Response to consultation on revised Guidelines for common procedures and methodologies for the supervisory review and evaluation process (SREP) and supervisory stress testing

Go back

Q1. What are the respondents’ views on the overall amendments and clarifications made to the revised guidelines (across Titles 2 – 12)?

The French Banking Federation (FBF) welcomes the opportunity to comment on the revised guidelines on the procedures and methodologies for the supervisory review and evaluation process (SREP) and supervisory stress testing.

Overall, alongside the better coverage of risks under Pillar 1 with the implementation of CRR3, we welcome the opportunity to enhance greater transparency in overlaps in capital add-ons, in particular on Pillar 1, Pillar 2 requirements and guidance, as well as overlaps with the Output floor and macroprudential buffers. This subject is central to the SREP revised guidelines and competent authorities should, as stated in CRD6, exert a heightened scrutiny on double counting of risks. 

We welcome the simplification efforts made on the presentation of the revised document, and we acknowledge the EBA objective of consolidating these GLs to enhance efficiency and support risk-based supervision. 

While commendable, these efforts do not appear to reduce the overall workload for most institutions or diminish supervisory activity, consequently still impeding effective risk management. Critically, there appears to be a continued emphasis on processes, diverging from recent international supervisory trends, including those in the US, which are shifting towards more risk-centered, outcome-focused assessments that prioritize the substance of risk management over procedural form. A heavy focus on process may inadvertently create incentives to optimize documentation rather than genuinely strengthen real-world controls and actual risks. Aligning supervisory expectations more closely with the materiality of risks, rather than the volume or granularity of documentation, would more effectively guide banks in deploying resources to support stability and resilience, and improve the predictability of supervisory statements. 

In that perspective, materiality thresholds should be defined to apply consistently across supervisors and banks. This would ensure material risks are better aligned and comparable. In the same vein, the overall SREP assessment should only include deficiencies and supervisory concerns that are traceable, comparable and monitorable, rather than focusing on past remediation capabilities (as referred to in paragraph 80).

Furthermore, the application of proportionality seems narrowly focused, benefiting only Category 4 institutions. 

Also, criteria for benchmarking and peer selection should be more transparent and subject to discussion. In particular, while we support the objective of enhancing comparability within the SREP framework, we respectfully suggest that the EBA Guidelines explicitly acknowledge some specific features, such as for example the cooperative and mutual institutions category when considering business model analysis, supervisory benchmarking and risk assessment. These institutions have distinctive governance structures, ownership arrangements and business models that form an integral part of how they operate and manage risks. More generally, recognizing the existence of different models would ensure that institutions are assessed against peers with similar structural characteristics, thereby improving proportionality and comparability within supervisory benchmarking exercises and would fully reflect the diversity of business models within the EU financial system.

We also find it difficult to pinpoint how the stated revision to the minimum supervisory engagement model, allowing for a lighter assessment of immaterial or unchanged SREP elements, is concretely reflected within the GLs. 

Finally, the anticipated application date of the guidelines (January 2027) introduces a risk that these guidelines might apply before the completion of other expected EBA RTS or ITS. 

 

Taxonomies:

The revised guidelines include an appendix providing a detailed risk taxonomy by risk type (Credit, Market, operational, IRRBB). The taxonomy is partial but, within Pillar 1 risk categories, addresses Pillar 2 risks (such as credit concentration). On some elements, the taxonomy uses a regulatory approach, for ex equity risk or real estate risk are aggregated within credit risk. Banks would expect a taxonomy more economic and if possible consistent with ECB’s.

Q2. What are the respondents’ views on the integration of ESG risks and factors across the existing SREP elements in the revised guidelines?

We welcome the integration of ESG risks across the different sections of the SREP methodology as expected from CRR and CRD, rather than a specific section dedicated to ESG. However, ESG is a separate bullet in the scoring tables throughout the document, which may lead to an excessive focus on ESG risk and prove disproportionate for institutions less exposed to C&E risk. 

Of note, we are concerned that the impact of ESG on the inherent credit risk (§149) is still particularly difficult to factor in, as recognized by the EBA in its February 2025 report (EBA/REP/2025/06, EBA report on data availability and feasibility of common methodology for ESG exposures, stating “While progress has been made in assessing ESG risks, there is still insufficient understanding and evidence on the impact of ESG factors on credit risk.”). The SREP guidelines should be made clearer on this point. 

We particularly welcome the progressive approach considered, although we would favor a clearer terminology on the gradual approach proposed to supervisors (§42 : competent authorities may adopt a gradual approach) which should also encompass the prudential transition plan. Furthermore, the gradual approach is only mentioned in the “consultation paper”, not in the draft guidelines themselves. We would also favor explicit guidance in the final guidelines setting out the need to initially focus on Climate and Environmental risks, with other ESG risks being gradually phased in, in line with the EBA’s GLs on ESG Risk Management.

Overall, a streamlined formulation for ESG risks could be used across the different SREP scores. The overall SREP business model score mentions “material ESG risks”, which should apply to the credit and counterparty risks score, which emphasizes the materiality of “ESG factors and ESG risks on credit risk”. The EBA guidelines should concentrate on ESG risks rather than ESG factors. Additionally, the current drafting uses the terms “climate and environmental risk”, “environmental risk”, “climate” and “ESG” interchangeably without a clear justification as to why different terms have been used in each instance. Reflecting the focus on C&E risks above, we would support aligning the wording to climate and environmental risk throughout the document and ensuring that terminology is correct and specific in each instance.

As a broad point, further thought is required as to how to account for the fundamental disconnect between the time horizons considered for C&E risks (e.g. out to 10 years as set out in paragraph 69.c.) and the traditional strategic planning time horizons of 3-5 years. In particular, any projection out to 10 years includes significant amounts of uncertainty, which should be considered when incorporating determinations based on these projections into capital determinations primarily anchored in shorter, evidence-based time horizons. 

