top of page

Subscribe to Our Regulatory Digest 

Stay up to date with our monthly newsletter. Receive a clear, concise snapshot of what matters in the regulatory landscape — from key news and upcoming compliance deadlines to notable enforcement actions, all in one place.

A New Regulatory Horizon: Inside the EU’s Revamped Operational Risk Rules

  • Writer: Kodex AI
    Kodex AI
  • Jun 20
  • 6 min read

The European Union's financial landscape is constantly evolving, with new regulations shaping how financial institutions manage risk and capital. A significant development in this regard is the recent amendment to Regulation (EU) No 575/2013 (CRR), known as CRR3, which ushers in a revised framework for operational risk capital calculation.


This shift, detailed in recent publication on regulating and implementing technical standards (RTS and ITS) from the European Banking Authority (EBA), replaces all previous approaches with a single, non-model-based method: the Business Indicator Component (BIC). For financial institutions, understanding these changes isn't just about compliance; it's about strategically managing capital and operational resilience.


Let's break down the key elements and their implications.

This post has been created with the help of Kodex AI's built-in chat analysis and doesn't constitute legal advice. Verify crucial details.


What is Operational Risk and Why the Change?


Operational risk refers to the risk of losses resulting from inadequate or failed internal processes, people and systems, or from external events. Think of anything from internal fraud and IT system failures to legal disputes or natural disasters. Effectively managing this risk is crucial for an institution's stability and the broader financial system.


Historically, the CRR offered various approaches for calculating the capital required to cover these risks. However, CRR3, implementing the Basel III framework in the EU, moves towards a more standardized and transparent approach. The core of this new framework is the Business Indicator (BI), which acts as a financial statement-based proxy for an institution's volume of business. The BIC, derived from this BI, is now the sole method for determining regulatory capital for operational risk.


The EBA was specifically mandated to define the components of this BI, specify exclusions, map them to supervisory reporting references (FINREP), and detail how to handle adjustments for mergers, acquisitions, and disposals.


The three components of the Business Indicator (BI) of new EU Operational Risk Framework are: • Interest, Leases and Dividend Component (ILDC): This component measures an institution's volume of business related to interest income and expenses, income and expenses from leases, and dividend income. It includes sub-components like the interest and leases component (IC), asset component (AC), and dividends component (DC). • Services Component (SC): This component is calculated based on four amounts: other operating income, other operating expenses, fee and commission income, and fee and commission expenses. It specifically includes an institution’s expenses and losses from operational risk events in its other operating expenses. • Financial Component (FC): This component is the sum of the trading book component (TC) and the banking book component (BC). Both TC and BC are computed as the annual average of the absolute values of the net profit or loss over the previous three financial years, generally using an accounting-based approach, though a prudential boundary approach is also an option under certain conditions.

The Components of the Business Indicator (BI)


The BI is composed of three main elements: the Interest, Leases and Dividends Component (ILDC), the Services Component (SC), and the Financial Component (FC).


  1. Interest, Leases and Dividends Component (ILDC)

    • IFRS 16 alignment: The definition of leases now aligns with IFRS 16 (International Financial Reporting Standards 16), ensuring that all relevant income and expenses from investment properties generating rents are included. Derivatives with positive fair value that generate interest flows are also explicitly included in the Asset Component (AC), which is part of the ILDC calculation.

    • Action point: Institutions should review their accounting of leases and interest-bearing derivatives to ensure accurate inclusion in the ILDC calculation. This impacts how they report their interest-earning assets.

  2. Services Component (SC)

    • Detailed treatment of impacts: The framework provides a detailed breakdown of expenses, losses, provisions, and other financial impacts specifically due to operational risk events, to ensure comprehensive information on how these impacts are accounted for in an institution's profit and loss (P&L) statement.

    • Rules on netting: These operational risk impacts within the SC should not be netted against payments received from insurance or reinsurance policies purchased. However, recoveries other than insurance/reinsurance can be used to net operational risk losses before inclusion in the other operating expenses.

    • System readiness required: The institutions are advised to develop robust internal systems to precisely track and categorize all financial impacts of operational risk events across their P&L. It should be clear on what can and cannot be netted to avoid miscalculations.

  3. Financial Component (FC)

    • Structure: This component is the sum of the Trading Book Component (TC) and the Banking Book Component (BC), both calculated as the annual average of the absolute net profit or loss over the previous three financial years.

    • PBA Adoption:  While the Accounting Approach (AA) (based on accounting standards) is the default, institutions may adopt the Prudential Boundary Approach (PBA) under specific conditions. The PBA is particularly relevant to avoid an "unwarranted increase" in the FC, which can occur when strictly related operations (like economic hedging of fair value through P&L positions) have opposite P&L signs but are accounted for in different components under the AA, preventing netting.

    • PBA Requirements:  Adopting the PBA requires demonstrating the "unwarranted increase" and having robust internal policies, procedures, systems, and controls to accurately calculate P&L for prudential trading and non-trading books, including disentangling hedged instruments and related hedges. Institutions must also notify competent authorities of their intention to use the PBA at least 90 days in advance.

    • Reversal: If the conditions for using the PBA are no longer met, institutions must revert to the AA and cannot use the PBA again for the following three years.

    • Action point: For institutions engaged in complex financial operations or hedging, it's advisable to evaluate the benefits of the PBA. If adopted, the institutions should ensure meticulous documentation, consistent application over time, and a clear understanding of the notification and reversal processes.


What Stays Out? Exclusions from the BI


The regulation also clarifies what not to include in the BI calculation.


  • Income and expenses where an institution takes the insurance risk are excluded.

  • However, if an institution sells or distributes insurance products or services, the income and expenses from these activities are included, as they are considered conceptually similar to financial services from an operational risk perspective.

  • Certain financial impacts, even if they fall into categories like administrative expenses, depreciation, or impairment, are not excluded if they are related to lease assets, operational risk events, or outsourcing fees for financial services.

  • Crucially, the CRR does not allow for a generic exclusion of "extraordinary" or "irregular" items from the BI, as it focuses on income and expenses from "ordinary banking operations" regardless of their labelling.



Mergers, Acquisitions, and Disposals: Adjusting the BI


Corporate actions like mergers, acquisitions, and disposals significantly alter an institution's business volume and risk profile, necessitating adjustments to the BI.


  • Mergers and Acquisitions (M&A): When an institution merges or acquires another, the BI of the acquired or merged entity must be incorporated retroactively into the acquiring institution's consolidated BI for the previous three years.


    • The primary method is to use audited historical financial statements. If these are unavailable or inaccurate, alternative methodologies are provided:

      1. Using an "M&A factor" based on the Net Operating Income (NOI) of both institutions.

      2. If the M&A factor is not feasible, using financial forecasts from the final valuation.

    • No Materiality Threshold for M&A: Adjustments for M&A are systematic, meaning they must always be performed, regardless of size. The EBA deemed a threshold unnecessary given the simplified alternative calculation methods and the temporary nature of any capital impact delay.


    • Action Point: M&A due diligence must now include a thorough assessment of historical financial data for operational risk purposes. Institutions should be prepared for data reconstruction and have internal capabilities to apply the alternative calculation methods if needed.


  • Disposals: Institutions may exclude BI items related to disposed entities or activities, but this requires permission from the competent authority. Permission hinges on factors like the disposed entity's contribution to past operational losses, any remaining guarantee commitments, and the disposal's impact on the institution's operational risk management.


    • New Materiality Threshold for Disposals: A significant change introduces a 5% materiality threshold based on the total annual net operational impact of disposals. If the aggregate impact of disposals falls below this threshold, permission to adjust the BI is deemed granted if the competent authority does not respond within 90 days of a complete request. This streamlines the process for smaller disposals.

    • Action Point: For disposals, it's advisable to understand the conditions for exclusion and prepare comprehensive documentation for supervisory review. Institutions should leverage the new 5% materiality threshold for smaller divestments to potentially expedite the adjustment process.



The Reporting Landscape: FINREP Alignment


To ensure consistency and reduce administrative burden, the EBA has developed Implementing Technical Standards (ITS) that map the BI items to corresponding cells in FINREP (Commission Implementing Regulation (EU) 2021/451), which governs financial reporting.


  • This mapping aims for harmonized interpretation across the EU and applies to both IFRS and national accounting frameworks (nGAAP).


  • New supervisory reporting templates (C 16.01, C 16.02, C 16.03, C 16.04) have been introduced to capture the detailed information for operational risk. C 16.02 provides a detailed breakdown of the BI's sub-components, while C 16.03 offers granular insights into operational risk event impacts on the P&L.


  • Reporting Frequency: The calculation of the BIC is done annually at the financial year-end, and this figure is then used for the subsequent three quarters, unless an M&A or disposal event occurs necessitating an update.


  • Transitional Provisions: The EBA acknowledges the challenges of new data requirements, especially for historical periods. For initial reporting reference dates (March, June, September 2026), certain rows in C 16.02 and C 16.03 can be reported using business estimates or other proxies, with full quality expected from December 2026 onwards.


  • Action Point: Institutions are advised to update their reporting systems and processes to align with the new FINREP mapping and COREP templates. They should leverage the transitional provisions to ensure data quality while adapting to the new framework.



The Road Ahead


This revised operational risk framework, driven by CRR3 and specified by the EBA's RTS and ITS, marks a significant step towards greater harmonization and robustness in the EU banking sector. For financial institutions and related stakeholders, the implications are clear: a need for enhanced data granularity, refined accounting practices, and adaptive internal processes. By proactively understanding and implementing these changes, institutions can ensure compliance, optimize capital allocation, and strengthen their overall operational resilience in a dynamic regulatory environment.

bottom of page