CRR3 ECAI Due Diligence: What EU Banks Must Evidence Under the Standardised Approach

ByOfficer

Last updated: May 2026

An institution files its COREP credit risk returns using the standardised approach. The risk weights come from external ratings mapped to Credit Quality Steps. The process looks mechanical. Assign the ECAI, look up the CQS mapping, apply the weight. But CRR3 has tightened what institutions must demonstrate before they can rely on those ratings. Get it wrong, and you are either applying an incorrect risk weight or failing to evidence the due diligence that your competent authority expects during SREP. Either outcome carries capital or supervisory consequences.

This article covers what changed under Regulation (EU) 2024/1623 (CRR3) regarding ECAI due diligence for external credit assessments in the credit risk standardised approach. I focus on operational requirements: what risk and regulatory reporting teams need to document, challenge, and control before applying ECAI-derived risk weights.

Related reading: CRR3 Output Floor Phase-In 2026

What CRR3 Actually Changed in Article 138

Article 138 of Regulation (EU) No 575/2013 (the CRR) already contained requirements on ECAI nomination, consistency, and the solicited-versus-unsolicited distinction. CRR3 added a new restriction at point (g) that targets a specific systemic risk: the assumption of implicit government support embedded in credit ratings of institutions.

The new rule is direct. For exposures to institutions (banks, investment firms), an EU institution must not use an ECAI credit assessment that incorporates assumptions of implicit government support. The only exception applies to institutions owned by, or set up and sponsored by, central governments, regional governments, or local authorities. If the only available ECAI assessments for a given institution incorporate implicit government support assumptions, the exposure must be treated as unrated under Article 121 CRR.

This is not a theoretical problem. Before CRR3, a significant number of ECAI ratings for European banks included implicit government support notches. Institutions relying on those ratings without adjustment were effectively applying lower risk weights than the standalone credit profile justified. CRR3 closes that gap.

The common error I see in implementation: teams assume this only matters for non-EU counterparties or government-owned banks. It does not. The prohibition applies to any exposure to any institution where the rating incorporates implicit support assumptions. The question is not whether the counterparty is government-owned. The question is whether the specific credit assessment relies on an assumption that the government would step in.

The Transitional Under Article 495e

CRR3 did not switch off implicit-support-adjusted ratings overnight. Article 495e provides a transitional measure allowing competent authorities to permit continued use of ECAI credit assessments incorporating implicit government support assumptions until 31 December 2029. The drop-dead date in the Level 1 text is 31 December 2029. Competent authorities may exercise the option for a shorter window. The ECB chose 1 January 2027 for its directly supervised institutions, while BaFin, for example, chose the full 31 December 2029 for German less significant institutions.

The ECB exercised this option for directly supervised institutions through Regulation (EU) 2025/24 (adopted 15 July 2025). For banks under ECB supervision within the SSM, the transitional applies until 1 January 2027. National competent authorities for less significant institutions may or may not have exercised the same option, and may have chosen different end dates up to the Level 1 ceiling; institutions must verify with their own supervisor.

The operational trap here is treating the transitional as a permanent pass. Teams that have not already begun identifying which counterparty ratings incorporate implicit government support will face a cliff-edge at the date applicable to their supervisor. The remediation work involves counterparty-by-counterparty assessment, ECAI engagement, and potentially reclassifying a portfolio of interbank exposures from rated to unrated. That drives risk weight increases from the institution-specific CQS weight to the unrated treatment under Article 121, which under CRR3 uses the Standardised Credit Risk Assessment Approach (SCRA).

ECAI Eligibility: What Counts as a Usable Rating

Article 135(1) CRR sets the gateway. External credit assessments can only be used for risk weighting if they have been issued by an ECAI. The definition of ECAI is narrow: a credit rating agency registered or certified under the CRA Regulation (Regulation (EC) No 1060/2009), or a central bank issuing credit ratings that is exempt from the CRA Regulation.

This matters in practice for three reasons:

First, not every entity that produces credit opinions qualifies. Internal rating models, credit research from broker-dealers, and ESG scoring services are not ECAIs. Using them to inform risk weights under the SA requires no regulatory capital mapping. They can inform internal processes but cannot drive CQS assignment.