 

Prudential transition plans

In relation to Prudential transition plans, we would like to make two comments. 

Paragraph 71.h. includes as a supervisory measure the Competent Authority (CA)  requiring institutions to adjust their business strategy to address ESG risks. Given the nascent nature of the prudential transition plans, requiring firms to adjust their strategies based on an assessment of a firm’s Prudential transition plans may be premature, and could have significant negative impacts both on firms’ abilities to set their own strategies, and on the quality of those strategies. 

Furthermore, there is a clear delineation in both the Level 1 legislation and the underlying EBA GLs between the Prudential transition plans required under CRD Article 76(2), and broader transition plans (as required under the CSRD). It is important that the SREP Guidelines unambiguously clarify in their drafting that Prudential transition plans do not require the institution to be aligned to either Union or Member State transition objectives or trajectories, to avoid the supervision under the SREP Guidelines leading to divergence with other EBA guidelines, and inconsistencies between SREP outcomes.

Q3. What are the respondents’ views on the enhanced simplification and proportionality aspects?

We welcome the flexibility offered to the supervisors to review the categorization of their institutions. We would however like to emphasize the need for all supervisors to comply with the revised guidelines to enhance the same level of supervisory enforcement in the European Union.

We regret that the approach to proportionality only applies to a subset of category 4 institutions and relies predominantly on reduced frequency of assessments. There are also no concrete proposals for how proportionality can be operationalized in practice, beyond the aspect of frequency. For example, the guidelines should address the question of how proportionality should be applied in groups with different risk profiles between subsidiaries and parent entities. Issues related to continuous supervision should also be addressed, with for example a reduction in the operative burden related to the intense scrutiny on internal models and their up-to-datedness and scope, as well as the related portfolios.

The explicit emphasis in the documentation of findings on identifying the "root causes of the identified deficiencies" seems to signal a more analytical and forward-looking supervisory approach, which we acknowledge can support more effective and sustainable remediation outcomes. This shift towards focusing on underlying drivers, rather than solely on symptoms, is in principle beneficial for strengthening risk management and governance frameworks. However, this evolution may also imply increased expectations for institutions, as they will likely be required to demonstrate a deep understanding of their own root causes, not merely to address symptoms, and remediation plans may need to illustrate how fundamental drivers will be transformed. 

While welcoming this increased analytical focus, we consider it crucial that expectations regarding root-cause analysis are applied in a proportionate and risk-based manner, carefully considering the materiality, complexity, and context of the identified deficiencies, especially since root-cause analysis inherently involves judgment and may not always yield exhaustive or definitive causal certainty. More broadly, the effectiveness of this intensified focus on root causes and structural remediation hinges critically on the evolution of supervisory culture; a sustainable shift towards deeper, judgment-based analysis necessitates moving away from a zero-failure mindset towards an outcomes-oriented approach that pragmatically recognizes that not all risk can be eliminated. 

Q4. What are the respondents’ views on the introduction of a high-level escalation framework?

The formalization of the escalation framework is greatly appreciated. From a practical perspective, supervisory judgment is generally welcomed, provided there is an assurance of equal treatment across the industry, rather than a unilateral application of benchmarking against a set standard. In this respect we appreciate the statement made by the EBA during the public hearing held on December 4th, 2025 that the set of supervisory measures was not predetermined to be binding, but was rather meant to leave room for discretion on the assessment of each institution.

However, there could be a concern that the framework significantly expands supervisory discretion in a disorderly fashion and may reduce predictability for institutions. The absence of clear criteria for transitioning between escalation stages increases the risk of inconsistent application across the board and makes it difficult for institutions to anticipate supervisory expectations.

The introduction of a more flexible, judgment-based escalation framework has the potential to improve supervisory effectiveness, but its success will depend heavily on supervisory culture. Because escalation decisions increasingly rely on qualitative assessments and the identification of “root causes,” a high degree of trust and open dialogue between supervisors and institutions is essential. Without this, there is a risk that discretion translates into inconsistent expectations or unnecessary escalation. To realize the intended benefits, the framework should be applied in a manner that is focused on material risks and proportionate, avoiding box-ticking approaches and ensuring that interventions target genuinely material issues.

Comparability could also be further improved by introducing a scale that clearly defines the criteria for moving from one action to the next within the escalation ladder. If defining clear criteria is not feasible, providing illustrative examples would be highly beneficial.  

Moreover, another concern relates to the circumstance where different supervisory teams (e.g., JST, OSI, horizontal teams) investigate the same or overlapping topics. It is fundamental that decisions regarding such topics are centralized to avoid multiple supervisory actions for the same issue. 

Of note, paragraph 22 does not indicate that supervisory priorities are a factor in selecting the appropriate measure. However, we have observed, for instance in the context of ESG, that escalation occurred and progressed rapidly up the ladder, partly because it was aligned with supervisory priorities.

We would suggest clarification on whether the escalation framework also applies outside the SREP context, or, in other words, whether escalation occurs on a specific topic (for example, when an OSI results in a decision letter instead of a follow-up letter) without being listed as a requirement within the SREP.

Q5. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?

This Title has undergone limited changes compared to its previous version. We however would like to underline the need to cautiously consider when an institution appears as an outlier to its peer group (§52), which can vary depending on the business models, and geographies operated, and be compensated by various arrangements. A holistic view should be contemplated.  

