EBA Pillar 3 Peer Review: Uneven Disclosure Supervision in the EU
On 2 July 2026 the European Banking Authority published the EBA Pillar 3 peer review of how competent authorities supervise Pillar 3 disclosures. Six supervisors were assessed against four benchmarks, and their scores ran the full length of the scale, from fully applied to not applied. For a reporting team the spread is the story: how hard your published Pillar 3 gets checked depends heavily on which supervisor sits across the table.
The EBA Pillar 3 peer review covers the reference period from 1 June 2023 to 30 June 2025, and its subject is supervisory practice: the report grades how competent authorities police the disclosure obligations already set out in Part Eight of the Capital Requirements Regulation. The EBA has committed to a follow-up review in two years, so the general recommendations issued to every competent authority mark the start of a direction of travel that your next disclosure cycle will feel.
The direction is toward reconciliation. The strongest supervisors in the sample already tie each published Pillar 3 template back to the bank’s COREP and FINREP submissions, and the EBA wants that habit generalised. If your disclosure figures and your regulatory returns are built in separate cycles by separate teams, this review is the reason to close that gap before your supervisor does it for you.
Related reading: Pillar 3 disclosure requirements explained
The peer review at a glance
The core dates are short enough to keep on one screen before the detail starts.
- Published: 2 July 2026, by the European Banking Authority.
- Reference period: 1 June 2023 to 30 June 2025.
- Follow-up: a second peer review of how the measures were implemented, due in two years.
Six supervisors went through the assessment: France’s ACPR, Italy’s Banca d’Italia, Poland’s KNF, Portugal’s Banco de Portugal, Sweden’s Finansinspektionen, and the ECB acting through the Single Supervisory Mechanism. The legal basis for the exercise runs through Article 13 and Part Eight of Regulation (EU) No 575/2013 (the CRR), Article 45i paragraphs 3, 4, 6 and 7 of Directive 2014/59/EU (the BRRD), and the related EBA implementing technical standards. Scoring covered four supervisory benchmarks, each rated fully applied, largely applied, partially applied, or not applied. The scope is credit institutions, and what the review actually measures is supervisory practice around them: the six authorities’ own processes for policing Pillar 3 compliance.
The overall verdict from the Peer Review Committee was positive, with only a limited number of partially applied or not applied ratings. Three supervisors were judged to have incorporated the requirements to a very high standard, with Banca d’Italia and Banco de Portugal scoring fully applied on all four benchmarks. That headline sits on top of a much less even picture underneath, which is where the practical reading begins.
What the EBA actually assessed
Pillar 3 is the market-discipline leg of the Basel framework. Under Part Eight of the CRR, institutions publish prudential information so that markets can price their risk. The frequency and depth of that publication scale with size: large institutions disclose most under Article 433a, other institutions under Article 433c, and small and non-complex institutions get a lighter set under Article 433b. The content and templates sit in the disclosure ITS. During the reference period, the relevant framework included Commission Implementing Regulation (EU) 2021/637 as amended, including by Commission Implementing Regulation (EU) 2022/2453 for ESG disclosures. Commission Implementing Regulation (EU) 2024/3172 is now the adopted Pillar 3 disclosure ITS and repeals 2021/637; current builds should map to 2024/3172 and the EBA IT solutions rather than to the superseded 2021/637 framework.
The peer review turned its lens on the supervisors’ own oversight machinery, using those templates as the backdrop for grading how six competent authorities police them. The Peer Review Committee tied its assessment to four benchmarks, each anchored to specific provisions of the Capital Requirements Directive. The first asks whether an authority has integrated Pillar 3 requirements into its own supervisory manuals, guidelines and planning, under Article 97(2) of the CRD. The second asks whether it has working arrangements to supervise and review institutions’ disclosures over time, including keeping a live list of who falls in scope, under Articles 433a, 433b and 433c of the CRR and Article 97(1), (3) and (4) of the CRD. The third checks whether the assessment and verification of disclosures is built into the supervisory review and evaluation process, SREP, again under Article 97(1), (3) and (4) of the CRD. The fourth measures whether the authority effectively supervises compliance, communicates findings, follows up, and requires remediation, under Articles 102(1)(a), 104(1)(m) and 106 of the CRD.
