THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012(1), and in particular the third subparagraph of Article 312(4) thereof,

Whereas:

(1) For the purposes of own funds requirements for operational risk, the first subparagraph of Article 312(2) of Regulation (EU) No 575/2013 provides that competent authorities permit institutions to use Advanced Measurement Approaches (‘AMA’) based on the institutions' own operational risk measurement systems where they meet all of the qualitative and quantitative standards set out in that Article, implying compliance of institutions with these requirements at all times. As a result, such an assessment does not only relate to the initial application of an institution for the permission to use the AMA, but also applies on an on-going basis.

(2) The various elements constituting an institution's AMA framework should not be considered in isolation but rather reviewed and assessed as a package of interwoven elements, so that competent authorities are satisfied with an adequate level of compliance in relation to each part of the framework.

(3) The assessment by competent authorities of an institution's compliance with the requirements referred to in points (a) and (b) of Article 312(4) of Regulation (EU) No 575/2013 to use Advanced Measurement Approaches should not be conducted in a uniform manner. The nature of the elements to be assessed varies according to the type of assessment conducted which in turn depends on the type of application submitted. Competent authorities are required to assess such compliance where an institution first applies to use AMA, where an institution applies to extend the AMA in accordance with the approved sequential implementation plan, where an institution applies to extend or change the AMA it has been granted permission to use, and where an institution applies to return to the use of less sophisticated approaches in accordance with Article 313 of Regulation (EU) No 575/2013. In addition, competent authorities should conduct an ongoing review of the use of the AMA by institutions. Accordingly, competent authorities should conduct the assessment of an institution's compliance with the requirements to use AMA in accordance with the nature of the elements to be assessed corresponding to the relevant assessment methodology.

(4) Article 85(1) of Directive 2013/36/EU of the European Parliament and of the Council(2) requires institutions to articulate what constitutes operational risk for the purposes of implementing policies and processes to evaluate and manage the exposure to operational risk. Regulation (EU) No 575/2013 provides a definition for ‘operational risk’ which includes both legal risk and model risk. In Article 3(1) of Directive 2013/36/EU, model risk refers to potential losses owed to errors in the development, implementation or use of internal models but does not include potential losses owed to valuation adjustments from model risk as referred to in Article 105 of Regulation (EU) No 575/2013 on prudent valuation or in Commission Delegated Regulation (EU) 2016/101(3) and does not refer to model risk associated with using a possibly incorrect valuation methodology as referred to in Article 105(13) of Regulation (EU) No 575/2013. Equally, Regulation (EU) No 575/2013 does not specify how competent authorities should verify compliance with the requirement to articulate any operational risk that relates to legal risk and model risk. Rules specifying the assessment methodology to be used by competent authorities when assessing whether institutions may use the AMA should therefore include such specification.

(5) It is also necessary to harmonise supervisory approaches with regard to the correct articulation of operational risk in financial transactions, including those related to market risk, as the operational risks of these transactions are proved to be sizeable and their drivers, typically of multifaceted nature, may be not consistently detectable and recordable as such throughout the Union.

(6) Standards to be respected by an institution's governance and risk management framework are laid down in Article 74 of Directive 2013/36/EU and Article 321 of Regulation (EU) No 575/2013. As a result, the methodology for AMA assessment should provide for verification, by competent authorities, that an institution has a clear organisational structure for the governance and management of operational risk with well-defined, transparent and consistent lines of responsibility taking into account the nature, scale and complexity of the activities of the institution when assessing whether an institution may use the AMA approach. In particular, it should be confirmed that the operational risk management function plays a key role in identifying, measuring and assessing, monitoring, controlling and mitigating the operational risks faced by the institution and that it is sufficiently independent from the institution's business units so as to ensure that its professional judgement and recommendations are both independent and impartial. It should also be determined that senior management is responsible for developing and implementing the operational risk governance and management framework that has been approved by the management body and that such framework is consistently implemented throughout the institution's organisation. Competent authorities should also assess that adequate tools and information are provided at all staff levels so that all staff understand their responsibilities with respect to operational risk management.

(7) Effective internal reporting systems are a prerequisite of sound internal governance. Competent authorities should therefore ensure that an institution applying for AMA permission adopts effective risk reporting systems not only to the management body and senior management but also to all the functions responsible for the management of operational risks to which the institution is, or might be, exposed. The reporting system should reflect the up-to-date status of operational risk issues at the institution and should include all material aspects of operational risk management and measurement.

(8) In accordance with Article 321(a) of Regulation (EU) No 575/2013, an institution's internal operational risk measurement system has to be closely integrated into its day-to-day risk management processes. As a result, the methodology for AMA assessment should provide for competent authorities to ensure that an institution applying for an AMA permission actually uses its operational risk measurement system for its day-to-day business process and for risk management purposes on an on-going basis and not solely for the purpose of calculating the own funds requirements for operational risk. Rules on the AMA supervisory assessment should therefore include rules on the supervisory expectations to be met by the institution applying for an AMA permission as regards the ‘use test’.

(9) In order to provide both institutions and competent authorities with evidence that an institution's operational risk measurement system is reliable and robust and generates more credible operational risk own funds requirements than a simpler operational risk regulatory methodology, competent authorities should verify that the institution has compared the operational risk measurement system against the Basic Indicator Approach or the Standardised Approach for operational risk laid down in Articles 315, 317, and 319 of Regulation (EU) No 575/2013 over a determined period of time. That period of time should be sufficiently long for the competent authority to establish that the institution meets the qualitative and quantitative standards laid down in the Regulation (EU) No 575/2013 for the use of an AMA.