Second, only publicly disclosed ratings qualify. The EBA confirmed this in Q&A 2024_7220: credit assessments not publicly disclosed cannot be used to determine risk weights under the standardised approach, even if issued by a registered ECAI. Private ratings, bilateral assessments, and subscription-only opinions do not meet the public disclosure threshold.

Third, the ECAI must have a valid mapping to Credit Quality Steps under Commission Implementing Regulation (EU) 2024/1872 (the latest ECAI mapping ITS). If an ECAI’s rating scale is not mapped, the assessment exists but cannot be used for SA risk weighting. Teams should maintain a register of which ECAIs they use and verify that each rating scale has a current CQS mapping.

Nomination and Consistency Requirements

Article 138 CRR requires institutions to nominate one or more ECAIs for each exposure class in the standardised approach. This nomination must be consistent: once an institution chooses an ECAI for an exposure class, it must use that ECAI consistently for all exposures within that class. Switching between ECAIs selectively to obtain more favourable risk weights (cherry-picking) is explicitly prohibited.

The operational implication: your credit risk policy must document which ECAI is nominated for which exposure class. Changes to nomination must have a documented rationale. I have seen institutions fail to maintain this register, creating problems during Pillar 3 disclosure preparation and during SREP assessments when supervisors ask for the nomination framework.

Article 444, point (a) CRR requires public Pillar 3 disclosure of the names of nominated ECAIs and Export Credit Agencies (ECAs), including reasons for any changes during the disclosure period. This is not cosmetic. If an institution switches ECAI mid-year without documented governance, the Pillar 3 narrative either omits the explanation (non-compliance) or exposes the gap.

Where multiple credit assessments exist for the same item, Article 138 CRR governs the treatment: where two credit assessments yield different risk weights, the higher (more conservative) risk weight is assigned; where three or more exist, the institution must identify the two assessments yielding the lowest risk weights and apply the higher of those two. This prevents rating shopping but creates a data management requirement: the institution must source and compare all available eligible assessments, not just the one from its nominated ECAI.

Issue Versus Issuer Ratings: The Mapping Trap

Article 139 CRR governs when an issue-specific credit assessment can be used and when an issuer assessment applies. The rules are not symmetric, and this is where reporting teams frequently misclassify exposures.

If a specific issue (a bond, a facility) has its own ECAI credit assessment, that issue-specific assessment determines the risk weight for that exposure. The institution cannot substitute a more favourable issuer rating. Conversely, if no issue-specific assessment exists, the institution may use the issuer assessment, but only under specific conditions that depend on the seniority and characteristics of the exposure relative to the assessed claims.

The operational error: applying an issuer rating universally across all exposures to a counterparty without checking whether specific issues within the portfolio carry their own assessments. A subordinated bond from a counterparty may carry a different (lower) rating than the issuer-level assessment. Applying the issuer rating to that bond overstates the credit quality and understates the risk weight.

For teams running the C 07.00 credit risk SA templates, this means the data pipeline must flag at instrument level whether a position carries an issue-specific assessment or relies on issuer-level mapping. That granularity often does not exist in legacy systems, and many institutions default to issuer-level ratings for everything. This was tolerated pre-CRR3. Post-CRR3, the implicit-support prohibition and the supervisory focus on non-mechanistic reliance make blanket issuer-level application a compliance risk.

Non-Mechanistic Reliance: The CRA Regulation Overlay

CRR3 does not operate in isolation. The CRA Regulation (Regulation (EC) No 1060/2009, as amended by Regulation (EU) No 462/2013) imposes an independent requirement at Article 5a(1): the entities referred to in the first subparagraph of Article 4(1) shall make their own credit risk assessment and shall not solely or mechanistically rely on credit ratings for assessing the creditworthiness of an entity or financial instrument.

This means that even when an institution has a valid, publicly disclosed, properly mapped ECAI assessment for an exposure, it cannot treat that rating as the final word. The institution must perform its own creditworthiness assessment alongside the external rating. The external rating informs the SA risk weight; the internal assessment validates that reliance on the rating is appropriate given the institution’s knowledge of the counterparty.

What does this look like in practice? It does not mean running a full internal model. It means the institution must have documented policies and procedures for:

Assessing whether the external rating remains consistent with the institution’s own understanding of the counterparty’s risk profile. If internal indicators (financial statement deterioration, sector stress, news flow) suggest a material deviation from the ECAI assessment, the institution must have a process for flagging and potentially overriding the rating for internal risk management purposes, even if the SA risk weight mechanically follows the ECAI CQS.

The Joint ESAs published a Final Report on mechanistic references to credit ratings in the ESAs’ guidelines and recommendations (JC 2014/004), which set out the working definition of sole and mechanistic reliance still used today. JC 2014/004 was developed in the Article 5b context (ESAs’ own guidelines), but the definition of sole/mechanistic reliance it provides is the standard reference point for the parallel Article 5a duty on institutions.

The common failure mode: an institution has an ECAI nomination policy and maps ratings to risk weights in its systems, but has no documented challenge process. No periodic review of whether ratings remain appropriate. No escalation trigger when internal data contradicts the external assessment. In SREP, this reads as mechanistic reliance regardless of how sophisticated the SA implementation otherwise is.

What Reporting Teams Must Evidence for ECAI Due Diligence

Pulling these requirements together, here is what a credit risk reporting team must be able to demonstrate under the CRR3 standardised approach:

Exposure mapping: a complete register of exposures under the SA, identifying for each exposure class whether external credit assessments are used, which ECAI provides them, and whether the assessment is issue-specific or issuer-level.

ECAI eligibility register: documented verification that each nominated ECAI is registered/certified under the CRA Regulation, that its rating scales are mapped under the current ITS (Commission Implementing Regulation (EU) 2024/1872), and that the EBA’s Decision on unsolicited credit assessments (EBA/DC/2021/397) covers any unsolicited ratings relied upon.

Implicit government support screening: for exposures to institutions, documented assessment of whether each ECAI credit assessment incorporates assumptions of implicit government support. Where it does, evidence that the institution either applies the unrated treatment under Article 121 or operates within a valid transitional permission under Article 495e.

Rating applicability checks: documented process for verifying that a credit assessment applies to the specific exposure (not just the counterparty generally), that the rating is current, publicly available, and issued by the nominated ECAI for that exposure class.

Non-mechanistic reliance framework: internal policies and procedures for performing own creditworthiness assessments alongside external ratings. Evidence of periodic review. Documented triggers for challenging or overriding external ratings where internal data diverges.

Governance and oversight: board-approved or senior-management-approved policies covering ECAI nomination, rating usage, challenge processes, and override authority. Minutes or records showing periodic review of the framework.

Pillar 3 disclosure readiness: ability to produce the Article 444 CRR disclosures covering ECAI names, exposure class usage, the process for transferring issue assessments to comparable items not in the trading book, association of external assessments with CQS, and exposure values by credit quality step.

Reporting and Template Implications

The due diligence requirements feed directly into COREP reporting. Template C 07.00 (Credit and counterparty credit risks and free deliveries: standardised approach to capital requirements) requires exposure breakdown by exposure class and risk weight. The risk weight assignment depends on correct ECAI mapping. If due diligence failures lead to incorrect CQS assignment, the template output is wrong, and the own funds requirement is misstated.

The Pillar 3 templates under Commission Implementing Regulation (EU) 2024/3172 (which repealed Implementing Regulation (EU) 2021/637) require qualitative narrative covering: names of ECAIs and ECAs nominated, changes and reasons, exposure classes per ECAI, and the process for transferring assessments. This disclosure must be consistent with the internal due diligence framework. If the disclosure says one thing and the internal policy says another, a supervisor will find the gap.

For institutions that also use the IRB approach for some portfolios, the output floor under Article 92(3) CRR (with transitional schedule in Article 465) means SA calculations apply as a floor regardless. The ECAI due diligence requirements therefore apply to the SA calculation feeding the floor, even for portfolios where the primary own funds requirement uses internal models. Teams that previously treated SA as a secondary calculation with less rigour should recognise that the output floor makes SA governance as consequential as IRB governance.

