ECB Internal Models Sanction: What the BIL Enforcement Action Means for IRB Governance and Capital Reporting

Last updated: July 2026

An ECB-approved internal model is a supervisory decision the bank asked for and agreed to run. Treat it as optional for a few quarters and the capital ratios you report to the ECB stop being true. That is the practical lesson from the ECB internal models sanction announced on 29 June 2026, when the European Central Bank fined Banque Internationale a Luxembourg (BIL) EUR 3,255,000 for breaching an ECB decision on internal models. The bank did not apply its approved internal ratings-based models to defaulted retail and corporate exposures, so it never calculated the resulting IRB shortfall and never deducted it from capital.

The effect was mechanical and it landed straight in the returns. For three consecutive quarters, from the fourth quarter of 2023 to the second quarter of 2024, BIL reported higher own funds than it should have, and its published capital ratios were inflated as a result. The ECB classified the breach as severe and imposed the penalty under Article 18 of Council Regulation (EU) No 1024/2013, the SSM Regulation. The bank may challenge the decision before the Court of Justice of the European Union.

For prudential reporting teams the real interest sits one level down, at the seam where a model engine, a provisions ledger and the COREP own funds template are supposed to agree, and what happens when they quietly stop agreeing. One bank drew the fine here; the failure mode belongs to any institution on the IRB approach. This is an operator note on where that seam fails, how the IRB shortfall deduction actually works, and what an IRB or IMA reporting function should check before the same gap opens on its own submission.

Related reading: EBA 2025 annual assessment of banks’ internal approaches: what supervisory findings on IRBA, IMM and IMA mean for prudential reporting teams

What the ECB internal models sanction actually covers

The facts, as the ECB set them out, are narrow. BIL holds ECB permission to use the internal ratings-based approach for credit risk. For defaulted retail and corporate exposures, the bank did not apply those approved models to calculate the regulatory expected loss. Because it did not produce the model expected loss, it did not perform the comparison against provisions that generates the IRB shortfall, and it did not take the shortfall as a deduction from Common Equity Tier 1. The consequence was a higher reported capital figure across the fourth quarter of 2023, the first quarter of 2024 and the second quarter of 2024.

The ECB described the conduct as intentional and classified the breach as severe, on a scale that runs from minor through moderately severe, severe and very severe to extremely severe. The penalty of EUR 3,255,000 was set by applying the ECB’s published method for calculating administrative pecuniary penalties. The legal basis is Article 18 of the SSM Regulation, which lets the ECB impose penalties on the significant institutions it directly supervises. BIL has the right to bring the decision before the Court of Justice of the European Union. The case did not involve loss to depositors or a solvency event; the supervisor treated a reporting integrity failure as serious in its own right.

One point deserves care from the outset. The ECB found that the bank overstated capital, not that it hid a capital hole. An overstatement of own funds still matters, because the supervisor, the market and the bank’s own risk appetite framework all read the reported ratios as accurate. When those numbers are wrong in the bank’s favour, every decision taken on top of them inherits the error.

Why an approved internal model is a binding decision, not a setting

The reason this is enforceable at all sits in the permission architecture of the Capital Requirements Regulation. Under Article 143 of Regulation (EU) No 575/2013, a competent authority permits an institution to calculate risk-weighted exposure amounts using the IRB Approach, and that prior permission extends to the use of own estimates of loss given default and conversion factors. The permission is granted by a formal supervisory decision. For a significant institution in the euro area, that decision is an ECB decision.

Article 18(1) of the SSM Regulation lets the ECB penalise a supervised entity that, intentionally or negligently, breaches either a directly applicable requirement of Union law or a requirement set out in ECB regulations and decisions. An internal-models permission is exactly the second kind of requirement. Once the ECB has approved a model, using it is not a matter of internal preference. The approved model is the model the bank is required to run, and departing from it without going back to the supervisor is a breach of the decision itself.

This is where teams tend to misread the regime. There is a widespread assumption that a model approval is a ceiling, a permission to use a model if the bank chooses, with the standardised approach always available as a conservative fallback. That is not how the IRB permission works for the portfolios it covers.

Reverting to the standardised approach, or simply not applying the model, is a return to permanent partial use or a rollback, and both are governed by conditions and by supervisory consent. A bank cannot silently stop applying an approved model for a class of exposures because a process broke or a run was skipped. The model application itself is part of what the ECB approved.

There is a second, related trap. Material changes and extensions to an approved model require prior permission under Article 143 of the CRR, and reporting teams are usually well drilled on that gate. The BIL case is not a model-change case.

Nothing in it turns on recalibration or a new methodology. The failure was more basic: the approved model was not applied to a set of exposures it was supposed to cover. Governance built entirely around the model-change process can miss the simpler risk that the model, unchanged and approved, is not being run end to end.

The IRB shortfall mechanism the bank skipped

To see why a missed model run distorts capital, follow the expected loss chain the CRR sets out. Under Article 158 of the CRR, the expected loss for an IRB exposure is the probability of default multiplied by loss given default, and the expected loss amount is that figure multiplied by the exposure value. For defaulted exposures where the bank uses its own LGD estimates, the expected loss is the institution’s best estimate of expected loss for that defaulted exposure. Defaulted exposures are precisely the population the ECB says BIL failed to model.

Article 159 of the CRR then tells the bank what to do with those expected loss amounts. The institution subtracts the total IRB expected loss from the general and specific credit risk adjustments and certain other own funds reductions related to the same exposures. If provisions exceed expected loss, the positive difference is the IRB excess. If expected loss exceeds provisions, the negative difference is the IRB shortfall. The CRR3 amendments in Regulation (EU) 2024/1623 now name these outcomes explicitly in the Article 159 heading, “Treatment of expected loss amounts, IRB shortfall and IRB excess”, but the comparison itself has been in the framework since the CRR came into force.

The final link is Article 36(1)(d) of the CRR. For institutions on the IRB Approach, negative amounts resulting from the calculation of expected loss amounts under Articles 158 and 159, the IRB shortfall, are deducted from Common Equity Tier 1. That deduction is the mechanism BIL did not operate. Skip the model run for defaulted exposures, and there is no expected loss to compare against provisions, so there is no shortfall to deduct, so CET1 is reported higher than the rules allow. The overstatement was a missing deduction at the top of the capital stack, not a rounding difference in a footnote.

Two things are commonly misunderstood here. First, the shortfall is not a portfolio-by-portfolio netting exercise that teams can run loosely. The comparison aggregates expected loss against eligible provisions across the relevant exposures, and specific credit risk adjustments on defaulted exposures cannot be used to cover expected loss on other exposures. Second, defaulted exposures are the sharp end of the calculation, because they carry the largest expected loss and the best-estimate LGD drives the number. A bank that models performing exposures cleanly but drops the defaulted book, as the ECB describes here, removes exactly the exposures most likely to produce a shortfall.

How the misstatement flows into COREP

For a reporting function, the interesting question is where this should have been caught. The answer is the own funds template. In COREP, template C 01.00 carries the IRB shortfall of credit risk adjustments to expected losses as a Common Equity Tier 1 deduction line.

That line is fed from the IRB expected loss calculated in the credit risk templates and from the provisions recorded in the accounting systems. When the model run is complete, the deduction populates, own funds fall by the shortfall, and template C 03.00 reports capital ratios built on the reduced own funds figure. When the model run is missing, the deduction line is empty or wrong, and every ratio downstream is overstated.

When I reconcile an own funds submission, the IRB shortfall line is one of the first I tie back to source, because the three numbers that feed it live in three different places: the model engine’s expected loss output, the provisions ledger in the finance systems, and the exposure population in the credit risk templates. If any one of those is stale or scoped wrong, the deduction is wrong, and the C 01.00 total looks perfectly plausible while being materially off. A clean-looking own funds template only proves that a number was entered, not that the shortfall was calculated.

This is a specific version of a general reporting failure covered in our guide to the most common COREP reporting errors: a template validates and submits without ever being reconciled to the risk engine that is supposed to drive it. Validation rules confirm internal arithmetic and cross-template consistency. They do not confirm that the expected loss in the credit risk templates reflects an actual model run over the correct, current population of defaulted exposures. A submission can be technically valid and substantively wrong at the same time, which is why the reconciliation between the model output and the own funds deduction has to be an owned control, not an assumption. If you want the wider context on how these templates fit together, our COREP reporting guide sets out the own funds and credit risk blocks.

The disclosure angle matters too. The same capital figures flow into Pillar 3, so an overstatement in the returns does not stay inside the supervisory channel. It reaches the public disclosures that analysts and counterparties read. Our note on Pillar 3 disclosure requirements explains how the own funds and IRB numbers surface there. A reporting team that treats COREP own funds and Pillar 3 as separate workflows can propagate the same error into both.

How the ECB set the penalty, and what “severe” means

The amount was not picked from the air. The ECB applies its Guide to the method of setting administrative pecuniary penalties pursuant to Article 18(1) and (7) of the SSM Regulation, and the guide is public. It uses a two-step approach: determine a base amount from the severity of the breach, then adjust for aggravating and mitigating circumstances, subject to a legal maximum of 10 percent of the entity’s total annual turnover.

