ICAAP and ILAAP Reporting for Luxembourg Banks: A Practical Guide to Pillar 2 Assessments

ByOfficer

Last updated: April 2026

Your COREP templates are filed on time. Your LCR and NSFR ratios are above the minimum. Your Pillar 3 disclosures are published. Then the CSSF sends a letter asking for your ICAAP/ILAAP documentation as part of the SREP cycle, and the room goes quiet. Because unlike the quantitative reports, ICAAP and ILAAP are not templates you fill in. They are processes you have to prove actually exist, actually work, and actually inform how your institution makes decisions about capital and liquidity.

For many Luxembourg banks, ICAAP and ILAAP are the hardest Pillar 2 deliverables to get right. Not because the concepts are complicated, but because the documentation must demonstrate something that is difficult to fake: that risk management is embedded in the way the institution operates, not bolted on for regulatory purposes. The CSSF has made this a supervision priority area for 2026, and institutions that treat these assessments as a compliance checkbox rather than a management tool will find themselves on the wrong end of a SREP dialogue.

This guide covers what Luxembourg credit institutions need to know about ICAAP and ILAAP: the legal basis, what must be documented, what the CSSF actually looks for, and the practical mistakes that trigger supervisory scrutiny.

Related reading: COREP Reporting Explained

Legal Basis

ICAAP and ILAAP originate from the Capital Requirements Directive. Article 73 of Directive 2013/36/EU (CRD IV, now CRD V as amended by Directive 2019/878/EU) requires institutions to have in place sound, effective, and complete processes for assessing and maintaining internal capital that is adequate for the nature and level of risks they face. Article 86 of the same directive establishes the equivalent requirement for liquidity.

In Luxembourg, these requirements are transposed through CSSF Regulation N° 15-02 (RCSSF 15-02). Article 3 of RCSSF 15-02 imposes the ICAAP and ILAAP obligation on all CRR institutions incorporated under Luxembourg law and on Luxembourg branches of third-country credit institutions and investment firms.

The implementing framework is set out in CSSF Circular 07/301, which has been amended multiple times (by Circulars CSSF 08/338, 09/403, 11/506, 13/568, and 20/753). The most recent substantive amendment, Circular CSSF 20/753, aligned the circular with the EBA’s revised SREP Guidelines (EBA/GL/2018/03) and the EBA Guidelines on ICAAP and ILAAP information collected for SREP purposes (EBA/GL/2016/10).

The general governance principles of CSSF Circular 12/552 also apply to ICAAP and ILAAP. In practice, this means the management body’s oversight obligations, the three-lines-of-defence model, and the internal control framework all feed directly into how the CSSF evaluates whether your ICAAP and ILAAP are sound.

Who Must Have an ICAAP and ILAAP

The scope is broader than some institutions assume. CSSF Circular 07/301 applies to all CRR institutions that are required to have an ICAAP and ILAAP pursuant to Article 3 of RCSSF 15-02. In practical terms, this covers:

  • All credit institutions incorporated under Luxembourg law
  • CRR investment firms incorporated under Luxembourg law
  • Luxembourg branches of credit institutions and investment firms from third countries

Proportionality

The CSSF applies the principle of proportionality. A small, straightforward deposit-taking institution is not expected to run the same level of modelling sophistication as a systemically important bank. But proportionality does not mean exemption. Even the smallest Luxembourg bank must have a documented ICAAP and ILAAP. The depth and complexity of the analysis may vary, but the core requirements remain: identify your risks, quantify your capital and liquidity needs, stress test them, and document the entire process in a way the CSSF can assess.

I have seen smaller institutions interpret proportionality as permission to submit a five-page summary with a few ratio calculations. That does not work. The CSSF expects proportionality in the modelling approach, not in the completeness of documentation. A simpler institution can use simpler methods, but it still needs to cover every required element.