Common Implementation Failures

From operational experience, these are the recurring failures in ECAI due diligence frameworks across EU institutions:

Outdated ECAI register. The institution nominated an ECAI years ago, documented it once, and never reviewed whether the mapping ITS was updated, whether the ECAI lost registration, or whether new rating scales were introduced. Commission Implementing Regulation (EU) 2024/1872 is the current version. If your internal register references an earlier implementing regulation, it is out of date.

No implicit-support screening. The institution relies on ECAI ratings for interbank exposures without ever assessing whether those ratings incorporate government support uplift. This was tolerable before 1 January 2025. It is not tolerable now, even under the Article 495e transitional, because the transitional only works if the competent authority has exercised the option and the institution can demonstrate awareness of which ratings are affected.

Blanket issuer-level application. The data pipeline pulls one issuer rating per counterparty and applies it to all exposures. Subordinated exposures, structured facilities, and specific issuances with their own ratings are treated at issuer level. This understates risk weights on lower-rated specific issues and misstates the COREP return.

No challenge or override process. The institution has no documented procedure for what happens when internal credit monitoring identifies deterioration that the ECAI has not yet reflected. No escalation, no override authority, no record of challenge. Under CRA Regulation Article 5a(1), this constitutes mechanistic reliance.

Stale Pillar 3 narrative. The Article 444 disclosure repeats the same language year after year, even when ECAIs have been added, removed, or changed. Supervisors compare year-on-year disclosures. A static narrative in a period of change signals weak governance.

Building the Governance Framework

For institutions that need to build or remediate their ECAI due diligence framework, the minimum viable structure includes:

A credit risk policy section covering external credit assessments. This sits within the broader credit risk framework and addresses ECAI nomination criteria, the process for selecting and reviewing ECAIs, rules for issue-versus-issuer mapping, the implicit government support screening methodology, and override/challenge authority.

A data quality layer in the reporting pipeline. This layer flags: exposures without valid ECAI mapping, exposures where the nominated ECAI’s registration status has changed, exposures where implicit support screening has not been performed, and exposures where issue-level assessments exist but issuer-level assessments are being applied.

Periodic review. At minimum annually, the framework should be reviewed for changes to: the ECAI mapping ITS, CRA Regulation registration status of nominated ECAIs, EBA Decisions on unsolicited credit assessments, and new Q&A or guidance from the EBA Single Rulebook platform on Articles 135-141.

Audit trail. Every risk weight derived from an ECAI assessment should be traceable to: the specific ECAI, the specific rating scale, the CQS mapping reference, the date of assessment, and confirmation that due diligence (implicit support check, public availability, issue/issuer applicability) was performed.

Frequently Asked Questions

Does CRR3 require institutions to perform their own internal credit assessment for every SA exposure?

Not a full internal model assessment. The CRA Regulation (Article 5a(1)) requires that institutions do not rely solely or mechanistically on external ratings. This requires having policies to review, challenge, and supplement external assessments with internal indicators. It does not require an IRB-equivalent PD model for SA exposures.

What happens if the only available rating for an institution counterparty incorporates implicit government support?

Under Article 138, point (g) CRR (as amended by CRR3), the institution must treat the exposure as unrated and apply Article 121 CRR. CRR3 replaced the previous sovereign-CQS-based fallback with the Standardised Credit Risk Assessment Approach (SCRA): exposures are classified into Grade A, B, or C based on quantitative and qualitative criteria, with risk weights of 40% (Grade A, reducible to 30% if conditions are met), 75% (Grade B), and 150% (Grade C). Short-term exposure weights are 20%/50%/150%. During the Article 495e transitional, continued use may be permitted until 1 January 2027 for ECB-supervised banks under Regulation (EU) 2025/24, and until 31 December 2029 in jurisdictions where the NCA has exercised the full Level 1 option.

Can private (non-publicly-disclosed) ratings from a registered ECAI be used for SA risk weighting?