Potential consequences of supervisory benchmarks 

In relation to our answer to question 8, while overall supportive of the use of benchmark within the holistic assessment of an institution, we would like to emphasize that benchmarks should only support the overall analysis of the institution where the cohort for the identification of peers is relevant. Benchmarks should also not push institutions’ indicators to the same (higher benchmarked) level without any other supporting evidence, nor inflate the number of indicators requested. We would like the EBA to promote homogeneous approach and very importantly more transparency about the criteria and the results used. This applies to all benchmarking practices (IRRBB/CSRBB, credit risk, etc…). Business models’ cohorts are also relevant to Question 6.

We feel that the criteria for what constitute a 'material change' and an 'anomaly' should be clearly defined to ensure consistency and maintain a level playing field.

Benchmarks should also be refined to suit exactly the scope analyzed based on a relevant panel of institutions, depending on the matter covered. Instead of resource-intensive, overly technical and uniform approaches, the guidelines should put more emphasis on institution-specific, risk-based assessments that take into account the business model of the institution rather than strict benchmarking-based assessments with implied automaticity in terms of further steps and escalation.

Additionally, this section would benefit from being more prescriptive by defining monitoring systems with a minimum set of indicators and thresholds tailored to each category of institution (1 to 4). The level of details could be further increased by listing a set of indicators or examples of indicators to be monitored for each category of institution (1 to 4).

Eventually, benchmarks should also systematically be communicated to institutions. 

Q6. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?

Supervisors should ensure that there is an appropriate peer comparison across factors including inter alia licensing and authorizations; relevant capital regime and treatment; global footprint including branch and subsidiary considerations; business model; product offerings; business lines and client target market (Retail, Professional, Eligible Counterparties). 

 As such it is proposed that Paragraph 63 be reworded to make this clearer: 

“To identify relevant peers for the BMA, the competent authority should consider inter alia: 

  • licensing and authorizations;
  • regulatory regimes and geopolitical risks of location of operations; 
  • relevant capital regime and treatment; 
  • global footprint including branch and subsidiary considerations; 
  • business model; 
  • business lines and offerings;
  • common client target market;
  • other appropriate factors to the sector in which the firm’s operate.”

While we note the focus of this consultation is on SREP guidelines, the same principles should apply to the quality assurance phase of regulatory stress testing, where financial institutions are frequently subjected to peer comparisons. Loss projections are often augmented in specific risk categories. However, the selected peer cohorts frequently fail to accurately represent the distinct business models or risk profiles of individual institutions, thereby generating elevated stress losses that may be disproportionate for certain financial institutions exhibiting lower risk profiles.

 

 

Remarks on paragraph 60

This paragraph suggests that competent authorities conduct the BMA by using as a source of information “recovery plans” (e) and “resolution plans, including the work and outcome of resolvability assessment” (f). The industry would welcome clarifications on how the works in Recovery and Resolution planning could impact BMA.

Indeed, the BMA is meant to provide understanding of the institutions’ operations in current and forward-looking perspectives and not in the very specific context of Recovery or Resolution planning, both of which address crises of extreme severity, justifying the implementation of measures impacting the BM if ever occurring.

Whereas the recovery scenarios are designed based on the institutions‘ business model and could highlight their potential vulnerabilities or weaknesses, the recovery plan is meant to demonstrate the ability of a bank to overcome such crises even if it affects their business model. Accordingly, it may not be a perfect angle to assess the business model itself, but rather the resilience it allows. 

 On its side, the approach in Resolution Planning is scenario-agnostic, resolution plans are prepared and defined by the resolution authorities without any apparent link to the business model and, in our view, the resolvability assessment does not bring any added-value to the BMA.

Finally, the resolvability assessment is expected to have an impact on the MREL or subordinated MREL calibration and not on the P2R / P2G capital stack, which would definitely introduce a double counting and have snowball effects due to the way MREL objectives are set. Hence, we strongly advise against such proposal.

 

Remarks on paragraph 71 table 3 (points D and H) 

The business model and strategies are in the responsibility of the institution and its management body. The supervisory authority may only issue specific requirements in exceptional cases, although this is not clear from the wording. The table should therefore be omitted. A general reference to the supervisory powers under Article 104 CRD would be sufficient. 

Q7. What are the respondents’ views on the updated section 5.7 “ICT systems, risk data aggregation and risk reporting”?

We welcome the inclusion of ICT in the SREP methodology.  

We would like to raise the subject of the interaction between EBA guidelines. We are concerned that, with the EBA Guidelines on Internal Governance (and the ECB Guide on Governance and Risk Culture) both currently going through amendment, following consultation periods, it is difficult to comment on this section of the draft SREP GLs. The draft SREP GLs refer to and take as a key input the contents of the draft EBA Guidelines on Internal Governance as consulted on. The following key concerns are, as yet, not addressed:

  • Failed to sufficiently national frameworks and corporate law and regulatory systems, in particular, by removing acknowledgement of the legitimacy of one-tier board systems and imposing requirements that undermine the principle of collective responsibility embedded in several Member States’ legal frameworks, as well as other governance schemes foreseen and allowed by national company law;
  • The Imposition of overly detailed and costly provisions on mapping of duties and individual statements of responsibility, especially given that no political agreement in detail was reached regarding these topics and the EBA received no mandate regarding them;
  • The need to emphasize proportionality and flexibility to ensure that governance expectations are tailored not only to institutions’ size, complexity, and risk profile, but also to the diversity of board structures recognized under EU and national legislation; and
  • Required sufficient time for implementation and coordination with other EU initiatives.

In this respect, we strongly encourage the EBA to ensure that there is alignment of implementation deadlines, with EBA Guidelines on Internal Governance (and any other Guidelines currently under review) to be finalized with a sufficient implementation period before they are included in any SREP assessment. In addition, if the final EBA Guidelines on Internal Governance differ significantly from the draft consulted on, it may be appropriate to allow additional comment on the accompanying SREP provisions. 