Severity is where the intentionality finding does its work. The guide classifies severity from the impact of the breach and the degree of misconduct, each rated low, medium or high. A breach is severe where one of those two is high.

The guide treats conduct as more culpable where the entity could not have been unaware that it would breach its prudential requirements, and most culpable where it knew a breach was near certain or sought to conceal it. An intentional failure to run an approved model points to the higher end of the misconduct scale. That, combined with a capital overstatement running across three quarters, is the kind of profile the guide maps to a severe classification.

For breaches up to very severe, the base amount comes from a penalty grid keyed to the entity’s total assets, sorted into five size groups, with a separate route where the profits gained or losses avoided can be measured. The final figure is then tuned for cooperation, remediation and other factors. This is worth understanding for one practical reason: the published number is an outcome of a structured method, so a reporting officer reading a sanction should look past the headline figure to the severity classification and the description of the conduct, which is where the supervisory expectation actually lives. Speculating about how the grid or the mitigating factors were applied in a specific case adds nothing, and the ECB does not publish that arithmetic.

What the regime does require is that the penalty be effective, proportionate and dissuasive. The dissuasive element is aimed at the whole population of supervised banks, not only the one sanctioned. In other words, the ECB expects every IRB bank to read a case like this and check its own house.

What this signals for IRB and IMA governance and reporting controls

The durable message is that applying an approved model is a controlled, evidenced process with an owner, not a background job that is assumed to have run. Several checks follow directly from the BIL facts and are worth putting in front of the model governance and reporting functions now.

Confirm that approved models are actually applied to their full approved scope every reporting period, defaulted exposures included. The gap here was the absence of the model over a population it was approved to cover, not a wrong number inside the model. A control that only reviews model outputs will not see a missing run. The control has to confirm the run happened over the current, complete population before the outputs are trusted.

Reconcile expected loss to own funds as a standing control. The expected loss in the credit risk templates, the provisions in finance, and the IRB shortfall deduction in C 01.00 should be tied together every quarter, by someone who owns the reconciliation and signs it. Treat an empty or unchanged shortfall line as a question to answer, not a convenience.

Keep the distinction between model change and model application visible in governance. Prior permission for material changes under Article 143 is necessary, but it is not the whole duty. Reverting from an approved model, or not applying it, is itself a supervisory event, and the reporting and risk functions should know which portfolios are on which approach at all times, with any change routed through the supervisor rather than made silently.

Extend the same discipline to market risk internal models. The internal model approach for market risk raises the identical question in a different template: is the approved model being applied as approved, and does its output reconcile to the capital and disclosure numbers. The mechanics differ, but the governance point is the same, and it is the theme running through the PRA’s Basel 3.1 market-risk internal model adjustments on the UK side of the fence. Any bank running an IMA permission should ask whether its own model-application controls would catch a skipped or mis-scoped run.

None of this requires new systems. It requires treating the internal-models decision as the binding instrument it is, and treating the own funds deduction it drives as a number a named person has checked against the model, rather than a cell that reconciles to itself.

Frequently Asked Questions

What exactly did the ECB sanction BIL for?

The ECB sanctioned Banque Internationale a Luxembourg for breaching an ECB decision on internal models. According to the ECB, the bank did not apply its approved internal ratings-based models to calculate the expected loss for retail and corporate exposures in default, so it did not compute or deduct the resulting IRB shortfall from capital. This caused it to report higher own funds than it should have from the fourth quarter of 2023 to the second quarter of 2024. The penalty was EUR 3,255,000.

What legal power did the ECB use?

Article 18 of Council Regulation (EU) No 1024/2013, the SSM Regulation, gives the ECB the power to impose administrative pecuniary penalties on the significant institutions it directly supervises where they breach, intentionally or negligently, a requirement of directly applicable Union law or a requirement set out in ECB regulations and decisions. An internal-models permission is a requirement set out in an ECB decision, so failing to apply it falls within Article 18.

What is the IRB shortfall and why does skipping it overstate capital?

The IRB shortfall is the amount by which regulatory expected loss on IRB exposures exceeds the eligible provisions and value adjustments for those exposures, calculated under Article 159 of the CRR. Article 36(1)(d) of the CRR requires that shortfall to be deducted from Common Equity Tier 1. If a bank does not calculate expected loss for a set of exposures, there is no shortfall to deduct, so CET1, and every capital ratio built on it, is reported higher than the rules permit.