(10) According to Article 321(g) of Regulation (EU) No 575/2013, an institution's data flows and processes associated with the AMA measurement system are required to be transparent and accessible. Data relating to operational risk is not immediately available as it first needs to be identified within an institution's books and archives, and then properly gathered and maintained. Furthermore, the measurement system is typically very sophisticated and envisages several logical and computational steps for the generation of the AMA own funds requirements. The methodology for AMA assessment should therefore verify that the data quality and IT systems are properly designed and correctly implemented within an institution so as to serve the purpose for which they are built.

(11) The AMA framework of an institution is subject to internal validation and audit reviews in accordance with points (e) and (f) of Article 321 of Regulation (EU) No 575/2013. Although the organisational structure of the internal validation and audit functions can vary depending on an institution's nature, complexity and business, it should be ensured that the methodology for AMA assessment of the reviews undertaken by these functions adheres to common criteria as to the terms and scope of such reviews.

(12) Operational risk modelling is a relatively new and evolving discipline. Accordingly, Article 322 of Regulation (EU) No 575/2013 grants significant flexibility to institutions in building the operational risk measurement system for calculating the AMA own funds requirements. Such flexibility, however, should not result in significant differences across institutions with regard to the key components of the measurement system, including the use of internal data, external data, scenario analysis and business environment and internal control factors (known and referred to as ‘the four elements’), the core modelling assumptions that permit capturing severe tail events and the related risk drivers (the building of the calculation data set, the granularity, the identification of the loss distributions and the determination of aggregated loss distributions and risk measures) or the expected loss, the correlation and the criteria for capital allocation which should ensure a measurement system's internal consistency. Therefore, with the view to ensuring that the risk measurement system is methodologically well founded, comparable across the institutions, effective in capturing the institutions' actual and potential operational risk and reliable and robust in generating AMA regulatory capital requirements, the methodology for AMA assessment should provide that the same criteria and requirements are applied by the competent authorities across the Union. The AMA assessment methodology should also take into consideration the idiosyncratic components of operational risk that are related to the institutions' different size, nature and complexity.

(13) With particular regard to the internal data, consideration should be given to the fact that even though an operational risk loss can arise only from an operational risk event, its occurrence may be revealed by different items, including direct charges, expenses, provisions, uncollected revenues. Whilst some operational risk events have a quantifiable impact and are reflected in the institution's financial statements, others are not quantifiable and do not affect the institution's financial statements and are therefore detectable from other sources including managerial archives and incidents dataset. Therefore, rules specifying the assessment methodology for competent authorities in order to permit institutions to use the AMA should specify what constitutes an operational risk loss and the amount to be recorded for AMA purposes and, more generally, all the potential items that could reveal the occurrence of operational risk events.

(14) Sometimes, institutions are able to quickly recover emerging operational risk losses. Rapidly recovered losses should not be considered for the purposes of calculating the AMA own funds requirements, although they may be useful for management purposes. Since there are various criteria that institutions use to qualify losses as rapidly recovered, rules on the AMA assessment methodology should include rules specifying the appropriate criteria for qualifying losses as rapidly recovered.

(15) Risk mitigation techniques may be recognised by competent authorities within the AMA provided that certain conditions are fulfilled, as referred to in Article 323 of Regulation (EU) No 575/2013. In order to effectively apply the rules relating to these mitigation techniques, specific standards should be followed by competent authorities when assessing the application of these rules by an institution. In particular, where those mitigation techniques are in the form of insurance, it is necessary to ensure that such insurance is provided by insurance firms authorised in the Union or in jurisdictions with equivalent regulatory standards for insurance firms, as those applicable in the Union.

(16) Where risk mitigation techniques are in the form of other risk transfer mechanisms than insurance, competent authorities should ensure that such mechanisms are actually transferring risk and are not used to circumvent the AMA own funds requirements. This condition is essential in light of the peculiarities of operational risk, where there are no clear underlying assets of reference and where unexpected losses play a greater role than in other types of risk. This is further exacerbated in light of the lack of an efficient, liquid, and structured market for operational risk ‘products’ which thus far have been traded outside the banking sector, including catastrophe bonds and weather derivatives. Finally, there is often great difficulty in assessing the legal risk of such mechanisms, even where the terms and conditions of these contracts are clearly and carefully spelled out.

(17) To ensure a smooth transition for institutions that already have permission to use the AMA or that have applied for a permission to use the AMA before the entry into force of this Regulation, it should be provided that competent authorities apply this Regulation in relation to the assessment of the AMA of these institutions only after a certain transitional period. Given that the regular review of the AMA referred to in Article 101(1) of Directive 2013/36/EU is usually performed on an annual basis, that transitional period should be a year from the date of entry into force of this Regulation.

(18) Institutions that use Gaussian or Normal-like distributions for recognising correlation within all or parts of their AMA should no longer use them in the context of their AMA as these assumptions would imply tail independence among operational risk categories, thus excluding the possibility of simultaneous occurrence of large losses of different types, an assumption which is neither prudent nor realistic. Enough time should therefore be granted for the smooth transition of these institutions to a new regime where more conservative assumptions, implying positive tail dependence, are introduced within the operational risk measurement system. Given that the implementation of these assumptions might require the modification of some key elements and the related procedures, of the AMA framework, it would be appropriate to provide two years for that transition.

(19) This Regulation is based on the draft regulatory technical standards submitted by the European Banking Authority to the Commission.

(20) The European Banking Authority has conducted open public consultations on these draft regulatory technical standards, analysed the potential related costs and benefits and requested the opinion of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council(4),

HAS ADOPTED THIS REGULATION: