(a)

in relation to the calculation of the actual changes in the trading desk portfolio’s value as referred to in Article 1(1) of Delegated Regulation (EU) 2022/2059:

(i)

by using the reports referred to in paragraph 1, points (b) and (c) of this Article and the outline of the differences referred to in Article 5, point (a), of Delegated Regulation (EU) 2022/2059:

(1)

identify the elements that differ between the changes in the end-of-day portfolio values produced by the end-of-day valuation process and the actual changes;

(2)

verify whether the elements identified in accordance with point (1) are limited to fees and commissions as referred to in Article 325bf(4), point (b), of Regulation (EU) No 575/2013, and are limited to those adjustments that must or may be excluded from the actual changes, as laid down in Article 1(3) and (5) of Delegated Regulation (EU) 2022/2059;

(ii)

by using the reports referred to in paragraph 1, points (b) and (c) of this Article, verify whether, the adjustments resulting from the independent price verification are included in the actual changes in the trading desk portfolio’s value, as required by Article 1(1) of Delegated Regulation (EU) 2022/2059;

(iii)

verify whether the passage of time as referred to in Article 1(2) of Delegated Regulation (EU) 2022/2059 is reflected in the calculation of the actual changes, and whether that passage of time is reflected in the same way as in the calculation of the end-of-day portfolio values produced by the end-of-day valuation process;

(iv)

assess how the institution evaluates whether an adjustment is market-risk related, as referred to in Article 1(3) of Delegated Regulation (EU) 2022/2059 and, by using the reports referred to in paragraph 1, points (b) and (c) of this Article, verify whether those adjustments that are not market-risk related are excluded from the calculation of the actual changes;

(v)

by comparing the reports referred to in paragraph 1, points (b) and (c) of this Article at different dates, verify whether, the institution reflects changes in adjustments’ values only on the dates at which the adjustment is calculated, as required by Article 1(4) of Delegated Regulation (EU) 2022/2059;

(vi)

verify whether the scope of positions on which the adjustment is calculated includes only positions assigned to the trading desk, as required by Article 1(4) of Delegated Regulation (EU) 2022/2059;

(vii)

verify whether the adjustments that may be excluded from the actual changes pursuant to Article 1(5) of Delegated Regulation (EU) 2022/2059 are non-additive;

(viii)

verify whether the information referred to in Article 5(c) of Delegated Regulation (EU) 2022/2059 is consistent with the evidence resulting from the reports referred to in paragraph 1, points (b) and (c) of this Article;

(b)

in relation to the calculation of the actual changes in the portfolio’s value as referred to in Article 2 of Delegated Regulation (EU) 2022/2059:

(i)

by using the reports referred to in paragraph 1, points (b) and (c), of this Article and the outline of the differences referred to in Article 5(a) of Delegated Regulation (EU) 2022/2059:

(1)

identify the elements that differ between the changes in the end-of-day portfolio values produced by the end-of-day valuation process and the actual changes;

(2)

verify whether the elements referred to in point (1) are limited to fees and commissions as referred to in Article 325bf(4), point (b), of Regulation (EU) No 575/2013, and to those adjustments that must or may be excluded from the actual changes pursuant to Article 2 of Delegated Regulation (EU) 2022/2059;

(ii)

by using the reports referred to in paragraph 1, points (b) and (c) of this Article, verify whether the adjustments resulting from the independent price verification are included in the actual changes in the portfolio’s value, as required by Article 2(1) of Delegated Regulation (EU) 2022/2059;

(iii)

verify whether the passage of time referred to in Article 2(2) of Delegated Regulation (EU) 2022/2059 is reflected in the calculation of the actual changes, and whether that passage of time is reflected in the same way as in the calculation of the end-of-day portfolio values produced by the end-of-day valuation process;

(iv)

assess how the institution evaluates whether an adjustment is market-risk related as referred to in Article 2(3) of Delegated Regulation (EU) 2022/2059 and, by using the reports referred to in paragraph 1, points (b) and (c) of this Article, verify whether those that are not market-risk related are excluded from the calculation of the actual changes;

(v)

verify whether, as required by Article 2(4) of Delegated Regulation (EU) 2022/2059, the scope of positions on which an adjustment is calculated is either made of:

(1)

positions assigned to trading desks for which the institution calculates its own funds requirements for market risk in accordance with Part Three, Title IV, Chapter 1b of Regulation (EU) No 575/2013;

(2)

all positions subject to own funds requirements for market risk;

(vi)

by comparing the reports referred to in paragraph 1, points (b) and (c) of this Article at different dates, verify whether, the institution reflects changes in adjustments’ values only on the dates at which the adjustment is recomputed in accordance with Article 2(5) of Delegated Regulation (EU) 2022/2059;

(vii)

verify whether the information referred to in Article 5, point (c), of Delegated Regulation (EU) 2022/2059 is consistent with the evidence resulting from the reports referred to in paragraph 1, point (b) and (c) of this Article;

(c)

in relation to the calculation of the hypothetical changes in the trading desk portfolio’s value as referred to in Article 3 of Delegated Regulation (EU) 2022/2059:

(i)

identify, by using the reports referred to in paragraph 1, point (b) and (c) of this Article, the elements that differ between the changes in the end-of-day portfolio values produced by the end-of-day valuation process and the hypothetical changes, and verify whether those elements are limited to:

(1)

fees and commissions;

(2)

those elements that are not captured due to the assumption that positions are unchanged as referred to in Article 325bf(4), point (a), of Regulation (EU) No 575/2013;

(3)

those adjustments that must or may be excluded from the hypothetical changes as laid down in Article 3(3) and (5) of Delegated Regulation (EU) 2022/2059;

(ii)

verify whether the effect of the passage of time is reflected in the hypothetical changes consistently with the treatment the institution applies for such effect in the calculation of the expected shortfall risk measure as referred to in Article 325bb of Regulation (EU) No 575/2013 and in the calculation of the stress scenario risk measure referred to in Article 325bk of that Regulation, as required by Article 3(2) of Delegated Regulation (EU) 2022/2059;

(iii)

assess how the institution evaluates whether an adjustment is market-risk related as referred to in Article 3(3) of Delegated Regulation (EU) 2022/2059 and, by using the reports referred to in paragraph 1, point (b) and (c) of this Article, verify whether those adjustments that are not market-risk related are excluded from the calculation of the hypothetical changes;

(iv)

by using the reports referred to in paragraph 1, point (b) and (c) of this Article, verify that only adjustments that are calculated daily and that are included in the institution’s risk measurement model are included as part of the hypothetical changes, as required by Article 3(3) of Delegated Regulation (EU) 2022/2059;

(v)

verify that the scope of positions on which the adjustment is calculated includes only positions assigned to the trading desk, as required by Article 3(4) of Delegated Regulation (EU) 2022/2059;

(vi)

verify whether the adjustments that are excluded from the hypothetical changes pursuant to Article 3(5) of Delegated Regulation (EU) 2022/2059 are non-additive;

(vii)

by using the outline referred to in Article 5, point (c)(viii) of Delegated Regulation (EU) 2022/2059, verify whether the methodology used by the institution to calculate changes in the value of an adjustment assuming that positions are unchanged as referred to in Article 325bf(4), point (a), of Regulation (EU) No 575/2013 is appropriate;

(viii)

verify whether the information referred to in Article 5, point (c), of Delegated Regulation (EU) 2022/2059 is consistent with the evidence resulting from the reports referred to in paragraph 1, point (b) and (c) of this Article;

(d)

in relation to the calculation of the hypothetical changes in the portfolio’s value as referred to in Article 4 of Delegated Regulation (EU) 2022/2059:

(i)

by using the reports referred to in paragraph 1, point (b) and (c) of this Article:

(1)

identify the elements that differ between the changes in the end-of-day portfolio values produced by the end-of-day valuation process and the hypothetical changes;

(2)

verify whether the elements referred to in point (1) are limited to fees and commission, to those elements that are not captured due to the assumption that positions are unchanged as referred to in Article 325bf(4), point (a), of Regulation (EU) No 575/2013, and to those adjustments that must or may be excluded from the hypothetical changes in accordance with Article 4 of Delegated Regulation (EU) 2022/2059;

(ii)

verify whether, the effect of the passage of time is reflected in the hypothetical changes consistently with the treatment the institution applies for such effect in the calculation of the expected shortfall risk measure as referred to in Article 325bb of Regulation (EU) No 575/2013 and in the calculation of the stress scenario risk measure referred to in Article 325bk of that Regulation, as required by Article 4(2) of Delegated Regulation (EU) 2022/2059;

(iii)

assess how the institution evaluates whether an adjustment is market-risk related as referred to in Article 4(3) of Delegated Regulation (EU) 2022/2059 and, by using the reports referred to in paragraph 1, point (b) and (c) of this Article, verify that those that are not market-risk related are excluded from the calculation of the hypothetical changes;

(iv)

by using the reports referred to in paragraph 1, point (b) and (c) of this Article, verify that, only adjustments that are calculated daily and that are included in the institution’s risk measurement model are included as part of the hypothetical changes, as required by Article 4(3) of Delegated Regulation (EU) 2022/2059;

(v)

verify whether, as required by Article 4(4) of Delegated Regulation (EU) 2022/2059, the scope of positions on which an adjustment is calculated is either made of:

(1)

positions assigned to trading desks for which the institution calculates its own funds requirements for market risk in accordance with Part Three, Title IV, Chapter 1b of Regulation (EU) No 575/2013;

(2)

all positions subject to own funds requirements for market risk;

(vi)

by using the outline referred to in Article 5, point (c)(viii), of Delegated Regulation (EU) 2022/2059, verify whether the methodology used by the institution to calculate changes in the value of an adjustment assuming that positions are unchanged as referred to in Article 325bf(4), point (a), of Regulation (EU) No 575/2013 is appropriate;

(vii)

verify whether the information referred to in Article 5(c) of Delegated Regulation (EU) 2022/2059 is consistent with the evidence resulting from the reports referred to in paragraph 1, point (b) and (c) of this Article;

(e)

in relation to the processes followed by the institution to calculate actual and hypothetical changes:

(i)

verify whether the process to map a position to one trading desk only is robust;

(ii)

verify whether the rectification processes referred to in paragraph 1, point (d) are robust, and whether they are followed in practice whenever contingencies, exceptions, errors, and pricing failures occur;

(iii)

verify how illiquid positions are treated in the end-of-day valuation process and in the independent price verification process.