Consolidated vs Solo

For institutions that are part of a group, the ICAAP and ILAAP should be prepared at the level required by the CSSF. If the parent entity’s ICAAP covers the Luxembourg subsidiary, the subsidiary still needs to ensure the local documentation reflects its specific risk profile, local regulatory requirements, and any constraints on capital or liquidity transferability within the group. The CSSF will not accept a group ICAAP that does not adequately address Luxembourg-specific factors.

What ICAAP Covers

The ICAAP is not a single report. It is a set of strategies, processes, and procedures that together assess and maintain the amount, types, and distribution of internal capital that the institution considers adequate to cover its risks. The key word is “internal capital.” This is distinct from regulatory capital under Pillar 1 (COREP own funds). Internal capital is the institution’s own view of what it needs to survive its risk profile, including risks that Pillar 1 does not fully capture.

Risk Identification and Materiality Assessment

The starting point is a full inventory of risks the institution faces or could face. This goes beyond credit, market, and operational risk. The CSSF and EBA expect you to consider:

  • Credit and counterparty credit risk (including concentration risk)
  • Market risk (including interest rate risk in the banking book, covered by IRRBB guidelines)
  • Operational risk (including ICT and cyber risk)
  • Credit spread risk in the banking book
  • Business model and strategic risk
  • Reputational risk
  • Risk of excessive leverage
  • Environmental, social, and governance (ESG) risks
  • Geopolitical risks

For each risk, the institution must assess materiality. Not every risk requires full quantification. But the materiality assessment itself must be documented and justified. “We decided reputational risk is immaterial” is acceptable only if you explain why, given your business model.

Capital Quantification

For material risks, the institution must quantify the capital it considers necessary. This can follow the Pillar 1 Plus approach (starting from regulatory minimum requirements and adding capital for risks not covered or not fully covered by Pillar 1) or an economic capital approach (building a ground-up internal model). Most Luxembourg banks use the Pillar 1 Plus approach, which the CSSF considers appropriate for institutions that do not have the resources to maintain a full economic capital framework.

The quantification must cover both normal conditions and stressed conditions. The CSSF wants to see that you have not just calculated what you need today but what you would need if conditions deteriorated.

Capital Planning

The ICAAP must include a forward-looking capital plan covering at least three years. The plan should project the development of risks and capital under a baseline scenario and at least one adverse scenario. It should include planned capital actions (issuances, dividend policy, balance sheet changes) and demonstrate that the institution can maintain adequate capital throughout the planning horizon.

This is where the ICAAP connects to real management decisions. If the capital plan says you need to retain earnings for two years to maintain buffers under stress, that finding should appear in the institution’s actual dividend policy. The CSSF will check whether capital planning outcomes are reflected in management body decisions.

What ILAAP Covers

The ILAAP mirrors the ICAAP structure but for liquidity. It assesses and maintains the level, composition, and quality of liquidity buffers the institution considers adequate to cover its liquidity and funding risks. It is a companion process to the quantitative liquidity requirements (LCR, NSFR, and Additional Monitoring Metrics) but goes beyond them.

Liquidity Risk Identification

The ILAAP must cover at minimum:

  • Short-term liquidity risk (survival horizon under stress)
  • Structural funding risk (maturity mismatch between assets and liabilities)
  • Intraday liquidity risk
  • Concentration risk in funding sources
  • Currency mismatch risk
  • Contingent liquidity risk (off-balance sheet commitments, collateral calls)

Liquidity Buffer Adequacy

The institution must determine the liquidity buffer it needs beyond the regulatory LCR minimum. The Pillar 1 LCR is a one-size-fits-all ratio. The ILAAP should reflect the institution’s actual liquidity risk profile, including risks the LCR does not capture (such as intraday liquidity needs or currency-specific stress scenarios).

In my experience, the ILAAP is where many Luxembourg institutions underinvest. The ICAAP gets the attention because capital shortfalls carry immediate consequences. But the CSSF has increased its focus on ILAAP quality in recent years, particularly around stress testing assumptions for liquidity. An ILAAP that simply confirms “our LCR is above 100%, so we are fine” will not satisfy supervisory expectations.

