Commission Delegated Regulation (EU) 2022/439 of 20 October 2021 supplementing Regulation (EU) No 575/2013 of the European Parliament and of the Council with regard to regulatory technical standards for the specification of the assessment methodology competent authorities are to follow when assessing the compliance of credit institutions and investment firms with the requirements to use the Internal Ratings Based Approach (Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (1), and in particular the third subparagraph of Article 144(2), the third subparagraph of Article 173(3) and the third subparagraph of Article 180(3) thereof,

Whereas:

(1) The requirement in Regulation (EU) No 575/2013 that competent authorities assess the compliance of an institution with the requirements to use the Internal Ratings Based (IRB) Approach relates to all of the requirements for the use of the IRB Approach, irrespective of their degree of materiality, and concerns compliance with the requirements at all times. As a result, that requirement does not only relate to the assessment of the initial application of an institution for the permission to use the rating systems for the purpose of the calculation of own funds requirements, but also to: the assessment of any additional applications of an institution for the permission to use the rating systems implemented according to the institution’s approved plan of sequential implementation of the IRB Approach; the assessment of the application for material changes to the internal approaches that the institution has received permission to use in accordance with Article 143(3) of that Regulation and Commission Delegated Regulation (EU) No 529/2014 (2); changes to the IRB Approach that require notification in accordance with Article 143(4) of Regulation (EU) No 575/2013 and Delegated Regulation (EU) No 529/2014; the ongoing review of the IRB Approach that the institution has received permission to use in accordance with Article 101(1) of Directive 2013/36/EU of the European Parliament and of the Council (3); the assessment of applications for permission to return to the use of less sophisticated approaches in accordance with Article 149 of Regulation (EU) No 575/2013. Competent authorities should apply the same criteria to all of these particular aspects of the assessment of compliance with the requirements to use the IRB Approach. The rules that set out that assessment methodology should therefore apply to all of those cases, in order to ensure harmonisation of assessment methodologies by competent authorities and avoid the risk of regulatory arbitrage.

(2) The assessment methodology should consist in methods to be used by the competent authorities, either as optional or mandatory, and provide for criteria that are subject to the verification by the competent authorities.

(3) In order to ensure a consistent assessment of compliance with the requirements to be fulfilled for using the IRB Approach throughout the Union, it is necessary that competent authorities apply the same methods for that assessment. As a result, it is necessary to lay down a set of methods to be applied by all competent authorities. However, given the nature of the model assessment and the diversity and particularities of the models, competent authorities should also apply their supervisory discretion in the application of those methods with regard to the specific models under examination. The assessment methodology in this Regulation should specify the minimum criteria for competent authorities to verify compliance with the requirements to use the IRB Approach and lay down an obligation for the competent authorities to verify any other relevant criteria necessary for that purpose. Furthermore, in certain cases where the competent authority has carried out recent assessments for similar rating systems in the same class of exposures, it is appropriate to allow use of the results of such assessments, rather than the competent authority having to repeat them, if the competent authority after applying its discretion finds that those remain materially unchanged. This should avoid complexity, unnecessary burdens and duplication of work.

(4) Where the competent authorities are to assess the compliance of an institution with the requirements to use the IRB Approach for other purposes than the initial application for permission, competent authorities should only apply those rules that are relevant to the scope of the assessment for those other purposes and should in each case use the conclusions from the previous assessments as the starting point.

(5) Where the assessment relates to applications for the permissions referred to in Article 20(1)(a) of Regulation (EU) No 575/2013, the implementing technical standards referred to in paragraph 8 of that Article in relation to the joint decision process apply.

(6) Competent authorities are required to verify compliance of institutions with the specific regulatory requirements for the use of the IRB Approach, as well as evaluate the overall quality of the solutions, systems and approaches implemented by an institution, and request constant improvements and adaptations to changed circumstances in order to achieve continuous compliance with those requirements. Such an assessment requires, to a large extent, that the competent authorities exercise their discretion. Rules for the assessment methodology should, on the one hand, allow the competent authorities to exercise their discretion by carrying out additional checks to those specified in this Regulation, as necessary, and should, on the other hand, ensure harmonisation and comparability of supervisory practices across different jurisdictions. For the same reasons, competent authorities should have the necessary flexibility to apply the most appropriate optional method or any other method necessary for verifying particular requirements, having regard, among others, to the materiality of the types of exposures covered by each rating system, the complexity of the models, the particularities of the situation, the specific solution implemented by the institution, the quality of evidence provided by the institution, the resources available to the competent authorities themselves. Furthermore, for the same reasons competent authorities should be able to carry out additional tests and verifications necessary in case of doubts regarding the fulfilment of the requirements of the IRB Approach in accordance with the principle of proportionality, having regard to the nature, size and complexity of an institution’s business and structure.

(7) In order to ensure consistency and comprehensiveness of the assessment of the overall IRB Approach, in the case of subsequent requests for permission on the basis of the approved sequential implementation plan of an institution, competent authorities should base their assessment at least on the rules on the use and experience test, assignment to grades or pools, rating systems and risk quantification, as these aspects of the assessment relate to every individual rating system of the IRB Approach.

(8) In order to assess the adequacy of the application of the IRB Approach all rating systems and related processes should be verified where an institution has delegated tasks, activities or functions relating to the design, implementation and validation of rating systems to a third party or has obtained a rating system or pooled data from a third party vendor. In particular, it should be verified that adequate controls have been implemented at the institution and that full documentation is available. Furthermore, as the management body of the institution is ultimately responsible for the delegated processes and the performance of rating systems obtained from a third party vendor, it should be verified that the institution should has sufficient in-house understanding of the delegated processes and purchased rating systems. All tasks, activities and functions that have been delegated and the rating systems obtained from the third party vendors should therefore be assessed by the competent authorities in a manner similar to where the IRB Approach has been developed fully via internal processes of the institution.

(9) In order to prevent the institutions from only partially completing the sequential implementation of the IRB Approach for an extended period of time, the competent authorities should verify the appropriateness of the time limit for the implementation of the so-called ‘roll-out plan’, compliance with this deadline and the necessity of changes to the roll-out plan. It should be verified that all exposures covered by the roll-out plan have a defined and reasonable maximum timeframe for implementation of the IRB Approach.

(10) It is important to assess the robustness of the validation function and so the independence from the credit risk control unit, the completeness, frequency and adequacy of the methods and procedures and the soundness of the reporting process in order to verify that an objective assessment of the rating systems takes place and that there is a limited incentive to disguise the model deficiencies and weaknesses. When verifying whether an adequate level of independence of the validation function is in place, the competent authorities should take into account the size and complexity of the institution.

(11) As the rating systems are the core of the IRB Approach, and their quality may impact significantly the level of own funds requirements, the performance of the rating systems should be regularly reviewed. Given that estimates of risk parameters have to be subject to review at least annually and that rating systems should be regularly assessed by competent authorities and by the internal audit function, and given that, in order for this task to be performed, input from the validation function is necessary, it is appropriate to verify that the validation of the performance of the rating systems covering material portfolios and back-testing of all other rating systems is performed at least annually.

(12) All areas of the IRB Approach are to be effectively covered by internal audits. Nevertheless, it should be verified that the internal audit resources are used efficiently with focus on the most risky areas. Some flexibility is important particularly in the case of institutions that use numerous rating systems. As a consequence, competent authorities should verify that annual reviews are performed in order to determine areas that require more thorough reviews during the year.

(13) In order to ensure a minimum level of harmonisation in relation to the scope of use of the rating systems (the so-called ‘use test’), competent authorities should verify that the rating systems are incorporated in the relevant processes of the institution within the broader processes of risk management, credit approval and decision-making processes, internal capital allocation, and corporate governance functions. These are basic areas where internal processes require the use of risk parameters, therefore if there are differences between the risk parameters used in those areas and those used for the purpose of the calculation of own funds requirements, it should be verified that they are justified.

(14) In relation to experience test requirements, while assessing whether the rating systems used by the institution prior to the application to use the IRB Approach were ‘broadly in line’ with the IRB requirements, competent authorities should verify in particular that during at least three years before the use of the IRB Approach, the rating system has been used in the internal risk measurement and management processes of the institution and that it has been subject to monitoring, internal validation and internal audit. Such specification of the assessment methodology is necessary to ensure a minimum level of harmonisation. Competent authorities should verify that rating systems have been implemented in at least the most basic areas of use to ensure that the rating systems have been effectively used by the institution and that both the personnel and the management are accustomed to those parameters and understand well their meaning and weaknesses. Finally, monitoring, validation and internal audit during the experience period should show that the rating systems were compliant with the basic requirements of the IRB Approach and that they were gradually improved during that time.

(15) Independence of the process of assignment of exposures to grades or pools is required for non-retail exposures because the application of human judgement is typically necessary in the process. In the case of retail exposures the assignment process is usually fully automatic, based on objective information about the obligor and his transactions. The correctness of the assignment process is ensured by proper implementation of the rating system in the institution’s IT systems and procedures. Nevertheless if overrides are allowed, human judgement has to be applied in the rating process. As a result, and given that those responsible for origination or renewal of exposures are typically inclined to assign better ratings in order to increase sales and volumes of credits, where overrides are used, including in the case of retail exposures, it should be verified that the assignment has been approved by an individual or by a committee independent from the persons responsible for the origination or renewal of exposures.

(16) Where ratings are older than 12 months or where the review of the assignment has not been performed in due time according to the institution’s policy, the competent authorities should verify that conservative adjustments have been performed in terms of the risk-weighted assets calculation. The reasons for that are multiple. If the rating is outdated or based on outdated information the risk assessment might not be accurate. In particular, if the situation of the obligor has deteriorated during the last 12 months it is not reflected in the rating, and the risk is underestimated. In addition, according to the general rule relating to the estimation of the risk parameters, where the estimation of risk parameters is based on insufficient data or assumptions, a wider margin of conservatism should be adopted. The same rule should apply to the process of assignment of exposures to grades or pools, i.e. where insufficient information has been taken into account in the assignment process, additional conservatism should be adopted in the calculation of risk weights. The method of applying additional conservatism in the calculation of risk weights should not be specified as the institution may adjust either the rating, the risk parameter estimation or the risk weight directly. The adjustment should be proportional to the length of the period during which the rating or the information underlying the rating is out-of-date.

(17) The institutions are required to document the specific definitions of default and loss used internally and ensure consistency with the definitions set out in Regulation (EU) No 575/2013. When assessing this consistency, the competent authorities should verify that institutions have clear policies that specify when an obligor or facility is classified as being in default. These policies need to be consistent with the general principles regarding the identification of default. The EBA has adopted Guidelines on the application of the definition of default under Article 178 of Regulation (EU) No 575/2013. These policies should also be embedded into the institutions’ risk management processes and systems since Regulation (EU) No 575/2013 requires in particular that internal ratings, i.e. including the assignment to a default rating grade, play an essential role in the risk management and other internal processes of an institution, which should also be the subject of verification by the competent authorities.

(18) The information on the performance of an obligor and on the exposures in default and those not in-default, is the basis for the institution’s internal processes, for the quantification of risk parameters and for the calculation of own funds requirements. Therefore, not only the identification of defaulted obligors but also the process of reclassification of defaulted obligors to non-defaulted status need to be robust and effective. The competent authorities should verify that the prudent reclassification process ensures that obligors are not reclassified to a non-defaulted status where the institution expects that the exposure will probably return to default in a short period of time.

(19) In order to provide competent authorities with a consistent and accurate overview of the rating systems that the institution has been using as well as the improvement of the rating systems over time, it is necessary for competent authorities to assess the completeness of the register of the current and historical versions of rating systems used by the institution (‘register of rating systems’). Having regard to the fact that the requirements of the experience test relate to the preceding three years from the time of consideration of an application for approval of an internal model, and that the competent authorities are to carry out an overall review of the internal model on a regular basis, and at least every three years, it is appropriate for competent authorities to verify that such a register of rating systems covers at least the versions of the internal models used by the institution over the three preceding years.

(20) Human judgement is applied at various stages of the development and use of rating systems. Reasonable application of human judgement can increase the quality of the model and the accuracy of its predictions. Nevertheless, since human judgement changes the estimates based on prior experience in a subjective manner, the application of human judgement should be subject to control. The competent authorities should therefore verify that the application of human judgement is justified by its positive contribution to the accuracy of predictions. Thus, a large number of overrides of the results of the model might indicate that some important information is not included in the rating system. Therefore, competent authorities should verify that the number of overrides and their justification are regularly analysed by the institutions and that any detected weaknesses of the model are adequately addressed in the model review.

(21) In all cases, the competent authorities should assess whether the institution has adopted sufficient margin of conservatism in their estimates of risk parameters. This margin of conservatism should take into account any identified deficiencies in data or methods used in the risk quantification and increased uncertainty that might result for example from the changes in the lending or recovery policies. Where an institution ceases to comply with the requirements for the IRB Approach, the competent authorities should verify whether it fulfils the requirement that the rating systems are corrected in a timely manner. The application of the margin of conservatism should not be used as an alternative to correcting the models and ensuring their full compliance with the requirements of Regulation (EU) No 575/2013.