We encourage the EBA to consider how the overall simplification agenda of the EU authorities can be applied to the contents of the draft SREP GLs Title 5. For instance, we note that the section begins with a list of 15 different sets of guidelines covered by the subject matter of this section, to which users should refer. This makes the use of the draft SREP GLs a complex matter for practitioners.

There are some areas where some of the terminology and language lacks clarity. For example, in relation to risk awareness. This leaves too much room for subjectivity and the assessment should be more precisely defined / framed.

Moreover, we would like to stress the need for close coordination of remedies between SREP competent authorities and (new) AML/CFT supervisors for cross-cutting deficiencies to avoid conflicting or duplicative supervisory measures, i.e. current SREP GLs and new draft on SREP GLs do not draw a clear picture to avoid "double-counting", duplications / a clear understanding of competences. The request regarding the ‘appropriateness of ICT systems, data aggregation, and risk reporting’ lacks clarity and specificity, making it difficult to determine the exact requirements for achieving this objective. 

Eventually, we call for a clarification on the assessment of “appropriate understanding” and “sufficient knowledge and skills” “through regular training” (point 83.c, page 49) : such expectation leaves too much room for subjectivity and the assessment should be more specifically defined and framed.

Likewise, paragraph 83 point c provides that the management body collectively has an appropriate understanding of the institution’s business model and activities and keeps up-to-date knowledge and relevant skills, including IT risks, ESG risks and other emerging risks, through regular training. It is not clear what should be covered by “and other emerging risks”. We propose to delete "and other emerging risks” as it is too broad.

Also in paragraph 104, it is provided that competent authorities should determine whether the management body of the institution and senior management review and approve the institution’s risk data aggregation and risk reporting framework. We propose to delete “and senior management” as only the Management Body can take decisions. 

Q8. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?

Please refer to our remarks on benchmarks (please see response to question 5).

Q9. Do you agree with the treatment proposed to account for transfer pricing risk in the context of trading book activities? Please elaborate.

While we fully acknowledge the importance of addressing transfer pricing risk, we have reservations about introducing a prescriptive formula to determine the Pillar 2 Requirement (P2R) for this risk.

First, we would like to point out the risk of precedent. Using a formula for one specific P2R component could set a precedent for other risks to be treated similarly. Over time, this might shift the SREP framework from a supervisory judgment-based approach to a formula-driven system, which could undermine the principle of proportionality and supervisory discretion.

This would also lead to a potential Inflation of P2R. A formulaic approach may lead to systematic increases in P2R across institutions, regardless of their actual risk profile. This could result in excessive capital requirements without clear alignment to the underlying risk.

 

The EBA should aim at preserving flexibility. Supervisory authorities need flexibility to tailor P2R to the specific circumstances of each institution. A formula reduces this flexibility and may not adequately capture the complexity and diversity of transfer pricing practices.

 

We suggest an alternative approach. We recommend maintaining a principles-based approach, where competent authorities assess transfer pricing risk through qualitative and quantitative analysis rather than relying on a fixed formula. This ensures proportionality, preserves supervisory judgment, and avoids unintended capital inflation.

During the public hearing, the EBA clarified the guidance relating to transfer pricing risks within CSRBB was added to cover risks consistently identified in the past, that were not covered by Pillar 1. While we support the need to cover risks not by Pillar 1, any risk that has not been covered should be covered through Pillar 1 method and introduced in the Basel framework, to apply consistently in all jurisdictions. The enforcement of a stated minimum methodology in the SREP risks leaves little flexibility to the supervisor, and creates a deviation from international standards, which, if confirmed, should be incorporated in the level 1 text.

Q10. What are the respondents’ views on the integration of the EBA GL on ICT risk assessment under the SREP (EBA/GL/2017/05) and DORA aspects?

ICT risks assessments are in line with DORA, and we have no further comments on his. 

Q11. What are the respondents’ views on the introduction of operational resilience (section 6.4.5)?

Operational Resilience

While we welcome the introduction of Operational Resilience as a broad concept in the SREP, with the inclusion of DORA and the EBA’s draft GLs on the management of third party risk, it does not seem to strictly align with the overall EU regulatory framework nor does it fully encompass a holistic concept of Operational Resilience. 

DORA specifically targets Digital Resilience. Third Party risk management requirements similarly have a clear and specific focus, rather than providing a framework for a holistic approach to Operational Resilience. Some jurisdictions, such as Ireland, do have an Operational Resilience framework. Hence, the absence of a clear and consistent approach across member states could lead to fragmented and varying implementation. 

In this respect, the SREP guidelines amount to a far-reaching, broad and highly demanding set of supervisory expectations. A change of scope would likely justify separate, specific consultation with the industry and possibly even require Commission Regulation to form the basis of it.

These concerns are further compounded by the extremely broad and loose definition of ‘Operational Resilience’ leveraged by the EBA, which also deviates significantly from existing definitions of operational resilience in jurisdictions such as Ireland.

Members would propose that references to operational resilience are restated to be framed around digital operational resilience, to ensure that it is aligned with the regulatory framework.