Funding Plan

Similar to the ICAAP’s capital plan, the ILAAP must include a funding plan. This should project funding needs, sources, and composition over a multi-year horizon. It should address how the institution would respond to a funding disruption and whether alternative funding sources are genuinely available under stress.

Documentation Requirements Under CSSF Circular 07/301

CSSF Circular 07/301, as most recently amended by Circular CSSF 20/753, specifies the documentation structure the CSSF expects to receive. The information must cover at least the following areas:

General Context Information

Where relevant for ICAAP and ILAAP, the institution must document:

  • Business model and strategy
  • Risk governance and management framework
  • Risk appetite framework and statement
  • Stress testing framework and programme
  • Risk data, aggregation, and IT systems

ICAAP-Specific Information

The ICAAP documentation must include methodology and policy documentation (how risks are identified, measured, and quantified) and operational documentation (the actual outputs, results, and conclusions). This means two layers: explaining how you do it and showing what the results are.

The EBA Guidelines on ICAAP and ILAAP information (EBA/GL/2016/10) specify that competent authorities should receive:

  • The risk identification and materiality assessment process and its outcomes
  • Internal capital quantification methods and their results
  • Capital planning assumptions, scenarios, and projections
  • Stress testing methodology, scenarios, and quantitative outcomes
  • Supporting documentation including management body minutes evidencing approval and oversight

ILAAP-Specific Information

The same two-layer structure applies. The CSSF needs to see how liquidity risks are identified and measured, what the liquidity buffer adequacy assessment concluded, and how stress testing was conducted and what it showed.

The Capital Adequacy Statement (CAS) and Liquidity Adequacy Statement (LAS)

CSSF Circular 07/301 requires institutions to produce a summary of the main conclusions of the ICAAP and ILAAP, including the Capital Adequacy Statement (CAS) and the Liquidity Adequacy Statement (LAS). These are formal statements, approved by the management body, declaring that the institution considers its capital and liquidity to be adequate given its risk profile.

The CAS and LAS are not throwaway sign-off pages. They are the management body’s explicit acknowledgment that it has reviewed the ICAAP and ILAAP results and stands behind the conclusions. The CSSF reads these carefully. A generic CAS that does not reference specific ICAAP findings will raise questions about whether the management body actually engaged with the assessment.

Report Format

Institutions may present the ICAAP and ILAAP information in one comprehensive report (covering both capital and liquidity) or as two separate reports. They may also split the information across different internal documents and use a summary document that references them. The CSSF does not prescribe a template. What matters is completeness and the ability of the supervisor to trace the logic from risk identification through quantification to the CAS/LAS conclusion.

Stress Testing in ICAAP and ILAAP

Stress testing is not an add-on to the ICAAP and ILAAP. It is integral. The EBA Guidelines expect institutions to run stress scenarios that test both capital and liquidity under adverse conditions, and to integrate the results into capital and liquidity planning.

ICAAP Stress Testing

At minimum, institutions should apply:

  • A baseline scenario reflecting the institution’s business plan
  • At least one adverse scenario with plausible but severe macroeconomic assumptions
  • Sensitivity analyses for key risk parameters

The adverse scenario should be specific to the institution’s business model. A Luxembourg private bank concentrated in wealth management faces different stress factors than a retail deposit-taker or a custodian bank. The CSSF will challenge institutions that use generic, off-the-shelf stress scenarios without tailoring them to their actual risk profile.

The stress test outputs should show the impact on key metrics: profit and loss, capital ratios (both regulatory and internal), and the institution’s ability to maintain buffers above combined buffer requirements throughout the stress horizon.

ILAAP Stress Testing

Liquidity stress testing should cover multiple time horizons: overnight, one week, one month, and longer periods. The scenarios should address funding source concentration (what happens if your largest depositor withdraws), market access disruption, and collateral value changes.