Read those four in sequence and you have the supervisory lifecycle a competent authority is expected to run around your disclosures: know who is in scope, check what they publish, feed it into SREP, and chase what is wrong. The peer review measures how far each of the six has actually built that lifecycle.
How the EBA Pillar 3 peer review scored the six supervisors
The ratings are worth reading supervisor by supervisor, because a bank inherits the practice of its own competent authority.
Banca d’Italia and Banco de Portugal came out fully applied on all four benchmarks. Banca d’Italia runs a master list of supervised entities mapped to the CRR and ITS, an applicability matrix that sets which templates and frequencies apply to each institution, and a gap-and-remediation matrix that links every deficiency to a specific CRR article and ITS template with a named owner and a deadline. Its Pillar 3 review is embedded in the annual SREP, with completeness and accuracy checked against the CRR requirements and the disclosure ITS. Banco de Portugal in its 2024 assessment asked 22 of 23 less significant institutions to republish information, and when it finds a data quality issue it requests the institution to resubmit its disclosures and, where relevant, its FINREP and COREP data for validation.
ACPR in France scored fully applied on the first three benchmarks and largely applied on the fourth. Its supervision runs on a four-eyes principle, with an analyst and a supervisor independently checking each institution, and Pillar 3 figures are reconciled manually against supervisory reporting data. Its remediation is graduated but informal, moving from email reminders to registered letters, with no formal remediation-plan template documented. No Pillar 3 weakness has fed into a SREP or Pillar 2 measure there in the past three years, which is why the softer approach was accepted as effective.
The ECB scored fully applied on integration and largely applied on the other three benchmarks. It supervises 114 significant institutions at top entity level and runs an annual reconciliation exercise between published Pillar 3 data and supervisory reporting, using the EBA mapping tool. That exercise typically takes six to seven months and applies two materiality thresholds to any mismatch: an absolute threshold of EUR 100 million and a relative difference threshold of 20 per cent. In the 2024 exercise, 36 banks, roughly one third of those assessed, republished their Pillar 3 reports to correct mismatches by the cut-off date of 31 October 2025. The gaps flagged by the Committee were procedural rather than substantive: no pre-agreed escalation strategy specific to Pillar 3, and no central database of common issues across all institutions.
KNF in Poland was rated partially applied on all four benchmarks. Its supervision is split between a commercial banking department and a cooperative banking department that do not yet apply the same tools, and its centralised tool for checking the completeness and correctness of quantitative disclosures is still in development. Its inspection activity was real: across 2023 to 2025, KNF recorded 17, 16 and 3 infringements respectively, with over 100 irregularities in total. The peer review also records that KNF can impose fines and suspend supervisory or management board members for up to 12 months under Poland’s Banking Law, giving its escalation process real enforcement teeth.
Finansinspektionen in Sweden was the outlier, rated not applied on the first three benchmarks and partially applied on the fourth. It does not run a regular process to assess institutions’ Pillar 3 compliance, on the view that non-compliance with disclosure requirements does not normally constitute a significant financial-stability risk. Its one focused exercise in the period was a thematic review of Pillar 3 ESG templates from May to November 2024, covering seven Swedish institutions, and even that produced only informal requests rather than documented follow-up.
Reconciliation is the pressure point
Strip away the supervisor-by-supervisor detail and one mechanism runs through the highest-scoring authorities: they tie what a bank discloses back to what it reports elsewhere, and they act on the difference. Banca d’Italia checks Pillar 3 completeness and accuracy against the CRR and the disclosure ITS inside SREP. Banco de Portugal asks for COREP and FINREP resubmission when disclosures do not tie out. The ECB has formalised a reconciliation against supervisory reporting data into an annual exercise with hard materiality thresholds. This is the practice the EBA is pushing every competent authority to adopt.
When a reporting team reconciles a published Pillar 3 template against the COREP figures it is meant to mirror, mismatches usually come from timing and ownership rather than from fabricated numbers. The disclosure report may have been assembled in a separate cycle, from a separate extract, by a team that did not sit with regulatory reporting. A risk-weighted exposure amount in a Pillar 3 capital template that does not equal the same figure in COREP template C 02.00 is exactly the kind of outlier a mapping tool surfaces quickly. Our COREP reporting guide and FINREP reporting guide set out those return structures in detail.