Some specific comments include:

  • Paragraph 68.c. refers to a CA’s assessment of a firm’s “operational resilience, by reviewing the institution’s operational resilience framework”. In line with our wider comments, there is no current regulatory requirement for firms to have a holistic operational resilience framework in place.
  • Paragraph 92.g. refers to “appropriate and consistent links between the business strategy, risk strategy, digital operational resilience strategy”. During the development of the technical standards under DORA, it was made clear that a separate DORA / ICT strategy would not be required, as long as the requirements were covered under existing or other strategies. This requirement could lead to supervisors requiring a separate DOR strategy in contravention to the prevailing approach. For those firms which do have a separate DOR strategy, there is no current requirement under DORA for links between it and the business strategy beyond the requirement that the firm be able to describe how the DOR strategy supports the business strategy. Such links may be more common in IT strategies. The supervisory expectation as currently drafted could be seen as moving the goalposts, and lead to a duplication of strategies which would increase the complexity of governance.
  • Paragraph 197 states that, “Competent authorities should assess the materiality of operational risk arising from third-party service providers”. This goes against the fundamental approach to both the assessment of third-party service providers, and established supervisory practice. Requiring supervisors to independently assess the materiality of risks associated with third parties would be a significant operational demand on both supervisors and firms, and would likely lead to the CA coming to inaccurate conclusions. It would be more appropriate for CAs to assess the institution’s approach to determining the materiality of operational risk arising from TPSPs.
  • Paragraph 208 refers to CAs using reports of significant cyber threats as a source of information. We would emphasize that the reporting of significant cyber threats is on a voluntary basis under DORA, and may not be available for all CAs. We would welcome the EBA clarifying that this may be a source of information where available.
  • Paragraph 216.i. states that CAs should review the institution’s level of adoption and integration of digital technologies. Digital technologies is not a clearly defined term, and could refer to anything from the use of digital calculators to the deployment of sophisticated AI. Furthermore, a general expectation that the CA review firms’ use of digital technologies, without links to a specific desired outcome, risks overstepping the boundary of supervisory responsibility into taking a direct hand in firms’ IT Strategy.
  • Paragraph 216.o. requires CAs to review institutions’ vulnerabilities, however it does not define what sort of vulnerabilities this refers to. For example, software vulnerabilities are usually normally very point-in-time, and often resolved quickly after they are identified. As such, the specific vulnerabilities which might exist at the point of the SREP are unlikely to be representative of the steady state. Furthermore, the sharing of vulnerabilities outside of the institution can pose a material security risk to institutions, as any sharing of this information increases the likelihood that these vulnerabilities will become known to bad actors. We would propose that instead, CAs should consider the institution’s approach to identifying the external threat environment, rather than seek to identify the threats and vulnerabilities themselves.
  • Paragraph 217 states that CAs should “form an opinion on which ICT systems and ICT services support critical or important functions”. In line with our other comments, this runs counter to established supervisory processes. It would be more appropriate for CAs to review the approach that institutions have taken to determining which ICT systems and ICT services support their CIFs.
  • The title, “Identification and mapping of material ICT risks to critical ICT systems and ICT services” on page 89 uses terminology which is not present in the existing regulatory framework. Rather than referring to critical ICT systems and ICT services, we would propose that this be amended to “ICT systems and ICT services supporting critical or important functions”.
  • Paragraph 218 states that CAs should “form an opinion on the material ICT risks that can have a significant prudential impact on the institution’s ICT systems and services that support critical or important functions”. Similarly to our other comments, it would be more appropriate for the CA to review the institution’s approach to determining the material ICT risks to which they are exposed.
  • Paragraph 232.c. does not recognize that the management body may delegate some of its responsibilities for follow-up and response to audit findings, nor does it consider the materiality of audit findings in question. We would propose that this be amended to read, “adequate follow-up and response by the management body or its delegates on material ICT related audit findings and findings reported under Article 13(5) of DORA”.
  • Paragraph 245 refers to monitoring the maturity level of an institution’s operational resilience. Maturity isn’t clearly defined in this context, and there is a risk that this could decouple the expectations from the degree of risk faced by the institution. A firm’s approach to resilience should be proportionate to the risks to which it is exposed. As such, we would propose that the wording be updated and rather refer to the effectiveness or the appropriateness of the institution’s operational resilience. 

 

Reputational risks

We would like to remind that reputational risks are explicitly excluded from the definition of operational risks in CRR (Article 4 (52) : “operational risk” means the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including, but not limited to, legal risk, model risk or information and communication technology (ICT) risk, but excluding strategic and reputational risk”). 
To ensure consistency with the level 1 text, the CRR definition must prevail and any reference to the reputational risk should be removed from the Operational risk section.

To go a step further we would like to better understand how reputational risk could increase the level of operational risk for an institution. 

It also appears that the quantification of reputational risk is at a very uneven stage of development across institutions, with methodologies that, where they exist, differ across institutions and would certainly necessitate harmonization. In any case, the effects of reputational risks remain difficult to quantify.

Definitions

Finally, certain elements are insufficiently defined, leaving considerable room for supervisory discretion. As an example, the significance or materiality of risks is insufficiently defined and would benefit further clarification (§239, §245 for example).

Q12. What are respondents’ views on the additional section on CSRBB and the combined score for IRRBB and CSRBB?

Whilst there is understanding why CSRBB was added, the IRRBB and CSRBB are traditionally holistically covered by ICAAP. In addition to criteria in Table 12, potential double counting between CSRBB/IRRBB assessment and ICAAP assessment should be avoided; and / or ICAAP coverage of the risk in BB should be considered.

To be consistent, with the above, IRRBB and CSRBB should be combined for the SREP scoring process while being transparent on the contributions of each component. Isolated scores would increase the complexity of the SREP process.

In addition, we would like EBA to also stress in this section the need for transparency in case of benchmarking approach, for both criteria as well as results.

We also note that CSRBB is considered almost exclusively in European regulatory / supervisory framework. EBA should ensure that no additional burden is put on EU banks that produces uneven playing field.

Q13. What are the respondents’ views on the proposed assessment of the interaction between Pillar 1 and Pillar 2 requirements and on the proposed approach for operationalizing concerning cases where an institution becomes bound by the output floor?