No. EBA Q&A 2024_7220 confirms that external credit assessments not publicly disclosed cannot determine risk weights under the standardised approach, even if issued by a registered ECAI. Public availability is a prerequisite under Article 135(1) CRR.

How do institutions verify whether an ECAI rating incorporates implicit government support?

ECAIs typically publish rating methodologies that specify whether and how government support is factored into credit assessments. Many ECAIs publish separate “standalone” or “viability” ratings alongside supported ratings. Institutions must review the ECAI’s methodology documentation and, where necessary, engage directly with the ECAI to obtain confirmation of whether a specific assessment incorporates support assumptions.

What Pillar 3 disclosures relate to ECAI due diligence?

Article 444 CRR requires disclosure of: (a) names of nominated ECAIs and ECAs and reasons for any changes; (b) exposure classes for which each ECAI or ECA is used; (c) a description of the process used to transfer issuer and issue credit assessments onto items not included in the trading book; (d) the association of the external rating of each nominated ECAI or ECA with the credit quality steps; and (e) the exposure values and post-CRM exposure values associated with each credit quality step, by exposure class. These disclosures are implemented via the Pillar 3 templates in Commission Implementing Regulation (EU) 2024/3172 (which repealed Implementing Regulation (EU) 2021/637).

Does the implicit government support prohibition apply during the output floor calculation?

Yes. The output floor under Article 92(3) CRR uses SA-calculated risk-weighted exposure amounts. All SA requirements, including Article 138, point (g) on implicit government support, apply to the floored calculation. Institutions using the IRB approach for primary own funds requirements must still apply full ECAI due diligence in their SA floor calculation.

What is the deadline for remediating implicit-support-affected ratings?

The prohibition in Article 138, point (g) applies from 1 January 2025. The Article 495e transitional allows continued use where the competent authority exercises the option. The ECB exercised it via Regulation (EU) 2025/24 with a deadline of 1 January 2027. The Level 1 ceiling under Article 495e is 31 December 2029, and national competent authorities may choose any end date up to that ceiling. After the applicable deadline, no transitional relief is available: affected ratings must be removed from SA risk weighting, and exposures reclassified as unrated under the SCRA framework in Article 121.

How should the ECAI nomination be documented for SREP purposes?

The institution should maintain a board-approved or senior-management-approved policy specifying: which ECAIs are nominated for which exposure classes, the criteria for selection, the process for periodic review, and the governance for making changes. This documentation should be readily available for SREP and align with the Pillar 3 Article 444 narrative.

Key Takeaways

  • CRR3 Article 138, point (g) prohibits using ECAI credit assessments that incorporate implicit government support for exposures to institutions, effective 1 January 2025.
  • Article 495e transitional relief runs until the date set by each competent authority, up to the Level 1 ceiling of 31 December 2029. The ECB set 1 January 2027 for directly supervised banks; BaFin chose the full 31 December 2029 for German less significant institutions.
  • Institutions should prepare for the cliff-edge applicable to their supervisor: 1 January 2027 for ECB-supervised banks under Regulation (EU) 2025/24, 31 December 2029 (the Level 1 ceiling under Article 495e) for less significant institutions where their national competent authority has exercised the longer option (e.g., BaFin Circular 06/2025 (BA) for Germany).
  • Only publicly disclosed ratings from registered/certified ECAIs with valid CQS mappings under Commission Implementing Regulation (EU) 2024/1872 can drive SA risk weights.
  • The CRA Regulation Article 5a(1) prohibition on sole/mechanistic reliance requires documented internal challenge processes alongside ECAI-derived risk weights.
  • Issue-versus-issuer assessment mapping must be performed at instrument level, not defaulted to issuer-level for entire counterparty portfolios.
  • Pillar 3 disclosure under Article 444 CRR must reflect the actual ECAI nomination framework and any changes during the period, reported via templates in Commission Implementing Regulation (EU) 2024/3172.
  • The output floor under Article 92(3) CRR makes SA due diligence requirements binding even for institutions primarily using the IRB approach.

Related Articles

Sources and References

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.

Similar Posts