Where teams get this wrong is in treating a clean regulatory return as proof of a clean disclosure. The two can diverge even when each is internally correct, because Pillar 3 aggregates, rounds and presents on its own schedule. The supervisors that scored well do not check whether COREP is right and whether Pillar 3 is right as two separate questions. They check whether the two agree. A bank that only ever validates each in isolation is optimising for the wrong test.
The EBA supports this with public tooling: a mapping tool, a signposting tool and frequency-of-disclosure files, all on its website, that supervisors are encouraged to build their checklists around. A reporting team can run the same mapping tool against its own draft disclosures before publication. Doing so turns the supervisor’s reconciliation from an external surprise into an internal control.
Why Sweden scored not applied, and what it signals
Finansinspektionen’s position deserves closer scrutiny, because its reasoning is a live misconception in more than one market. Swedish law requires banks to disclose detailed capital adequacy and capital requirement information, referencing the CRD and CRR, inside their audited financial statements. The Swedish supervisor treats that statutory audit as sufficient scrutiny of the underlying information and concludes that a separate Pillar 3 compliance process is not a priority use of supervisory resources.
The Peer Review Committee did not accept that logic as a substitute for supervising Pillar 3 itself. Statutory audit of the financial statements and supervisory assessment of Part Eight disclosures are different exercises with different scopes, and the review recommended that Finansinspektionen keep an updated list of institutions in scope, build tools for regular Pillar 3 assessment within SREP, and formalise a communication protocol with standard notices, deadlines and escalation tiers. The wider signal for banks is that reliance on an adjacent control, whether that is external audit, an ICAAP narrative or a financial-statements disclosure, does not discharge the specific obligation to publish complete and accurate Pillar 3 information. Supervisors are being told to check the disclosure on its own terms.
What the general recommendations change for the next cycle
The peer review issued four general recommendations addressed to every competent authority in the EU, a scope reaching well beyond the six authorities in the sample. In the EBA’s own framing, follow-up measures of a general nature apply to all authorities unless the issue does not arise in their jurisdiction. Read as a to-do list handed to your supervisor, they translate cleanly into what a reporting officer should expect.
Authorities are told to integrate all relevant Pillar 3 requirements into their supervisory manuals and planning. Practically, that means the topic stops being ad hoc and gets a named slot in the supervisory calendar. They are told to keep an updated list of institutions in scope and to run commensurate compliance processes, including data quality assessment against supervisory reporting, template sampling, and assessment of the governance and controls a bank uses to produce its disclosures. That last point matters: supervisors will look as closely at the internal process that produced the numbers, including board and committee sign-off and the disclosure policy on materiality and confidentiality, as at the published numbers themselves.
Authorities are told to build the assessment of disclosures into SREP in a proportionate way. For a bank, a finding on Pillar 3 can therefore surface inside the SREP dialogue rather than as a standalone letter, and the way SREP feeds capital and governance conclusions is set out in our SREP guidelines explainer. Finally, authorities are told to have standardised processes to communicate outcomes and to follow up on non-compliance, and to be ready to deal in a structured way with institutions that fail to remediate. The softer end of that spectrum is an email asking you to correct a template; the harder end, seen in the ECB’s framework, refers the most serious omissions or misstatements to an enforcement and sanctions function where they could materially mislead a user of the disclosure.
What these four recommendations tighten is supervisory practice around obligations banks already carry, with no new legal duty added on top. The strongest form of preparation is the reconciliation discipline the high-scoring supervisors already apply. The EBA’s broader push here connects to its wider work on supervisory consistency, which we cover in the 2025 supervisory convergence report.