Which reporting templates would show this problem?

In COREP, template C 01.00 carries the IRB shortfall of credit risk adjustments to expected losses as a CET1 deduction line, fed by the IRB expected loss in the credit risk templates and by the provisions in the accounting records. Template C 03.00 reports the capital ratios that depend on the resulting own funds. The same figures also flow into Pillar 3 disclosures.

Does this mean a bank can never stop using an approved model?

It means a bank cannot simply stop applying an approved model to exposures it covers. Reverting to the standardised approach or ceasing to apply an IRB model is governed by the permanent partial use and rollback conditions and by supervisory consent. The regulation treats the approved model as the required approach for its scope, so any change of approach is a supervisory matter rather than an internal reporting decision.

How did the ECB arrive at the EUR 3.255 million figure?

The ECB applies its published Guide to the method of setting administrative pecuniary penalties. It first sets a base amount from the severity of the breach, classified from the impact and the degree of misconduct, then adjusts for aggravating and mitigating circumstances, within a legal maximum of 10 percent of annual turnover. The ECB classified this breach as severe. It does not publish the case-specific arithmetic behind the final amount.

Can BIL challenge the decision?

Yes. The ECB has stated the bank has the right to challenge the decision before the Court of Justice of the European Union. A right of judicial review is standard for ECB sanction decisions and does not by itself indicate any view on the outcome.

What should an IRB reporting team do first in response?

Confirm that every approved model is being applied across its full approved scope each period, defaulted exposures included, and that the expected loss output reconciles to the IRB shortfall deduction in the own funds template and to the provisions ledger. Treat an unchanged or empty shortfall line as something to investigate rather than accept.

Related Articles

Key Takeaways

  • The ECB fined Banque Internationale a Luxembourg EUR 3,255,000 on 29 June 2026 for breaching an ECB decision on internal models, classifying the breach as severe under Article 18 of the SSM Regulation.
  • The bank did not apply its approved IRB models to defaulted retail and corporate exposures, so it did not calculate the IRB shortfall or deduct it from CET1, overstating own funds from Q4 2023 to Q2 2024.
  • An ECB internal-models permission is a binding supervisory decision under Article 143 of the CRR, so not applying an approved model is a breach of the decision, not a discretionary reporting choice.
  • The IRB shortfall deduction runs through Articles 158 and 159 of the CRR into the Article 36(1)(d) CET1 deduction, and it surfaces in COREP template C 01.00 with the capital ratios in C 03.00 depending on it.
  • A validating, submitting own funds template is not proof the shortfall was calculated: reconcile expected loss, provisions and the C 01.00 deduction as an owned control every quarter.
  • Governance built only around material model changes can miss the simpler failure of an approved model not being applied to its full scope, defaulted exposures included.
  • The same model-application discipline applies to market risk internal models, where a skipped or mis-scoped run raises the identical capital and disclosure integrity risk.

Sources and References

  • European Central Bank Banking Supervision, press release, “ECB sanctions BIL for breaching ECB decision on internal models”, 29 June 2026: bankingsupervision.europa.eu
  • Council Regulation (EU) No 1024/2013 of 15 October 2013 (SSM Regulation), Article 18: eur-lex.europa.eu
  • ECB Guide to the method of setting administrative pecuniary penalties pursuant to Article 18(1) and (7) of Council Regulation (EU) No 1024/2013, March 2021: bankingsupervision.europa.eu (PDF)
  • Regulation (EU) No 575/2013 (CRR), consolidated text, Articles 36(1)(d), 143, 158 and 159: eur-lex.europa.eu
  • Regulation (EU) 2024/1623 (CRR3), amendments to Articles 158 and 159 on expected loss amounts, IRB shortfall and IRB excess: eur-lex.europa.eu
  • Regulation (EU) No 468/2014 (SSM Framework Regulation), procedural basis for ECB supervisory decisions and penalties: eur-lex.europa.eu

Reading a model permission as a promise you have to keep

The cheapest way to internalise the BIL case is to stop thinking of an internal model as a tool the bank owns and start thinking of it as a commitment the bank made to the supervisor. The ECB approved a specific approach for specific exposures, and the bank agreed to run it. Running it is the obligation. The IRB shortfall deduction, the C 01.00 line, the capital ratio in C 03.00, and the Pillar 3 disclosure are all downstream of that one promise being kept every quarter, for every exposure the model covers, including the defaulted ones where the numbers bite hardest. Check that the promise is actually being kept before you check anything the model produces.

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.

Similar Posts