Articulation between Pillar 1 and P2R :

We appreciate the inclusion of provisions in section 7.2 (§297) that encourage competent authorities to assess the impact of Pillar 1 changes on Pillar 2 Requirements (P2R). This is an important step toward ensuring that overall capital requirements remain risk-based and proportionate. We welcome the principle that the assessment may lead to recalibration of P2R to avoid over-coverage of risks already addressed under Pillar 1. This is particularly relevant given the significant methodological changes introduced by CRR3.As derived from the 2025 EBA stress test transparency templates, which show CRR3 FTA impacts, the estimate of the pure mechanical impact of CRR3 on P2R ranged from -€500 to + €700 million. This significant variance strongly supports the need for recalibration to ensure fairness and proportionality across institutions.

 

Fundamentally, there is a need to have a holistic approach to the capital requirements of an institution, considering pillar 1 and pillar 2 requirements as a whole and to find a balance between the P1R and the P2R. This is addressed in §297 (“When a material impact on institution’s capital profile is or may be expected due to relevant changes to the regulatory framework for determining P1R or to its implementation on the specific institution, competent authorities should assess such impact in terms of interaction with the P2R”…), and it should to be a key driver for the calibration of pilar 2 requirements, which seems to not have been the case when CRR3 was implemented and often triggered significant and undue increases of RWA.

To ensure that supervisory authorities apply this in a consistent manner, we recommend a stronger stance on §297 : “When a material impact on institution’s capital profile is or may be expected due to relevant changes to the regulatory framework for determining P1R or to its implementation on the specific institution, competent authorities should assess such impact in terms of interaction with the P2R. Such assessment should systematically result in redetermining the quantity or composition of the P2R to make sure the institution’s overall own funds requirements are in line with Article 104a(1) of Directive 2013/36/EU, in particular that P2R cover risks or elements of risks that are not covered or not sufficiently covered by the P1R. To perform such an assessment, competent authorities may increase the frequency of the SREP assessment as set out in the SREP engagement model in section 2.4 or of specific elements thereof. “ 

Furthermore, paragraph 301 c) should be amended to emphasize the fact that P2R should be seen as a measure of last resort when it comes to deficiencies in the individual SREP elements, and only used where it is unlikely that other supervisory measures would be sufficient to ensure that those requirements can be met within an appropriate timeframe.

 

Articulation between Output floor and P2R :

We welcome the introduction of provisions aiming at limiting the side effects of the application of P2R to an institution that starts being hit by the output floor, for institutions using internal models (§320 à §322). Indeed, it is important not to unduly penalize institutions that bear additional RWAs stemming from the output floor application which adds conservatism to Pillar 1 requirements, whereas their risk profile remains basically the same. 

Coming more specifically to the process described when an institution becomes bound by the output floor, the EBA proposes to make a review of the P2R in order to assess the double counting due to model effects that are already covered by the output floor, and consider whether there are undue arithmetic effects (paragraph 320). This raises the following comments: 

  • The supervisor should clearly consider to what extent the additional capital requirements of the output floor are redundant with P2R and proceed to a rebasing of the P2R accordingly.
  • We do not advocate for a standardization of P2R, which must remain supervisory, judgmental and risk-based. However, a minimum level of transparency regarding the broad proportion of P2R attributable to quantified risk elements versus supervisory qualitative judgement is needed to perform meaningful double counting effects between P1R CRR3 and P2R referred to in paras §320(c) and §451. This would make overlap assessments and support supervisory dialogue more robust, while avoiding purely mechanical disclosures and without constraining authorities’ discretion.
  • In §320, the term of “undue” arithmetic effects would deserve clarification. The current wording (“consider whether there are undue arithmetic effects […] and remove them as appropriate”) leaves discretion to competent authorities, which may lead to inconsistent application across jurisdictions.
  • We wonder what the rationale for a mandatory disclosure in Pilar 3 (art 320.c) would be. It might be left at the appreciation of the institution. In case it would be required by the supervisor, then the transparency mentioned above should be a pre-requisite. In this respect, and before such disclosure requests are introduced by competent authorities into institutions’ Pillar 3 disclosures, we encourage the EBA to clarify the methodological principles for identifying overlaps and how competent authorities expect institutions to perform such assessments, so that resulting information is meaningful, comparable and not misleading across jurisdictions.

 

Timing of the double counting review

Limiting the review to the year when the institution first becomes bound by the output floor may not be sufficient : the rebasing of P2R should go longer than the first time the institution becomes bound to the output floor, as the effect will be permanent. We propose that the review should continue as long as the institution remains constrained by the output floor, to maintain fairness and proportionality. At least, it should be done until the end of the phasing of the output floor.  We therefore recommend introducing an automatic neutralization mechanism for the arithmetic effect as long as the institution is constrained by the output floor, to avoid unwarranted capital inflation that does not correspond to any additional risk. In that respect, §320(b)ii should be redrafted accordingly :  “consider whether there are undue arithmetic effects […] on the nominal amount of P2R arising from the automatic increase in the TREA due to the fact that the institution has become bound by the output floor and remove them as appropriate as long as the institution is constrained by the output floor.

This approach would fully align with: 

  • The legislator’s intent (Recital §55 CRD6 and Art. 104a(8)),
    • Previous expectations expressed by EBA (2019) and ECB (2022),
    • The principle of risk-based regulation,
    • The need for a level playing field within and outside Europe

 

Scope of the double counting 

We acknowledge the contribution of section 7.2.2, which introduces measures such as freezing the nominal P2R by applying it to unfloored TREA (U-TREA) and requiring a review at the latest during the next SREP. These steps are important to mitigate undue effects and avoid double-counting of model risk. 

Nevertheless, the EBA focuses only on double-counting elements (model risk) (see (§320(b)i and §451). It is unclear whether the EBA intends the neutralization of arithmetic effects of the output floor to apply only to the part of P2R covering regulatory model deficiencies or to the entire P2R : we firmly believe that double counting items should not be limited to only double counting effects on model risks, but also account for undue arithmetic effects, as well as double-counting with several other P2R components (e.g. concentration, sectoral or portfolio risk elements). To avoid any ambiguity, the guidelines should explicitly state that the mechanism described in §320 applies to the entire P2R, and §320(b)i should be amended as follows : “remove any part of the P2R that may be covering all regulatory model deficiencies for the calculation of own funds requirements that is already covered by the output floor, in order to eliminate any potential double-counting effects;”

 

Furthermore, we suggest §320, currently located in section 7.2.2, titled “Determining own funds or other measures to cover regulatory model deficiencies not covered by the fact that an institution has become bound by the output floor.” should be located either in Additional own funds to cover unexpected losses (section 7.2.1), or/and Own funds or other measures to cover other deficiencies (section 7.2.3), to apply the neutralization of double-counting effects to the full P2R.

Regarding the recalibration of certain risks, an automatic recalibration mechanism could be considered for risks whose calculation methodology and capital requirements have significantly evolved under CRR3 to avoid unintended capital inflation and ensure aligned assessment on EU level.

 

On this matter, we understand that the EBA remains consistent with its previous opinion, published on January 21st, 2025, which somehow dismissed the issue of neutralizing the overlap by proposing a one-off review ("EBA advises CAs to consider how they could ward off […] the arithmetic effects from the OF in the one-off review") and considering that P2R add-ons on models deficiencies would be the sole (though minor) source of overlap between the P2R and the Output Floor (“19.It is worth noting, however, that the use of P2R as a tool to cover for such deficiencies by supervisors is already expected to be residual in the SREP Guidelines”]. The EBA based its opinion on the analysis of QIS exercises by institutions across Europe. 

While averaging results across the wide spectrum of EU institutions might lead to a poor outcome due to the scattered profiles of institutions, this analysis would have been better sustained by appropriate comparison of actual P2R figures set by competent authorities (which have all available information) rather than industry-wide comparisons. Furthermore, comparisons would be more appropriate between output floor bound institutions and non-output floor bound institutions using internal models.

 

 

Calibration of the P2G

The BSG supports the consideration about the proper calibration of P2G in regard of the impact of the output floor (§357(e)). As the additional capital requirements coming from the output floor is an additional margin of conservatism for institutions that become bound to it, they create an additional capacity to absorb stressed conditions. It means that the capital buffers should be calibrated accordingly.

We would like to highlight the importance of some factors that are to be considered in §355 to determine the P2G. More specifically, in point b, the need to consider the outcome of institutions stress test, in addition to the results of the supervisory stress test, is very important for two reasons: the supervisory stress test relevance might depend on the institution’s business model and strategy, (cf point e), meaning that internal stress test might be more appropriate; besides, the supervisory stress test encompasses systemic downturn effects that could be redundant with  CCyB. We appreciate also the point about the composition and quality of available own funds in the calibration of P2G.

§347 states that “Competent authorities should determine and set P2G and P2G-LR based on the outcomes of the adverse scenario of the relevant supervisory stress tests, including the EU-wide stress tests performed by the EBA or any other relevant supervisory stress tests performed on a system-wide basis over a forward-looking horizon of at least 2 years.”

The calibration of Pillar 2 Guidance currently relies predominantly on EU-wide supervisory stress tests performed on a biannual basis, with predefined adverse scenarios (and a static balance sheet assumption (which does not reflect the potential management actions or economic dynamics) ensuring methodological consistency and cross-institution comparability. While this framework provides supervisory control and harmonization, it may capture less effectively and rapidly evolving macro-financial conditions and idiosyncratic risk dynamics observed between stress test cycles.

To ensure P2G remains meaningful and aligns with its core purpose - covering capital needs under adverse scenarios and stressed market conditions - we encourage the EBA to consider a more explicitly hybrid and risk-sensitive approach to P2G calibration, combining internal (e.g. ICAAP) and external supervisory stress test exercises.

This approach would reflect both the impact of EU-wide supervisory stress tests and the institution’s own internal stress tests, with transparent supervisory judgment on how these elements are combined.

This suggestion aims to ensure that P2G continues to reflect both structural and rapidly evolving risks in an increasingly macro-financial and geopolitical environment.

 

Interaction between P2G and CCyB

Concerning the overlap between P2G and CCyB (§357.b), the EBA should consider the recent Basel Committee publication on positive neutral countercyclical buffers (Nov 2024) which reminds that "The CCyB can be raised by authorities in response to periods of excess aggregate credit growth, which have often been associated with the build-up of system-wide risk, and then released during downturns." It is therefore explicit in the guidance provided by the Basel Committee that countercyclical buffers should be released in stressed situations like the scenario of the EBA stress test. As a reminder, in the 2025 EBA stress test, banks in the EBA sample generate losses of €547bln in the adverse scenario. Stock prices decrease by 50% in the first year of the scenario in the European Union, commercial real estate prices lose over 30% over three years compared to their baseline growth. It is not possible not to characterize the scenario and its impact on banks as a downturn. The countercyclical buffer should therefore be always offset from the P2G, otherwise a structural overlap exists between the P2G, which reflects a capital requirement in stress, and the countercyclical buffer, which would be released in such a stress scenario.

In addition, on overlaps between P2G and the countercyclical capital buffer (CCyB), we note that in the current draft the offset is described as an exceptional discretionary measure by competent authorities after liaison with macroprudential authorities. 