The CSSF expects liquidity stress tests to be more granular than the regulatory LCR stress assumptions. The LCR applies standardized run-off rates. Your ILAAP stress tests should reflect your actual depositor behavior, your actual collateral portfolio, and your actual market access constraints.

The SREP Connection

The CSSF assesses ICAAP and ILAAP as part of the Supervisory Review and Evaluation Process (SREP), following the EBA Revised Guidelines on SREP (EBA/GL/2018/03). The SREP has four main elements, and ICAAP/ILAAP are directly relevant to all of them:

  • Business model assessment
  • Assessment of internal governance and institution-wide controls
  • Assessment of risks to capital (where ICAAP is central)
  • Assessment of risks to liquidity and funding (where ILAAP is central)

The CSSF uses the ICAAP and ILAAP documentation as a primary input when determining Pillar 2 capital requirements (P2R) and Pillar 2 guidance (P2G). If your ICAAP understates a material risk, the CSSF will add capital for it. If your ILAAP does not adequately address a liquidity vulnerability, the CSSF may impose a liquidity-specific measure.

This is the practical reason to take ICAAP and ILAAP seriously: they directly influence the supervisory outcome. A well-reasoned ICAAP that demonstrates a thorough understanding of the institution’s risk profile gives you credibility in the SREP dialogue. A superficial one invites supervisory add-ons because the CSSF cannot rely on your own assessment.

SREP Scoring

The EBA SREP framework assigns scores from 1 (no discernible risk) to 4 (high risk) across each element. The assessment of ICAAP and ILAAP soundness, effectiveness, and comprehensiveness feeds directly into the overall SREP score. A poor ICAAP/ILAAP score does not just mean a supervisory letter. It can result in higher Pillar 2 requirements, restrictions on distributions, or requirements to implement specific remedial measures within defined timelines.

Governance and Management Body Involvement

The CSSF expects the management body to be actively involved in ICAAP and ILAAP, not just to sign the final document. Specific expectations include:

  • Approval of the overall ICAAP and ILAAP framework and methodology
  • Approval of the risk appetite framework and its limits
  • Review and approval of stress testing scenarios
  • Discussion of ICAAP and ILAAP results and their implications for strategy and planning
  • Approval and signing of the CAS and LAS

The documentation must evidence this involvement. The CSSF will ask for management body minutes, committee records, and evidence that ICAAP/ILAAP findings were discussed and acted upon. An ICAAP produced entirely by the risk function without management body engagement is a red flag.

In practice, this means scheduling ICAAP and ILAAP updates on board agendas at least annually, with interim updates when the risk profile changes materially. I have seen institutions where the risk management team produces an excellent ICAAP document, but the board minutes contain only a single line: “The board approved the ICAAP.” That is not enough. The minutes should reflect discussion of key findings, challenges to assumptions, and decisions taken as a result.

Common Mistakes That Trigger Supervisory Scrutiny

Based on CSSF SREP feedback patterns and EBA thematic reviews, these are the issues that most frequently draw supervisory attention:

Disconnect Between ICAAP and Business Decisions

The ICAAP says one thing, the institution’s actual behavior says another. If your ICAAP identifies concentration risk as material but your lending book keeps growing in the same sector, the CSSF will question whether the ICAAP is genuinely used. The assessment must be embedded in decision-making, not filed in a drawer.

Inadequate Stress Testing

Using a single mild adverse scenario, or a scenario that is not tailored to the institution’s business model, is a recurring finding. The CSSF also flags institutions that run stress tests but do not clearly articulate what management actions would follow if the adverse scenario materialized.

Weak Risk Materiality Assessment

Dismissing risks as immaterial without adequate justification. This is particularly common for ESG risks and operational/ICT risks, where some institutions still lack quantification frameworks. Even if quantification is difficult, the materiality assessment must explain why a risk is considered immaterial, not simply omit it.

Insufficient ILAAP Depth

Treating the ILAAP as a secondary exercise. The CSSF has repeatedly indicated that ILAAP quality lags behind ICAAP quality across the Luxembourg market. Institutions that do little more than restate their LCR compliance in the ILAAP will receive pushback.

Boilerplate Documentation

Reusing the prior year’s document with updated numbers but no updated analysis. The risk environment changes. Your ICAAP should reflect what changed this year, what new risks emerged, and what assumptions you revised. A cut-and-paste job is obvious to experienced supervisors.

Missing Management Body Evidence

No board minutes, no committee records, no evidence that the management body challenged or discussed the ICAAP/ILAAP results. This suggests the process is a compliance exercise rather than a management tool.

Practical Implementation Tips

If you are building or improving your ICAAP and ILAAP process, here is what I would prioritize:

Start with a clear risk taxonomy. List every risk category the EBA SREP framework expects, then assess each one against your business model. Document why each risk is or is not material. This taxonomy becomes the foundation for everything else.

Build the connection to decision-making first. Before you worry about modelling sophistication, ensure the ICAAP results flow into capital allocation, limit setting, and strategic planning. The CSSF cares more about use than precision.

Do not outsource the thinking. External consultants can help with methodology and modelling, but the institution’s own understanding of its risks must come through in the documentation. An ICAAP that reads like a consulting deliverable rather than an internal assessment will not satisfy the CSSF’s expectations of management body ownership.

Update the stress scenarios annually. Review whether last year’s adverse scenario is still relevant given current economic conditions. If inflation was your stress scenario last year but geopolitical disruption is the emerging risk this year, update accordingly.

Use the ICAAP and Pillar 3 disclosures as complementary exercises. Much of the risk assessment work overlaps. Ensure consistency between what you tell the CSSF in the ICAAP and what you disclose publicly in Pillar 3.

Interaction With Other Prudential Reports

The ICAAP and ILAAP do not exist in isolation. They connect to multiple other reporting and disclosure requirements:

  • COREP provides the Pillar 1 capital baseline. Your ICAAP builds on top of this with Pillar 2 risk coverage.
  • FINREP feeds financial data into the ICAAP’s capital planning projections.
  • LCR/NSFR reporting provides the Pillar 1 liquidity baseline. The ILAAP assesses whether the regulatory minimum is sufficient for your specific risk profile.
  • Large Exposures reporting informs the concentration risk assessment in the ICAAP.
  • IRRBB results feed directly into both ICAAP capital quantification and ILAAP economic value assessments.
  • Pillar 3 disclosures should be consistent with ICAAP risk assessments and capital adequacy conclusions.

Consistency across these reports matters. If your COREP submission shows one capital figure and your ICAAP uses a different one without explanation, the CSSF will notice.

Frequently Asked Questions

How often must the ICAAP and ILAAP be updated?

The CSSF expects at least an annual full update, with the documentation reflecting the most recent year-end data. However, a material change in the risk profile (new business lines, significant loss events, market disruptions) should trigger an interim update. The ICAAP and ILAAP should be living processes, not once-a-year exercises.

Is there a standard template for ICAAP and ILAAP?

No. Unlike COREP or FINREP, there is no prescribed template. CSSF Circular 07/301 specifies the information content requirements, but institutions choose their own format. The documentation can be a single report, two separate reports, or a summary document referencing underlying internal documents.

When does the CSSF request ICAAP and ILAAP documentation?

The CSSF requests this documentation as part of the SREP cycle. The timing varies by institution and supervisory classification. Institutions should be prepared to submit documentation within a reasonable period after the CSSF’s request. Having the documentation ready and up to date avoids scrambling when the request arrives.

What is the difference between the CAS/LAS and the ICAAP/ILAAP report?

The CAS (Capital Adequacy Statement) and LAS (Liquidity Adequacy Statement) are summary conclusions, formally approved by the management body, stating that the institution considers its capital and liquidity adequate. The ICAAP/ILAAP reports are the full documentation underpinning those conclusions. The CAS and LAS should reference specific ICAAP/ILAAP findings, not simply state adequacy in generic terms.