The Pillar 3 Data Hub sits underneath all of this
The single change most likely to reshape disclosure supervision sits outside the four recommendations altogether: the Pillar 3 Data Hub. The hub has been live for large and other institutions since 26 January 2026, when the EBA began publishing their submitted Pillar 3 information centrally. It does not, by itself, remove the need for those institutions to prepare and control Pillar 3 data. The automation point is narrower: for small and non-complex institutions, the EBA is consulting on a process under which it would prepare and publish Pillar 3 disclosures using supervisory reporting data. The ECB recommendation points in the same longer-term direction: amend Level 1 regulation so the EBA can derive more Pillar 3 data directly from supervisory reporting and improve coherence between reporting and disclosure.
If the Level 1 mandate is extended, reconciliation would move from an after-the-fact supervisory check toward a single-source publication model for a larger part of the disclosure framework. Until that legal change is made, large and other institutions still need controls over the Pillar 3 data they submit to the hub, and they still need to reconcile disclosure figures to COREP and FINREP before submission. The current interim state, where large and other institutions submit to the hub while the EBA works on the SNCI process, is covered in our note on the EBA Pillar 3 Data Hub and smaller banks, and the CRR3-driven changes to the disclosure templates themselves in our CRR3 Pillar 3 disclosure guide.
What this peer review does not do
A few boundaries keep the reading accurate. Part Eight of the CRR and ITS 2024/3172 continue to fix the disclosure frequency and template set for your institution, exactly as before the review, and no new reporting return, deadline or penalty comes out of this exercise. The report’s subjects are the six supervisors, and the institution-level figures it cites illustrate aggregate supervisory practice; no bank is named as having done wrong.
The document’s role is that of a convergence tool: it builds the practice your competent authority will adopt over the next two years, without naming or predicting enforcement outcomes for any institution. That indirectness is easy to underrate. A bank whose supervisor moves from Finansinspektionen’s model toward Banca d’Italia’s will experience a genuine change in the intensity and formality of Pillar 3 scrutiny, even though the text of the CRR stays exactly as it was.
Frequently Asked Questions
Does the EBA Pillar 3 peer review impose any new disclosure obligation on my bank?
No. The review’s subjects are six competent authorities, and Part Eight of the CRR and the disclosure ITS stay unchanged. The obligation it sharpens is the supervisor’s obligation to check your disclosures. Your own to-do list is to make sure your published Pillar 3 reconciles to your COREP and FINREP before the supervisor does that reconciliation for you.
Which implementing standard governs the Pillar 3 templates now?
Commission Implementing Regulation (EU) 2024/3172. It is the current adopted Pillar 3 disclosure ITS and repeals Commission Implementing Regulation (EU) 2021/637. Commission Implementing Regulation (EU) 2022/2453 amended the 2021/637 framework for ESG disclosures, so it should be treated as part of the superseded 2021/637 regime rather than as a separate current build basis. A disclosure build or supervisory checklist should map to 2024/3172 and the EBA IT solutions going forward.
What are the ECB’s materiality thresholds for a Pillar 3 mismatch?
In its annual reconciliation exercise the ECB applies two thresholds to a mismatch between published Pillar 3 data and supervisory reporting: an absolute threshold of EUR 100 million and a relative difference threshold of 20 per cent. A mismatch above either can trigger a request to verify and, if needed, republish the affected report. In the 2024 exercise, 36 banks republished corrected Pillar 3 reports by the 31 October 2025 cut-off.
My institution is a small and non-complex institution. Does this apply to me?
The lighter disclosure set under Article 433b of the CRR still applies, and supervisors are expected to run their checks in a way that is commensurate with the mix of institutions under their remit. Several supervisors in the review maintain a dedicated list of small and non-complex institutions and apply a proportionate assessment. Proportionate supervision is still supervision: Poland classifies whole cooperative networks as small and non-complex and still reviews their disclosures.
How will the Pillar 3 Data Hub change supervisory review of disclosures?
The hub is already live for large and other institutions, which submit Pillar 3 information to the EBA. That improves central access to disclosures but does not remove the need for those institutions to prepare and control Pillar 3 data. The reduction in manual production is clearest for the proposed SNCI process, where the EBA would prepare and publish disclosures using supervisory reporting data. The ECB has recommended going further by extending the EBA’s mandate to derive Pillar 3 data directly from supervisory reporting for all banks. If that Level 1 change is made, disclosures and returns would move closer to a single-source model.
Could a Pillar 3 finding affect my SREP outcome?
It can, where the supervisor integrates disclosure assessment into SREP, which the review recommends all authorities do proportionately. In practice a disclosure deficiency tends to feed the internal governance and risk management element of SREP rather than a direct capital add-on, and several supervisors reported no Pillar 3 weakness reaching a Pillar 2 measure. The exposure is greater where the deficiency points to weak internal controls over the disclosure process itself.
What should a reporting team do first in response to this report?
Run a reconciliation of your most recent published Pillar 3 against the corresponding COREP and FINREP figures, using the EBA mapping tool, and document where they diverge and why. That single exercise mirrors what the strongest supervisors in the sample already do, and it converts an external supervisory check into an internal control you own.
Related Articles
- Pillar 3 Disclosure Requirements – The foundational guide to what Part Eight of the CRR requires, template by template.
- EBA Pillar 3 Data Hub for Smaller Banks – How centralised disclosure submission changes the workflow for less significant and small and non-complex institutions.
- CRR3 Pillar 3 Disclosure Changes – The ESG, equity and shadow-banking template changes flowing from CRR3 and ITS 2024/3172.
- COREP Reporting Explained – The own funds and capital return that Pillar 3 capital templates must reconcile to.
- FINREP Reporting Explained – The financial reporting return supervisors cross-check against disclosed figures.
- EBA Supervisory Convergence Report 2025 – The wider EBA push for consistent supervisory outcomes across the EU.
Key Takeaways
- The EBA published its targeted peer review of Pillar 3 disclosure supervision on 2 July 2026, covering the reference period 1 June 2023 to 30 June 2025.
- Six supervisors were assessed against four benchmarks. Banca d’Italia and Banco de Portugal scored fully applied on all four; KNF was partially applied throughout; Finansinspektionen was not applied on three of the four.
- The review grades supervisors on their own disclosure-oversight practice and changes no disclosure obligation for banks directly; its force works through the practice your competent authority adopts over the next two years.
- Reconciliation of published Pillar 3 against COREP and FINREP is the common thread among the high-scoring authorities and the practice the EBA wants generalised.
- The ECB applies two materiality thresholds to a mismatch, EUR 100 million absolute and 20 per cent relative, and 36 banks republished corrected 2024 reports by 31 October 2025.
- Current disclosure templates sit in Commission Implementing Regulation (EU) 2024/3172, which repeals ITS 2021/637 (as amended by 2022/2453 for ESG disclosures).
- The Pillar 3 Data Hub, and the ECB’s recommendation to derive disclosures from supervisory reporting, point toward a single source that would close the reconciliation gap at source.
- A follow-up peer review in two years will check whether the general recommendations to all competent authorities have been implemented.
Sources and References
- European Banking Authority, press release: Targeted EBA peer review finds high compliance in Pillar 3 disclosures and calls for greater consistency (2 July 2026) – eba.europa.eu
- European Banking Authority, Peer Review Report on Pillar 3 Disclosures (2 July 2026) – Peer Review Report (PDF)
- Regulation (EU) No 575/2013 (Capital Requirements Regulation), Part Eight and Articles 13, 433a, 433b, 433c – EUR-Lex
- Directive 2013/36/EU (Capital Requirements Directive), Articles 97, 102, 104 and 106 – EUR-Lex
- Directive 2014/59/EU (Bank Recovery and Resolution Directive), Article 45i – EUR-Lex
- Commission Implementing Regulation (EU) 2024/3172 (ITS on Pillar 3 disclosures) – EUR-Lex
The peer review as a signal for what comes next
The temptation with a peer review is to read the ratings and stop there. A more useful reading treats the high-scoring supervisors as a preview of the practice heading toward every bank in the EU. Banca d’Italia’s applicability matrix, the ECB’s reconciliation thresholds and Banco de Portugal’s resubmission requests are ordinary, achievable controls, exactly what consistent Pillar 3 supervision looks like when it is done well, and the EBA has just told the rest of the field to catch up. The bank that reconciles its own disclosures first is the one that never finds out what its supervisor’s version of that exercise feels like.
Last updated: July 2026
Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.