In this context, we encourage the EBA to explicitly recognize that the adverse scenarios used in supervisory stress tests — which imply severe downturn conditions (e.g., large market declines and significant losses) — are precisely the conditions in which CCyB is designed to be released according to macroprudential principles. 

Aligning the treatment of CCyB and P2G under such stressed conditions would help avoid economic double counting and ensure that P2G remains aligned with its core purpose of covering capital needs under stress, without undue overlap with buffers intended to be releasable during downturns.

 

Overall Recovery Capacity (ORC)

Banks make reservations about the consideration of the ORC score as regards capital and liquidity adequacy assessment for the following reasons :

  • There could be redundancies or double counting in terms of scoring ; for instance, ORC considers measures to be implemented in BAU (i.e. ICAAP management actions and LCP measures).
  • It would imply taking into account limited time horizons (6 months for liquidity ORC or 18 months for capital ORC), which do not reflect the actual full capacity of a bank to recover from a severe crisis,
  • It would introduce a degree of subjectivity into the overall SREP assessment since the ORC is a theoretical measure which is based on scenarios, themselves specific to each bank, and, furthermore, ORC is not comparable between banks due to their differences in size, geographical footprint and business model.
  • It would add further complexity to the SREP process at a time when regulators are engaged in a simplification process.

 

If nevertheless included, banks would request clarifications:

  • As regards the ORC assessment itself : what are the criteria used for the assessment of the ORC, considering both qualitative and quantitative aspects? Among others, clarifications would be welcome as regards the methodology applied for the “adjusted ORC” and notably for the haircuts applied to the quantitative impacts reported by institutions. More transparency on this matter with banks having individually access to their respective “adjusted ORC” and to explanations for their final ORC score assessment would be welcome and would facilitate discussions between banks and their supervisors.
  • Paragraph 355 : to which extent and how would the ORC score impact the final P2 assessments

Q14. What are the respondents’ views on the merger with the ‘SREP liquidity assessment’ and the merger of the scores into a combined liquidity and funding adequacy score?

Banks are satisfied with the unique score and the merger into a combined liquidity and funding adequacy score.

Paragraph 372 page 218 provides for coverage of all material legal entities: we subscribe to the expectation as well as to entities’ responsibility for the implementation of risk management, but the EBA should also clarify that for consolidated groups, the findings as well as the remediation should be managed by the consolidating entity. 

Q15. What are the respondents’ views in relation to enhanced communication aspects?

We welcome the introduction of new provisions on the transparency of SREP decisions as stated in §451. It will help institutions to be aware of the material risk drivers and deficiencies, and prioritize their remediation actions to respond to the supervisor’s expectations. It fits in with a cost/ benefit purpose, enabling institutions to allocate their resources primarily to the most impacting issues in terms of risk and capital.

We view the proposal for a dedicated section on SREP assessment communication, with its heightened emphasis on justification by supervisors, as a constructive and positive development. This enhanced transparency is crucial for fostering a deeper understanding between supervisors and institutions. 

We anticipate that these communication efforts will be clearly and demonstrably articulated to the banks, ensuring a consistent and equitable application of supervisory expectations. However, we understand that the EBA SREP guidelines do not enforce any binding obligation relating to the communication of several items of the SREP : where “material risk drivers supporting any additional own funds requirement (P2R and P2R-LR) […] should be duly justified to institutions material risks drivers” (§39), “where appropriate […] competent authorities may disclose to institutions the SREP scores for relevant elements or sub-elements” (§39). 

These provisions about transparency of SREP decisions should apply not only at group level, but also for entities belonging to larger groups that are bound to individual SREP and P2R / P2G decisions.

Finally, for effective supervisory oversight, it is crucial that banks be benchmarked not only against the broader industry but also against clearly defined and relevant peer groups. The results derived from such comprehensive benchmarking exercises must be consistently and transparently communicated to each institution. This consistent sharing of information is fundamental to enabling a deeper understanding of their relative performance and, consequently, to fostering continuous improvement across the banking sector.

Q16. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?

Additionally, clear guidance on the links between local and consolidated assessments is recommended, as well as the identification of explicit criteria for the independence and autonomy of subsidiaries.

Q17. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?

The proposed adjustments are a step in the right direction toward strengthening the principles of proportionality and practicability. We recommend that these approaches be consistently implemented and further expanded in supervisory practice. In doing so, it must be made transparent to institutions at all times how their respective results are arrived at, i.e., supervisory stress tests must not be a black box.

 

We appreciate the flexibility to adjust to stress scenarios but recommend that the guidelines explicitly acknowledge the need to tailor these scenarios to the specific markets within which the group operates. 

Q18. Do respondents consider the guidance for the assessment of third-country branches appropriate and sufficiently clear?

Further clarity is requested on whether this paragraph applies only to the list of third country branches published on 13 October 2025. 

The SREP assessment is composed of core SREP elements and is intended to result in an overall viability score, as presented in Table 21. However, the methodology for deriving the overall SREP score from the individual components is not fully clear.

In particular:

  • Should an overall SREP score of 1 be assigned only when all core components are assessed as “do not raise concerns”?
  • Conversely, does the presence of at least one component assessed at a “low to medium” level automatically result in an overall SREP score of 2, regardless of the assessment of the other components?

Further clarification on the aggregation logic and supervisory judgement applied would be helpful.

 Title 9 addresses the communication of the outcome of the SREP assessment to the management body of the institution. However, for third-country branches (TCBs), Title 12 does not specify the modalities for communicating the results of the SREP assessment. In particular, it remains unclear whether, and through which channels, the outcome will be communicated to the branch management, the head undertaking, and the authority responsible for the supervision of the head undertaking (the “home authority”).

Upload files

Name of the organization

French Banking Federation