Do Luxembourg branches of third-country banks need their own ICAAP?

Yes. CSSF Circular 07/301 applies to Luxembourg branches of credit institutions and investment firms having their registered office in a third country. The branch must have its own ICAAP and ILAAP documentation reflecting its local risk profile, even if the head office conducts a group-level assessment.

How does proportionality work in practice?

Proportionality applies to the complexity and sophistication of the methodologies, not to the scope of the documentation. A smaller institution can use simpler risk quantification approaches (such as regulatory formulas with add-ons rather than internal models) but still must cover all required elements: risk identification, materiality assessment, quantification, stress testing, capital/liquidity planning, and governance evidence.

What happens if the CSSF finds the ICAAP or ILAAP inadequate?

An inadequate ICAAP or ILAAP affects the SREP score, which can result in higher Pillar 2 capital requirements, specific liquidity measures, restrictions on distributions (dividends, variable remuneration), or a formal requirement to remediate within a specified timeframe. In severe cases, the CSSF can require the institution to hold additional own funds under Article 104 of CRD V.

Related Articles

Key Takeaways

  • ICAAP and ILAAP are required for all CRR institutions in Luxembourg under CSSF Circular 07/301 (as amended by Circular 20/753), transposing CRD Articles 73 and 86.
  • These are processes, not templates. The CSSF assesses whether your ICAAP/ILAAP is sound, effective, comprehensive, and genuinely embedded in management decisions.
  • The Capital Adequacy Statement (CAS) and Liquidity Adequacy Statement (LAS) must be approved by the management body and reference specific assessment findings.
  • Stress testing is integral to both ICAAP and ILAAP. Scenarios must be tailored to the institution’s business model, not generic.
  • ICAAP and ILAAP quality directly influences SREP outcomes, including Pillar 2 capital requirements and potential distribution restrictions.
  • Proportionality applies to methodology complexity, not documentation completeness. Smaller institutions must still cover every required element.
  • Consistency across COREP, FINREP, LCR/NSFR, Pillar 3, and ICAAP/ILAAP is expected. Conflicting figures across reports invite supervisory questions.
  • The CSSF has flagged ICAAP/ILAAP as a 2026 supervision priority. Institutions should review and upgrade their processes now, not when the SREP letter arrives.

Sources and References

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.

Similar Posts

  • MiFIR Transaction Reporting: Complete Guide to Article 26 Compliance

    Last updated: March 2026 What Is MiFIR Transaction Reporting and Why It Matters MiFIR transaction reporting is one of the most operationally demanding requirements in European financial regulation. Every day, thousands of investment firms, trading venues, and systematic internalisers in the EU submit transaction data to national competent authorities (NCAs) under MiFIR Article 26. If…

  • AML Reporting in Luxembourg: STRs, GoAML, and Your Obligations

    Last updated: March 2026 Introduction AML reporting in Luxembourg is mandatory for every regulated financial institution and obliged entity – failure to file suspicious transaction reports exposes your firm to regulatory sanctions, reputational damage, and legal liability. For compliance officers, risk managers, and AML practitioners in Luxembourg’s financial sector, understanding when and how to file…

  • FINREP Reporting Explained: What You Actually Need to Know

    Last updated: March 2026 What Is FINREP and Why It Matters FINREP stands for Financial Reporting. It’s the European regulatory framework for collecting standardized financial data from banks and certain investment firms. If you work in prudential reporting at a European bank, FINREP is not optional – it’s a statutory obligation enforced by your national…

  • PSD2 Reporting Requirements for Payment Institutions: Complete Practitioner Guide

    Last updated: March 2026 Introduction PSD2 reporting is not optional – payment institutions face multiple overlapping reporting obligations including statistical, prudential, fraud, incident, and complaint reporting, each with distinct deadlines, data sources, and regulatory recipients. Payment Services Directive 2 (Directive (EU) 2015/2366) fundamentally reshaped how payment institutions, e-money institutions (EMIs), account information service providers (AISPs),…